Fedora DS + Penrose = Fedora VDS

We are in the process of completing the integration between Fedora DS and Penrose. We created a Java backend plug-in that can be installed as a Fedora DS plug-in module (Fedora DS is very well documented; kudos to the Red Hat team). The configuration instructions are here.

Virtual Directory and SSO

How does a virtual directory relate to a single sign-on solution? Why do you need a virtual directory when you already have SSO?

They say a picture is worth 1,000 words. So here are four pictures for you.
Picture 1: before SSO
[image: without-sso]

Picture 2: after SSO
[image: with sso]

As you can clearly see, an SSO solution removes multiple authentications so that a user doesn’t need to type (present) his credentials every time he accesses an application.

The nature of SSO implies that there will be only one central repository for user information and credentials, preferably an LDAP server. So any additions, modifications, etc. to user information and credentials have to be performed in this central store.

The reality is far from this simple concept, as described in Radovan's excellent blog post on the single directory paradigm.

This is where virtual directory technology comes to the rescue.

Picture 3: here is the picture before a virtual directory
[image: without vd]

Picture 4: here is the picture after a virtual directory
[image: with vd]

The ultimate goal of a virtual directory is to create a single account (virtualized/centralized) for a user, which is obviously a real improvement.

A single account (the end goal of a virtual directory) is not the same thing as a single authentication (the end goal of an SSO solution).

Make sense? Please feel free to chime in.

Open Source Identity Map Dec 2006

The open source Identity Management Map (Dec 2006 edition) is now available online.

Penrose 1.1 is released

Penrose Studio 1.1

Highlights:

  • Improved mapping Engine
  • Performance enhancements
  • Improved LDAP listeners using the latest version of ApacheDS and OpenLDAP
  • Support of operational attributes
  • Numerous bug fixes
  • Penrose Studio proxy/snapshot wizards

Download link

Identity Map: October 2006 Edition

There are quite a few additions to this October 2006 edition, namely Whobar, Zxid and BBAuth.

[image: identity map open source]


Open Source Identity Management Software

Identity Management software is enterprise software, considered to sit at the "top of the food chain". When it comes to Identity Management software, our industry is still in the "you're not going to get fired for buying *name your big vendor here*" paradigm.

We maintain and publish an open source identity management software map. The goal of this map is to give a quick snapshot of the current state of Identity Management software from an open source perspective.

Is it possible to build an open source Identity Management software stack analogous to the LAMP (Linux/Apache/MySQL/PHP) stack? The question is not whether an open source identity management stack will happen, but when the technology will reach critical mass. We believe this will happen sooner rather than later. Our prediction is that many of the initiatives on our IdM map will see massive adoption in the next two years.

P.S.: We will do our best to "separate the wheat from the chaff" in the next version of the identity map, based on popularity and project adoption rate.

Cool Tool: SimAXS

The Identicentric folks have released SimAXS. Most access management applications use the same mechanism, HTTP headers, to pass the login id, roles, group lists, profile data and other identity information to the protected application. This handy tool can pass those header variables directly to IdM applications, saving your developers valuable "billable" time. Grab it now while it's still $399.

Here is a high-level overview of simAXS.

[image: simaxs-architecture]
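The header mechanism described above, as an added example that is neither SimAXS nor Identicentric code: the application side reads the identity headers the access manager sets, and a small harness fabricates the same headers the way a developer tool does during testing. The header names, the gateway address and the sample requests are constructed assumptions. The check a practitioner wants is also shown: the application trusts those headers only when the request actually came through the access-management gateway, so the same headers presented directly to the application are ignored.

```python
# Added example (not SimAXS or Identicentric code): consuming identity headers
# set by an access manager, plus a harness that injects them for testing.
# Header names, the gateway address and the sample requests are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed header names written by the access manager in front of the app.
LOGIN_HEADER = "X-Login-Id"
ROLES_HEADER = "X-Roles"
GROUPS_HEADER = "X-Groups"

# Assumed address of the access-management gateway (reverse proxy).
TRUSTED_GATEWAY = "10.0.0.5"


@dataclass
class Identity:
    login: str
    roles: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)


def wsgi_key(header: str) -> str:
    """WSGI exposes the request header 'X-Login-Id' as 'HTTP_X_LOGIN_ID'."""
    return "HTTP_" + header.upper().replace("-", "_")


def split_list(value: str) -> List[str]:
    """Comma-separated header value -> list, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def identity_from_environ(environ: Dict[str, str]) -> Optional[Identity]:
    """Build the caller's identity from WSGI-style environ headers.

    The headers are trusted only when the request arrived from the gateway.
    A request carrying the same headers but reaching the application
    directly is treated as anonymous (returns None).
    """
    if environ.get("REMOTE_ADDR") != TRUSTED_GATEWAY:
        return None
    login = environ.get(wsgi_key(LOGIN_HEADER), "").strip()
    if not login:
        return None
    return Identity(
        login=login,
        roles=split_list(environ.get(wsgi_key(ROLES_HEADER), "")),
        groups=split_list(environ.get(wsgi_key(GROUPS_HEADER), "")),
    )


def simulated_request(login: str, roles=(), groups=(),
                      remote_addr: str = TRUSTED_GATEWAY) -> Dict[str, str]:
    """Test harness: fabricate the environ an access manager would produce."""
    return {
        "REMOTE_ADDR": remote_addr,
        wsgi_key(LOGIN_HEADER): login,
        wsgi_key(ROLES_HEADER): ",".join(roles),
        wsgi_key(GROUPS_HEADER): ",".join(groups),
    }


if __name__ == "__main__":
    # Through the gateway: identity is accepted.
    print(identity_from_environ(simulated_request("jdoe", ["admin"], ["staff"])))
    # Same headers, but not from the gateway: anonymous.
    print(identity_from_environ(simulated_request("jdoe", ["admin"],
                                                  remote_addr="203.0.113.9")))
```

In a real deployment the gateway check is usually enforced at the network layer as well (the application only listens to the proxy), but keeping it in the application makes the developer harness honest: it has to present the gateway's address to be realistic.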


Penrose: now runs under OpenLDAP

Starting from version 1.0.4, Penrose virtual directory services can run under OpenLDAP using the back-java backend. Here are the complete instructions.

UPDATE: Java Backend for OpenLDAP is now available for download.

Pass Through Authentication

Here is a high-level overview of Pass-through Authentication.

Active Directory Pass-through Authentication (PTA)

Stephen Lombardo from Identicentric wrote:

"+1 for virtual directory pass-through authentication.

It's definitely technically feasible and works very well to drive consolidation of authentication services. From past experience it's one of the most powerful benefits of virtual directory technology. In fact, this feature was key to the value proposition and purchasing decision for several of the prominent deployments I've worked on."

UPDATED: We added wizards in Penrose Studio to automatically configure the Penrose server to pass authentication requests back to Active Directory.

UPDATED: We currently support three different modes of PTA, namely:

  • Default mode: Penrose initially binds to the target directory to check the credentials, then switches to a proxy account for all further operations on the connection. This is by far the most common scenario.
  • Full mode: Penrose binds to the target directory to check the credentials and then holds the connection open to process all directory operations for that connection. In this mode the same credentials you supplied during bind continue to be used for the subsequent operations. This mode is the most valuable in a security-conscious directory environment that makes heavy use of ACLs, because the target directory evaluates its ACLs against the real user rather than the proxy account. In that kind of environment the use of default mode might be undesirable.
  • Disabled mode: In this mode, Penrose doesn't allow pass-through at all. It always operates on the back-end directory with a proxy account. All bind operations against the target server are rejected. Any other operations are executed using the proxy account specified in its XML config.
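The three modes above, as an added example in Python that is not Penrose code: a toy virtual-directory connection in front of a constructed target directory with a constructed ACL table (each user may read only their own entry; the proxy account may read everything). The account names, passwords and ACLs are assumptions made up for illustration. Running the same bind-then-search sequence in each mode shows the point the full-mode bullet makes: in default mode the search runs as the proxy account and the target directory's per-user ACL no longer applies, in full mode it runs as the user, and in disabled mode the bind is refused while the search still runs as the proxy.

```python
# Toy model of the three pass-through authentication (PTA) modes.
# Added example, not Penrose code: the backend, ACL table and account names
# are constructed for illustration. In a real deployment the ACLs are
# evaluated by the target directory (e.g. Active Directory), not here.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PtaMode(Enum):
    DEFAULT = "default"     # bind as the user, then switch to the proxy account
    FULL = "full"           # bind as the user and keep using those credentials
    DISABLED = "disabled"   # reject binds, always operate as the proxy account


class BindError(Exception):
    """Raised when a bind is refused or the credentials are wrong."""


# Constructed sample accounts (DN -> password) in the target directory.
ALICE = "cn=alice,dc=example,dc=com"
BOB = "cn=bob,dc=example,dc=com"
PROXY_DN = "cn=penrose-proxy,dc=example,dc=com"
PROXY_PW = "proxy-pw"                      # would come from the XML config
BACKEND_USERS = {ALICE: "alice-pw", BOB: "bob-pw", PROXY_DN: PROXY_PW}

# Constructed ACL: which bound identity may read which entries.
BACKEND_ACL = {
    ALICE: {ALICE},                 # users read only their own entry
    BOB: {BOB},
    PROXY_DN: set(BACKEND_USERS),   # the proxy account reads everything
}


class BackendDirectory:
    """Stand-in for the target directory that the virtual directory proxies to."""

    def bind(self, dn: str, password: str) -> str:
        if BACKEND_USERS.get(dn) != password:
            raise BindError(f"invalid credentials for {dn}")
        return dn

    def can_read(self, as_dn: str, target_dn: str) -> bool:
        return target_dn in BACKEND_ACL.get(as_dn, set())


@dataclass
class VirtualConnection:
    """One client connection to the virtual directory."""
    mode: PtaMode
    backend: BackendDirectory
    effective_dn: Optional[str] = None   # identity used for later operations

    def bind(self, dn: str, password: str) -> str:
        if self.mode is PtaMode.DISABLED:
            raise BindError("pass-through disabled: bind rejected")
        self.backend.bind(dn, password)          # raises on bad credentials
        # Full mode keeps the user's identity; default mode switches to the proxy.
        self.effective_dn = dn if self.mode is PtaMode.FULL else PROXY_DN
        return self.effective_dn

    def can_read(self, target_dn: str) -> bool:
        as_dn = self.effective_dn or PROXY_DN      # unbound -> proxy account
        if as_dn == PROXY_DN:
            self.backend.bind(PROXY_DN, PROXY_PW)  # proxy credentials from config
        return self.backend.can_read(as_dn, target_dn)


def demo(mode: PtaMode, dn: str, password: str, target_dn: str):
    """Bind as `dn`, then try to read `target_dn`.

    Returns (identity the connection operates as, whether the read was allowed).
    A bind refused because pass-through is disabled leaves the connection on
    the proxy account; wrong credentials propagate as BindError.
    """
    conn = VirtualConnection(mode, BackendDirectory())
    try:
        bound_as = conn.bind(dn, password)
    except BindError:
        if mode is not PtaMode.DISABLED:
            raise
        bound_as = None
    return bound_as, conn.can_read(target_dn)


if __name__ == "__main__":
    for mode in PtaMode:
        print(mode.value, demo(mode, ALICE, "alice-pw", BOB))
```

Running it prints one line per mode for "alice binds, then reads bob's entry": default mode allows the read (as the proxy), full mode denies it (as alice), disabled mode refuses the bind but still allows the read as the proxy. That is exactly the trade-off the bullets describe: default mode is convenient, full mode is what you want when the target directory's ACLs are the real access-control boundary.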


Penrose: as Global Address List (Microsoft Outlook Integration)

Let's say your company uses a CRM system that contains all of your customer information. Penrose allows you to repurpose that information and turn it into a global address list (GAL).
You can then use your favorite e-mail client, such as Microsoft Outlook or Mozilla Thunderbird, with that global address list as a central/shared address book.
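What that repurposing looks like at the data level, as an added example that is not Penrose code and does not use its mapping engine: constructed CRM contact records are mapped onto inetOrgPerson entries and serialised as LDIF (RFC 2849), the entry shape an LDAP-backed address book in Outlook or Thunderbird expects. The CRM field names, the base DN and the two sample contacts are assumptions; the second contact has non-ASCII characters to show the base64 (`::`) form LDIF requires, and the RDN escaping covers names containing commas or other RFC 4514 special characters.

```python
# Added example (not Penrose code): map constructed CRM records to
# inetOrgPerson entries in LDIF. Field names, base DN and sample data
# are assumptions for illustration.
import base64
from typing import Dict, List, Tuple

GAL_BASE_DN = "ou=gal,dc=example,dc=com"   # assumed suffix for the address list

# Constructed CRM export; the non-ASCII name exercises LDIF base64 encoding.
CRM_CONTACTS = [
    {"id": 1001, "first": "Alice", "last": "Liddell",
     "email": "alice@example.com", "company": "Wonderland Ltd", "phone": "+1 555 0100"},
    {"id": 1002, "first": "Zoë", "last": "Müller",
     "email": "zoe@example.com", "company": "Beispiel GmbH", "phone": ""},
]


def escape_rdn(value: str) -> str:
    """Escape the RFC 4514 special characters in an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute; use base64 ('::') when the value is not LDIF-safe."""
    safe = (value.isascii()
            and not value.startswith((" ", ":", "<"))
            and all(c not in value for c in "\0\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def crm_to_entry(contact: Dict) -> List[Tuple[str, str]]:
    """Map one CRM record onto an inetOrgPerson entry as (attribute, value) pairs."""
    cn = f"{contact['first']} {contact['last']}"
    entry = [
        ("dn", f"cn={escape_rdn(cn)},{GAL_BASE_DN}"),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("cn", cn),
        ("sn", contact["last"]),
        ("givenName", contact["first"]),
        ("mail", contact["email"]),
        ("o", contact["company"]),
        ("employeeNumber", str(contact["id"])),   # keep the CRM key for traceability
    ]
    if contact.get("phone"):                       # LDAP rejects empty values
        entry.append(("telephoneNumber", contact["phone"]))
    return entry


def to_ldif(contacts: List[Dict]) -> str:
    """Serialise all contacts as LDIF records separated by blank lines."""
    records = ["\n".join(ldif_line(a, v) for a, v in crm_to_entry(c)) for c in contacts]
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(CRM_CONTACTS))
```

The output can be loaded into a test LDAP server with `ldapadd` to check what the mail client sees; a virtual directory does the same mapping on the fly against the live CRM instead of producing a file.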