Archive for category IdM

Client Seeking Senior OpenAM Engineer


A client of mine has asked me to assist them in finding a full-time Senior OpenAM Engineer. They are a startup based in Northern Virginia. They are working on some pretty cool initiatives with OAuth2 and SAML and need an experienced engineer to lead this effort.

If you are interested in this please feel free to reach out to me and I’ll put you in touch.


2014 IDM Conference Season Planning


Looks like it’s time to start planning for the IDM conference season.  There are some great conferences planned and I need to figure out how to start budgeting for some of these.  Let me know if I have missed any conferences that should be listed.

March:

May:

June:

July:

September:

December:


Finally connected the dots …


My son (10) has been asking about VPNs a lot lately, which I thought was because of all of the news lately about the NSA. I ended up showing him TunnelBear, which he quickly installed on his laptop and iPhone. I complimented my son for his interest in security and gave a wink about sticking it to “the man”.

A few days later my wife and I were chatting about letting the kids have more access to social media and she said, “well I still have the kids convinced that you can see everything they do on our home network”.   A lightbulb immediately went on over my head.

… Apparently I am “the man”.


Cool Open Identity Stack Scripts/Utilities – GitHub Repos #ForgeRock #IDM


I was working on a few scripts to test out some of the new REST APIs in OpenAM 11.  I saved them out to GitHub and you are welcome to have at them.

I thought it might also be cool to share some of the other repos that are related to ForgeRock as well.  There are some really cool scripts available for interacting with OpenAM, OpenIDM and OpenDJ.

These are freely available but not officially supported by ForgeRock or the developers of the scripts.  Just click on the person’s name to go to their GitHub repo.

OpenAM:

  • Brad Tumy (AuthNUser, checkEntitlements, listAgents *New API and Legacy API*, updatePolicy)
  • Simon Moffatt (Really cool interactive menu!)

OpenDJ:

  • Ludo Poitou (Some really handy utilities e.g.: logstat.py & filterstat.py)
  • Chris Ridd (Very handy utils e.g.: slowops: analyzes operation times in access logs)
  • Simon Moffatt

OpenIDM:

  • Simon Moffatt (Interactive mode menu for calling OpenIDM’s REST APIs)

Full OIS Stack:

  • Warren Strange (Ansible (like puppet) scripts for deploying the OIS stack to Vagrant)

I am sure there are other great repos that I have missed, so feel free to add them in the comments and I can update the post.

Disclaimer: These scripts have been very handy to me but YMMV.

 


For those about to Rock! … introducing the ForgeRock Identity stack introductory bootstrap “sequester special”


I am offering an introductory special to ForgeRock’s Identity (I3) Stack.  I am calling this the “Sequester Special”. The Federales are cutting back budgets and furloughing the Air Traffic controllers (cough … why not the TSA agents at the airport instead) but this is your chance to capitalize on that.

So what’s this all about?

You get to try out the  ForgeRock Open Identity Stack (**ForgeRock support license required for binaries used in a production environment**) and you get a  reduced rate on professional services … to ease those sequester blues.

Download the information sheet here.

Sequester Special | For those about to ROCK …

ForgeRock Open Identity (I3) Stack Bootstrap Package

Tumy-Tech’s Professional Services team provides services to assist you in successfully and rapidly implementing ForgeRock’s Open Identity (I3) Stack into your environment.  The end result? A working implementation of ForgeRock’s Open Identity Stack designed to introduce you to ForgeRock’s products as well as demonstrate several common configurations requested by your many customers.

The ForgeRock Bootstrap Package Includes:

  • ForgeRock Open Identity (I3) Stack installation 
  • User Identity Reconciliation from enterprise LDAP (or AD)
  • User Provisioning & Single Sign-On (SSO) to Google Apps
  • Just-In-Time (JIT) Provisioning & SSO to Salesforce.com
  • Customized Installation & Configuration Documentation

 

Components Included:

  • OpenDJ
  • OpenIDM
  • OpenAM

Customer Requirements:

  • Customer provided servers must meet ForgeRock product specifications.
  • Customer must have an existing Google Apps for Business (or Education) account.
  • Customer must have an existing Salesforce.com account (or developer.force.com).
  • Customer installation environment must have internet connection.
  • Cost does not include travel expenses. (Remote installations are recommended; however, we can provide on-site service if you prefer.  All travel expenses will be invoiced to customer.)

 

Disclaimers (the small print):

  • Use of ForgeRock binaries in production requires a license and subscription from ForgeRock.
  • Each product will be installed on up to one server in customer’s environment.
  • Tumy-Tech will use the most up-to-date, stable build publicly available.
  • OpenIDM will be configured to reconcile users from one existing LDAP (AD or LDAP) user store with up to 20 attributes mapped.
  • Typical bootstrap setup time: 2-3 days. (Additional requirements / use cases are welcome but may require additional time and cost.)

Call or Email our sales team, today, to schedule (240.215.4825 / info@tumy-tech.com)


OpenAM Entitlements and RESTful Web Services


I am wrapping up a crazy busy week.  Probably one of my most technically in-depth weeks in a really long time.  So what kept me busy?  Deep-diving into OpenAM’s Entitlements engine, learning about its REST interfaces and how to extend OpenAM to leverage custom service types.  I’ll explain later since I know you’re thinking, “Tumy … dude, what the heck is a service type?”.

Alright, let’s jump into it …

Entitlements are policies or rules that state what you (or any user) can and can’t do.  Sounds simple, right?  In Information Security, entitlements usually define what resources a user can access, how they can access them, when they can access them and so on and so on.  A resource can be a web URL, a banking transaction, a database record, or frankly anything you might want to protect.  Typically entitlements are expressed through XACML (http://en.wikipedia.org/wiki/XACML).  Entitlements are used in access control settings and used to define fine-grained authorization rules.  This is starting to become too much of an Entitlements 101 class so let me just jump into the hands-on stuff.

Ok, ForgeRock … in their OpenAM product they have an Entitlements engine which is essentially a Policy Management Point and a Policy Decision Point (Google is your friend if you don’t know what those things are).  Out of the box OpenAM supports a few different “service types” which are essentially a set of resources and their associated actions.  For example a web URL would potentially have the actions of “GET” and “POST”.  There are a couple of other service types too (a banking example and a few others).  But what happens when our resource is not a web URL and we want to have actions besides “GET” or “POST”?  What if we wanted to have resources defined as database table names and we wanted to have actions such as “READ”, “UPDATE”, “DELETE”?  We want to be able to create rules that either allow a user to read information from a specific table or deny their ability to read from a certain table.  Ok, hopefully you get the idea … if you don’t, email me and we can talk about it.  OpenAM has a great set of command line tools that you can use to interface with the product; these tools have also been “web” enabled on a JSP page which is accessible through the admin console (it’s disabled by default though).

To create this new service type there are a few steps we need to take:

  • Create a custom Application Type
  • Create a custom Service Type
  • Create a custom Application
  • Create the policy, using the custom service type

4 easy steps.

The Custom Application Type is a few lines that get imported.  Let’s assume that you have enabled the web ssoadm.jsp and have accessed it here:

https://am.ssobridge.com:8443/openam/ssoadm.jsp

You would see a page like this:

Image

Do a quick search for “create-appl-type” and then click on it.

Fill in the form that is displayed with this information:

Application Type Name: BTPolicyService
actions=READ=true
actions=UPDATE=true
actions=DELETE=true
actions=ADD-ACCESS=true
resourceComparator=com.sun.identity.entitlement.URLResourceName
saveIndexImpl=com.sun.identity.entitlement.util.ResourceNameIndexGenerator
searchIndexImpl=com.sun.identity.entitlement.util.ResourceNameSplitter

This creates the set of actions that will be available for your resources of this type.  Save that and then you need to create the Custom Service Type.  This is created by modifying an XML file and then importing that file into a form that is similar to the one we just saw.
The service type provides a little more detail on the actions and sets the True/False values that will be displayed in the policy manager.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ServicesConfiguration SYSTEM "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <Service name="BTPolicyService" version="1.0">
    <Schema serviceHierarchy="/DSAMEConfig/BTPolicyService" i18nFileName="BTPolicyService" i18nKey="BTPolicyService">
      <Global>
        <AttributeSchema name="serviceObjectClasses" type="list" syntax="string" i18nKey="BTPolicyService"/>
      </Global>
      <Policy>
        <AttributeSchema i18nKey="READ" name="READ" syntax="boolean" type="single" uitype="radio">
          <IsResourceNameAllowed></IsResourceNameAllowed>
          <BooleanValues>
            <BooleanTrueValue>true</BooleanTrueValue>
            <BooleanFalseValue>false</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema i18nKey="DELETE" name="DELETE" syntax="boolean" type="single" uitype="radio">
          <IsResourceNameAllowed></IsResourceNameAllowed>
          <BooleanValues>
            <BooleanTrueValue>true</BooleanTrueValue>
            <BooleanFalseValue>false</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema i18nKey="UPDATE" name="UPDATE" syntax="boolean" type="single" uitype="radio">
          <IsResourceNameAllowed></IsResourceNameAllowed>
          <BooleanValues>
            <BooleanTrueValue>true</BooleanTrueValue>
            <BooleanFalseValue>false</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
        <AttributeSchema i18nKey="ADD-ACCESS" name="ADD-ACCESS" syntax="boolean" type="single" uitype="radio">
          <IsResourceNameAllowed></IsResourceNameAllowed>
          <BooleanValues>
            <BooleanTrueValue>true</BooleanTrueValue>
            <BooleanFalseValue>false</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>

In the above XML file, you should notice there are several spots where I have provided the name of the service “DatabaseTablePolicyService” and then the actions and their True/False values. In the ssoadm.jsp search for “create-svc” and then copy and paste this file into that form.

Next step and last step of the “extending” part of the process. So, in the ssoadm.jsp web page, search for “create-appl”. Click on this link and it will open a form very similar to the “create-appl-type” form. Enter the following information:

actions=READ=true
actions=UPDATE=true
actions=DELETE=true
actions=ADD-ACCESS=true
applicationType=BTPolicyService
resources= table://*
entitlementCombiner=com.sun.identity.entitlement.DenyOverride
resourceComparator=com.sun.identity.entitlement.URLResourceName
conditions=com.sun.identity.admin.model.DnsNameViewCondition
subjects=com.sun.identity.admin.model.IdRepoGroupViewSubject
subjects=com.sun.identity.admin.model.IdRepoRoleViewSubject
subjects=com.sun.identity.admin.model.IdRepoUserViewSubject
subjects=com.sun.identity.admin.model.VirtualViewSubject
subjects=com.sun.identity.admin.model.AttributeViewSubject
subjects=com.sun.identity.admin.model.OrViewSubject
subjects=com.sun.identity.admin.model.AndViewSubject
subjects=com.sun.identity.admin.model.NotViewSubject
conditions=dateRange
conditions=daysOfWeek
conditions=dnsName
conditions=ipRange
conditions=timeRange
conditions=timezone
conditions=or
conditions=and
conditions=not

Notice in the above file, that I add the application name and it matches the name we have used in the other configurations. I added the actions again and finally I actually define a resource. I personally like to describe the resource type in a URL style … I can use “table://” as my resource in the policy and that will help remind me later what type of resource that is. You don’t have to prefix your resources in your policy with that … it seems to be optional.
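The three imports above only work together if the names and action sets line up, so here is a pre-import consistency check as an added example (not part of the original post or of OpenAM's tooling). The sample definitions are constructed, shortened copies with two actions, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened copies of the three definitions (two actions only).
APP_TYPE_DATA = """actions=READ=true
actions=DELETE=true"""
SERVICE_XML = """<ServicesConfiguration><Service name="BTPolicyService" version="1.0">
<Schema><Global><AttributeSchema name="serviceObjectClasses" type="list" syntax="string"/></Global>
<Policy><AttributeSchema name="READ" syntax="boolean" type="single"/>
<AttributeSchema name="DELETE" syntax="boolean" type="single"/></Policy>
</Schema></Service></ServicesConfiguration>"""
APPLICATION_DATA = """actions=READ=true
actions=DELETE=true
applicationType=BTPolicyService
resources=table://*"""

def parse_datafile(text):
    """Parse key=value lines; a repeated key accumulates a list of values."""
    attrs = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition("=")
        attrs.setdefault(key, []).append(value.strip())
    return attrs

def action_names(attrs):
    """'actions=READ=true' is stored as 'READ=true'; keep the action name."""
    return {v.split("=", 1)[0] for v in attrs.get("actions", [])}

def check_consistency(type_name, type_data, service_xml, application_data):
    """Return the mismatches between application type, service and application."""
    problems = []
    type_actions = action_names(parse_datafile(type_data))
    service = ET.fromstring(service_xml).find("Service")
    svc_actions = {a.get("name") for a in service.findall("./Schema/Policy/AttributeSchema")}
    app = parse_datafile(application_data)
    if service.get("name") != type_name:
        problems.append(f"service name {service.get('name')!r} != type {type_name!r}")
    if app.get("applicationType", [""])[0] != type_name:
        problems.append(f"applicationType != type {type_name!r}")
    for label, found in (("service", svc_actions), ("application", action_names(app))):
        if found != type_actions:
            problems.append(f"{label} actions differ: {sorted(found ^ type_actions)}")
    return problems

if __name__ == "__main__":
    print(check_consistency("BTPolicyService", APP_TYPE_DATA, SERVICE_XML, APPLICATION_DATA))
```

An empty list means the application type name, the service name and the `applicationType` reference agree and all three declare the same actions.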

At this point you can jump back over to the OpenAM Admin console and create a policy based on this resource, as you can see in the following screenshot.

Screen Shot 2012-12-15 at 11.27.07 PM

So, that’s pretty cool stuff … The entitlements engine is pretty robust, it’s fast and … it has a RESTful interface. I am going to do a deep-dive blog post on the RESTful services at some point but for now let’s just take a look at how you can evaluate an entitlement.

Evaluating a Privilege:

* ssoToken = Authenticated User’s Token
* iPlanetDirectoryPro = session cookie … admin users session token
* action = action user is attempting (GET, POST, READ, DELETE, etc)
* application = application type of policy (defaults to iPlanetAMWebAgentService)
* Subject (user attempting action … encoded session token)

curl -v -H "X-Query-Parameters: ssotoken:AQIC5wM2LY4SfczpL5a3M02ju3uyOd6iMj4zZvPZXB3BNQ4.*AAJTSQACMDE.*" -b "iPlanetDirectoryPro=\"AQIC5wM2LY4SfcxcPg_yUwYu-iQPHH663tv9AnoEEr6j_2k.*AAJTSQACMDE.*\"" "http://am.ssobridge.com:8080/openam/ws/1/entitlement/entitlement?action=READ&resource=table://my_table_name&application=BTPolicyService&subject=4l18suAL/hXNCfzykwIlbV0WbtM%3D"

This will return a JSON formatted object:

{
"statusCode":200,
"body":{
"actionsValues":{READ:"true", UPDATE:"false", DELETE:"true", ADD-ACCESS:"false"},
"resourceName":"table://my_table_name"},
"statusMessage":"OK"
}

You can create a policy that would return attributes, from the user’s identity record, along with this JSON object. There are also RESTful services that will just return an allow or deny, which is great if you don’t need as much information back.
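On the calling side, the decision above should be enforced default-deny. The following is an added example (not from the original post): it builds the query with every parameter URL-encoded and permits an action only on an explicit "true" for the requested resource. The sample response is constructed with quoted keys so it parses as strict JSON, and the function names are hypothetical.

```python
import json
from urllib.parse import urlencode

BASE = "http://am.ssobridge.com:8080/openam/ws/1/entitlement/entitlement"

# Constructed sample mirroring the response shown above (keys quoted).
SAMPLE = """{"statusCode": 200,
 "body": {"actionsValues": {"READ": "true", "UPDATE": "false",
                            "DELETE": "true", "ADD-ACCESS": "false"},
          "resourceName": "table://my_table_name"},
 "statusMessage": "OK"}"""

def decision_url(action, resource, application, subject):
    """Build the request URL; urlencode escapes '/', ':', '=' and '+' so an
    encoded subject value survives the query string unchanged."""
    return BASE + "?" + urlencode({"action": action, "resource": resource,
                                   "application": application, "subject": subject})

def is_permitted(response_text, action, resource):
    """Default-deny: True only for an explicit "true" on this action and resource."""
    try:
        doc = json.loads(response_text)
    except ValueError:
        return False                      # unparseable answer is a deny
    if not isinstance(doc, dict) or doc.get("statusCode") != 200:
        return False                      # error status is a deny
    body = doc.get("body")
    if not isinstance(body, dict) or body.get("resourceName") != resource:
        return False                      # decision is for a different resource
    values = body.get("actionsValues")
    # A missing action, or any value other than the string "true", is a deny.
    return isinstance(values, dict) and values.get(action) == "true"

if __name__ == "__main__":
    print(decision_url("READ", "table://my_table_name", "BTPolicyService",
                       "4l18suAL/hXNCfzykwIlbV0WbtM="))
    print(is_permitted(SAMPLE, "READ", "table://my_table_name"))
```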

So, that was real high level and really basic but I hope that I gave you some ideas for the potential of this engine. Let me know if you have any questions or want to chat about it. Also, I am available on a consulting basis to help design or implement this in your environment.

Acknowledgements:

  • There were a bunch of people at ForgeRock that helped me out at various points through this.  You guys know who you are … I’ll leave your names out so that you don’t get bombarded with requests.
  • Also, there were a few non-ForgeRock guys that went through this last year and gave me some pointers along the way.  Thanks!
  • And finally … to the guys that did this first at Sun.  Thanks for building this stuff and documenting it.  I am thankful that those web pages that you created haven’t vanished yet.


OpenAM: Protecting a Web Application


In response to a post that I had written before on how to install OpenDJ and OpenAM I had someone remind me that I never came back and wrote the follow on post (which I had promised to do).  They posted the question to my other blog site (which I have since migrated over to this site).  I am going to answer the question here as this is the only blog that I am presently maintaining.

Hi,

Can you paste me the link which talks about next part of the installation.
1. Configure OpenAM to look to OpenDJ for users
2. Install a Web agent
3. Create an Access Policy to protect a web application.

I often say that I am successful by “standing on the shoulders of giants”.  There is so much great “how to” content on the ForgeRock Community wiki site and that is where I turn to when I am looking for help or advice on OpenAM, OpenDJ and OpenIDM. Take a look at the section, “OpenAM: How do I?”.  There are a number of “how-to” articles that are literally step by step with screen shots.  

The link for the article that specifically talks about how to configure OpenAM to protect a web application can be found here:  Add Authentication to a Website using OpenAM.

******** Shameless Plug Alert ************

To protect a single web site is pretty simple and straightforward but sometimes you have unusual or difficult use cases where you need another set of eyes or additional help architecting your solution.  I have a lot of experience with the ForgeRock suite and I am available to provide consulting services.  Please don’t hesitate to reach out if you are interested in contracting my services.
