Monthly Archive for April, 2009

Connecting OpenSSO IDP with SimpleSAMLphp SP

Giving OpenSSO a go? I recommend OpenSSO Enterprise 8.0. For the web container, Glassfish Enterprise V2.1 seems to work well for me.

I had various problems with OpenSSO Express 7 and Glassfish V3 Prelude. Your luck may vary here.

If you are deploying OpenSSO on Glassfish, don’t forget to change the following JVM settings:

  1. -client to -server
  2. -Xmx512m to -Xmx1024m
  3. I had various problems logging in and getting redirected to the login page. Try adding -Dcom.iplanet.am.cookie.c66Encode=true to your JVM settings

Next, deploy OpenSSO. I normally deploy to /opensso, but that’s just me.

After deploying, configure OpenSSO. I normally pick Custom configuration, and for the purpose of this demo I install both the configuration and user information into the inbuilt data store. Finish configuration and log in.

Next head to Create Hosted Identity Provider. Leave all the settings default except change the signing key to Test. Give your Circle of Trust a name. Under attribute mapping, I normally enter cn=cn. Other attributes can be mapped as well, and it’s better to have a SAML assertion with something in it (since SimpleSAMLphp will reject empty assertions).

Install SimpleSAMLphp as an SP. Once set up you should be able to go to:

http://webserver/simplesaml/saml2/sp/metadata.php

And have your SP metadata.

In OpenSSO click Register Remote Identity Provider. Enter the URL above in the box for the metadata URL in OpenSSO. Select the circle of trust to add this to. Click configure.

Next go to:

http://webserver/opensso/saml2/jsp/exportmetadata.jsp

And copy that XML. Head to:

http://webserver/simplesaml/admin/metadata-converter.php

And paste the OpenSSO IDP metadata into that box and click Parse.

Take the result and copy into:

<simpleSAMLphp>\metadata\saml20-idp-remote.php

You’ll have to change the top line from:

'http://webserver/opensso' => array (

To:

$metadata['http://webserver/opensso'] = array (

And don’t forget to change the comma at the end of the block you just pasted into a semicolon. Save saml20-idp-remote.php.

Head back to OpenSSO. Click the Test Federation Connectivity link. Select your circle of trust. Click Start Test. You can use the username “demo” and the password “changeit”.

The test should work correctly. If it does you’ve got SAML connectivity between an OpenSSO IDP and a SimpleSAMLphp SP.

Some things could go wrong though, so we need to think about what’s happening here:

  1. Is the OpenSSO IDP configured correctly?
  2. Is the SimpleSAMLphp SP configured correctly?
  3. Does the OpenSSO IDP trust the SimpleSAMLphp SP?
  4. Does the SimpleSAMLphp SP trust the OpenSSO IDP?

The problem is one of those four things. Good luck.
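As an added example (not code from the original post, and not part of OpenSSO or SimpleSAMLphp), the following Python script does the metadata-converter step and the trust checks from the four-point list offline. It parses an IdP EntityDescriptor, pulls out the entityID, the HTTP-Redirect SingleSignOnService and SingleLogoutService endpoints and the signing certificate, reports anything missing that would stop the SP trusting the IdP, and prints the entry in the $metadata['...'] = array ( ... ); form that saml20-idp-remote.php expects, i.e. the form the post arrives at after the two manual edits. The sample metadata is constructed: the /opensso endpoint paths follow what I understand to be OpenSSO’s default layout but are assumptions, and the certificate body is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not from the original post or from OpenSSO/SimpleSAMLphp.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of an OpenSSO IdP export. The /opensso
# endpoint paths are an assumption about OpenSSO's defaults; the certificate
# body is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://webserver/opensso">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            CONSTRUCTEDPLACEHOLDERCERT
            NOTAREALCERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://webserver/opensso/IDPSloRedirect/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://webserver/opensso/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Same document with the KeyDescriptor removed, to exercise the failure case.
NO_CERT_METADATA = re.sub(r"<KeyDescriptor.*?</KeyDescriptor>", "",
                          SAMPLE_IDP_METADATA, flags=re.S)


def parse_idp_metadata(xml_text):
    """Extract what saml20-idp-remote.php needs from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    info = {"entityid": root.get("entityID"), "SingleSignOnService": None,
            "SingleLogoutService": None, "certData": None}
    for service in ("SingleSignOnService", "SingleLogoutService"):
        for el in idp.findall("md:" + service, NS):
            if el.get("Binding") == HTTP_REDIRECT:  # the binding the SP redirects to
                info[service] = el.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            info["certData"] = "".join(cert.text.split())  # drop PEM line breaks
            break
    return info


def check_trust(info):
    """List what would stop the SP trusting this IdP (points 2 and 4 of the list)."""
    problems = []
    if not info["entityid"]:
        problems.append("missing entityID: the SP cannot match the Issuer of the assertion")
    if not info["SingleSignOnService"]:
        problems.append("no HTTP-Redirect SingleSignOnService: nowhere to send the AuthnRequest")
    if not info["certData"]:
        problems.append("no signing certificate: the SP cannot verify the assertion signature")
    return problems


def php_quote(value):
    """Escape a value for a single-quoted PHP string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_php_entry(info):
    """Emit the entry as it must appear in saml20-idp-remote.php."""
    lines = ["$metadata['%s'] = array (" % php_quote(info["entityid"])]
    for key in ("SingleSignOnService", "SingleLogoutService", "certData"):
        if info[key]:
            lines.append("  '%s' => '%s'," % (key, php_quote(info[key])))
    lines.append(");")  # semicolon, not the comma the converter leaves behind
    return "\n".join(lines)


if __name__ == "__main__":
    for doc in (SAMPLE_IDP_METADATA, NO_CERT_METADATA):
        parsed = parse_idp_metadata(doc)
        print("\n".join(check_trust(parsed)) or to_php_entry(parsed))
```

Feed it the XML from exportmetadata.jsp instead of the constructed sample and it will tell you straight away whether the IdP side published a signing key and a redirect endpoint, which covers the two "does the SP trust the IdP" questions before you touch the SimpleSAMLphp config.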

A fond farewell and a new beginning

I have been working for the Ministry of Education over the past year now working in the area of Identity Management.

So a big thank you to all those people who made a difference in my professional and social life. You will all be missed, as will the fine city of Wellington.

I am now moving to Hamilton to take up a position as a Systems Analyst at the Hamilton City Council, and looking increasingly into how organisations manage their identity data.

Great idea: solar powered wireless routers in a mesh network

Imagine a mesh network of solar-powered wireless routers that have a battery backup. This network would generally route traffic and provide internet access to the general public. In an emergency, communications would still flow through the routers that were connected to each other, hopefully providing enough coverage for IP information which could be more useful in an emergency than just voice. QoS would ensure that this emergency traffic would take priority.

Round The World airfares with oneworld

I’ve been looking into Round The World airfares. One of the best ones I’ve found is through oneworld, called oneworld Explorer. The neat thing is that there’s a Flash-based tool that lets you plan and book your trip online. I think that’s pretty neat to have all that complexity of ticketing conditions bundled into an easy-to-use Flash application.

I planned a flight from:

Auckland New Zealand > Los Angeles USA > Miami USA > Kingston Jamaica > Miami USA > New York USA > London England > Cairo Egypt > Amman Jordan > Bangkok Thailand > Tokyo Japan > Sydney Australia > Auckland New Zealand.

And the total cost was $4,760NZD, which seems pretty reasonable.

Great idea: touchscreen kiosks in liquor stores giving wine tips

Here’s an idea, have touchscreen kiosks in wine stores that give information about particular wines, including what wines suit what meals. Make sure that people could say “I’m buying this wine, what meal should I have?” as well as “I’m having this meal, what wines do you recommend?”. Combine with a loyalty card system to get a greater profile of the customer, and better tailor deals to that person.

Great idea: travel website based on money available to spend

When people go shopping for travel, they have only a finite amount of money to spend. Instead of focusing on where people can go, why not focus on where people can afford to go? One package can be for 10 days in 2 star accommodation, the other package could be for 5 days in 4 star accommodation. Include all meals, connections, transfers, entertainment. Call the site 3K for travel under $3K, or 5K for travel under $5K.

Great Idea: On the fly printing of greeting cards at airports/hospitals

What about the creation of greeting cards at airports and hospitals? All it takes is a touch screen computer, a high quality inkjet printer, and you’ve got an instant personalised greeting card.

Sun GlassFish Enterprise Server v3 Prelude – A first glance

I’m a big fan of Tomcat. It’s sweet. It’s pretty quick. A little lightweight on administration, but fairly simple to install (extract the zip), and Bob’s your father’s brother.

So Sun’s been working on application servers for quite some time now, and the latest incarnation is Glassfish. This article reviews GlassFish Enterprise Server v3 Prelude.

One of the great things about Sun’s software model is that the software is a free download. This is understandable because you really won’t get that far without Sun support in a production-like environment. First port of call is to download Glassfish.

It’s a pretty light download, 27Mb for the English Windows version.

Installing is a snap, just double click on the installer. You’ll need a Java JDK. If you’re doing any enterprise stuff with Sun products you’ll probably need a Java JDK.

The installer lets you pick the ports for the admin interface (4848 by default) and the http port (8080 by default). The interface neatly checks to see if those ports are free, and warns you if they’re not. You can choose to pick a username and password for the admin interface, or leave it as anonymous.

The rest of the installation went smoothly. After installation you have the option to fire up the server. Next port of call is heading to the admin interface (http://localhost:4848). There’s a bit of a delay while Glassfish installs the admin application on the server, but then you’re at the GUI admin screen.

There’s no way to restart the server from the GUI screen. You’ll need to head to the command line and type:

asadmin stop-domain

asadmin start-domain

I’m sure there are other methods of restarting the application server, but that’s what I’ve been doing. If you leave the domain off the command, it’ll default to domain1.

If you’re used to Tomcat’s admin interface (which is sparse), then you’ll be in for a treat with Glassfish. It’s deep. There’s a lot to look at.

At only 27Mb, it’s a quick download. Give it a go and see how you feel.

OpenSSO Enterprise 8.0 doesn’t log in correctly – the fix

Hi there,

If you’ve installed OpenSSO Enterprise 8.0 on Glassfish, you may have the following problem:

  • After installation of OpenSSO, you try and login.
  • Using the correct username and password you are redirected back to the login screen.

The fix is to add the line

-Dcom.iplanet.am.cookie.c66Encode=true

as a JVM option in Glassfish, when changing the other JVM options (like -client to -server).

Source: Sun.com.