Tuesday, 21 December 2010

Bending the ITIM custom adapter model

For those who have needed to create custom RMI-based Tivoli Identity Manager (TIM) adapters using Tivoli Directory Integrator (TDI), you will know that there are certain constraints that have to be adhered to. In addition to data-related constraints such as naming conventions and mandatory attributes ($dn, objectclass), there are several other less obvious architectural and communications-related constraints, such as:
  • The target assembly line must be completely self contained - it cannot call out to child assembly lines
  • For a reconciliation assembly line (full and supporting), every iteration must return one and only one object
Whilst recently working on an adapter for a customer I found that these two constraints came together to turn an otherwise straightforward and logical data synchronisation process into something much more convoluted. After some experimentation I managed to come up with a solution that satisfied the customer requirement and it all worked well in practice. Since that time some colleagues of mine working on similar tasks have come up against the same constraints, so I thought that a breakdown of my approach might prove useful to some.

The inspiration for my approach came from a blog post by TDI guru Eddie Hartman on the topic of TDI Connector loops, which can be found here. Using a MemoryQueueConnector and a couple of Connector loops I created an assembly line that had the following structure.

Feed:
 MemoryQueueConnector (iterator mode)
  - beforeInit: set tdi flag so that queue is not created during initialisation
  - onError: capture the initial 'queue not created' errors, create the queue, set a control flag and re-init the MemoryQueueConnector

Flow:
 if(firstCycle)
 {
  //remove any control flags
  ConnectorLoop_Outer (iterator mode) {
   //read and set some work attributes based on the current iteration
  
   ConnectorLoop_Inner (iterator mode) {
    //Map retrieved attributes to queue attributes
    //Write out work data to memory queue
    //Purge work object
   }
  }
  //pop one entry from the queue
  //one discrete entry from the queue is returned to ITIM
 }
 else
 {
  //remove any control flags
  //one discrete entry from the queue is returned to ITIM
 }


At a high level the approach above is composed of the following steps:
  • Create a Memory Queue, purposely get it to error during (the first) initialisation, tag it and reinit the Queue
  • 1st cycle - fetch all required data from target systems
  • 1st cycle - Push all fetched data into the memory queue
  • 1st cycle - Pop one entry from the queue and return data to ITIM
  • All other cycles - return data to ITIM as normal

As I am using a MemoryQueue I of course needed to be careful about the amount of data that gets pumped into the queue during the first cycle. For better memory management and perhaps data integrity the TDI System Store could be used to write the data into a database and then 'page' the queue data back out again.

Overall I have found that this approach is easy to debug as all the data is grabbed during one period and then read out one item at a time in a clear and concise manner. If I was expecting to get 500 data items (for example) from my backend system(s) then I can simply check the resultant queue size and ITIM to ensure that everything matches up.
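As an added illustration (my own Python written for this post, not the TDI assembly line itself, which lives in connector configuration and TDI script), the following models the control flow above in plain Python: a first cycle that runs the outer and inner loops and pushes everything into a queue, and a cycle() method that returns exactly one object per call until the queue is empty. The department and account records, the LDAP suffix and the attribute names are constructed for the example. It also applies the mandatory-attribute check ($dn, objectclass) mentioned at the start of the post and the 'does the queue size match what I expected' check from the paragraph above, so a row that cannot be mapped to a valid object is set aside rather than returned to ITIM.

```python
from collections import deque

# Constructed sample data standing in for the two target systems that the outer
# and inner connector loops iterate over. The record shapes, names and the LDAP
# suffix are assumptions for this example, not the customer's real data.
DEPARTMENTS = [                                   # what ConnectorLoop_Outer iterates
    {"id": 10, "name": "finance"},
    {"id": 20, "name": "engineering"},
]
ACCOUNTS_BY_DEPARTMENT = {                        # what ConnectorLoop_Inner iterates
    10: [{"uid": "alice", "status": "active"}, {"uid": "bob", "status": "disabled"}],
    20: [{"uid": "carol", "status": "active"}, {"uid": "", "status": "active"}],  # bad row
}
SUFFIX = "dc=example,dc=com"          # assumed base DN for the constructed $dn values
MANDATORY = ("$dn", "objectclass")    # attributes ITIM requires on every returned object


class QueuedReconcile:
    """Models the assembly line from the post: the first cycle runs the nested
    connector loops and pushes every result into a memory queue; every cycle,
    including the first, then returns exactly one entry (or None when done)."""

    def __init__(self, departments, accounts_by_department):
        self.departments = departments
        self.accounts = accounts_by_department
        self.queue = deque()          # stands in for the MemoryQueueConnector
        self.first_cycle = True       # the control flag tested at the top of the flow
        self.rejected = []            # rows that could not be mapped to a valid object

    def _map_to_queue_entry(self, department, account):
        """The 'map retrieved attributes to queue attributes' step of the inner loop."""
        entry = {
            "objectclass": "inetOrgPerson",
            "uid": account["uid"],
            "department": department["name"],
            "status": account["status"],
        }
        if account["uid"]:            # no uid means no usable $dn can be built
            entry["$dn"] = f"uid={account['uid']},ou={department['name']},{SUFFIX}"
        return entry

    def _fetch_all(self):
        """ConnectorLoop_Outer / ConnectorLoop_Inner, run once on the first cycle."""
        for department in self.departments:                          # outer iteration
            for account in self.accounts.get(department["id"], []):  # inner iteration
                entry = self._map_to_queue_entry(department, account)
                missing = [a for a in MANDATORY if not entry.get(a)]
                if missing:
                    # returning this to ITIM would fail the reconcile; keep it aside
                    self.rejected.append((account, missing))
                    continue
                self.queue.append(entry)

    def cycle(self):
        """One iteration of the feed: always zero or one object, never more."""
        if self.first_cycle:
            self.first_cycle = False
            self._fetch_all()
        return self.queue.popleft() if self.queue else None


def run_reconcile(recon):
    """Drive the assembly line to completion, returning the objects ITIM would receive."""
    returned = []
    while (entry := recon.cycle()) is not None:
        returned.append(entry)
    return returned


def expected_object_count(accounts_by_department):
    """The 'check the resultant queue size' step: rows with a usable uid only."""
    return sum(1 for rows in accounts_by_department.values() for r in rows if r["uid"])


if __name__ == "__main__":
    recon = QueuedReconcile(DEPARTMENTS, ACCOUNTS_BY_DEPARTMENT)
    objects = run_reconcile(recon)
    print(f"returned {len(objects)} objects, expected "
          f"{expected_object_count(ACCOUNTS_BY_DEPARTMENT)}")
    for obj in objects:
        print(" ", obj["$dn"])
    for row, missing in recon.rejected:
        print("rejected", row, "missing", missing)
```

The rejected list is the piece worth keeping in a real adapter: when the returned count and the expected count differ, it tells you which rows were dropped and why, rather than leaving you to diff ITIM against the backend.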

Hope that this has been useful. If anyone would like to dig into any of the deeper details, please get in contact and I'd be happy to help out where I can.

Wednesday, 24 November 2010

Notes on building a Federated Identity Provider - Decoding SAML messages

To follow on from my last posting, I have been busy recently trying to build my own Federated Identity Provider, mostly to cement my overall understanding of Federated Identity Management at an architectural and technical level. Just this week I managed to get Federated SSO to GoogleApps working with just a handful of Java components and JSP pages!

For those who are new to the area, there are several open source frameworks available to the developer who is looking to deploy their own Identity Provider (IdP) or Service Provider (SP), such as OpenSAML, Shibboleth (built on top of OpenSAML), SimpleSAMLphp and Lasso. At this point a couple of definitions would probably be useful.
OASIS provides the following definitions:
  • Identity Provider: A kind of service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation
  • Service Provider: A role donned by a system entity where the system entity provides services to principals or other system entities.
Although OpenSAML is essentially a set of SAML libraries and therefore does 'not provide a complete SAML identity or service provider' in the words of its creators, I chose this framework as it provided me with the greatest opportunity to understand the real nuts and bolts that drive Federation. Those looking for an out of the box Federation solution would do better to opt for solutions such as Shibboleth or a vendor product such as Tivoli Federated Identity Manager as these can simply be deployed, configured and run!

Back to OpenSAML: my opinion of it after one week of real hands-on use is that it is quite excellent. Despite the fact that the website is plain and straight-talking, it's backed up by a great deal of excellent documentation, examples and useful links. If you're like me and you want to start developing a web application using OpenSAML then the section marked 'User's Manual' is for you. The section marked 'Developer's Manual' is for those brave souls who wish to extend the OpenSAML libraries.
After downloading the OpenSAML libraries and importing them into my Java IDE (OpenSAML libraries in C are also available) I started to write a small test app that could decode and unpack an incoming Authentication Request, which would take the form of an XML (SAML) message. SAML messages can be classified by the 'binding' they use, which denotes the method of message transmission. The two most commonly used bindings are HTTP-POST and HTTP-Redirect. For my PoC/test/debug app I wanted to support both bindings, which meant that I needed to be able to accept SAML messages arriving via both HTTP POST and GET requests.

To process messages received from these two channels natively (i.e. without using OpenSAML) is at times non-trivial, as URL and Base64 (de/en)coding is required for some bindings, as well as payload (in/de)flation. Using OpenSAML to carry out this task is extremely simple, as the two aptly named classes HTTPRedirectDeflateDecoder and HTTPPostDecoder do all the work for you. With a decoded SAML message in hand, and using a couple of supporting utility classes, you have access to the unmarshalled SAML message with all its useful details.

The ability to decode, unpack and present an incoming SAML message is in itself very useful, as it provides the ability to compare and contrast SAML tokens generated from different bindings and SPs such as GoogleApps and Force.com. All of this helps to demystify the whole area of SAML message content and communication.

At this point an example would probably come in handy I think. Here's an example of a SAML message that contains a Federated Authentication Request.
Firstly the raw value as received, still Base64-encoded:

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxzYW1scDpBdXRoblJlcXVlc3Q
geG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9Im
9pY21hY2VhcG9mZWJwZ29jbG9qbWduZ2RlaGlwa21sb2ZkZmhvZmIiIFZlcnNpb249IjIuMCIgSXN
zdWVJbnN0YW50PSIyMDEwLTExLTAyVDE2OjUzOjA3WiIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46
b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBQcm92aWRlck5h
bWU9Imdvb2dsZS5jb20iIElzUGFzc2l2ZT0iZmFsc2UiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZV
VSTD0iaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS9hL2NvbXBhbnktZGVtby5jb20vYWNzIj4NCjxzYW
1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0a
W9uIj5nb29nbGUuY29tL2EvY29tcGFueS1kZW1vLmNvbTwvc2FtbDpJc3N1ZXI+DQo8c2FtbHA6T
mFtZUlEUG9saWN5IEFsbG93Q3JlYXRlPSJ0cnVlIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpT
QU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIiAvPg0KPC9zYW1scDpBdXRoblJlcXV
lc3Q+

After passing this value through my decoder app, I received the more readable value of:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="oicmaceapofebpgoclojmgngdehipkmlofdfhofb" Version="2.0" IssueInstant="2010-11-02T16:53:07Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="google.com" IsPassive="false" AssertionConsumerServiceURL="https://www.google.com/a/company-demo.com/acs">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com/a/company-demo.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>

Looking at this example message from Google and using even a basic level of SAML knowledge, we can observe several key points regarding their Federated Identity Management solution.
  • Google does not sign its outbound Authentication Request messages - the fact that these messages are not signed means that it would be quite trivial for a malicious 3rd party to impersonate Google when communicating with a SP
  • Google uses the SAML v2.0 standard and not SAML v1.0 or any of the SAML alternatives such as WS-Federation or those from the Liberty Foundation
  • The naming format used by Google is unspecified (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).
  • Google's provider name is 'google.com'
  • The Google component that is used to consume SAML messages is Google domain specific, and of the format 'https://www.google.com/a/<domain>/acs'
All of this information is essential when starting the process of generating a SAML response message. The above details can be picked out of the decoded and unpacked SAML message using OpenSAML classes such as AuthnRequest, which provides the methods 'isSigned()', 'getAssertionConsumerServiceURL()' and 'getProviderName()', amongst many others.
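To make the decoding step concrete, here is an added Python example (my own code for this post, not OpenSAML and not the test app described above) that does with the standard library what the post describes: it treats the Base64 value above as an HTTP-POST binding message, shows the extra inflate and URL-decode steps the HTTP-Redirect binding needs (the redirect sample is constructed here by re-encoding the same request, since the post only shows the POST form), and pulls out the fields the bullets above are based on. 'Signed' is determined the same way OpenSAML's isSigned() does it, by whether a ds:Signature child element is present.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

# The Base64 AuthnRequest shown in the post, joined back into one string. It is
# the only real input here; the HTTP-Redirect sample further down is constructed
# from it for the example.
GOOGLE_AUTHN_REQUEST_B64 = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxzYW1scDpBdXRoblJlcXVlc3Q"
    "geG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9Im"
    "9pY21hY2VhcG9mZWJwZ29jbG9qbWduZ2RlaGlwa21sb2ZkZmhvZmIiIFZlcnNpb249IjIuMCIgSXN"
    "zdWVJbnN0YW50PSIyMDEwLTExLTAyVDE2OjUzOjA3WiIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46"
    "b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBQcm92aWRlck5h"
    "bWU9Imdvb2dsZS5jb20iIElzUGFzc2l2ZT0iZmFsc2UiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZV"
    "VSTD0iaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS9hL2NvbXBhbnktZGVtby5jb20vYWNzIj4NCjxzYW"
    "1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0a"
    "W9uIj5nb29nbGUuY29tL2EvY29tcGFueS1kZW1vLmNvbTwvc2FtbDpJc3N1ZXI+DQo8c2FtbHA6T"
    "mFtZUlEUG9saWN5IEFsbG93Q3JlYXRlPSJ0cnVlIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpT"
    "QU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIiAvPg0KPC9zYW1scDpBdXRoblJlcXV"
    "lc3Q+"
)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_post_binding(saml_request: str) -> bytes:
    """HTTP-POST binding: the SAMLRequest form field is plain Base64 of the XML."""
    return base64.b64decode(saml_request)


def decode_redirect_binding(query_string: str) -> bytes:
    """HTTP-Redirect binding: SAMLRequest is URL-encoded Base64 of raw-DEFLATEd XML."""
    field = parse_qs(query_string, strict_parsing=True)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(field), -15)  # -15 = raw DEFLATE, no zlib header


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Inverse of decode_redirect_binding; used only to build the constructed sample."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    return "SAMLRequest=" + quote(base64.b64encode(deflated).decode("ascii"), safe="")


def summarise_authn_request(xml_bytes: bytes) -> dict:
    """Pull out the fields an IdP needs before it can build a Response, in the
    spirit of OpenSAML's AuthnRequest getters; 'signed' mirrors isSigned(),
    which is true only when a ds:Signature child is present."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "version": root.get("Version"),
        "issue_instant": root.get("IssueInstant"),
        "protocol_binding": root.get("ProtocolBinding"),
        "provider_name": root.get("ProviderName"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "nameid_format": policy.get("Format") if policy is not None else None,
        "signed": root.find("ds:Signature", NS) is not None,
    }


def decode_both_bindings():
    """Decode the post's message via the POST binding, then re-encode it as a
    Redirect-binding query string and decode that too; both summaries match."""
    xml_bytes = decode_post_binding(GOOGLE_AUTHN_REQUEST_B64)
    via_post = summarise_authn_request(xml_bytes)
    via_redirect = summarise_authn_request(
        decode_redirect_binding(encode_redirect_binding(xml_bytes)))
    return via_post, via_redirect


if __name__ == "__main__":
    via_post, via_redirect = decode_both_bindings()
    print(decode_post_binding(GOOGLE_AUTHN_REQUEST_B64).decode("utf-8"))
    for key, value in via_post.items():
        print(f"{key:>17}: {value}")
    print("redirect binding round-trip matches:", via_post == via_redirect)
```

The 'signed' field is the one to watch on the IdP side: because it is false here, nothing in the request itself ties it to Google, so an IdP has to rely on other checks (for example that the AssertionConsumerServiceURL matches the metadata it holds for that SP) before it issues a Response to that address.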

At this point within my development process and within my app I had a process that could fully interpret and understand an inbound SAML authentication request from Google. The next task was to use this information, and that specified on the Google site, to generate a SAML response message that could not only be understood by Google, but also used to carry out Federated SSO for my target user.
All of this and more will be picked up in my next posting on this topic.
Bye for now.

Tuesday, 23 November 2010

Getting back into the swing of it

It's been a while since my last blog entry, so I thought I'd get back into the swing of things with a posting on the topics that have been occupying me over the last few months.

  • Federated Single Sign On - with and without TFIM

Over the last 6 to 9 months I've been getting more involved with Federation, specifically within the context of Identity Management and Single Sign On. I've been interested in this area for some time now, mostly because of the Identity Management challenges it can solve, as well as its ability to knit together applications that have a requirement to interoperate regardless of their geographic or DNS location.
Since gaining my 'IBM Tivoli Federated Identity Manager v6.1 deployment professional' certification in June '10 I've tried to increase the breadth of my understanding in this area and learn about the other complementary technologies and standards. This has given me the opportunity to study XACML (externalised application authorisation processing), OAuth, Federated Provisioning and Cloud application integration (e.g. GoogleApps, Force.com, Zoho). The culmination of all this study generated a wish to create my own Federated Identity Provider, which would be a great development and learning tool. To build this Identity Provider I chose to use the OpenSAML framework.

This is one area about which I will be adding blog entries in the coming weeks as the SAML standard alone is quite rich and I've already learnt a great deal. Hopefully this will all be of interest to anyone getting into the area of Federation and/or the OpenSAML framework.

  • Setting up custom ITIM workflows and ITDI adapters

As part of my role as a security consultant for Pirean, I am currently working on a very large identity management deployment, which involves ITIM. As you'd expect, a single product can never cater for every requirement, so where there have been gaps in the product I have needed to design and build several customised components. Where I can, I'll be posting any useful details on these, including those that I've already built.

  • Setting up a network based music system at home and adopting HD audio

A couple of years ago I invested in a Network Attached Storage drive (a Netgear ReadyNAS Duo if you're curious), which I used to store all my photos (i.e. wedding), documents and music files. After a while I pulled out the default Western Digital 500 GB disk and replaced it with a pair of 1.5TB Samsung F2 eco drives, which the NAS allowed me to set up as a mirrored pair. The result of all this was that I now had around 1.4TB of disk space that would survive any single disk failure. With this in hand I took on the task of centralising and (yawn) cataloguing my entire music collection. This led me to question:

  1. How could I listen to my music in the easiest and most portable manner that allowed me to avoid having to turn on my 'generic mp3 music player'?
  2. Was I getting the best audio quality from my music collection?

Again in the coming weeks I hope to add some posts on the setup I've created at home and also try and give some useful pointers to help out anyone who may be thinking of doing something similar in future.

  • DLNA and 3D TV

Finally, in a similar vein to the previous point, I've been interested for some time in whether and how it could be possible to digitise, and therefore remove the need for, any physical media in one's life, i.e. no more CDs, DVDs, Blu-rays or vinyl. Using my NAS drive, a PS3 and a Samsung LED TV I've created what I think is quite a nifty system that attempts to realise the aspirations of the Digital Lifestyle Network Alliance (DLNA). As an extension to this I've recently taken ownership of a Samsung LED 3D TV (UE40C8000 for those that are curious) which I'm only now getting used to. As before, I intend to add posts around the DLNA setup I have at home, my experience with 3D TV and any pointers/lessons I've picked up on the way.

Quite a lot there as you can see, which now makes me wonder why I didn't start this earlier?
Now..... where to start?

Sunday, 11 July 2010

Thoughts on....... possible future of personal computing

Hi,

A thought that has recently occupied my mind is what shape personal computing might take in the near future. In particular this involves the application of virtualization, specifically Cloud, to the type of computing that both you and I carry out every day, instead of those large and critical business processes that are currently so readily reported on. I am certain that there are many articles out there on the web about this very scenario, but here's my own angle on it for those who are interested.

As part of my role within the IT security field, I regularly need to connect to remote and/or virtualized customer systems. I won't go into the whole ethos of virtualization here as that's been done to death; suffice to say that the occasions when I have needed to connect to 'local' systems have been very rare indeed. In addition I am increasingly making use of systems that are hosted within Elastic (Cloud based) server environments.
Taken as a whole these types of environments can provide their users with benefits such as:
• Fault tolerance
• Lower carbon footprint (specifically in relation to Elastic computing)
• Always available systems
• Automatic application of critical systems patches
• Automatic execution of virus, malware and intrusion detection scanning
• Ready to install software products
• Globally accessible
• Automatic execution of system backup procedures
When considered in the context of personal computing, very few of us (even those who are more technically aware) would be able to set up the same processes for our home computers. To put the above list into scenarios we would all recognize, consider the following:

• How many times has your personal computer locked up for no obvious reason, or failed to start up at all?
• How many times have you left your personal computer plugged into the mains, running and/or charging, even though it wasn't being used? Or used it constantly at its highest power level?
• How regularly do you turn on your personal computer for one thing and then turn it off soon after (for example to check a train timetable, send an email, read a recipe or check the weather)?
• Are critical system patches applied to your own personal computer, or those of your friends and family, as soon as they come out?
• Is your personal computer checked for new and existing viruses and malware (or even in real-time)?
• How often have you spent hours (or days in some circumstances) trying to get a particular software product installed onto your personal computer?
• How many times have you been away from your personal computer and had a need to access software or files on it?
• Do you backup the important files on your personal computer regularly? What about the personal computers your friends and family own?

This is not an exhaustive list of course, but I hope that it illustrates the fact that if personal computing was pulled into the new world of Cloud computing, specifically Platform-As-A-Service (PaaS), the IT-illiterate common man on the street would see massive benefits.

Playing devil's advocate for a moment, firstly let me say that of course what I'm suggesting here would not come for free. To take out all the services offered by a PaaS company providing such a service would not come cheap (although you could take on tasks like virus scanning yourself to save money). On the flip side, consider that if there was no need for you to purchase a new powerful personal computer every 18 months (as described excellently on my Pirean colleague Ryan's blog), surely this would offset the cost of this service? Especially when you consider the personal (incalculable) time spent trying to coax your computer to do something it doesn't want to do.
Secondly, I understand that just because a PC is virtualized does not mean that all the common issues I describe here disappear. It does mean though that PaaS companies providing such a service would be able to use economies of scale and automated service management systems to help alleviate them.

Stepping away from the merits, let's now consider that my personal computer has been virtualized into the Cloud, and is being backed up, virus scanned and managed for a monthly fee. How, you would wonder, do I connect to this and use it? Well I'm glad you asked. The only requirements at this point would be:

• A (very) fast internet connection, with no monthly data limits
• A thin interface that has excellent connectivity (peripherals, network) and screen resolution
• An application that allows me to connect to my virtualized personal computer

Returning to my own setup, the above three items describe what I currently have at home: a 20 MB/s ADSL line, my laptop (1GBps network card, many USB sockets, fairly good screen), and PuTTY/RDP/telnet etc. Devices such as Tablet PCs, iPads, smartphones and IP-enabled home entertainment systems, if properly configured by their manufacturers, would in my opinion allow users to do away with their desktop/laptop and embrace what could be a new and exciting landscape for personal computing.

Thanks for listening. Any thoughts and comments would be warmly welcomed.

Friday, 9 July 2010

One giant leap for ...... me I suppose

So my first blog and also blog entry. What to say? Something insightful on the world, life and mankind perhaps?
Err no, instead I'll try and restrict myself to three less-weighty areas to hopefully avoid rambling. These will be:
  • What I actually understand and know about (probably most likely to be IT/tech related)
  • What I find interesting
  • What I wonder about during those spare moments in life, such as when you're waiting for the train to stop and its doors to open
At the very least I hope to use this blog to siphon off my thoughts so that I (1) don't forget some of the useful/interesting stuff I learn through my work, and (2) get some more sleep as I won't be sitting there wondering about something I've read online.

So that's the sum of it. Now, where to start...