OpenAM

By: Indira Thangasamy

Preface

OpenAM is an open source continuation of the OpenSSO project that was taken over, and later scrapped, by Oracle. OpenAM is the only commercial-grade, feature-rich web application that provides SSO solutions. It has a variety of features and a powerful Single Sign-On (SSO) capability, but the implementation can be tricky, and the unorganized and incoherent online documentation is not very helpful.

The OpenAM book will serve as a guide to everything you need to know to get started with implementing Single Sign-On using OpenAM to protect your web applications, along with real-world examples.

The author's extensive experience in testing and troubleshooting OpenAM enables him to share insights on how the product works, its strengths, its weaknesses, and some inside information.

If you are reading this, you probably want to protect your web application using OpenAM. The book starts off with an introduction to OpenAM and describes the core features and the kinds of problems that can be solved by OpenAM. Then it provides you with detailed instructions on how to protect your web applications by using the OpenAM server and policy agents. You will also learn about the user interface elements in order to manage OpenAM successfully. You'll understand the concepts of identity web services provided by OpenAM. There are examples in the book that describe how the REST-based identity services can be invoked and utilized. In the final chapters, you will find detailed discussions about backup, recovery, and audit logging.

The book concludes by discussing some of the common OpenAM problems and tips to troubleshoot them. Although the project name has changed from OpenSSO to OpenAM, the product screen and file names still reflect OpenSSO. Hence, you will encounter the term "OpenSSO" throughout the book.

This practical, hands-on guide will teach you how to protect your web applications by implementing Single Sign-On using OpenAM.

What this book covers

Chapter 1, Getting Started, covers the history of OpenSSO, which dates back to early 2000 when Sun Microsystems started it as the Directory Server Access Management Edition (DSAME). It underwent multiple identity changes before settling on the name OpenSSO.

Chapter 2, OpenSSO Deployment and Configuration, teaches the basic environmental requirements for deploying the OpenSSO web application. OpenSSO provides both a browser-based configurator for users who are comfortable with the web and command line-based interfaces for system administrators who prefer to work at the command line.

Chapter 3, Administrating OpenSSO, introduces the OpenSSO administration interfaces: a browser-based administrative console and a command line interface called ssoadm.

Chapter 4, Authentication and Session Service, covers at length the various authentication mechanisms supported by the OpenSSO server. It also covers the session service, and the SSO token structure and properties. Session high availability and session constraints are among the critical features for production-level SSO deployments.

Chapter 5, Password Reset and Account Management, explains that OpenSSO provides a decent level of identity provisioning and management features. To counter denial-of-service-type attacks, OpenSSO employs lockout mechanisms, both permanent and temporary, which customers can deploy in their specific environments. Another salient feature embedded in the OpenSSO server application is the password reset application.

Chapter 6, Protecting a Simple Web Application to Provide SSO, covers the basic principles of protecting a web application and providing a single login for multiple resources.

Chapter 7, Integrating Salesforce and Google Apps, covers in depth the idea behind SaaS-based applications and how those applications can be integrated with the OpenSSO identity provider environment. It specifically discusses the detailed procedures for integrating Salesforce.com applications and hosted Google Apps.

Chapter 8, Identity Stores, shows how OpenSSO is designed to support the commercially available LDAP servers. It also shows the caching and notification-related properties that form the key to achieving the optimal performance of the overall system.

Chapter 9, RESTful Identity Services, covers most of the supported REST interfaces of OpenSSO identity web services. It provides decent support for the operations that are typically consumed by the client-side programs.

Chapter 10, Backup, Recovery, and Logging, explains how critical it is to safeguard the configuration data so that the system can be reconstructed after unexpected crashes. It is also good practice to periodically back up the system for archival and audit purposes.

Chapter 11, Troubleshooting and Diagnostics, discusses how one can troubleshoot configuration and deployment problems by using the OpenSSO diagnostic tool. This tool provides a means to identify and isolate static configuration and deployment issues. Without it, identifying the root cause of such problems could be cumbersome.

What you need for this book

It is assumed that the reader has access to one of the operating systems supported by OpenSSO, for example Red Hat Linux 4. You'll also need:

Who this book is for

If you are a security architect or a solution developer responsible for the design and development of web-based enterprise applications that need to provide authentication, authorization, and audit facilities along with SSO capabilities, then this book is for you. You do not require any prior knowledge of OpenAM to read this book. Familiarity with Java would be helpful, but is not essential.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "Verify that the output of the sha1sum returns the same value as of the check sum file downloaded from the OpenSSO site."

A block of code is set as follows:

# OpenSSO Users Policy, Password Policies, config
dn: cn=OpenSSO Users Policy,cn=Password Policies,cn=config
objectClass: ds-cfg-password-policy

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

<Property name="AMCtxId" value="690a7ce6a5ed5ab401"></Property>
<Property name="am.protected.SSO.token.mail" value="[email protected]"></Property>
<Property name="am.protected.SSO.token.commonname" value="Indirajith Thangasamy"></Property>
<Property name="authInstant" value="2010-01-18T20:32:59Z"></Property>

Any command line input or output is written as follows:

cvs -d :pserver:memberName@cvs.dev.java.net:/cvs checkout opensso

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "However, the next option, Custom Configuration, is meant for advanced deployment."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to , and mention the book title via the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail .

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Tip

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.