As we already commented two months ago, we like Sun's strategic shift towards openness in the development cycle of its software, and believe that it offers several benefits. For one, customers have very direct interaction with the developers, who make themselves available regularly and can often be found on internet relay chat. This in itself is not to be underestimated and is a very welcome alternative to some of Sun's competitors, who keep developers in the organisational equivalent of an ancient sultan's harem - completely inaccessible to the outside. Secondly, anyone is free to join the development effort and contribute to the products by submitting code additions and patches (these are then, in order to maintain quality standards, evaluated by "committers" before actually making it into the products). Some criticise this model because, compared to traditional free software under the GNU General Public License or similar licenses, the Sun Community License has Sun retaining overall control of the code. Then again, for a commercial product this is to be expected. OpenSSO is free to use - even for production purposes. In order to get commercial support, a license needs to be acquired.
So what about the transition of Access Manager to OpenSSO Enterprise? It is helpful to remember that OpenSSO comes in two editions: OpenSSO Express and Enterprise. Both are from the same code base, and the difference is in the release cycles: for Express it is three months, and for the Enterprise version it is roughly 12 months. Hotfixes are available for the Enterprise version but not for the Express version - Express users can get the latest fixes and additions by downloading the latest build which is available on a daily basis. Sun supports both versions equally, and organisations are indeed encouraged to mix and match - several of Sun's customers are running OpenSSO Express in their development and pre-production environment, and the Enterprise version in production.
Sun is rather successful in pitching its identity technology to the technical community and is closing a good number of deals through the "bottom-up" approach. Indeed, the OpenSSO community is very active and accessible. Because OpenSSO is free to use, it is popular with technical staff for proofs of concept, and when these work well, a move to production suggests, but does not mandate, licensing the product in order to receive commercial support.
To launch OpenSSO Enterprise, Sun has arranged a publicity stunt: the actual announcement will be made in "Second Life", an internet-based 3D virtual world. Sun's senior product line manager Daniel Raskin will harness the virtual identity of the "Identicat" to make the announcement. Had Daniel not briefed us beforehand, this would have put us in somewhat of a tight spot - whilst some of our kids may be enjoying Second Life, they are typically not very interested in OpenSSO, and vice versa.
So stunts aside - where is the meat behind the announcement? Apart from the obvious advantages that we see in Sun embracing a community development and support model in parallel to a commercially supported version, OpenSSO Enterprise comes with a set of new features compared to Access Manager 7.1. These features already existed in OpenSSO Express, hence the new release of OpenSSO Enterprise brings it up to par with the Express version. Within the last twelve months much has been added, which underlines a vibrant and dynamic product development. The latest features fall into the categories of web access management, federation and web services (or SOA, for Service Oriented Architecture) security. Addressing past criticism for being difficult to deploy and administer, Sun has put much effort into revamping the administrative interface and the installation procedure. The latter is demonstrated by another publicity stunt by Daniel Raskin, who features in a video on the Sun site in which he creates from scratch a federation with two instances of OpenSSO and one instance of the Fedlet, all within the length of an accompanying tune by the rock band "Guns N' Roses". Server and agent configuration is now centralised through the administrative console - no more configuration files all over the place. OpenSSO now provides web services for authentication, authorisation, auditing and logging. In terms of interoperability, XACML is supported for requests between an external policy enforcement point (PEP) and OpenSSO acting as the policy decision point (PDP), and a very interesting feature is that OpenSSO can now consume and translate third-party tokens from other major access management solutions, such as CA SiteMinder, Oracle Access Manager and RSA ClearTrust (support for IBM Tivoli Access Manager tokens is currently under development).
On the federation side, OpenSSO Enterprise can now act as a federation hub, supporting all major standards such as SAML 1.1, SAML 2.0, WS-Federation, ID-FF, WS-Trust, WS-Security and WS-Policy. Protocol translation is supported, hence a federated circle of trust can have partners using a mix of any of these protocols. For connecting partners into the federation network, the "Fedlet" is provided, an 8.5 MB package that allows service providers to create a fully configured trust network based on SAML 2.0. When an organisation acquires commercial support through licensing and uses OpenSSO as an identity provider (IdP), all partners that participate as service providers (SPs) in the federation are automatically covered by the same support agreement without any additional fee, and can choose whether to run the Fedlet or OpenSSO as an SP instance. At this point it makes sense to mention again that running the OpenSSO or Fedlet software is always free of charge (even in production environments) and needs to be licensed only if professional support by Sun is desired.
For securing web services in a SOA environment, the features carried over from OpenSSO Express include a security token service that can handle token issuance, validation and translation via WS-Trust, and that can be deployed as an integrated or stand-alone solution. Out-of-the-box tooling for the NetBeans integrated development environment and GlassFish (Sun's open source application server) is also available. For other application servers such as Oracle BEA WebLogic, IBM WebSphere, Tomcat and JBoss, policy enforcement plug-ins have been available for some time, and have now been enhanced to support secure web services.
At Kuppinger Cole we have noticed a substantial leap in OpenSSO's features and product quality, which Sun attributes to the open development model. Access Manager used to have a reputation of being somewhat "rough around the edges" in terms of installation and administration, and this criticism has been well addressed. The feature set around federation is one of the most innovative in the industry. General web access management is addressed reasonably in OpenSSO Enterprise, although we still see some room for improvement there. Web services security is still an emerging area for the whole industry and not yet fully mature, and we expect Sun and other vendors not just to continue to expand their feature sets in this area, but also to help define the technology as a whole.
Sun has already confirmed that its intention is to eventually place its other identity products, namely Role Manager and Identity Manager, under the same model. OpenDS, Sun's future directory server, is already there. The open development model has given a boost to OpenSSO, and if this continues and can be replicated for the other identity and access management products, Sun's future in that field looks very bright.
With some sarcasm, many IT professionals note that "Express" is a synonym for "limited" and "Enterprise" is a synonym for "expensive". Sun will have to educate its customers that this is certainly not the case for OpenSSO.
Created: 29.09.08, modified: 20.10.08