OpenAM

Last updated
OpenAM
Initial releaseNovember 11, 2008 (2008-11-11) (OpenSSO)
February 7, 2010 (2010-02-07) (Forgerock OpenAM)
March 1, 2018 (2018-03-01) (OpenAM Community)
Stable release
Release 15.0.0 [1] / May 21, 2024 (2024-05-21)
Repository https://github.com/OpenIdentityPlatform/OpenAM
Written in Java
Operating system Linux, Solaris, Windows, Mac OS, AIX
Available inEnglish, French, German, Spanish, Japanese, Korean, Simplified Chinese and Traditional Chinese
Type Identity and access management
License CDDL
Website github.com/OpenIdentityPlatform/OpenAM/

OpenAM is an open-source access management, entitlements and federation server platform. Now it is supported by Open Identity Platform Community. [2]

Contents

OpenAM (Open Access Management) originated as OpenSSO, (Open Single Sign-On) an access management system created by Sun Microsystems and now owned by Oracle Corporation. OpenAM is a fork which was initiated following Oracle's purchase of Sun.

History

Announced by Sun Microsystems in July 2005, [3] OpenSSO was based on Sun Java System Access Manager, and was the core of Sun's commercial access management and federation product, OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager).

In July 2008, Sun announced paid support for regular "Express" builds of OpenSSO. Sun's stated intent was that express builds would be released approximately every three months, allowing customers early access to new features. [4]

In September 2008, Sun announced OpenSSO Enterprise 8.0, the first commercial product derived from the OpenSSO project. [5] OpenSSO Enterprise 8.0 was released in November 2008. [6]

OpenSSO Enterprise won the "Security" category of the Developer.com Product of the Year 2009 awards. [7]

In May 2009, shortly after Oracle's acquisition of Sun was announced, OpenSSO Enterprise 8.0 Update 1 was released.

Oracle completed their acquisition of Sun Microsystems in February 2010, and shortly thereafter removed OpenSSO downloads from their website in an unannounced policy change. OpenSSO was forked as OpenAM, developed and supported by ForgeRock. [8]

ForgeRock announced in February 2010 that they would continue to develop and support OpenSSO from Sun now that Oracle had chosen to discontinue development on the project. [9] ForgeRock renamed the product to OpenAM as Oracle retained the rights to the name OpenSSO. ForgeRock also announced that they would continue delivering on the original Sun Microsystems roadmap. [10] [11] It was sponsored by ForgeRock until 2016. [12] [13]

In November 2016, without any official statement, ForgeRock closed OpenAM source code, renamed OpenAM to ForgeRock Access Management and began distributing source code under a paid, commercial license. [12]

Several free and open-source forks of OpenAM now exist under the Common Development and Distribution License:

Features

OpenAM supports the following features: [14]

Authentication
OpenAM supports more than 20 authentication methods out-of-the-box. OpenAM has the flexibility to chain methods together along with Adaptive Risk scoring, setup Multi-factor authentication or to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard. Integrated Windows Authentication is also supported to enable a completely seamless, heterogeneous OS and Web application SSO environment.
Authorization
OpenAM provides authorization policy from basic, simple, coarse-grained rules to highly advanced, fine-grained entitlements based on XACML (eXtensible Access Control Mark-Up Language). Authorization policies are abstracted from the application, allowing developers to quickly add or change policy as needed without modification to the underlying application.
Adaptive risk authentication
The adaptive risk authentication module is used to assess risks during the authentication process, and to determine whether to require that the user complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they log in. For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain.
Federation
Federation services securely share identity information across heterogeneous systems or domain boundaries using standard identity protocols (SAML, WS-Federation, OpenID Connect). Quickly set up and configure service provider or cloud service connections through the Fedlet, OAuth2 Client, OAuth2 Provider, or OpenIG Federation Gateway. The OpenIG Federation Gateway is a component of OpenAM providing a SAML2 compliant enforcement point and allows businesses to quickly add SAML2 support to their applications with little to no knowledge of the standard. In addition, there is no need to modify the application or install any plugin or agent on the application container. Out-of the-box tools enable simple task-based configuration of G Suite, ADFS2, along with many other integration targets. OpenAM can also act as a multiprotocol hub, translating for providers who rely on other, older standards. OAuth2 support is an open standard for modern federation and authorization, allowing users to share their private resources with tokens instead of credentials.
Single sign-on (SSO)
OpenAM provides multiple mechanisms for SSO, whether the requirement is enabling cross-domain SSO for a single organization, or SSO across multiple organizations through the Federation Service. OpenAM supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers, a proxy server, or the OpenIG (Identity Gateway). OpenIG runs as a self-contained gateway and protects web applications where installing a policy agent is not possible.
High availability
To enable high availability for large-scale and mission-critical deployments, OpenAM provides both system failover and session failover. These two key features help to ensure that no single point of failure exists in the deployment, and that the OpenAM service is always available to end-users. Redundant OpenAM servers, policy agents, and load balancers prevent a single point of failure. Session failover ensures the user's session continues uninterrupted, and no user data is lost.
Developer access
OpenAM provides client application programming interfaces with Java and C APIs and a RESTful API that can return JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using REST clients in their language of choice. OAuth2 also provides a REST Interface for the modern, lightweight federation and authorization protocol.

See also

Related Research Articles

<span class="mw-page-title-main">Sun Microsystems</span> American computer company, 1982–2010

Sun Microsystems, Inc. was an American technology company that sold computers, computer components, software, and information technology services and created the Java programming language, the Solaris operating system, ZFS, the Network File System (NFS), and SPARC microprocessors. Sun contributed significantly to the evolution of several key computing technologies, among them Unix, RISC processors, thin client computing, and virtualized computing. Notable Sun acquisitions include Cray Business Systems Division, Storagetek, and Innotek GmbH, creators of VirtualBox. Sun was founded on February 24, 1982. At its height, the Sun headquarters were in Santa Clara, California, on the former west campus of the Agnews Developmental Center.

<span class="mw-page-title-main">Pluggable authentication module</span> Flexible mechanism for authenticating users

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, macOS, NetBSD and Solaris.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework. JAAS was introduced as an extension library to the Java Platform, Standard Edition 1.3 and was integrated in version 1.4.

<span class="mw-page-title-main">Liberty Alliance</span> Computer trade group

The Liberty Alliance Project was an organization formed in September 2001 to establish standards, guidelines and best practices for identity management in computer systems. It grew to more than 150 organizations, including technology vendors, consumer-facing companies, educational organizations and governments. It released frameworks for federation, identity assurance, an Identity Governance Framework, and Identity Web Services.

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

<span class="mw-page-title-main">OpenID</span> Open and decentralized authentication protocol standard

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

Oracle Secure Global Desktop (SGD) software provides secure access to both published applications and published desktops running on Microsoft Windows, Unix, mainframe and IBM i systems via a variety of clients ranging from fat PCs to thin clients such as Sun Rays.

Open Wonderland is an open-source toolkit written in Java for creating collaborative 3D virtual worlds. Within those worlds, users can communicate with high-fidelity, immersive audio, share live desktop applications and documents and conduct real business. Open Wonderland is completely extensible; developers and graphic artists can extend its functionality to create entirely new worlds including adding new features to existing worlds.

OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Meta Platforms, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

Security patterns can be applied to achieve goals in the area of security. All of the classical design patterns have different instantiations to fulfill some information security goal: such as confidentiality, integrity, and availability. Additionally, one can create a new design pattern to specifically achieve some security goal.

Web access management (WAM) is a form of identity management that controls access to web resources, providing authentication management, policy-based authorizations, audit and reporting services (optional) and single sign-on convenience.

In FOSS development communities, a forge is a web-based collaborative software platform for both developing and sharing computer applications.

<span class="mw-page-title-main">OpenDJ</span>

OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2). Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.

WebID is a method for internet services and members to know who they are communicating with. The WebID specifications define a set of editor's drafts to prepare the process of standardization for identity, identification and authentication on HTTP-based networks. WebID-based protocols offer a new way to log into internet services. Instead of using a password, for example, the member refers to another web address which can vouch for it. WebID is not a specific service or product.

Security Assertion Markup Language (SAML) is a set of specifications that encompasses the XML-format for security tokens containing assertions to pass information about a user and protocols and profiles to implement authentication and authorization scenarios. This article has a focus on software and services in the category of identity management infrastructure, which enable building Web-SSO solutions using the SAML protocol in an interoperable fashion. Software and services that are only SAML-enabled do not go here.

User-Managed Access (UMA) is an OAuth-based access management protocol standard for party-to-party authorization. Version 1.0 of the standard was approved by the Kantara Initiative on March 23, 2015.

<span class="mw-page-title-main">ForgeRock</span> Identity management software company

ForgeRock, Inc. is an identity and access management software company headquartered in San Francisco. On August 23, 2023, Thoma Bravo announced that it had completed the acquisition of the company for approximately $2.3 billion. Additionally, it reported that ForgeRock has been integrated into its portfolio company Ping Identity.

References

  1. "OpenAM Downloads". GitHub .
  2. "Open Identity Platform Community". GitHub .
  3. "Sun Microsystems Extends Leadership Position in Identity Management — First Vendor To Open Source Web Single Sign-On Technology". Sun Microsystems. 2005-07-13.
  4. "Sun Microsystems Announces Sun OpenSSO Express". Sun Microsystems. 2008-07-23.
  5. "Sun Microsystems Unveils OpenSSO Enterprise — Next-Generation Access Management, Federation and Secure Web Services Solution". Sun Microsystems. 2008-09-30.
  6. "Sun OpenSSO Enterprise 8.0 Revenue Release (RR) is official". Sun Microsystems. 2008-11-11.[ permanent dead link ]
  7. "Winners of the Developer.com Product of the Year 2009 Are Announced". Developer.com. 2009-01-14. Archived from the original on 2011-12-13. Retrieved 2016-08-28.
  8. "Oracle kills OpenSSO Express - ForgeRock steps in". The H. 24 February 2010. Archived from the original on 8 December 2013.
  9. "ForgeRock Extending Sun's OpenSSO Platform - InternetNews".
  10. OpenSSO, neglected by Oracle, gets second life Archived 2012-10-15 at the Wayback Machine
  11. "ForgeRock Picks Up Sun's Open Source Identity - Datamation".
  12. 1 2 "ForgeRock has shuttered the open-source community, and no longer allows new development on their platform under a permissive license". timeforafork. June 1, 2017. Archived from the original on 2017-10-03. Retrieved 2022-11-01.
  13. "OpenAM product no longer being publicly developed by ForgeRock". stackoverflow.com.
  14. "ForgeRock Access Management (OpenAM fork)".