GUIDE TO OPEN-SOURCE IDENTITY MANAGEMENT SOFTWARE

Open Identity White Paper
April 2009

Abstract

Today’s enterprise needs an identity and access management infrastructure that aligns with its business strategies and enables future growth—all while keeping costs low. Sun provides a range of open-source identity management software solutions that offer the flexibility and innovations that businesses need at a lower cost than proprietary alternatives. Based on proven, market-leading software, Sun’s open-source solutions are helping enterprises around the world to expand, streamline, and simplify their identity management systems.

Sun Microsystems, Inc.

Table of Contents

Executive Summary .... 1
Identity Management in an Expanding Enterprise .... 1
Access and Directories .... 2
Open Source for Identity Management .... 3
Sun’s Industry-Leading Identity Source .... 4
Project OpenSSO .... 5
Project OpenDS .... 7
What’s Next for Identity Source .... 9
Looking Ahead .... 10
How to Get Started with Sun’s Open-Source Identity Management .... 10
Sun Identity Customer Success Stories .... 11
Equifax Cuts Costs, Increases Revenue, and Streamlines Audits with Sun Technologies .... 11
Leveraging Open-Source Federation With Google Apps .... 11
OpenSSO Helps Simplify Merger of Two Financial Institutions .... 12
Telco Network Provider EOLs Internal Web Access Management Software in Favor of OpenSSO .... 13


Leveraging Open-Source for Enterprise Identity Management

Sun Microsystems, Inc.

Executive Summary

Identity management is a critical component of an enterprise’s IT infrastructure—particularly as more enterprise applications and systems are being leveraged across extranets. As the number of users grows exponentially, enterprises must ensure that they can meet their increasingly complex identity management needs while keeping the organization in compliance and keeping costs low. Today, enterprises have the option of choosing open-source solutions to meet their identity management requirements.

This chapter explores the advantages of open-source identity software and provides a look at Sun Identity Source, our open-source identity initiative, which currently includes OpenSSO and OpenDS. OpenSSO, the world’s largest open-source identity management project, provides highly scalable, high-performance capabilities for single sign-on (SSO), access management, federation, and secure Web services. OpenDS is an open-source community project focused on building a free, comprehensive, next-generation directory service based on LDAP and DSML standards.

Identity Management in an Expanding Enterprise


Enterprise IT is moving from enterprise-focused applications to extranet-focused applications, from dealing with thousands of users to hundreds of millions of users if not more. The applications that enterprise IT staffs need to deploy, protect, and secure have quickly gone up the scale—as has the number of users, roles, regulatory requirements, and resources that they have to manage. The more an application scales, the more risk there is of exposing data—particularly data outside the corporate boundaries. The challenge for enterprises is developing an identity infrastructure that centralizes security and has a repeatable, scalable, sustainable process that allows developers to create applications without having to worry about security, all while providing the organization with the transparency and compliance adherence it needs.

Identity demands will continue to grow, and the need for scalability will continue to increase as well. As an enterprise adds more and more identity management capabilities—from directory services to access management to provisioning to role management to authentication—it becomes increasingly complex to deploy and to manage. And because most access management solutions today were designed for the enterprise and internal users, not the extranet and external users, enterprises must find a way to address both internal and external needs without overcomplicating the technology infrastructure or overtaxing the IT budget or staff in the process.

Enterprises are also challenged to extend the organization’s reach to more partners, vendors, customers, and others outside the enterprise in more ways—while still controlling the amount of risk to which the organization is exposed as a result.


Additionally, enterprises need an acceptable return on the technology that is used to achieve the right risk/reach ratio.

Access and Directories

Two key components of an enterprise identity management initiative are access management and directory services.

Access Management

Focused on controlling and streamlining access to key applications and data, single sign-on (SSO) capabilities (which include federation, secure Web services, and entitlement enforcement) enable enterprises to both expand and better manage access while maintaining a high level of security.

• Federation provides the ability to make identity portable across multiple domains in a standards-based manner, creating opportunities to expand business reach by building federated connections to Software-as-a-Service (SaaS) applications, partner services, affiliate services, acquisitions, subsidiaries, business process outsourcing, and third-party hosted portals, and to accommodate sign-on for Web services. Making it work in the long term requires standards-based technology that enables repeatable, scalable processes for easily accommodating growing numbers of external entities.
• While many enterprises have invested considerably in centralized authentication and authorization for applications, few have done the same for Web services. Now, however, more are recognizing the importance of abstracting Web services security away from the developer as part of an effort to standardize their security model across the organization.
• Security risks can be reduced by centralizing and enforcing entitlement policies both for internal Web applications and extranet authentication.

Directory Services

To provide secure, reliable access to digital identities and their credentials, identity architectures depend on directory services. In today’s increasingly networked environments, a directory must offer a repository for identity data as well as:

• Provide easy yet secure access to information in multiple repositories
• Maintain the highest possible levels of availability
• Be able to scale dramatically to keep pace with constantly growing and changing groups of internal and external users

A directory that is only a data repository cannot possibly address all these challenges. For this reason, many enterprises have turned to multiple point solutions to provide all the directory-related functionality they need. This can result in an unnecessarily complex directory environment that is extremely costly to deploy and to administer.


Open Source for Identity Management

Obviously, identity management is a highly complex challenge that can easily require advanced skills and knowledge to administer. Open source provides an advantage because, in order to be open, the product has to be highly usable and intuitive—or there won’t be a large community able to work on it. What open source does in the identity space is shift the focus from really complex products that are not very intuitive toward ease of use, making the different features easier to deploy, configure, and use. In turn, open-source identity software projects put pressure on proprietary vendors to start making their identity management products easier to use, more accessible, and more intuitive, with the features that customers need delivered at a faster pace.

Since 2002, identity management tasks—particularly those designed to cross security domains—have benefited from standard protocols that allow applications built on radically different stacks to communicate. For example, important standards such as SAML for federation, XACML for access control, SPML for provisioning, and the WS-* family for Web services have come from the Organization for the Advancement of Structured Information Standards (OASIS). The XML Signature and XML Encryption standards on which many of these standards are based were developed at the World Wide Web Consortium (W3C). And the comprehensive identity Web services framework standard called ID-WSF was developed at the Liberty Alliance.

Key open standards projects focused on identity management include:

• Lasso (http://lasso.entrouvert.org/), which provides open-source Liberty and SAML federation support.
• The OpenLiberty Project (http://openliberty.org/) from the Liberty Alliance, which offers open-source implementations of ID-WSF for identity-consuming applications (the Wakame project) and a set of standards called the Identity Governance Framework (the Aristotle project).
• The Higgins Project (http://www.eclipse.org/higgins/), which offers an open-source framework for integrating different identity data sources.
• OpenSAML (http://OpenSAML.org) from the Internet2 higher-education community, which implements basic SAML assertion write/read functionality, and the Shibboleth implementation (http://shibboleth.internet2.edu/), which provides support for that community’s particular flavor of SAML-based federation.

In addition to open standards, enterprises exploring the best products to meet their identity management requirements should also look at the work of the strongest and most active open-source communities in this space, including:

• The OpenLDAP Project (http://www.openldap.org/), started in 1998, which is building a suite of directory software that includes an LDAP server, LDAP client libraries, and other utilities. Based on the original LDAP reference implementation from the University of Michigan, OpenLDAP software is included with several Linux distributions.
• OpenSSO (https://opensso.dev.java.net/), founded in 2005, a Sun-sponsored open-source project that offers core identity capabilities, including security for Web applications, SSO, federation, and identity services. Based on Sun Java System Access Manager, the project is the foundation for the Sun OpenSSO Enterprise 8.0 commercial product, which was released in November 2008. Each month, OpenSSO is downloaded roughly 1500 times and about 60 new members join.
• OpenDS (http://www.opends.org/), another Sun-sponsored open-source project, is centered on an LDAP server implemented in Java. The first OpenDS code was publicly released in 2006, and a commercial version, Sun OpenDS Standard Edition (SE) 1.0, was launched in July 2008. Each month, OpenDS is downloaded roughly 1500 times and about 50 new members join.
• SimpleSAMLphp, a simple application written in native PHP that supports several federation protocols and authentication mechanisms and can be used for local authentication, as a service provider, or as an identity provider. Now a fully featured PHP federation server, it won a Liberty Alliance ‘IDDY’ award in August 2008 for ‘Emerging Application.’

While proprietary, closed identity products may also adhere to established standards, enterprises that deploy them often find that the costs of maintenance, integration, and upgrades are much higher than initial estimates. Because of this, an increasing number of enterprises are seeing the advantages of Sun’s open-source identity management products, which offer transparency into the product’s code and road map as well as predictable, subscription-based licensing and maintenance costs.

Sun’s Industry-Leading Identity Source

Identity Source is the umbrella name for Sun’s open-source identity initiatives. It is not a product, but rather a way of developing products. With Identity Source, the products are based on source code that has already been proven in the marketplace; each project’s worldwide community then builds onto the code iteratively and out in the open. Although the community is building the next iterations, not every contribution gets accepted into the binary code; there is a rigorous process applied that involves reviewing the code, identifying what will go into the actual binary, and what’s going to be included in separate external libraries. In addition to using open standards, Sun’s open-source projects provide access and transparency into the source code, product road maps, and the ability to address issues quickly and participate in the future direction of the product.


Thinking of implementing SSO in your enterprise?

• Keep it simple. Choose a technology approach that addresses every stage in the evolution of SSO so you can deal with immediate and future problems without also dealing with separate licenses, infrastructures, and products—and the solution will grow incrementally with your business needs.
• Look for a flexible, modular architecture. An ideal solution should address all areas of SSO without requiring the enterprise to deploy every capability. A modular architecture enables enterprises to roll out capabilities as they are needed.
• Focus on integration. Choose an open, agnostic architecture that’s designed to be easily integrated into existing environments and to interoperate with third-party identity products without substantial customization or programmatic development.
• Think about scalability. A standards-based approach that scales as the number of external users grows will decrease operational costs by providing a repeatable, scalable approach to onboarding new applications, Web services, and partners. Also, being able to quickly integrate new partner services that directly enhance customer value can increase revenue and provide competitive differentiation.
• Beware hidden costs. The last thing you need to worry about is making sure licenses are in compliance every time more partners or applications are added. To avoid this hassle, choose a solution that provides an all-inclusive subscription model; look out for solutions that have hidden costs in the form of additional agents or modules that are necessary for business growth.
• Vendor expertise is important. Choose a vendor that understands the interrelationships among core identity challenges—including provisioning, role management, directory services, and compliance management—and that can guide you in building an identity infrastructure that can scale and evolve to extend your reach and manage your risk over the long term.¹


Project OpenSSO

The OpenSSO project is based on the code released as Sun Java™ System Access Manager 7.0 (including components under development for 7.1) and Sun Java System Federation Manager, market-leading products that had been deployed successfully at more than 2000 enterprises worldwide. With a community that has grown to more than 1,000 developers and Sun engineers, OpenSSO is the world’s largest open-source identity management project, providing highly scalable, high-performance capabilities for SSO, access management, federation, and secure Web services.

The work of the OpenSSO community resulted in the November 2008 commercial release of Sun OpenSSO Enterprise 8.0, a 100% Pure Java™ solution that enforces a comprehensive security policy for Web applications and services across the enterprise rather than relying on developers to come up with ad-hoc ways to secure services as they develop them. Because it is based on Java technology, OpenSSO Enterprise is easy to deploy on any operating system platform, including the Solaris™ Operating System, Red Hat, Ubuntu, AIX, Microsoft Windows, and Mac OS X. It also offers broad container support, running on the GlassFish™ application server, Sun Web Server, Apache Tomcat, Apache Geronimo, Oracle Application Server, BEA WebLogic, IBM WebSphere, and JBoss Application Server.

OpenSSO Enterprise is the only access management solution to provide intranet and extranet access management, support federation, and enable Web services security—without the need for separate products or licenses. With OpenSSO Enterprise, organizations can centralize and enforce SSO and security policy both for internal Web applications and extranet authentication—and do so in a repeatable, scalable manner, reducing security risk and decreasing operational expenses. Other identity management vendors require enterprises to purchase a broad number of products to gain this range of capabilities—which increases license and maintenance costs.

• For example, an enterprise that buys OpenSSO Enterprise for fewer than 25,000 users would pay a $40,000 flat fee to leverage access management, federation, and secure Web services capabilities.
• With Oracle, an enterprise would need to license:
  • Oracle Access Manager (internal users = $25 per user; external users = $6 per user)
  • Oracle Identity Federation ($35,000 per processor)
  • Oracle Web Services Manager ($920 per named user; $46,000 per processor)

¹ Best Practices: Negotiating with Oracle, by Duncan Jones with Andrew Parker and Varun Sedov, Forrester Research, February 29, 2008.


In short, customers need to purchase many standalone products to match the same capability as OpenSSO Enterprise. However, this example does not take into consideration integration costs. As the Wall Street Journal reported in March 2009*, “Investors love Oracle’s maintenance and service contracts, which generate margins of roughly 85%, according to analysts. Oracle charges a fixed 22% of the price of a software package, which can cost hundreds of thousands of dollars, for maintenance.” In the same article, Forrester analyst R. Ray Wang noted that, “There’s going to be a breaking point soon where customers say they’re spending too much on maintenance and not getting enough value.”

Many competitors of OpenSSO Enterprise emphasize that they have complete stacks that also include ESSO, risk-based AuthN, and entitlement enforcement, but these products are standalone and have little to no integration. In addition to its current offering, OpenSSO Enterprise is adding entitlement enforcement, ESSO, and two-factor authentication to deliver a fully integrated solution that provides the lowest TCO of any offering available.

Capability              | OpenSSO Enterprise | Oracle                      | CA                      | IBM Tivoli
Access Management       | ✓                  | Oracle Access Manager       | CA Siteminder           | Tivoli Access Manager
Federation              | ✓                  | Oracle Identity Federation  | CA Federation Manager   | Federated Identity Manager
Web Services Security   | ✓                  | Web Services Manager        | CA Web Services Manager | Federated Identity Manager
Entitlement Enforcement | Summer 2009        | Oracle Entitlements Manager | CA Entitlements Manager | Security Policy Manager
ESSO                    | Fall 2009          | OEM: Passlogix              | CA Single Sign-on       | Access Manager for ESSO

To get the capabilities available in OpenSSO Enterprise, most SSO vendors require enterprises to purchase multiple, unintegrated products—which substantially increases TCO.

* Source: Wall Street Journal, “Rethinking Software Support: Recession Puts New Focus on Oracle Maintenance Contracts,” by Jessica Hodgson, March 12, 2009, http://online.wsj.com/article/SB123678331925895543.html.


Because of the complexity of any identity management deployment, transparency into the code is key to enabling enterprises to integrate the software with their existing infrastructure. Some open-source projects only release some of the source code, but a typical identity management software deployment requires a moderate to high level of customization—and having access to only the limited API that a vendor wants them to see is not enough for enterprise developers to integrate the software effectively. Sun released the entire source code for OpenSSO, including the source code as well as the APIs and SDKs, so that developers can understand the product in far more detail. This approach makes customization easier, increases developer productivity, lowers TCO, and also attracts a bigger community of developers contributing to and deploying the software in their companies—which results in more innovative features and faster issue resolution.

For developers who not only want to customize an application but actually build extensions for it, having access to the source code, APIs, and SDKs provides more opportunity to do creative things. Within the OpenSSO community, for example, members built an extension for PHP to meet a specific need that they’d identified in their own environment, offered it to the community, and that extension got so popular that a whole new community was formed around it—and users are continuing to see benefits.

In fact, Sun’s open-source identity products have a number of features unmatched by the competition that were developed in the community. The Fedlet, a lightweight (8.5 MB package) way for service providers to quickly federate with an identity provider without any configuration required, provides a big advantage for small service providers. While large service providers have long been able to deploy products such as OpenSSO to federation-enable their applications, those running a single application couldn’t take on that much infrastructure overhead. Because a number of such small service providers in the OpenSSO community expressed the need for a more lightweight approach to federation, a Sun engineer was able to quickly build a prototype Fedlet implementation, release it via OpenSSO, and refine it based on community feedback. Just a few months later, the Fedlet was featured in the commercial release of OpenSSO Enterprise 8.0.

Project OpenDS

Sun’s OpenDS is based on Sun Directory Server, which has a 40% market share and more than 4 billion user entries worldwide. The OpenDS charter is to focus on moving extranet directory scalability from hundreds of millions of user entries to billions of user entries—a move driven by the surge in cloud computing and the massive scaling requirements of hosted services over the next 10 years. OpenDS was released under the open-source Common Development and Distribution License (CDDL) with a goal of attracting a community of developers to help build comprehensive, next-generation directory service software. The OpenDS project enables community members to deploy standardized, authenticated directory services for Internet-based applications used inside and outside their organization. Internet applications that rely on directory services include high-traffic Web sites like email, calendar, instant messaging, network naming services, AAA solutions in telco environments, and portals for employees, customers, and partners.

Currently, OpenDS supports a large number of operating system platforms, including Windows, Solaris, OpenSolaris™, Ubuntu, Red Hat, and HP-UX. A Sun partner and community member has also undertaken the task of porting the code to the AIX platform. When that work is complete, the code will be contributed back to the project as an extension—which will further extend the flexibility of the software.

Because OpenDS is a small-footprint directory server that is freely available and can run on many different platforms, developers can easily download it and embed it in their applications. Most proprietary software vendors require developers to purchase or agree to special licenses before installing software in development environments, which can prevent developers from proving application capabilities to the market or to the enterprise.

A department manager had two interns with free time on their hands. He asked them to do an evaluation of OpenDS and OpenSSO for a single sign-on and identity consolidation project the organization was considering funding in the next budget cycle. He expected the interns to come back in a week with a presentation providing a feature comparison, cost-benefit analysis, and a recommendation. Instead, the interns quickly developed a working prototype that allowed them to prove the solution against the business requirements. Because the software was not proprietary and was freely available, the interns were able to collapse the evaluation and proof-of-concept phase and provide the decision makers with a much faster and more complete evaluation. Compared to a sales cycle that typically includes a sales call, presentation, requirements communication, and negotiations over access to beta or evaluation licenses—all before the real work even begins—the open access to OpenDS and OpenSSO enabled the company to reduce the risk of the decision and the operational costs by decreasing the time and resources needed to complete the evaluation.

In 2008, Sun released the Sun OpenDS Standard Edition 1.0, a limited-footprint, commercial, fully supported directory server designed for easy installation, embedding, and configuration that is based on the OpenDS community project. With OpenDS Standard Edition, enterprises can enjoy significant savings in licensing costs over proprietary alternatives. OpenDS has a free right to use under the CDDL license. To get full support from Sun, enterprises can purchase either a subscription or a perpetual license for OpenDS Standard Edition software at a cost of $1.25 per user. A company that purchases a license for 25,000 users would pay $31,250 and get enterprise-class support. If that company later adds CPUs or memory to increase computing power, its license costs for OpenDS Standard Edition will not increase. Additionally, the roadmap for OpenDS includes features like virtual directory, proxy server, directory editor, identity synchronization for Windows (which will sync with Active Directory instances), and Namefinder—all of which will be included in the OpenDS Standard Edition license. As the OpenDS community continues to progress on the project roadmap and add additional capabilities, the cost advantages of OpenDS over proprietary alternatives like Oracle will become even more significant.

What’s Next for Identity Source

Sun is committed to open sourcing all of its identity management software products by early 2011. Using the same model as when it successfully open sourced its access management, federated SSO, and secure service-oriented architecture products (as OpenSSO), and its directory services products (as OpenDS), Sun will ensure:

• The products are based on a 100% Pure Java platform, providing interoperability, integration, and the flexibility to run on virtually any container or platform
• Simplicity, minimizing the number of products needed for comprehensive identity management to reduce ongoing maintenance, support, and training costs

The next phases of Sun’s open-source identity management initiative will expand the offerings to include extranet user management and user roles. Each new identity open-source project will emphasize scalability, with a goal of enabling extranet deployments for hundreds of millions of users, as well as ease of use.


Looking Ahead

A Full Range of Solutions for the Enterprise

Open-source solutions, current offerings: level of difficulty of deploying key capabilities

Capability area    | Easy                                     | Moderate                         | Advanced                         | More Advanced
Access Management  | Internal Authentication                  | Internal Authorization           | Extranet Authentication          | Access Entitlements
Federated SSO      | Single Partner Federation                | Multi-Partner Federation         | Scalable/Repeatable Federation   | Federated Entitlements
Secure SOA         | Internal Web Services                    | Security Token Service           | Scalable/Repeatable Web Services | Web Services Entitlements
Directory Services | Employee Whitepages/Embeddable Directory | Application/Authentication Store | Identity Consolidation           | Global Extranet/Partner/Telco Portal

Open-source solutions coming in 2011: level of difficulty of deploying key capabilities

Capability area         | Easy                   | Moderate                               | Advanced                     | More Advanced
Identity Administration | Password Management    | Automated Deprovisioning               | Role Management/Provisioning | Extranet Provisioning
Identity Compliance     | Entitlements Warehouse | Automated Access Certification and SOD | Compliance Provisioning      | User Activity Monitoring

As Sun continues to expand its open-source identity management offerings, enterprises will be able to take advantage of the flexibility and transparency that open source provides while leveraging market-leading technology that has been proven in organizations worldwide.

How to Get Started with Sun’s Open-Source Identity Management

1. If they haven’t already, ask your developers to download and experiment with Sun’s open-source identity management software, including:
   a. OpenSSO from https://opensso.dev.java.net/
   b. OpenDS from http://www.opends.org/
2. For OpenSSO, developers can take advantage of free training that takes them through a complex OpenSSO deployment, available at http://slslabs.sun.com/course/wspl-am-3508-d
3. If either OpenSSO or OpenDS proves to be a good fit, you can easily migrate to Sun’s fully supported commercial versions, which include all of the features in the latest stable build as well as additional features specifically designed to address even more of the demands faced by today’s enterprise. For more information on Sun’s commercial identity offerings, go to sun.com/identity.


Sun Identity Customer Success Stories

Equifax Cuts Costs, Increases Revenue, and Streamlines Audits with Sun Technologies

A global leader in information solutions, Equifax Inc. provides consumers and businesses with a range of services, including credit intelligence, portfolio management, marketing tools, and data analysis. To provide these offerings, Equifax manages one of the world’s largest databases of consumer and commercial data, supported by 8,000 servers that run a variety of operating systems. The high licensing costs of its application servers had become an issue for the company. In addition, Equifax needed the flexibility of a portal server to accelerate the deployment and customization of services, but it could not justify its cost.

With the help of Sun Professional Services, Equifax built a flexible business-to-business portal using Sun Java System Portal Server and an integrated identity management solution using Sun Identity Manager and Sun OpenSSO Enterprise. Equifax launched its new portal and identity management systems in October 2007. The company was able to support 170,000 users on its new business portal, and the identity management solution provided for enterprise-wide access control, automated provisioning, global directories, and accelerated audits. Overall, the new technologies from Sun have boosted productivity, provided for greater levels of integration, and improved data access.

Leveraging Open-Source Federation With Google Apps

In France, an independent industrial group that designs, produces, and sells components and integrated systems for cars and trucks decided to replace IBM’s Lotus collaborative platform with Google Apps for over 30,000 employees. Google Apps is a suite of applications that includes Gmail, Google Calendar (shared calendaring), Google Talk (instant messaging and voice over IP), Google Docs & Spreadsheets (online document hosting and collaboration), Google Sites (team site creation and publishing), Start Page (a single, customizable access point for all applications), Google Video, and Google Security & Compliance. After discovering OpenSSO through the OpenSSO Project, the organization selected the technology to handle SAML-based federation between the organization’s internal applications and partner applications. Using OpenSSO federated single sign-on capabilities, the company enabled employees to log in to the internal infrastructure and immediately have access to Google Apps tools without having to reauthenticate. The federation technology was particularly attractive because it allowed the secure authentication of employees without sharing employee data or provisioning employees into the Google infrastructure.

The company’s IT group implemented the solution without any Sun support and without a license. Once the solution was in production and working, the organization decided it was the right time to purchase OpenSSO Enterprise for product support and legal indemnification. Given that employee logon is mission critical, the question was not whether to buy an OpenSSO Enterprise license, but when. The OpenSSO model allowed the company to evaluate the product, develop and deploy a solution leveraging open-source components, and purchase a license when it was ready. The Google Apps/OpenSSO implementation lowered the company’s TCO by reducing license costs, decreasing configuration and labor costs, and eliminating infrastructure maintenance costs. Through OpenSSO federation, the firm was also able to make partner authentication repeatable and scalable, reducing time to market and ultimately saving money. Finally, because no employee data was shared with Google, the company did not incur the cost of de-provisioning users when they left the organization, which also increased data security.
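The federation described above, as an added example that is not part of the white paper and is not OpenSSO's or Google's code: a simplified Go model (standard library only) of the exchange between the internal identity provider and the Google Apps service provider. It keeps SAML's roles and the checks the relying party has to make, but replaces the XML assertion and XML-DSig with a fixed-order byte string signed with RSA-SHA256; the entity IDs, the e-mail-address NameID, the five-minute validity window and the employee names are assumptions constructed for the example. The point it makes concrete is the one the case study relies on: the service provider authenticates an employee from nothing but the IdP's public key, which is why it holds no employee records to provision or de-provision.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified model of a SAML 2.0 assertion. Real SAML carries these
// fields as XML under an XML-DSig signature; this example signs a fixed-order byte string.
type Assertion struct {
	ID           string // unique per assertion; lets the SP detect replay
	Issuer       string // IdP entity ID
	NameID       string // the subject, here the employee's e-mail address
	Audience     string // the SP entity ID the assertion is restricted to
	NotBefore    time.Time
	NotOnOrAfter time.Time
	Signature    []byte // IdP's RSA-SHA256 signature over canonical()
}

func (a Assertion) canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", a.ID, a.Issuer, a.NameID, a.Audience,
		a.NotBefore.UTC().Format(time.RFC3339), a.NotOnOrAfter.UTC().Format(time.RFC3339)))
}

// IdentityProvider models the internal SSO system (OpenSSO in the case study).
type IdentityProvider struct {
	EntityID string
	Key      *rsa.PrivateKey
}

func NewIdentityProvider(entityID string) (*IdentityProvider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{EntityID: entityID, Key: key}, nil
}

// Issue runs after the employee has authenticated internally: the IdP asserts the
// subject to one named SP for a short validity window and signs the result.
func (idp *IdentityProvider) Issue(nameID, audience string, now time.Time, ttl time.Duration) (Assertion, error) {
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand.Read does not return an error in current Go
	a := Assertion{ID: fmt.Sprintf("_%x", raw), Issuer: idp.EntityID, NameID: nameID,
		Audience: audience, NotBefore: now, NotOnOrAfter: now.Add(ttl)}
	digest := sha256.Sum256(a.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.Key, crypto.SHA256, digest[:])
	a.Signature = sig
	return a, err
}

// ServiceProvider models the relying party (Google Apps in the case study). It holds no
// employee records: only the IdP's public key, its own entity ID and the IDs already accepted.
type ServiceProvider struct {
	EntityID, TrustedIssuer string
	IdPKey                  *rsa.PublicKey
	seen                    map[string]bool
}

func NewServiceProvider(entityID, issuer string, idpKey *rsa.PublicKey) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, TrustedIssuer: issuer, IdPKey: idpKey, seen: map[string]bool{}}
}

// Validate runs the checks an SP must make before opening a session; skipping any one is a classic SAML flaw.
func (sp *ServiceProvider) Validate(a Assertion, now time.Time) (string, error) {
	digest := sha256.Sum256(a.canonical())
	if err := rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, digest[:], a.Signature); err != nil {
		return "", errors.New("signature invalid") // tampered, or not signed by our IdP's key
	}
	if a.Issuer != sp.TrustedIssuer {
		return "", errors.New("untrusted issuer")
	}
	if a.Audience != sp.EntityID {
		return "", errors.New("audience mismatch") // minted for a different SP
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return "", errors.New("outside validity window")
	}
	if sp.seen[a.ID] {
		return "", errors.New("assertion replayed")
	}
	sp.seen[a.ID] = true
	return a.NameID, nil
}

func main() {
	idp, err := NewIdentityProvider("https://sso.example.internal") // assumed entity IDs
	if err != nil {
		panic(err)
	}
	sp := NewServiceProvider("google.com/a/example.com", idp.EntityID, &idp.Key.PublicKey)
	a, _ := idp.Issue("alice@example.com", sp.EntityID, time.Now(), 5*time.Minute)
	fmt.Println(sp.Validate(a, time.Now())) // alice@example.com <nil>
	fmt.Println(sp.Validate(a, time.Now())) // the same assertion a second time: assertion replayed
}
```

Running it shows the first validation succeeding and the second, a replay of the same assertion, failing. The checks are ordered so that a tampered or foreign-signed assertion is rejected before any state is touched, and the replay cache is only written once everything else has passed; in production that cache needs the same expiry as NotOnOrAfter so it does not grow without bound. A real SAML service provider must also make sure the signature it verified covers the very assertion element it then reads (the XML signature wrapping class of bugs), which the flat byte string here sidesteps.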

OpenSSO Helps Simplify Merger of Two Financial Institutions

When two major North American financial institutions merged, the combined institution became the largest U.S. bank by branches. With the merger, the firms needed to combine their information technology systems in a quick and seamless manner. The firm adopted OpenSSO Enterprise to provide a standard way to onboard acquisition and partner services in a repeatable, scalable manner. OpenSSO Enterprise enabled the company to easily handle single sign-on, account linking, and global logout among both institutions’ applications. Rather than burdening employees with a separate password for each infrastructure, the firm let them keep a single login for all of their applications. Although the institution had little to no interest in open-source models, it fully leveraged the benefits of open source during the evaluation period. First, the organization was able to evaluate OpenSSO Enterprise 8 (released November 2008) six months before it became commercially available. It also evaluated stable builds of OpenSSO and was able to compare them to other federation products, including one offered by Ping Identity. This access enabled the firm to determine that the next commercial release of OpenSSO had all the capabilities it wanted and that it outperformed competitive offerings. Through hands-on experience, the firm’s IT department was able to exercise the capabilities of OpenSSO and conduct a thorough proof of concept on its own time frame and in its own environment before purchasing a license, a huge advantage over proprietary alternatives.


Telco Network Provider EOLs Internal Web Access Management Software in favor of OpenSSO

A telco network provider that sells solutions to major telco providers worldwide had built and was maintaining an in-house Web access management solution. That home-grown solution, however, carried significant overhead and distracted the company’s developers from focusing on more strategic telco technologies. After downloading and testing OpenSSO, the company chose to leverage the open-source solution for its Web access management needs and to focus developer time and energy on building additional, vertical features that provide traditional telcos with SSO and federation capabilities for integrating partner content. As a result, the company was able to end-of-life (EOL) its internal solution. Additionally, it was able to leverage OpenSSO’s general federation solutions and commit telco-specific code back to the OpenSSO community. Telco capabilities that could be generalized were adopted by the OpenSSO project and productized in the core product; those that could not be generalized were maintained by the telco company.


Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN (9786) Web sun.com © 2009 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, the Sun logo, Java, 100% Pure Java, Solaris, OpenSolaris, and GlassFish are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the United States and other countries. Information subject to change without notice.  Printed in USA 04/09  #56122
