Archive for category Identity
I will be at the LavaJUG (Java User Group from Clermont-Ferrand, France) this Thursday from 19:00 to 21:00, presenting our experience with the OpenDJ project in building a highly scalable and high-performance server in Java. The presentation is based on what I've already presented at a few JUGs in France (AlpesJUG, MarsJUG, PoitouCharentesJUG, …) and Switzerland (JUG Lausanne), but has been updated with regard to the GarbageFirst GC and the most recent HotSpot JVM.
And next week, from Wednesday March 27th to Friday 29th, you will find ForgeRock at the Devoxx France conference.
Come to our conference session about "Enterprise Security in a Cloudy and Mobile World" (the session is in French). The session is on Friday 29th, from 11:45 to 12:35, in the Miles Davis room. Mark it on your calendar, and if you miss it, make sure you stop by our booth (B3) to say hello and talk with some of our engineers. We will also be present at the HackerGarten on Wednesday from 14:00 to 18:00, should you want to have fun with one of our open source projects: OpenAM, OpenDJ or OpenIDM.
This is a big milestone for ForgeRock and the OpenAM project, an open source WebSSO, Authentication, Authorization, Federation and Entitlements solution. After months of development (a few more than we anticipated), we’ve finally released OpenAM 10.0.0, a major version of the product.
OpenAM 10 brings a set of new features, including support for OAuth 2.0 client authentication, the ForgeRock Identity Gateway (built out of the OpenIG project), enhanced SAML 2 identity provider capabilities, a new Risk Based Authentication module, … It also now relies on OpenDJ 2.4.5, the latest stable release of OpenDJ, the open source LDAP directory server, and supports the internet-draft based LDAP password policy. You can find more details in the press announcement, or the product release notes. The documentation of the OpenAM 10 release can be read at
The OpenAM 10 release owes a lot to the OpenAM community, for the issues raised: a total of 41 issues fixed in OpenAM 10 were raised by 26 different people, and for the generous patches offered to fix over a dozen of these issues.
To each and every contributor: THANK YOU!
Another week goes by, and it’s time for another tab sweep.
Silverpeas, a collaborative platform, built as open source under the GNU Affero license by the eponymous company, has been supporting LDAP for authentication and authorization for some time. The documentation for setting up the LDAP domain has been updated using OpenDJ as the recommended server.
ForgeRock OpenIDM capabilities are growing. After getting OpenIDM to work with Activiti to provide workflows, the team posted an experimental tutorial to integrate Jasper with OpenIDM to produce nice reports. You can find more of these tutorials in the OpenIDM How To Collection.
I was traveling a little bit last week, visiting a major customer in the UK (helping with their OpenDJ based directory service that has grown from 13 million entries to 17 million in about 6 months).
Last week was also a busy week in terms of news for ForgeRock. First, we've announced the release of OpenIDM 2.0, a major version of our real-time identity life-cycle management, provisioning and synchronization software product. OpenIDM 2.0 is a new release, but is already running in production at a few happy customers.
ForgeRock and Qubera Solutions have announced a partnership for the delivery of standards-based identity services based on the ForgeRock I3 Open Platform. Qubera Solutions offers workshops and migration tools to help former Sun Microsystems customers move away from legacy software solutions.
I also came across a blog post from Martin Sandren, that positions ForgeRock as one of the challengers on the Identity and Access Management market. It's an interesting read and it looks like the previous announcement does start to address some of his concerns.
And finally, we're expanding and therefore we've published a few job postings on our web site. I'm pretty confident that these are just a few to start with and we will have more, including some in our Grenoble Engineering Center.
The conference happens only once every other year, so with the plethora of conferences here and there, it's quite easy to forget about it. But LDAPCon 2011, the 3rd International Conference on LDAP, has been announced and will take place on October 10-11, 2011 in Heidelberg, Germany.
LDAPCon brings together vendors, developers, active LDAP practitioners and system administrators to share their experiences about service operations, interoperability and application development, and to discuss LDAP at large, in a friendly and passionate atmosphere. It's a unique occasion to talk with the developers of most LDAP related projects, seed them with new ideas, learn the under-documented tips and tricks about your favorite server or library, or exchange with other users and system administrators about best practices around LDAP directory services and applications.
Don't miss the conference, it only happens every 2 years. I hope I'll see you in Heidelberg.
It’s the happy hour, with a double release day at ForgeRock.
OpenDJ 2.4.1 has also been released today. The patch release can be found on the Downloads page in various forms: Java WebStart Installer, Zip package or SVR4 package. The Release Notes have been posted on the Documentation wiki.
I just saw that my colleague Hubert Le Van Gong has been elected to replace Pat Patterson as the OpenSSO Community Lead.
It is sad to see Pat leaving Sun. Pat has been a source of inspiration in my role as OpenDS Community Manager and we've been collaborating on numerous occasions.
Hubert definitely has the skills and the experience to lead the OpenSSO community and oversee all Sun Identity related open source projects. Another good thing is that Hubert and I are both working out of the Grenoble Engineering Center, in France. So I'm expecting some tighter collaboration between the projects and the communities.
Welcome on the community leadership side, Hubert!
On the first week of May, I was in Munich for the European Identity Conference hosted by Kuppinger-Cole.
This was my first participation and I was delighted to meet with several of the experts in the area as well as some OpenDS customers or users, whom I’ve mostly "known" only through blogs or emails. I had discussions with Kim Cameron, Jackson Shaw and James McGovern. We shared tea with Felix Gaehtgens and Prateek Mishra. The conference was also the opportunity to talk with and listen to some of my Sun colleagues that I don’t get to see often like Fulup Ar Foll and Eve Maler. I must say that both of them did pretty interesting presentations.
Eve’s keynote on the first day of the conference brought the case for "permissioned data sharing" and was very well argued. It was the first time that I heard about User Centric identity and VRM tied together and even with a proposed solution.
On Wednesday, Fulup did a very thought-provoking (and fast forward) presentation about Digital Identity in the cloud, where he explained that identity management concepts are inherited from a centralized vision of the world and would not fit well with the cloud, nor scale to the internet. He proposes to look at how mobile operators are solving massive identity scale and to leverage existing SAML2 and Liberty defined services to build the "lazy" identity architecture.
On Thursday I took part in a panel discussion on the subject of "The Identity Bus" or the future of Directory Services (should I say Identity Services?), moderated by Felix Gaehtgens. The panel was an opportunity to see again Steve Shoaff, CEO of UnboundID but previously my manager, and to meet both Dale Olds of Novell and Prateek Mishra of Oracle. I don't know if we've been able to give a good idea of what this "Identity Bus" would look like, but it's definitely "something" in between applications and the data layer, and will probably use a set of protocols like SAML2 and XACML. After the panel, James McGovern asked me when OpenDS will support IGF and CARML. Since both are abstractions and APIs for applications to express their needs in terms of identity related data, I don't think they are appropriate for an LDAPv3 directory server. But I do see a layer on top of Virtual Directories or Directories that is able to consume those and translate them into appropriate functions.
Right after that panel, Mark Craig was taking part in a panel discussion on Virtual Directories, along with Sampo Kellomäki of Symlabs, Michel Prompt of Radiant Logic and Keith Grayson of SAP.
On the Tuesday, Pat Patterson and Daniel Raskin hosted the second OpenSSO Community Day, and it was a great success, with over 50 attendees, a day packed with presentations with a very good balance of users' and deployers' talks vs Sun employees' talks.
Like in New York, I talked about OpenDS, its goals and roadmap and why it's the perfect companion to OpenSSO as the user identity store. Most of the presentations from the OpenSSO Community Day have been posted on the event wiki page. And if you could not make it to New York or Munich, we're having a 3rd OpenSSO / OpenDS / Identity Connectors Community Day in San Francisco on Sunday May 31st at the Moscone center, starting at 1pm. The event is free, but please RSVP. And I hope to see you there.
And congratulations to Pat, Daniel and the whole OpenSSO team, for the Fedlet, winner of the "Best Innovation Award".
Overall, I found the conference really good and interesting and it helped me to put back the work we’re doing in the Directory Services engineering team, in the larger picture of Identity management.
Around 2001, I was collaborating with Jamie’s team to build iPlanet Directory Server Access Manager Edition, an addition on top of the successful iPlanet Directory Server.
Many years later, after many branding changes, tons of new functionalities and supported standards, a successful open sourcing of the code and much investment in ease of use, Sun has just released the first commercial version of the OpenSSO project: Sun OpenSSO Enterprise 8.0.
OpenSSO still makes a great use of LDAP directory servers, but has even gone one step further as it includes an embedded OpenDS directory that can be used as a user store or configuration store, providing an unmatched out of the box user experience.
Yesterday, OpenSSO Enterprise 8.0 was launched in SecondLife.
In a very well attended session, Daniel Raskin and Jamie Nelson showed how OpenSSO Enterprise 8.0, known in its last release as Sun Access Manager, adds many new features, as well as being the first commercial release from the open source OpenSSO project.
What impresses me most with OpenSSO Enterprise is the amount of work that has been put into user experience, simplifying the life of developers, deployers and administrators. With new features such as the embedded OpenDS LDAP server as the configuration store, the Fedlet, the Identity Services or the Java Web Start Installer
Check out a replay of the SecondLife Launch to get a sense of all the cool new features and capabilities.
Last week a Sun Identity Management User Group meeting was held in Paris. The attendance was really good, and in fact exceeded the room capacity as several customers turned up without pre-registering. I was really impressed by the diversity of customers, and the fact that they were coming from all over Europe (Czech Republic, Slovakia, Lithuania, Poland, Greece, Italy, Portugal, Germany, Netherlands, Belgium, UK, France, …).
The Identity Marketing team came in force with Andy Land, Don Bowen and Etienne Remillon (left to right).
Overall it was a good day of interaction with our customers, trying to understand their needs and their issues with our identity management products. If you’re a Sun customer, using Directory Server or other Sun Identity product, I would strongly encourage you to participate. Your feedback is important for us.
This week I was in Paris for the 63rd IETF meeting.
Though I mainly go to the IETF to work on LDAP (both with the LDAPBis working group and as an individual contributor, for example on the LDAP password policy), I often go to other working groups and BOF sessions to get a sense of what's going on in the Internet community (at least in the areas that I understand).
And this time, the buzz was clearly around the recent vulnerabilities in one-way hash functions such as MD5 and SHA1. With the increasing computation power of computers and the ease of mounting man-in-the-middle attacks, these functions are no longer considered secure enough, and neither are authentication mechanisms based on cleartext challenge-response exchanges. For Directory Server customers, this means that the way to secure their authentication to LDAP is to use TLS, either via the StartTLS extended operation or LDAP over SSL. Once the connection is secured, the authentication could be based on the Simple bind, SASL bind with the DIGEST-MD5 mechanism or with exchanged
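To make the point concrete, here is an added example (mine, not from the post or from any Sun or ForgeRock product) that encodes the two LDAPv3 messages involved, a simple BindRequest and a StartTLS ExtendedRequest, using the BER framing of RFC 4511, and then audits a constructed sequence of client messages on one connection to flag any simple bind that was sent before StartTLS was requested. Seeing the password bytes sit verbatim in the bind message is the reason the paragraph above insists on TLS; the audit is the kind of check a defender would run over a capture. The DN and password values are constructed sample data, and the audit deliberately only tracks whether StartTLS was requested, not whether the server accepted it.

```python
"""
Encode LDAPv3 bind and StartTLS messages (RFC 4511 BER framing) and audit a
captured client message stream for simple binds not protected by TLS.
Added example; the DN/password values below are constructed sample data.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS requestName, RFC 4511 s4.14

# --- minimal BER encoding -------------------------------------------------

def _ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER Tag-Length-Value element."""
    return bytes([tag]) + _ber_len(len(content)) + content

def integer(n):
    """BER INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, n.to_bytes((n.bit_length() // 8) + 1, "big", signed=True))

def octet_string(b):
    return tlv(0x04, b)

def ldap_message(msg_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, integer(msg_id) + protocol_op)

def simple_bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0] with 'simple' [0] OCTET STRING authentication.
    The password travels verbatim, which is why this must only be sent inside
    TLS (after StartTLS, or on an LDAPS connection)."""
    op = integer(3) + octet_string(dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, op))

def starttls_request(msg_id):
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID }"""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

# --- minimal BER decoding and the audit -----------------------------------

def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length

def audit_stream(messages):
    """Walk the client messages of one connection in order and report every
    simple bind issued before a StartTLS request (credentials in cleartext)."""
    findings = []
    tls_requested = False
    for raw in messages:
        _, body, _ = _read_tlv(raw)                 # outer LDAPMessage SEQUENCE
        _, id_bytes, pos = _read_tlv(body)          # messageID
        msg_id = int.from_bytes(id_bytes, "big", signed=True)
        op_tag, op, _ = _read_tlv(body, pos)        # protocolOp
        if op_tag == 0x77:                          # ExtendedRequest
            _, oid, _ = _read_tlv(op)
            if oid == STARTTLS_OID:
                tls_requested = True
        elif op_tag == 0x60:                        # BindRequest
            _, _, p = _read_tlv(op)                 # version
            _, dn, p = _read_tlv(op, p)             # name
            auth_tag, _, _ = _read_tlv(op, p)       # AuthenticationChoice
            if auth_tag == 0x80 and not tls_requested:
                findings.append((msg_id, dn.decode(), "simple bind before StartTLS"))
    return findings

if __name__ == "__main__":
    # Constructed capture: a cleartext bind, then a correctly ordered session.
    bad = [simple_bind_request(1, "cn=Directory Manager", "secret")]
    good = [starttls_request(1), simple_bind_request(2, "cn=Directory Manager", "secret")]
    print("password visible on the wire:", b"secret" in bad[0])
    print("findings (bad):", audit_stream(bad))
    print("findings (good):", audit_stream(good))
```

The audit treats a bind as unprotected unless a StartTLS request preceded it on the same connection; on a dedicated LDAPS port the whole stream is already inside TLS, so a capture from that port would not be fed to this check at all.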
On the LDAP front, participation is diminishing (mainly Novell, OpenLDAP and Sun remain), but the work of revising the LDAPv3 specification for clarification and better interoperability is mostly done. The last remaining issues were (hopefully) hammered out this week and we are expecting RFC publication before or around the next IETF meeting.
LDAPers in IETF action: Roger, Kurt, Jim and Ludo (left to right).