European Open Identity Summit – Review

This week saw the first European Open Identity Summit, hosted by identity management vendor ForgeRock [1].  Following hot on the heels of the US summit held in Pacific Grove, California, in June, the sold-out European event brought together customers, partners, vendors and analysts from the likes of Salesforce, Deloitte, Forrester and Kuppinger Cole, amongst others.

Whilst the weather was typically October-esque, the venue was typically French chateau, set in panoramic grounds, with great hosting, food and wine to keep everyone in a relaxed mood.

The agenda brought together the key themes of the modern identity era, such as standards adoption (XACML, SAML2, OAuth2, OpenID Connect, SCIM), modern implementation approaches (JSON, API, REST) through to the vision for modern identity enablement for areas such as mobile and adaptive authentication, all whilst allowing customers and partners a chance to collaborate and swap war stories with some great networking.


Consumer Identity As A Revenue Generator

I have discussed the evolution of identity management on several occasions over the years (not least in August!), with the current iteration seeing a strong focus on utilising the identity of the consumer as an approach to help drive new and existing revenue for services and applications.  By capturing consumer identity details, either via portal-facing registration systems or by making services available online, brand stickiness can be increased and a more relationship-based approach developed. Developing platforms for consumer-focused identity requires several key components: scale, modularity and agility.


Salesforce Expand Identity Offering

One of the key announcements at the summit was the expansion of the identity offering by CRM software-as-a-service giant Salesforce.  For the Identity Connect platform, Salesforce and ForgeRock have entered into an OEM agreement in which the ForgeRock Open Identity Stack underpins the Salesforce solution, allowing enterprises to integrate seamlessly with existing on-premise identity directories, with additional SSO capabilities.  Salesforce hope the solution will accelerate the onboarding of new and existing client accounts into their portfolio of online services. This is yet another example of organisations seeing customer identity as a key strategic component of business enablement and revenue generation.


Passwords Are Dead...Long Live The Password!

One of this year's keynote speakers was Forrester's Eve Maler.  Always an articulate presenter, Eve dropped the bombshell that 'passwords are dead...'.  Whilst this is probably not the most surprising announcement in the identity and infosec worlds, a clear way to replace passwords as an authentication mechanism has still to be defined.  This is a topic I have blogged on multiple occasions (The Problem With Passwords Again, Still - Oct 2012, The Password Is Dead (Long Live The Password) - Feb 2012, Passwords And Why They're Going Nowhere - Mar 2013).  The failures of password use, storage and implementation are well known, but passwords are now so well embedded, technically and psychologically, that a simple passage to something resembling biometric sustainability is somewhat remote.  Answers on a postcard with how that can be obtained!


The Future is Bright

Everyone loves modern - modern art, modern fashion, cutting edge music, the latest tech gadgets - but where does that leave modern identity management?  Modern in this respect shouldn't just be focused on the new and shiny.  It needs to be focused on the new and useful.  Mobile devices are clearly the key component for information access, either via smart phones or tablets.  The desktop is dead and the laptop not far behind.  Modern identity needs to integrate seamlessly with mobile devices, utilising native technologies and loosely coupled REST-based APIs and integration points.  Modern identity must also be convenient and easy to use.  Security in general is bypassed when it is too restrictive or complex, and modern identity is no different.  For authentication and authorization processes to be effective, they need to be convenient, good looking and easy to use.


The summit was a great event that produced some interesting and thought-provoking discussions, highlighting identity management as a key component of many organisations' go-to-market approach for 2014 and beyond.


[1] - For audience transparency, the author is employed by ForgeRock.

OpenDJ is Java 8 ready…

A few weeks ago, I came upon the Adopt OpenJDK program, launched by the London Java User Group. I've decided to give it a try and, for that, to leverage the Dev@Cloud and FOSS program from CloudBees.

While building OpenDJ I hit a roadblock: XJC is defective with OpenJDK 8 and prevents us from building the DSML gateway that is part of the OpenDJ project. It was only recently, when the OpenJDK bug database was made publicly available, that I found it was a known P1 issue, yet still not resolved.

Recently someone filed a bug against OpenDJ for failing with OpenJDK 8, so we paid more attention, found the cause of the failure and fixed it. OpenDJ directory server now works fine on OpenJDK 8. We are keeping an automatic build and test with OpenJDK 8 (*) to make sure things will work when Java 8 is released.

The next step will be to verify that OpenDJ still works with the beta version of IBM's JDK 8 Java virtual machine.


* If you're not familiar with OpenDJ nightly tests, do not try to interpret the results out there. Some of those complex replication tests are unfortunately sensitive to processor speed, thread timing and synchronization, so they tend to fail often on single-CPU virtual machines where resources are unknown. They fully pass on machines with 2 or more CPUs.


Filed under: Directory Services, Java Tagged: directory-server, ForgeRock, java, ldap, opendj, openjdk, openjdk8, opensource, testing

OpenDJ : Visualizing the Replication Topology

My coworker Chris Ridd has spent a little bit of spare time writing a small utility that parses the output of OpenDJ monitoring information to extract the details of the replication topology. Give the output to a graphing tool and here's the result (based on anonymized data from one of our biggest customers):

[Figure: ReplTopo - the rendered replication topology graph]

This is a worldwide deployment with many directory services in 4 regions and 8 replication services, fully connected. Each directory service is connected to a single replication server, but can fail over in a matter of seconds, by priority, within the same region.

If you want to give it a try on your own replication topology, it's simple. The tool is open source and part of the OpenDJ utilities that Chris has pushed to GitHub. Just feed it the output of ldapsearch on cn=monitor.


Filed under: Directory Services Tagged: directory-server, ForgeRock, java, ldap, opendj, opensource, replication, utilities, visualization

ForgeRock Open Identity Summit comes to Europe…

Join us for the Open Identity Stack Summit Europe, on 14-16 October 2013 at the Domaine de Béhoust, France.

We will be gathering at ForgeRock’s luxe Chateau, Domaine de Béhoust (just outside Paris), where our Open Identity Stack community will delve into OpenAM, OpenIDM, and OpenDJ best practices, use cases, how-tos, and more.

We’ve been saying for a long time that identity & access management (IAM) must be reconstructed to adapt to today’s problems. Modern APIs, standards, scale, speed, and modular architecture are all needed for successful modern IAM deployments. The agenda will include dynamic working sessions addressing the latest IAM developments, including mobility, identity bridge, and customer case studies.

A call for papers is open. If you are doing something interesting with the Open Identity Stack and you would like to share the experience by presenting a session at the summit, send your proposal by September 4.

ForgeRock's chateau is large, but registration is limited. Therefore, I encourage you to reserve your spot and register quickly!

If you want to get a feel for the atmosphere of the conference, check the photo album from the first ForgeRock Open Identity Summit or get a glimpse of the skills of one of our keynote speakers:

I hope to see you at ForgeRock's chateau in October!


Filed under: General Tagged: conference, europe, ForgeRock, france, identity, openam, opendj, OpenIdentityStack, openidm, opensource, summit

OpenDJ 2.6.0 is now available

I am really happy to announce the general availability of OpenDJ 2.6.0, a major update of ForgeRock's directory service product, built from the tag 2.6.0 (revision 9086 in our SVN repository).

OpenDJ 2.6.0 brings a lot of added value, including:

- A REST to LDAP service, allowing an easy access to directory data using HTTP/JSON. The service can be run either embedded in the server or as a standalone web application.

- A new upgrade process to ease transition from OpenDJ 2.4.5 or newer to 2.6.

- New Linux native packages (RPM and Debian) to facilitate the automatic deployment of OpenDJ in the private and public cloud.

- OpenDJ can be configured to delegate authentication to a Microsoft Active Directory service, providing tighter integration with Microsoft environments without the burden of synchronizing passwords.

- An optional extension to remove specific attributes from updates, making it more flexible and easier to deal with legacy applications and migration tasks.

- A way to synchronize Samba password attributes with the user's password.

- Improvements to the integrity of references, which is now enforced at creation or on update.

- More flexible and efficient audit logs.

- A Java based LDAP software development kit.

- An official stable documentation.

For the complete list of new features, enhancements and fixed defects, please read the release notes.

The binaries can be downloaded from ForgeRock Downloads.

Over the course of the development of OpenDJ, we've received many contributions, in the form of code, issues raised in our JIRA, documentation… We address our deepest thanks to all the contributors and developers:

Aiman Tahboub, Alan Evans, Arturo V Sanchez, Auke Schrijnen, Bernhard Thalmayr, Brent Palmer, Bruno Vernay, Chris Dowey, Chris Ridd, Christophe Sovant, Dan Gardner, Danny Turner, Darin Perusich, Donal Duane, Elliot Kendall, Eswar Moorthy, Fred Voss, Gael Allioux, Gary Williams, German Parente, Göran Odmyr, Ian McGlothlin, Jamie Nelson, Jean-Noël Rouvignac, Jeff Blaine, Jeffrey Crawford, Jens Elkner, Lana Frost, Laurent Bristiel, Ludovic Poitou, Manuel Gaupp, Manuel Schallar, Mark Craig, Mark Gibson, Marko Harjula, Martin Sperle, Matthew Stevenson, Matthew Swift, Miroslav Fadrhonc, Mitch Silverstein, Nemanja Lukić, Nicholas Sushkin, Nikolay Belaevski, Per-Olov Sjoholm, Peter Major, Rauli Ikonen, Sachiko Wallace, Slavomir Katuscak, Tomas Forsman, Vanessa Richie, Violette Roche, Willi Burmeister

Happy 4th of July everyone!


Filed under: Directory Services Tagged: directory, directory-server, ForgeRock, java, Json, ldap, opendj, opensource, release, REST

Thanks to all participants of the 1st ForgeRock Open Identity Summit !

ForgeRock Open Identity Summit opening

I hope all attendees enjoyed the summit as much as I have. It's been a real pleasure to meet face to face some of the project members, customers and partners I've interacted with over email and phone for the last 3 years, and to see colleagues and ex-coworkers again…

All the photos that I’ve captured during the summit are now publicly available on Flickr.

See you at the next summit!

[Update on June 19] The presentations from the summit are now online. Go to the Summit page and click on the Agenda.



Filed under: General Tagged: conference, ForgeRock, identity, ois13, openam, opendj, openidm, photography, photos

Subject to change – JAAS to JASPI

The move from JAAS to JASPI subtly changes how we interact with identities. In the world of JAAS we deal with Subjects, the entities making a request, typically a user, whilst Java EE deals with Principals, the representation of that entity, such as a username. The difference may not seem great, but a Subject may have several Principals, and this has caused some headaches when using JAAS, leaving the determination of the relevant Principal to the implementation.

The days of JAAS have long been numbered, however, and JSR-196 (also known as JASPI or JASPIC) is emerging at last; inclusion in Java EE 6 has definitely helped to push JASPI beyond just Glassfish support.

One of the changes is the use of the CallerPrincipalCallback to tell the container which Principal is applicable; that Principal is then available from the ServletRequest via getUserPrincipal().
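As an added illustration (not code from the original post or from ForgeRock), a minimal JASPIC ServerAuthModule that answers the "which Principal?" question above by handing a single CallerPrincipalCallback to the container. The HTTP Basic scheme, the BasicAuthModule class name and the in-memory user table are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

/** Minimal JASPIC (JSR-196) ServerAuthModule performing HTTP Basic authentication. */
public class BasicAuthModule implements ServerAuthModule {
    // Constructed sample credentials for this example only; a real module would consult a directory.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");
    private CallbackHandler handler;

    @Override public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy, CallbackHandler handler, Map options) { this.handler = handler; }
    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }

    @Override public AuthStatus validateRequest(MessageInfo info, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        String user = authenticate(req.getHeader("Authorization"));
        if (user == null) {  // missing or bad credentials: challenge the client and stop the request
            resp.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }
        try {
            // The JASPIC answer to "which Principal?": the container records exactly this caller
            // on clientSubject and returns it from HttpServletRequest.getUserPrincipal().
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user) });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("cannot set caller principal").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    /** Returns the user name when the Basic header carries valid credentials, otherwise null. */
    static String authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String[] parts;
        try { parts = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2); }
        catch (IllegalArgumentException e) { return null; }  // malformed base64
        String expected = parts.length == 2 ? USERS.get(parts[0]) : null;
        // Constant-time comparison so response timing does not reveal how much of the password matched.
        return expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                parts[1].getBytes(StandardCharsets.UTF_8)) ? parts[0] : null;
    }

    @Override public AuthStatus secureResponse(MessageInfo info, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```

Register the module with the container's AuthConfigFactory (container-specific) and a servlet can then read the single Principal the module chose via request.getUserPrincipal(), instead of picking one out of a JAAS Subject's Principal set.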

Some background music for mulling over Subjects and Principals: Subject’s theme from Aldo Nova

Gathering no moss

The ForgeRock is a rolling stone at the moment and gathering no moss. Here are some of the things we have been up to recently:

As it happens, our Rock is at the top of a big hill and we are still picking up speed :-)

What’s in a name?

Names come in all forms and sizes: official and informal, first, middle and last, identifiers and labels. And here is a new type of name: the ForgeRock name.

As Joe Brockmeier discussed in a blog entry last year, Open Source does not normally say anything about the trademarks that may apply to the software. The current situation at Sun-Oracle may leave a number of Open Source projects out in the cold, and when crunch time comes (is it here already?) this may be a hot issue.

As Oracle recently removed all open downloads from opensso.org, ForgeRock are the new home of binary downloads for the OpenSSO community, providing essentially the same compiled code as before. Except for the name.

So – OpenAM is the new OpenSSO. Remember the name next time you need a build :-)

The start of all things

Everything starts somewhere, and this blog is starting for a reason. We at ForgeRock have recently launched our business and have a lot to say – this blog is one of those ways :-)

So I can start off by saying that the purchase of Sun by Oracle took a long time but was finally completed on January 27th. As you will see from www.forgerock.com, ForgeRock has its roots in the software side of Sun, with almost all our employees having a background from Sun. Naturally we have been interested to see how the takeover would play out, especially with regard to Sun's open source strategy. Oracle has made several statements about the direction they will be taking, including these webcasts.

One of the open source products we are particularly involved in is OpenSSO, a fully-featured, enterprise-class product for authentication, authorization, federation and much more. Oracle has said that OpenSSO will continue as an open source project, but that Oracle Access Manager will be their strategic product for web single sign-on, and Oracle Federated Identity Manager for federated single sign-on.

What does the “strategic” product choice mean in practice? Nishant Kaushik (architect for Identity Management products at Oracle) in his blog answers like this:

“Strategic” means that this is the product that we will be innovating and developing new features for.

So according to this Oracle will not be innovating and developing new features for OpenSSO, but still hosting the open source project. This can also be seen on the employee side of Oracle where key players from the OpenSSO team are apparently either no longer working there or have been transferred to other teams.

What is the next step for OpenSSO then?

ForgeRock