Entitlements Service

I am one of the team of 4 engineers who have worked on designing and implementing the entitlements service for the OpenSSO project for a year, and we are happy to see that the entitlements service is the key feature in OpenSSO Express 9 (see our press release).

The following are the key things we have done (I wrote about 80% of the SDK, so it is OK to blame me if things are not working):

  1. Improved scalability.
    We use indexes in the LDAP server to locate policies for evaluation. This fast, heuristic approach eliminates most unrelated policies and retrieves the related ones rapidly. Our latest test shows that we can handle over 1 million policies.
  2. Improved performance.
    We use multi-threading, a reentrant read-write lock (from the Java concurrency package) and LDAP indexes to speed up policy evaluation. Performance has improved significantly when benchmarked against the previous policy evaluation engine. We are in the process of tuning the caching system, and better results are expected.
  3. REST interfaces
    We have REST interfaces for policy evaluation and management. This means that non-Java clients (such as PHP and Python) can make policy evaluation requests. Jersey, the state of the art, is used for our REST implementation, and JSON is used too.
  4. User-friendly UI
    My co-worker has developed a nice set of entitlements service UIs using ICEfaces.
  5. XACML support
    Policies can be imported from and exported to XACML.

Currently, we are working with technical writers on documenting the entitlements service. You should be able to see these documents early next year, when OpenSSO Express 9 ships.

Well, year 2009 is coming to an end. It has been a fun year working on entitlements service (among my other doings). Sleepless nights, long meetings, ranting and hanging my head on the keyboard (just kidding) are part of the fun :-). I hope that 2010 will be more exciting.


OpenSSO Diagnostic Tool

From the creator of OpenSSO Diagnostic Tool

We have developed an initial version of the Diagnostic Tool to assist in identifying possible OpenSSO configuration issues. The current Beta version is bundled inside ssoExternalTools.zip and is available for download under the nightly builds. Even though this Beta version is not officially supported yet, any comments, suggestions or issues are welcome and will help us enhance the tool.

Download location: here
Documentation: here

Example of how to get Group attributes from REST

<html>
<body>
  <!-- Submits to the identity/read REST endpoint; with no method attribute the browser sends a GET -->
  <form action="http://www.example.com:8080/opensso/identity/read">
    <input name="name" value="group1"/>
    <!-- attributes_names is repeated once per attribute being passed -->
    <input name="attributes_names" value="objecttype"/>
    <input name="attributes_names" value="realm"/>
    <!-- each attribute's value goes in attributes_values_<attribute name> -->
    <input name="attributes_values_objecttype" value="Group"/>
    <input name="attributes_values_realm" value="/"/>
    <!-- admin carries the SSO token of the administrator making the request -->
    <input name="admin"
           value="AQIC5wM2LY4SfcwHRXo4oE+yuHQ0BPQD+GZ1/Qd5tCzO9X8=@AAJTSQACMDE=#"/>
    <input type="submit"/>
  </form>
</body>
</html>
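The same request built with Python's standard library, as an added example that is not part of the original post. It shows the repeated attributes_names fields and the percent-encoding of the token (which contains "+" and "="), and it sends the parameters in a POST body rather than in a GET query string, so the admin token does not end up in browser history or web server access logs. The assumption that the endpoint accepts POST is mine, not stated by the post; SSO_TOKEN is a placeholder, and the token used in the check is a constructed sample.

```python
# Added example, not code from the OpenSSO project or the original post.
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen

BASE_URL = "http://www.example.com:8080/opensso/identity/read"  # endpoint from the post
SSO_TOKEN = "PLACEHOLDER_ADMIN_TOKEN"  # placeholder; obtain a real token from /identity/authenticate


def build_read_params(name, object_type, realm, token):
    """Return the (key, value) pairs the HTML form submits, in the form's order.

    attributes_names is repeated once per attribute, and each attribute gets
    its own attributes_values_<attribute> field, exactly as in the form.
    """
    attrs = {"objecttype": object_type, "realm": realm}
    params = [("name", name)]
    params += [("attributes_names", key) for key in attrs]
    params += [(f"attributes_values_{key}", value) for key, value in attrs.items()]
    params.append(("admin", token))
    return params


def encode_body(params):
    """Percent-encode the pairs as application/x-www-form-urlencoded.

    urlencode() encodes '+', '=' and '/' inside values, so a token such as
    'abc+def=@xyz=#' survives the round trip intact.
    """
    return urlencode(params)


def decode_body(body):
    """Decode an encoded body back into {key: [values]} for inspection."""
    return parse_qs(body)


def read_identity(name="group1", object_type="Group", realm="/",
                  base_url=BASE_URL, token=SSO_TOKEN):
    """Send the request as a POST (assumption: the endpoint accepts POST).

    Network call; returns the raw response text. Not exercised offline.
    """
    body = encode_body(build_read_params(name, object_type, realm, token))
    req = Request(base_url, data=body.encode("ascii"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(encode_body(build_read_params("group1", "Group", "/", SSO_TOKEN)))
```

Keeping the token out of the URL is the only behavioural difference from the form; the field names and values are identical, so the server sees the same request either way.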

OpenSSO on Glassfish v3 Prelude

You will run into an issue when you deploy opensso.war on
Glassfish v3 Prelude (I think even on Sun Web Server 7 update 3).

After you have successfully logged in to the console, the request
is redirected back to the Login page.

Several people have already reported this problem.

Here is what happens. OpenSSO sets a cookie whose value contains "=", and Glassfish truncates the cookie value. Since the OpenSSO server cannot get the entire cookie value, the SSO token cannot be created.

An issue is filed on Glassfish.
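An illustration of the failure mode described above, added here and not taken from Glassfish or OpenSSO: a cookie header parser that splits each name=value pair on every "=" loses everything after the first "=" in the value, while one that splits only on the first "=" keeps the value whole. The cookie name is constructed; the value is the token-shaped string from the REST example earlier on this page.

```python
# Added illustration, not Glassfish's or OpenSSO's cookie parsing code.

# Constructed sample: cookie name is made up, the value is the token-shaped
# string from the REST example above and contains two "=" characters.
SAMPLE_COOKIE_HEADER = (
    "session=AQIC5wM2LY4SfcwHRXo4oE+yuHQ0BPQD+GZ1/Qd5tCzO9X8=@AAJTSQACMDE=#; lang=en"
)


def parse_cookies_truncating(header):
    """Split every pair on all '=' and keep only the first two pieces.

    This reproduces the symptom in the post: a value containing '=' is cut
    off at the first '=', so the server never sees the full token.
    """
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        parts = pair.split("=")
        cookies[parts[0].strip()] = parts[1].strip() if len(parts) > 1 else ""
    return cookies


def parse_cookies(header):
    """Split each pair on the first '=' only, so '=' inside a value survives."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def token_intact(received, expected):
    """True when the server-side value equals what the client was given."""
    return received == expected


if __name__ == "__main__":
    expected = "AQIC5wM2LY4SfcwHRXo4oE+yuHQ0BPQD+GZ1/Qd5tCzO9X8=@AAJTSQACMDE=#"
    for parser in (parse_cookies_truncating, parse_cookies):
        got = parser(SAMPLE_COOKIE_HEADER)["session"]
        print(parser.__name__, token_intact(got, expected), got)
```

The second parser is the behaviour a container must have for OpenSSO's token format to survive; when a login loops back to the Login page as described above, comparing the cookie value the browser sends against what the server-side code receives is the quickest way to confirm this kind of truncation.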

Support for sub realm, module and authentication chain for REST authentication

We're working on supporting REST authentication for sub realms, authentication modules and authentication chains.

  1. To authenticate to a sub realm, add uri=realm%3D<sub realm name>, e.g.
    http://www.example.com:8080/opensso/identity/authenticate?
    username=demo&password=changeit&uri=realm%3D/sub

  2. To use a specific authentication module, add uri=module%3D<module name>, e.g.
    http://www.example.com:8080/opensso/identity/authenticate?
    username=demo&password=changeit&uri=module%3DDataStore

  3. To use an authentication chain, add uri=service%3D<authentication chain name>, e.g.
    http://www.example.com:8080/opensso/identity/authenticate?
    username=demo&password=changeit&uri=service%3DldapService

Hence you can log in to a sub realm with an authentication module like this (the inner "&" is encoded as %26 so that it stays inside the uri value):
http://www.example.com:8080/opensso/identity/authenticate?
username=demo&password=changeit&
uri=realm%3D/sub%26module%3DDataStore

This support shall be made available to you soon.
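The encoding rule above, worked through in Python as an added example (not the project's own code): the realm, module and service pairs are joined into one inner query string, which is then percent-encoded a second time so that its "=" and "&" travel inside the single uri value. The decoder shows what the server sees, and the contrast case shows why single encoding is not enough: an unencoded "&" makes the outer parser treat module as a top-level parameter. The URL is the one from the post; usernames and passwords are the sample values from the post.

```python
# Added example, not code from the OpenSSO project or the original post.
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_URL = "http://www.example.com:8080/opensso/identity/authenticate"  # from the post


def build_auth_url(username, password, realm=None, module=None,
                   service=None, base=AUTH_URL):
    """Build the authenticate URL with realm/module/service packed into uri.

    The inner pairs are encoded once with urlencode(); the outer urlencode()
    then encodes the resulting '=' and '&' a second time ("%3D", "%26").
    safe="/" keeps the realm's slashes readable, as in the post's examples.
    """
    inner = [(k, v) for k, v in (("realm", realm), ("module", module),
                                 ("service", service)) if v is not None]
    outer = [("username", username), ("password", password)]
    if inner:
        outer.append(("uri", urlencode(inner, safe="/")))
    return base + "?" + urlencode(outer, safe="/")


def decode_auth_url(url):
    """Return (outer params, inner uri params) as the server would parse them.

    parse_qs splits on '&' and on the first '=', and percent-decodes values,
    so the uri value comes back as 'realm=/sub&module=DataStore' and is then
    parsed a second time.
    """
    outer = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    inner = {}
    if "uri" in outer:
        inner = {k: v[0] for k, v in parse_qs(outer["uri"]).items()}
    return outer, inner


if __name__ == "__main__":
    url = build_auth_url("demo", "changeit", realm="/sub", module="DataStore")
    print(url)
    print(decode_auth_url(url))
```

Running the block prints exactly the combined sub realm plus module URL shown above, which is a handy check when hand-encoding these values for a non-Java client.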

When is Sun OpenSSO Enterprise 8.0 ready?

“When is Sun OpenSSO Enterprise 8.0 ready?”

This question has popped up on the opensso email aliases a few times. Here is where we are now.

  1. Bits are ready.
  2. We have been busy reviewing documents for the past few weeks.
  3. I think that we should have everything ready on its official release date, which is November 11, 2008.
  4. Bits shall be made available on OpenSSO's download page. Look for an image like this one:
    [image: download OpenSSO Enterprise 8.0]
  5. The next OpenSSO official release is OpenSSO Express. ETA is early 2009.

OpenSSO source repository – in a couple of days

As we are putting the finishing touches on the OpenSSO Enterprise 8.0 release, the trunk of the OpenSSO source repository is limited to putbacks for critical issues. In a couple of days we are going to create a CVS branch for OpenSSO Enterprise 8.0 and open the CVS trunk to putbacks for all issues.

                        +---------------- Enterprise 8.0
                        |
-------------------+----x--------------------------- Trunk
                   ^
                   we are here now