Monday, November 10, 2014

OpenAM . OpenUMA

In the recent IRM Summit held in Ireland, ForgeRock announced OpenUMA, an open source community initiative focused on addressing public concerns around privacy and consent in the digital age.

The initiative marries the increasingly popular technical standard, User-Managed Access (UMA), which provides a blueprint for addressing digital consent and privacy, with ForgeRock’s open source access management project, OpenAM. 

Believe it or not, weeks before the announcement of OpenUMA, I was at a customer's site in Singapore, and the IT Director was discussing with me the roadmap for OpenAM and the features he was looking for. FYI, we have deployed OpenAM 10.0.1 for his company and are in the midst of upgrading to 10.0.2.

Most of his applications are .Net and his authentication source is Microsoft Active Directory. He is thinking of migrating to Office 365 in the near future. That makes OpenAM 12 a good candidate.

We were wondering what "Cloud Connector Wizards - Office 365" means. I presumed it meant OpenAM 12 can better integrate with Office 365. And that's why we were not in a hurry to upgrade to OpenAM 11.x. Instead, we chose to upgrade to the latest stable release of OpenAM 10.

We moved on, and he told me his biggest nightmare now is that every application is implementing its own authorization rules. He wanted to isolate authorization from every application and implement it at a higher level in OpenAM. He saw OpenAM as the centralized Authentication & Authorization engine.

The authorization under discussion here is not the coarse-grained authorization currently implemented in OpenAM policies & OpenAM Policy Agents. He is looking for enterprise-wide access management for applications. I searched around and found Access Management 2.0 for the Enterprise to be the correct term.

There is a case study written by Eve Maler - Case Study: Access Management 2.0 for the Enterprise. By the way, I told him Eve Maler has already joined ForgeRock as vice president of innovation and emerging technology. And I even told him there should be something exciting brewing. :)

Coincidentally, weeks later, OpenUMA was announced.

The million dollar question is when will OpenUMA be fully integrated with OpenAM?


Saturday, November 8, 2014

OpenAM Security Advisory #201404

3 days ago, ForgeRock announced yet another security advisory #201404 - the 4th this year.

Good trend? Bad trend? To me, I read it as a sign that the OpenAM deployment base has become larger and more people are using it for real deployments. With more eyes, more bugs will be found. That's a good thing for the community!

#201404 - Denial of Service vulnerability – CVE-2014-7246
In environments where more than one OpenAM server has been configured, it is possible that an authenticated attacker can construct and send a single request that triggers an infinite loop, occupying one or more instances in the deployment until the affected instances are restarted.

Another thing to note:

See that? The patch bundles are now distributed as .zip instead of .jar. This better reflects how the patch bundles should be used: unzip, read the instruction(s), and deploy the patches, which are usually in .classes.

My positive feedback comes true! (See my previous blog) :) Well done! 


Wednesday, November 5, 2014

Insufficient Access Rights: You do not have sufficient privileges to perform an unindexed search

In my previous post, I mentioned that we are currently migrating OpenAM 9.5.3 to OpenAM 11.0.2 for a customer based in Singapore. At the same time, we are migrating a very old OpenDJ 2.4.3 to OpenDJ 2.6.1.

And of course, we do have customized schema in OpenDJ and customized code in OpenAM. Which customer does not have customized requirements?

Anyway, when we ran a unit test against the new setup, we encountered the error below:

11:24:50.514 [http-apr-7070-exec-1] DEBUG DEBUG - [LdapConnection - getAttributes] Getting attributes for filter (sgloginid=USERA)
11:24:50.532 [http-apr-7070-exec-1] ERROR DEBUG - Check devices command exception: Proxy User ID: USERA  User ID: USERA, Facebook ID: null, M2GW IP: x.x.x.x
org.forgerock.opendj.ldap.ErrorResultIOException: org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: You do not have sufficient privileges to perform an unindexed search

        at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext( ~[opendj-ldap-sdk-3.0.0-SNAPSHOT.jar:na]

One of my colleagues googled and directed us to OpenDJ Administration Guide Indexing Attribute Values - Determining What Needs Indexing.

A quick fix is to grant unindexed-search privilege to the account that binds to OpenDJ. But should we?

No, I do not think so.

The article says it all. In order of preference, to resolve the unindexed search issue:

1. If directory users tell you their client applications are getting this error, then you can work with them either to help them make their search filter specific enough to use existing indexes, or to index attributes they need indexed in order to perform their searches.

2. If you do need to allow some applications to perform unindexed searches, because they need to retrieve very large numbers of entries for example, then you can assign them the unindexed-search privilege.

In our case, we should index the attributes as sgloginid is used very frequently in OpenAM for authentication and in another customized application.
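To make the "use existing indexes or add an index" decision concrete, here is an added example (not from the original post, the OpenDJ guide, or OpenDJ's own code) that parses an LDAP search filter and reports which attribute indexes would have to exist for the search to be indexed. It is a simplified model: the `INDEXES` map is a constructed sample, the function names are hypothetical, and index entry limits and extensible-match filters are ignored.

```python
import re

# Constructed sample of a backend's index configuration (attribute -> index types).
INDEXES = {"uid": {"equality"}, "cn": {"equality", "substring"}}
ITEM = re.compile(r"([A-Za-z][\w;.-]*)(~=|>=|<=|=)(.*)", re.S)

def parse(f, i=0):
    """Parse one RFC 4515 filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    else:
        end = f.find(")", i)
        m = ITEM.fullmatch(f[i:end]) if end > i else None
        if not m:
            raise ValueError("bad filter item at offset %d" % i)
        attr, sym, val = m.groups()
        if sym == "=":
            kind = ("presence" if val == "*" else
                    "substring" if "*" in val else "equality")
        else:
            kind = "approximate" if sym == "~=" else "ordering"
        node, i = ("item", attr.lower(), kind), end
    if f[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def missing(node, indexes):
    """Indexes to add so the filter is indexed; empty set if it already is."""
    if node[0] == "item":
        _, attr, kind = node
        return set() if kind in indexes.get(attr, ()) else {(attr, kind)}
    if node[0] == "!":                  # assumption: negation never narrows candidates
        return {("!", "not indexable")}
    needs = [missing(k, indexes) for k in node[1]]
    if node[0] == "&":                  # AND: one indexed component is enough
        key = lambda s: (any(a == "!" for a, _ in s), len(s))
        return min(needs, key=key) if needs else set()
    return set().union(*needs)          # OR: every component must be indexed

def check(filter_text, indexes=INDEXES):
    """Return the sorted (attribute, index type) pairs the filter still needs."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(missing(node, indexes))
```

For the filter from the log above, `check("(sgloginid=USERA)")` reports that an equality index on `sgloginid` is missing, which matches the decision to index the attribute rather than grant the unindexed-search privilege.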


Tuesday, November 4, 2014

Unbreakable (backward-compatible) OpenAM Login Page

I am currently migrating OpenAM 9.5.3 to OpenAM 11.0.2 for a customer based in Singapore. In fact, I migrated Sun Access Manager 7.0 to OpenAM 9.5.3 a few years back for the same customer. How time flies! Getting older. :)

The migration has been pretty smooth so far … with a little surprise that confused me for a while.

We know the UI for OpenAM 11 looks like the one below:

But after I ported customized code and JSP pages over, I was constantly redirected to the old OpenAM server! How can it be?!! Below was what I saw...

It took me (and my colleague too) quite a while to realize that we were in fact landing on the OpenAM 11 Login Page.

See the differences below? ForgeRock logo and footer are different in OpenAM 11.

Ok lah, from backward-compatible point of view, well done man! Good job!

By the way, I ended last month with a 50-km trail race - The North Face Singapore.

Awesome run!