Thursday, October 31, 2013

Mobile Device Management

I blogged about New Paradigm for the Modern Web a few months ago when I came back from the ForgeRock Open Identity Summit in San Francisco.

A few weeks after I came back from the US, I attended the 1st Compuware APM User Conference in Singapore. I then blogged about New Paradigm for the Modern Web - Part II.

I concluded that Cloud, Mobile and Social are not going to go away anytime soon. They will only get bigger, and we had better prepare ourselves for them.

Mobile - yes, this is the tiny little gadget that is getting very hot these days. Every company is finding ways to have corporate applications installed on mobile devices so as to increase the productivity and mobility of its workforce.

But security is the top issue. 

This morning, I came across an article from Citrix and looked further into XenMobile.

XenMobile delivers enterprise grade MDM with role-based management, configuration, security and support for corporate and employee-owned devices. Users enroll their devices, enabling IT to provision policies and apps to those devices automatically, blacklist or whitelist apps, detect and protect against jailbroken devices, troubleshoot device and app issues, and wipe or selectively wipe a device that is lost, stolen or out of compliance. Users can use any device they choose, while IT can ensure compliance of corporate assets and secure corporate content on the device.

This is the Mobile Device Management (MDM) offering from Citrix. Quite typical of any MDM product out there in the market.

But XenMobile attempts to offer more features…

The XenMobile App Controller is a SAML-compliant identity provider that connects to the enterprise directory, reads the authorization policies configured and provides the appropriate secure SAML tokens for user sign-on to federation-enabled applications. To interoperate with older applications that do not support SAML, XenMobile can act as a password manager, storing user credentials and providing them securely so users don’t have to remember their app credentials. Built into XenMobile is a long list of “connectors” for applications that have all the required interaction logic leveraging APIs that the applications expose; for example, APIs to create user accounts within those applications based on authorization policies. With App Controller, authorized applications are exposed to users through Worx Home, forming an enterprise app store and providing users a single place to authenticate and get access to all their enterprise applications. 

Pretty cool.

This gets me thinking … currently, we have ForgeRock Bridge SPE (of course, there is now the famous SalesForce Identity Connect) that helps Cloud Service Providers to federate identities between enterprise customers and the services they offer.

The next feature will definitely be to bridge the gap between identities from enterprise customers (most likely an in-house Microsoft Active Directory) and MDM products. I do not think we should cross the path of building an MDM product from scratch. That would be too far-fetched.

This would be a one-stop solution.

Just my thought. What's your view?


Tuesday, October 29, 2013

OpenID Connect - Nutshell - Part III

I was cleaning up my Dropbox this morning and came across this presentation slide from Forrester - ForgeRock Webinar - Portable Identity Makes IT a Business Enabler.

This compares OpenID Connect against the traditional SAML 2.0 / OpenID 2.0 and the recently more popular OAuth 2.0.

Pretty good.


Friday, October 25, 2013

ForgeRock Customer Support Services

I have customers asking me what types of support they can get from a ForgeRock subscription.

I might as well share it here.

Read the Customer Support Data Sheet for details.


Wednesday, October 23, 2013

Get open on GitHub for the Government?

I think by now almost anyone in the Identity world has heard of the Obamacare website glitch which happened a few weeks ago. Read here and here; there are so many websites that reported the incident. Just google it.

The White House’s Chief Technology Officer even said that “at lower volumes, it would work fine”. This must be the greatest joke I have ever heard!!

Today, I came across this article Governments get open on GitHub.

It's a good move! If the Singapore government can think alike, the open source community will be really happy. It might take a really long time, given the current state. Hopefully, it will happen...


Tuesday, October 22, 2013

JIRA JDBC Authentication Module

We have an internal request to configure our OpenAM to authenticate against the JIRA internal user store. 

I thought it was fairly easy and all I had to do was to write a custom password transformation class that implements JDBCPasswordSyntaxTransform.

As easy as that. No.

By the way, the words underlined with blue are wrong. It should be "transform the clear-text password entered by user".

After exploring how the password is stored in the JIRA internal user store (in our case, a Postgres database), I realised passwords are encrypted with some kind of a salt such that a series of the same clear-text passwords is represented differently after encryption.

As such, the only way to determine whether a clear-text password is the same as the one that is stored in the JIRA internal user store is to use the isValidPassword method in the PasswordEncoder class, which is packaged in

So this means I am left with no choice but to create a new authentication module for JIRA.

Not too much of a hassle though. What I did was to check out the source code of the JDBC class from ForgeRock SVN.

Did nothing much, but add the following code segment towards the end of the process method.

        // Requires the Atlassian PasswordEncoder and DefaultPasswordEncoder
        // classes (the JIRA password encoder library) on the OpenAM classpath.

        // For JIRA password comparison, we are expecting the clear-text password
        // to be handed as-is to the JIRA API, so any syntax transform other than
        // the default ClearTextTransform is rejected.
        if (!transform.equals(DEFAULT_TRANSFORM)) {
            if (debug.messageEnabled()) {
                debug.message("Syntax Transform Exception: ClearTextTransform expected!");
            }
            throw new AuthLoginException(amAuthJDBC, "ClearTextTransform expected", null);
        }

        // Get an instance of the JIRA password encoder, which is based on PKCS5S2
        PasswordEncoder pe = DefaultPasswordEncoder.getDefaultInstance();

        // See if the passwords match: isValidPassword re-hashes the clear-text
        // password with the salt embedded in resultPassword and compares the result
        if (password != null && pe.isValidPassword(password, resultPassword)) {
            userTokenId = userName;
            return ISAuthConstants.LOGIN_SUCCEED;
        } else {
            debug.message("password not match. Auth failed.");
            throw new InvalidPasswordException(amAuthJDBC, "loginFailed",
                null, userName, null);
        }
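To show why a transform-then-compare approach cannot work against a salted PKCS5S2 store, and what an isValidPassword call has to do instead, here is an added example. It is not the OpenAM module code above and not Atlassian's encoder: it is a stand-in built on the JDK's own PBKDF2WithHmacSHA1 via javax.crypto. The salt size, iteration count and key length are assumptions chosen for the demo, since the page does not give JIRA's actual parameters; the stored format (base64 of salt followed by derived key) is likewise the demo's own.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Stand-in for a PKCS#5 v2 (PBKDF2) password encoder. A fresh random salt is
 * drawn on every encode, so the same clear-text password never encodes to the
 * same string twice. A verifier therefore cannot "transform" the clear text
 * and compare strings; it has to take the salt out of the stored value,
 * recompute the derived key and compare the keys.
 */
public class SaltedPasswordDemo {

    // Demo parameters only (assumptions); JIRA's real values are not on the page.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA1";
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 10000;
    private static final int KEY_BITS = 256;

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Encodes a clear-text password as base64(salt || derivedKey). */
    public static String encodePassword(String clearText) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] key = derive(clearText, salt);
        byte[] out = new byte[salt.length + key.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(key, 0, out, salt.length, key.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Verifies clearText against a value produced by encodePassword. */
    public static boolean isValidPassword(String clearText, String encoded) {
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            return false; // not a value this encoder produced
        }
        if (decoded.length <= SALT_BYTES) {
            return false; // too short to hold a salt plus a key
        }
        byte[] salt = Arrays.copyOfRange(decoded, 0, SALT_BYTES);
        byte[] storedKey = Arrays.copyOfRange(decoded, SALT_BYTES, decoded.length);
        byte[] candidate = derive(clearText, salt);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(storedKey, candidate);
    }

    /** PBKDF2 over the clear text with the given salt. */
    private static byte[] derive(String clearText, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(clearText.toCharArray(), salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 not available in this JDK", e);
        } finally {
            spec.clearPassword(); // scrub the password copy held by the spec
        }
    }

    public static void main(String[] args) {
        String first = encodePassword("secret");
        String second = encodePassword("secret");
        // Two encodings of the same password differ, so string equality is useless...
        System.out.println("stored forms differ:   " + !first.equals(second));
        // ...but both verify, because the salt is recovered from each stored value.
        System.out.println("verify against first:  " + isValidPassword("secret", first));
        System.out.println("verify against second: " + isValidPassword("secret", second));
        System.out.println("wrong password:        " + isValidPassword("wrong", first));
    }
}
```

The shape of isValidPassword is the point: the stored value is the only place the salt lives, so the clear-text password must be passed in unchanged, which is exactly why the module above rejects any syntax transform other than ClearTextTransform.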


Monday, October 21, 2013

OpenDJ LDIF File Access

I was reading up on OpenDJ REST API and came across this section in the documentation - LDIF File Access.

The LDIF connection handler lets you make changes to directory data by placing LDIF in a file system directory that OpenDJ server regularly polls for changes.

I admit I did not know such a feature existed. :)

Nevertheless, I personally think this feature is useful for some deployments where integration with legacy systems is required but there is no endpoint to connect to.

Yes, the good old days of file exchanges! :> It worked like a charm, didn't it? To a certain extent ...


Sunday, October 20, 2013

Commercial Open Source from ForgeRock

A check with Wikipedia describes Commercial Open Source as follows:

This model primarily involves offering a "core" or feature limited version of a software product as free and open-source software, while offering "commercial" versions or add-ons as proprietary software, or offering other services for the open source version in a similar manner.

In short, potential customers need to understand Commercial Open Source != Open Source.

I do not understand why there is no question asked when customers purchase Linux Operating Systems from RedHat.

However, when it comes to asking for a subscription from any of ForgeRock Open Identity Stack, there will be a long list of questions. :)

The only reason I can think of is that the subscription for the ForgeRock Open Identity Stack will never be as cheap as that for the RedHat Operating System, for the same number of users. Come on, let's compare apple-with-apple. How can one compare an Operating System with Identity Management software?

Instead, customers should at least ring up the sales teams of similar Identity Management companies and get quotations from them. Then, sit down and be amazed by how much cheaper the subscription from ForgeRock is. (Well, sometimes it might not be cheaper. Customers need to compare feature by feature as well.)

The point is to compare an apple with an apple. And then feature by feature.

Recently, there was this article on the web where the U.S. Department of Defense made its stand on Open Source software.

It is clear that even the organisation that requires the most secure environment in the world does not oppose using Open Source software (as long as there is commercial support for the Open Source software, I suppose. Makes sense?).

I like to show the following to potential customers, showing them the difference it makes when one subscribes to ForgeRock support.

We are now talking about support for Enterprise-ready products - real Identity Management software for the Enterprise for everyday use ... 24x7.

Not forgetting there is this trend of deploying the Open Identity Stack for the Modern Web, which is a huge deployment on the cloud for millions of users. How can one go about deploying the Open Identity Stack without valid subscriptions? :>

Lastly, I would like to congratulate ForgeRock on their new WINS which were recently announced at the ForgeRock European Summit!

GEICO, a recent win, has a really huge OpenAM deployment out there. (I will definitely get a case study from my counterpart in ForgeRock for GEICO) 

Thomson Reuters has been a long-time customer of ForgeRock using OpenAM and has recently migrated all their Sun Directory Servers to OpenDJ.

SalesForce - do I need to say much? :>  Read here.

McKesson has deployed various OpenAM/OpenDJ/OpenIdM solutions to the healthcare systems in the United States.

The big names are paying for ForgeRock subscriptions. They do value the support services that ForgeRock provides.

So, is Commercial Open Source == Open Source?

Think again!


Saturday, October 19, 2013

OpenID Connect - Nutshell - Part II

There you are... at the ForgeRock European Summit, OpenID Connect is one of the OpenAM 11.0 Highlights.

Below is another slide showing how OpenID Connect works...

By the way, OpenAM 11.0 will be released in a few weeks' time. Stay tuned!


Friday, October 18, 2013

Scaling for Modern Web

I saw this slide at the ForgeRock European Summit this week in France.

This is the type of scale OpenAM is built to support for the Modern Web. Yes.

How many products out there can claim to perform at the same scale? Of course, please compare apple-to-apple. Play fair and do not compare by adding in an enormous number of high-end, gigantic servers.

PS: By the way, 100M users only requires roughly 2,500 AuthN/sec.

What am I doing here?

I already told my customer 10,000 AuthN/sec is almost 99.999% unlikely to happen in their environment. They insisted. *Sigh*

But it again proves that OpenSSO/OpenAM is built to be highly scalable.


Wednesday, October 16, 2013

Salesforce Identity Connect - ForgeRock Bridge SPE

Here I am attending the ForgeRock European Summit in France this week, and I am glad Salesforce has chosen ForgeRock Bridge Service Provider Edition (Bridge SPE) to deliver Salesforce Identity Connect, creating a bridge between existing on-premise directory solutions and Salesforce.

You can read the press release here.

This is great! The momentum has finally caught on... Time to move faster! :)


Tuesday, October 15, 2013

OpenID Connect - Nutshell

In the next release, OpenAM 11.0, we'll see OpenID Connect being rolled out.

There has been a bit of hype around rolling out OpenID Connect, even though the Standard Specification 1.0 was still at Draft 21 as of July 5, 2013. Read here. I'm not saying OpenAM in particular, but many others. :>

So what's OpenID Connect actually?

I found these 2 links from Nat Sakimura a good read to get started with:

1. Dummy’s guide for the Difference between OAuth Authentication and OpenID
2. OpenID Connect in a nutshell


Monday, October 14, 2013

Mobile Access Gateway

So CA bought over Layer 7 Technologies in April 2013. How time flies!

While waiting for a friend in Paris CDG airport, I came across an article from CA Layer 7 regarding its recently released Mobile Access Gateway 2.0.

Secure Backend Systems & Ensure Seamless Access for Authorized Users
The Gateway comes with a Mobile SDK for enterprise app developers, which enables:
  • Secure consumption of backend APIs through configuration of mutual SSL between the Gateway and the mobile device
  • Single SignOn (SSO) to mobile apps via enterprise IAM systems or social login, to maintain a seamless end user experience
The Mobile SDK uses key standards like OAuth, OpenID Connect and JWT to leverage the underlying security in mobile operating systems, making it simple for developers to add SSO to their apps. The SDK offers clientside libraries for iOS 6 and Android 4, plus sample code and documentation.

Mobile SSO is definitely a hot topic these days. Watch out!


Thursday, October 3, 2013

How to tune caches in OpenAM

I have been busy with performance tuning for large OpenSSO/OpenAM deployments these few weeks.

This wiki from ForgeRock OpenAM comes in at the right time - Tune Caches in OpenAM. It's a good read!