It is one of my childhood ambitions to write books and see my writing in print. I have written a few articles in Tamil and English, but those are not more than 10 pages. I kind of believed that I have a penchant for writing; in the past I have authored a lot of technical documents as part of my job for customers' consumption.

When the editors at Packt Publications approached me about the possibility of authoring a book on OpenSSO, I readily accepted the offer, hoping to complete the book in a couple of months. Later I realized it took a month to even scope out the contents of the book. There is a lot of information that can be shared about OpenSSO/OpenAM; I rather decided to focus on the access management features before jumping on to web services security or full-fledged federation services. There are many items in the book that are not available in the public documentation. I grew from the ranks to a senior manager in the Access Management organization and served almost a decade on OpenSSO and its predecessors alone, so I had to condense my ten years of technical experience into a 200-page book; that was one big challenge. The original plan was to complete the book in 8 months, but it took a little over a year; partially the delay was attributed to the Oracle/Sun acquisition, where I had to undergo another round of approval from Oracle management to pursue this book. Most of my Sun blog (http://blogs.sun.com/indira) contents are in the book.

I would like to thank everyone, including the Packt publishers team, the ForgeRock team, the people I have worked with, Oracle management, my friends, colleagues and family for their support. I have thanked and acknowledged them appropriately in the book :-).

What is this book about?

Well, pretty much all you want to know about OpenAM, the open source version of Sun's OpenSSO product, now backed by Forgerock.com, who provide support and services for OpenAM/OpenSSO deployments (my sincere thanks to these people for keeping the project alive; otherwise this book would not have much readership). Oracle continues to provide support for OpenSSO 8.0 Enterprise deployments. This book is written and tested based on the OpenSSO Express Build 9 source code branch; this build is no longer accessible in its binary form (but the source code is) to the external open source community. ForgeRock provides the equivalent build (built from the OpenSSO Express Build 9 source code branch) under the code name OpenAM Snapshot 9, which can be downloaded from http://www.forgerock.org/downloads/openam_release9_20100207.zip

There are subtle variations between the ForgeRock build and the original OpenSSO Express 9, primarily the version string. The ForgeRock version "ForgeRock OpenAM Express Build 9(2010-February-07 13:29)" is known to work with the examples mentioned in this book. In some of the screenshots the version might reference OpenSSO Express; other than that, functionally both should be equivalent.

Some of the chapters, like password reset, backup/restore, logging and identity stores (except the new types like ADAM), will be applicable to OpenSSO 8 Enterprise as well.

Table of Contents of the book

Introduction

  • History of OpenAM
  • OpenSSO vs OpenAM
  • OpenAM – An Overview
  • OpenAM – Services
  • Federation Services
  • Web Services Security and Secure Token Service(STS)
  • OpenAM Entitlements Service
  • What kind of problems does OpenAM Solve?
  • Access Management
  • Federation
  • Securing Web Services
  • Entitlements
  • Summary

OpenAM Deployment and Configuration

  • Deployment Requirements for OpenAM Web Application
  • Containers and Operating Systems Support
  • Java SDK Support
  • Disk and Memory Requirements
  • Browser Requirements
  • Configuration Store versus Identity Store
  • Configuration Store
  • Embedded Configuration Store
  • External Sun Directory Server Enterprise Edition Configuration Store
  • Identity Store
  • How to Obtain OpenAM
  • Building OpenAM from Source
  • Downloading OpenAM Binary
  • Configuring OpenAM
  • Install and Configure Apache Tomcat 6.0.20
  • OpenAM One Click Configuration
  • Verifying OpenAM Configuration
  • What Just Happened
  • OpenAM Configuration Choices
  • Single Server Configuration – Using Embedded Configuration Store
  • Layout of the configuration directory
  • Single Server Configuration – Using External Configuration Store
  • Multi Server Configuration –  Embedded Configuration Store
  • Prerequisites for Multi Server Configuration
  • Adding OpenAM to an Existing Deployment
  • Verification of Multi Server Deployment
  • Configuring using Command Line Configurator
  • Configuring OpenAM with SSL/TLS
  • Configuring Command Line Tools
  • Uninstall OpenAM
  • OpenAM Release and Support Model
  • Summary

OpenAM Administration

  • Administration Interfaces
  • Accessing Administrative Console
  • Console Views and Privileges
  • Console Landing Page-Common Tasks
  • Access Control Tab
  • General
  • Authentication
  • Service
  • Data Stores
  • Privileges
  • Policies
  • Subjects
  • Managing users from Command Line Tool
  • Managing Groups from Command Line Tool
  • Agents
  • Configuration
  • Retrieving All the Server Properties
  • Updating Server Configuration Properties
  • Removing Properties from Server Configuration
  • Sessions Tab
  • Managing Sessions using ssoadm
  • Console Customization
  • Extending LDAP Schema
  • Customizing OpenAM User Service
  • Adding attributes to amUser.xml
  • Removing User Service Schema
  • Adding the updated User Service Schema
  • Adding the Labels
  • Adding the Custom Attributes to Data Store configurations
  • Updating Privileges
  • Testing the Changes
  • Summary

Authentication and Session Service

  • Authentication Process
  • Cookies in OpenAM
  • Authentication Types and URL parameters
  • Module
  • Level
  • Service
  • User
  • Role
  • Realm
  • Resource
  • Other Authentication URL Parameters
  • IDToken Parameter
  • goto and gotoOnFail Parameters
  • locale Parameter
  • arg Parameter
  • iPSPCookie Parameter
  • ForceAuth Parameter
  • PersistAMCookie Parameter
  • Authentication Modules Instances and Chains
  • LDAP Authentication
  • Creating Authentication Instance
  • Updating Authentication Instance
  • Reading Authentication Instance
  • Using Authentication Instance
  • Deleting Authentication Instance
  • Authentication Chains
  • Creating Authentication Chain
  • Updating Authentication Chain
  • Reading Authentication Chain
  • Using Authentication Chain
  • Performing User Based Authentication
  • Deleting Authentication Chain
  • Authentication Modules
  • LDAP
  • Active Directory
  • Data Store
  • Anonymous
  • Certificate(X.509)
  • HTTP Basic
  • Membership
  • JDBC
  • HOTP
  • SecurID
  • SafeWord
  • RADIUS
  • Unix
  • Windows NT
  • Windows Desktop SSO
  • Core
  • User Profile Requirement
  • Setting User Profile attributes in SSO Token
  • Adding Custom Authentication Modules
  • Session Service
  • Session Service Schema
  • Updating Session Service
  • Session Life Cycle
  • Structure of a Session
  • Session State Transition
  • Session Properties
  • Session Change Notification and Polling
  • Session Persistence and Constraints
  • Summary

Password Reset

  • Account Lockout
  • Configuring Account Lockout
  • Physical Lockout
  • In-Memory Lockout
  • Password Reset Application
  • Prerequisites
  • Configure the Password Reset Service in OpenAM
  • Assign Service and Update Service Attributes
  • Creating and Assigning OpenDS Password Policy
  • Creating OpenDS Policy
  • Assigning the policy to a user
  • Forcing Password Change After Reset
  • Behind the Scenes
  • Where are the secret questions?
  • Summary

Protecting Web application using OpenAM

  • Protecting Sample Application on Tomcat
  • Creating the Agent Profile
  • Installing and Configuring the Agents
  • Deploying and Configuring the Java application
  • Create the Policies and associated identities
  • Testing the SSO
  • Fetching User Profile Attributes
  • Summary

Integrating OpenAM with Salesforce and Google Apps

  • Integrating with Salesforce Applications
  • Configuring Hosted Identity Provider and Circle of Trust
  • Configuring OpenAM Meta Data for Salesforce.com
  • Provisioning of User Identities
  • Verifying the SSO
  • Integrating With Google Apps
  • Configuring the Hosted Identity Provider
  • Configuring SSO parameters at Google Apps
  • Provisioning User Identities
  • SSO Verification
  • Summary

Identity Stores

  • Identity Repository Schema
  • Identity Store Types
  • Caching and Notification
  • Persistent Search based Notification
  • Time-To-Live (TTL) based Notification
  • TTL Specific Properties for Identity Repository Cache
  • Supported Identity Stores
  • User Schema
  • Access Manager Repository Plug-in
  • Creating Access Manager Repository Plug-in Data Store
  • Displaying the Data Store Properties
  • Updating Data Store Properties
  • Deleting Data Stores
  • Removing the Access Manager Repository Plugin
  • Oracle Directory Server Enterprise Edition
  • Creating Data Store for Oracle DSEE
  • Updating the Data Store
  • Deleting the Data Store
  • Data Store for OpenDS
  • Data Store for Tivoli DS
  • Data Store For Active Directory
  • Data Store For Active Directory Application Mode
  • Datastore for OpenLDAP
  • Configuring OpenLDAP Suffix
  • Extending the Schema
  • Preparing the Suffix with Necessary Entries
  • Creating OpenLDAP Data Store
  • Testing the Data Store
  • Multiple Data Stores
  • Summary

OpenAM – RESTful Identity Services

  • Prerequisites
  • Invoking REST Interfaces
  • Authentication
  • Authenticate with URL parameters
  • Validating SSO Token
  • Invalidating Session(Logout)
  • Creating Log Events
  • Authorization
  • Identity CRUD Operations
  • Searching Identities
  • Searching for User Identities
  • Searching Groups
  • Searching for Agents
  • Retrieving Identity Attributes
  • Creating Agent Identities
  • Creating User Identities
  • Creating Group Identities
  • Updating Identities
  • Deleting Identities
  • Deleting User Identities
  • Deleting Group Identities
  • Deleting the Agent Identities
  • Other REST Interfaces
  • Summary

OpenAM Backup, Restore and Logging

  • Backup of Configuration Data
  • Backing up OpenAM Configuration files
  • Backing up the OpenAM Configuration Data
  • Crash Recovery and Restore
  • Test to Production
  • How to Perform the Configuration Change
  • Export Test Server Configuration
  • Configure OpenAM on the Production Server
  • Adapt the Test Configuration Data
  • Importing in to Production System
  • OpenAM Audit and Logging
  • Enabling Debug (Trace) level Logging
  • Audit Logging
  • Enabling and Disabling Audit logging
  • File Based Logging
  • Database Logging
  • Oracle
  • MySQL
  • Remote Logging
  • Secure Logging
  • Creating the Keystore
  • How to verify
  • Summary

Troubleshooting and Diagnostics

  • OpenAM Diagnostic Tools
  • Installing and Configuring the Tool
  • Invoking the Tool
  • Troubleshooting
  • Installation and Configuration
  • Scenario 1
  • Scenario 2
  • Scenario 3
  • How to Fix
  • Scenario 4
  • Authentication and Session
  • Scenario 1
  • Scenario 2
  • Scenario 3
  • Scenario 4
  • Identity Repository and Password Reset
  • Scenario 1
  • Scenario 2
  • Scenario 3
  • Scenario 4
  • Scenario 5
  • Policy and Agents
  • Scenario 1
  • Scenario 2
  • Scenario 3
  • Command Line Tools
  • Scenario 1
  • Scenario 2
  • Summary

Loads of source code and scripts are available for download from the Packt Publications website as part of the code bundle; you need to have this to run many of the samples quoted in the book. If you have any comments/questions, leave them in the comments section and I will try to respond to them.