Penrose: One point Oh
June 12th, 2006 — News, Penrose
Good news! We’ve launched our final release version of Penrose Virtual Directory Server. This release is a direct result of the awesome support from the Safehaus and Apache Directory communities… so thanks again to all of our 50+ beta testers. Download Penrose 1.0 now.
Open Standard and Open Source
May 11th, 2006 — Open Source
There is a clear and mutual relationship between Open Standards and Open Source Software (OSS).
Open standards aid OSS projects
- Makes it easy for users to adopt an OSS program, because users not locked in – eases migration & integration
- Simplifies OSS development (developers know what to do)
- Open standards aid proprietary projects same way
OSS aids open standards
- OSS implementations help create & keep open standards open (reference model demos implementability & how, clarifies spec)
- Rapidly increases use of open standard. “Implement by downloading” makes standard widespread, & downward cost pressure reins in price of proprietary (increasing use)
- Successful open standards have OSS implementation
The excerpt above is lifted from David A. Wheeler's presentation (Open Standards and Security).
While some companies are spending their engineers' time to participate in working groups and standards-setting organizations, our industry is a better place today because of the significant OSS contributions of all of the hardworking individuals from ASF, Mozilla, Codehaus and other open source communities.
Identity Federation
May 9th, 2006 — Penrose, Use Case
One of the goals of federation is to provide a global single sign-on for end users. Identities from multiple organizations must be shared. As a consequence, federation projects must now work together with other companies while dealing with internal federation issues (involving the integration of internal identities). A Virtual Directory Server solves these common barriers when it:
Acts as an Authentication Server:
In federation, a user can sign on to a trusted server to get a security token (identifier). This Authentication server has to aggregate multiple identities from possibly many external sources.
Acts as an Attribute Server:
Federation involves the association of your various accounts from site to site. A small identifier containing a minimal set of information about you maintains the associations. Exposing this minimal attribute requires an attribute server to allow sites to obtain more information about the user based on the token held by the attribute. The challenge of building an attribute server rests in the ability to search all attributes from external databases/directories quickly. Virtual directories dynamically access and store entries within a cache engine to aggregate user attributes from various places.
Acts as an Authentication Authority Server:
A virtual directory can bring in various policies from different data sources.
UPDATED 5/9/06: We just announced a partnership with Ping Identity. PingFederate can use identity information within Penrose through its LDAP attribute selection and mapping feature.
Asyncweb goes to O’Reilly
April 28th, 2006 — Open Source
Asyncweb, a non-blocking Java HTTP engine project from Safehaus, was accepted for O’Reilly. Here is the session’s link - Building a High Performance XML Router with AsyncWeb and XFire
Triplesec goes to JavaOne
April 28th, 2006 — AuthN
Triplesec, a strong authentication project from Safehaus, has been accepted for JavaOne 2006. Here is the session’s link - Mass Market Two-Factor Authentication Using Java™ ME and Java EE Technologies
UPDATED: The Triplesec team has been busy cranking out code and a demo in preparation for JavaOne. Check out their latest demo. The free SMS account explanation is here.
UPDATED: The JavaOne presentation is now available.
Penrose: CA eTrust DS 8.1 Integration
April 27th, 2006 — Penrose, Tool, Use Case
Aside from manageability and robustness, companies buy an LDAP server for its performance. A directory server is traditionally used as a centralized lookup service, or an identity backbone. With the recent release, we are now marrying the performance of a commercial LDAP server with the versatility of a virtual directory by way of the persistent cache feature. The basic concept of persistent cache is quite simple. By storing the cached entries in a disk-based mechanism, those entries will survive a sudden loss of power (recycle). Since we can store those entries on any LDAP or database server, the cache also gains an unlimited storage capacity.
UPDATED: Complete documentation and the eTrust module JAR file are now online.
Penrose: Sun Java DS 5.2 Integration
April 20th, 2006 — News, Penrose, Use Case
Penrose can leverage Sun Java Directory Server to store its persistent cache. Here is the HOW-TO.
Penrose: Multi-target Writeback
March 22nd, 2006 — News, Penrose, Use Case
Penrose supports Multi-target Writeback, where a single LDAP operation against the Penrose server is translated into many write operations to the back-end stores (multitarget). If all back-end stores are XA-aware, Penrose can execute an XA writeback (for example, System 1 and System 2 must both update, or the entire transaction rolls back). This feature is quite useful for provisioning multiple accounts.
Penrose: JBoss Integration
March 3rd, 2006 — News, Penrose
You can now run Penrose inside JBoss. While we’re on this topic, I want to discuss licensing compatibility. As you know, GPL and LGPL licensed software don’t mix. In Penrose's case, we made an exception for LGPL-based software, including JBoss.
See our FAQ:
Can my BSD/LGPL licensed software include Penrose without violating your GPL license?
Yes, you CAN. We created a FLOSS exception to address this concern. JBoss (LGPL License) can embed Penrose without worrying about license compatibility.
However, it would be illegal for a commercial vendor to re-distribute/re-sell JBoss with Penrose inside.
Penrose: Studio and Eclipse PDE
December 23rd, 2005 — Penrose, Tool
It is easy to create a mapping from a database column to an LDAP entry, and conversely from an LDAP entry to a database column, using the Penrose Studio point-and-click mapping UI. The process can be broken down into three steps:
1. Connect your desired data source; this could be a directory or a database.
2. Create a virtual schema for your desired LDAP views.
3. Publish and deploy your virtual schema into the Penrose server.
It is based on Eclipse RCP PDE (Plugin Development Environment).



