Monday, December 17, 2012

Removed Functionality in OpenAM 10.0.1

OpenAM 10.0.1 was released late last week. This is not OpenAM 10.1 Xpress, do not be confused. :)

With this release, the following functionality has been removed:

1. OpenAM 10.0.1 does not include the amtune command.

2. OpenAM console only mode is no longer supported. Console only mode is likely to be replaced with a different solution in a future release.

3. The Test Beta Console has been removed. Its functionality is currently available through the ssoadm command.

4. OpenAM no longer includes the SafeWord and Unix authentication modules.

Will they be missed? No. :)


Friday, December 14, 2012

Oracle Mobile and Social Access Management

Sometimes it's good to look around at what others are doing in the market. It helps, really.

So, what's the hype these days? Cloud, Mobile, Social. You can't run away from these 3 themes.

Today, I came across Oracle Mobile and Social Access Management.

We should chop it into 2 components:

  • Mobile Access Management; and
  • Social Access Management

Social Access Management is nothing but OAuth and OpenID authentication. OMSS (Oracle Mobile and Social Server) now supports Google, Yahoo, Facebook, Twitter, or LinkedIn. (so besides OAuth 2.0, it does support OAuth 1.0)

Mobile Access Management is something like an ESSO on a mobile platform.

Yes, I know traditional WSSO people will be very much against developing something that is beyond web. But, hey, what are the 3 current themes these days? Cloud, Mobile, Social.

If we are going to survive, we should adopt the trend and not stay away from it.

Yes, it's troublesome to develop a SDK for iOS and yet another SDK for Android. But this is what customers want. Who are the potential customers?

I can foresee big insurance companies wanting to adopt this solution for their multiple mobile applications for insurance agents who are always on the move. These applications would need to be single-sign-on so as to save the agents' time while serving customers.

I can also foresee big banks waiting to adopt this solution for their mobile applications for the private bankers who are also always on the move.

These are big customers who do not need feature-rich Single Sign-On solutions, but have specific needs for their critical, money-making applications used by their mobile employees. And not forgetting, these are good, willing, paying customers. :)


Sunday, December 9, 2012

HTTPOnly Cookies in OpenAM Policy Agent 3.0.5

Good news out there! With OpenAM Policy Agent 3.0.5, one can configure OpenAM to transmit only HTTPOnly cookies to the browsers (Read here).

HTTPOnly Cookies (Not yet in OpenAM console)
As of version 3.0.5, web policy agents with this property set to true mark cookies as HTTPOnly, to prevent scripts and third-party programs from accessing the cookies. Property: com.sun.identity.cookie.httponly

We know the security teams at customers' sites are super paranoid about cookies. Yes, cookies that stay in users' browsers and can be hijacked easily!

More about HTTPOnly Cookies here. Note from Wikipedia - This restriction mitigates but does not eliminate the threat of session cookie theft.

Better than not doing anything, right?
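To check what the agent actually sends once the property is switched on, here is an added example of my own (not OpenAM or policy agent code): a small Python audit of Set-Cookie headers that flags a session cookie missing the HttpOnly or Secure attribute. The cookie name iPlanetDirectoryPro (OpenAM's default session cookie) and the sample header values are assumptions constructed for this example.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Constructed example, not part of OpenAM or its policy agents. The sample
headers below are made up to resemble what a web policy agent might emit
before and after com.sun.identity.cookie.httponly is set to true.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value into the cookie name and flag presence.

    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name, "httponly" in attrs, "secure" in attrs)


def audit_headers(headers: Iterable[str], session_names: Set[str]) -> List[CookieAudit]:
    """Audit every header; record a problem for each session cookie that
    scripts can read (no HttpOnly) or that may travel over plain HTTP (no Secure)."""
    results = []
    for raw in headers:
        c = parse_set_cookie(raw)
        if c.name in session_names:
            if not c.httponly:
                c.problems.append("session cookie readable by script (no HttpOnly)")
            if not c.secure:
                c.problems.append("session cookie may be sent over plain HTTP (no Secure)")
        results.append(c)
    return results


# Assumption: iPlanetDirectoryPro is the default OpenAM session cookie name.
SESSION_COOKIES = {"iPlanetDirectoryPro"}
# Constructed samples: a misconfigured agent, then the same cookie hardened.
SAMPLE_BEFORE = ["iPlanetDirectoryPro=EXAMPLE_TOKEN; Path=/; Domain=.example.com"]
SAMPLE_AFTER = ["iPlanetDirectoryPro=EXAMPLE_TOKEN; Path=/; Domain=.example.com; Secure; HttpOnly"]


def count_problems(headers: Iterable[str]) -> int:
    return sum(len(c.problems) for c in audit_headers(headers, SESSION_COOKIES))


if __name__ == "__main__":
    for label, hdrs in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for c in audit_headers(hdrs, SESSION_COOKIES):
            print(label, c.name, c.problems or "ok")
```

Feed it the Set-Cookie headers from a real login response (for example from a browser's network tab) to confirm the agent setting took effect on the session cookie and not just on the agent's own cookies.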