Monday, 19 September 2011

Cross-domain Single Sign On with OpenAM

OpenAM is an open-source solution for access management i.e. authentication, authorization and more. It's maintained by ForgeRock, which took over the project after Sun abandoned it. When led by Sun it was called OpenSSO.

I was recently responsible for installation & configuration of OpenAM. We use it at one of the project to provide cross-domain Single Sign On (CDSSO). At first it seemed to be a complex but relatively straightforward task but as it came out later on, it can give you a serious headache when you try to achieve smth different than default.

Below is the short summary of pros & cons:

  • It's a quite mature solution that is built upon its ancestor OpenSSO
  • Experienced users can benefit from its reach configuration options
  • Built-in support for multiple user data stores (LDAP, db, ...).
  • Out-of-the-box support for SAML2 protocol
  • Portability (100% java)
  • Built-in support for multi-instance configuration (for Load Balancing)
  • Very poor documentation - most of the information about the product installation and configuration is available at the Wiki page in form of short, informal articles. Most of the useful information you find on the old OpenSSO specification pages hosted by Sun so you can never be sure if that info is still relevant with the latest version of OpenAM.
  • No community - there is actually no real community of people using that solution. This means there is no fora you can search for advise. There is only an oldschool mailing list with very limited usability
  • Not that flexible - although quite complex configuration is available sometimes I felt limited, especially when trying to implement smth different than defualt e.g. custom login screens.
As you have probably noticed I got a bit frustrated about the "Cons" and described them in much more details than "Pros" ;) I'm not saying it's a bad product but it certainly requires a lot of experience & knowledge of its features. The most painful part is the lack of decent documentation. We even got ourselves this Book but it covers only basic topics.

Be aware that doing anything different than default may require some custom tweaks or not even be possible. If you plan to implement something that is not described in basic tutorials consider other solution first.

If you want to use SAML 2.0 functionality offered by OpenAM I would recommend you to read my tutorial on how to achieve IdP initiated SSO and Identity Federation with OpenAM and SAML.

Here are some links to other useful resources:

  1. OpenAM wiki
  2. Different deployment options
  3. Troubleshooting OpenAM (recommended!)


Noman Sadiq said...

Thanks for this valuable information.Can you please share your experience that how you start OpenAm to integrate in your organization from scratch and what are the available resources on internet like discussions forums,proper technical support, Company who can give services to customize the OpenAm. Please share this information.

Filip Czaja said...

Hi Noman
As I wrote in the post there are very limited learning resources available for OpenAM. I based mainly on what I found on their website, but in many cases it was not enough so I had to learn it the hard way.
Regarding the tech support I assume that ForgeRock itself can provide some (I think that's how they earn money??) but I never used them.
I can also provide remote consultancy on some of the topics - contact me if you are interested.

Deric Ferreira said...

Hello, do you have or recommend some material to Integrate .NET applications to OpenAM?