Author: Brad Tumy

Identity & Access Management Architecture and Implementation expert. Writing about experiences with ForgeRock's Open Identity Stack, Linux and Information Security.

Happy Holidays from TUMY | TECH



‘Tis the Season

Spread Joy

A quick holiday greeting from TUMY | TECH President Brad Tumy:

I want to wish all of TUMY | TECH’s friends, family, customers, and partners a wonderful holiday season. This was a big year for TUMY | TECH as we began several new key relationships in the Identity and Access Management space. In 2015 we continued to work with great customers in a variety of sectors such as Education (K-12), Energy and Software Development/Engineering.

While we continue with laser focus on implementing Identity and Access Management solutions we have begun investing in other key areas such as DevOps and MicroServices. We have some great things in store for 2016 and look forward to sharing these with you as soon as they are ready.

Our success is due to having amazing customers and partners whose trust and contributions are key!

We wish you the best for the New Year and look forward to working with you as we ring in the new year!

Brad Tumy


Copyright (C) 2015 Tumy Technology, Inc All rights reserved.


New blog Site for TUMY | TECH


To our readers,

To try and consolidate and simplify life somewhat we have migrated over to a new blog site.  The new site combines our IAM blog and corporate website.  If you had subscribed to this site as a blog follower, we have already moved your subscription over to the new site and you should continue to get updates.

I hope that you have enjoyed these blog posts, as much as we have enjoyed sharing them, and will continue to follow and interact with us over on the new site.

The newly updated (and consolidated) home of TUMY | TECH can be found here:  www.tumy-tech.com

Resetting Forgotten Passwords with @ForgeRock #OpenAM


Implementing the “Resetting Forgotten Passwords” functionality as described in the OpenAM Developer’s Guide requires some additional custom code.

It’s pretty straightforward to implement this functionality and can be done in 4 steps (per the Developer’s Guide):

  1. Configure the Email Service
  2. Perform an HTTP Post with the user’s id
  3. OpenAM looks up email address (based on user id) and sends an email with a link to reset the password
  4. Intercept the HTTP GET request to this URL when the user clicks the link.

All of this functionality is available out of the box with the exception of #4.  I wrote some really simple JavaScript that can be deployed to the OpenAM server that will handle this.  This code was written as a proof-of-concept and doesn’t include any data validation or error handling, but that could be added fairly easily.  This script can be deployed to the root directory of your OpenAM deployment.  Just be sure to update the Forgot Password Confirmation Email URL in the OpenAM Console under Configuration > Global > REST Security.

I have made the code available on my GitHub page and you are welcome to use it or modify it.

As described on the README:

  • These files are a proof of concept to extend OpenAM’s REST-based password reset functionality
  • Add these two files to your OpenAM deployment root (e.g. /tomcat7/webapps/openam)
  • Modify the server URLs to the appropriate servers in your environment
  • Change the REST Security settings in the OpenAM console (e.g. http://[AM server and port]/openam/forgotPassword.jsp)

The file resetPassword.jsp is an optional file that will display a field for the user to provide their id and will then POST to /json/users?_action=forgotPassword (Step #2 from the Developer’s Guide).
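As an added illustration of what the step #4 intercept page has to do (this is not the JavaScript from the GitHub proof of concept), the following parses the confirmation link, validates the input the PoC skips, and builds the follow-up reset call. The query parameter names (username, tokenId, confirmationId), the forgotPasswordReset action, the userpassword field and the am.host:8080 base URL are assumptions to verify against your OpenAM version's Developer's Guide.

```javascript
// Added example, not the PoC code from the GitHub repo. Assumes the OpenAM
// confirmation link carries the query parameters username, tokenId and
// confirmationId, and that the reset step is
// POST /json/users?_action=forgotPasswordReset with those values plus the new
// password as "userpassword" (check your version's Developer's Guide).

const REQUIRED = ["username", "tokenId", "confirmationId"];

// Pull the reset parameters out of the link the user clicked. Returns null when
// any of them is missing or empty, so the page refuses to continue instead of
// posting a half-formed reset request.
function parseConfirmationLink(href) {
  const params = new URL(href).searchParams;
  const out = {};
  for (const name of REQUIRED) {
    const value = params.get(name);
    if (!value) return null;
    out[name] = value;
  }
  return out;
}

// Client-side sanity check before the round trip. OpenAM still enforces its own
// password policy; this only avoids an obviously bad request.
function validateNewPassword(pw, confirm) {
  if (typeof pw !== "string" || pw.length < 8) return "Password must be at least 8 characters";
  if (pw !== confirm) return "Passwords do not match";
  return null;
}

// Build the JSON request for the last step. tokenId and confirmationId travel
// only in the POST body to the same OpenAM deployment, never appended to some
// other URL where they could end up in access logs or Referer headers.
function buildResetRequest(baseUrl, link, newPassword) {
  if (!link) throw new Error("missing reset parameters in confirmation link");
  return {
    url: `${baseUrl}/json/users?_action=forgotPasswordReset`,
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      username: link.username,
      userpassword: newPassword,
      tokenId: link.tokenId,
      confirmationId: link.confirmationId,
    }),
  };
}

// Browser glue: run the three pieces for the current page URL and submit.
async function submitReset(baseUrl, href, newPassword, confirm, fetchImpl = fetch) {
  const err = validateNewPassword(newPassword, confirm);
  if (err) throw new Error(err);
  const req = buildResetRequest(baseUrl, parseConfirmationLink(href), newPassword);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return res.ok;
}
```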

Acknowledgements:

Thanks to @Aldaris and @ScottHeger for providing advice while I was working on this.

Seeking Senior OpenAM Engineers


A client of mine has asked me to assist them in finding a full-time Senior OpenAM Engineer.  They are a startup based in Northern Virginia.  They are working on some pretty cool initiatives with OAuth2 and SAML and need an experienced engineer to lead this effort.

If you are interested in this please feel free to reach out to me and I’ll put you in touch.

2014 IDM Conference Season Planning


Looks like it’s time to start planning for the IDM conference season.  There are some great conferences planned and I need to figure out how to start budgeting for some of these.  Let me know if I have missed any conferences that should be listed.

March:

May:

June:

July:

September:

December:

Finally connected the dots …


My son (10) has been asking about VPNs a lot lately. Which I thought was because of all of the news lately about the NSA. I ended up showing him tunnel bear, which he quickly installed on his laptop and iPhone. I complimented my son for his interest in security and gave a wink about sticking it to “the man”.

A few days later my wife and I were chatting about letting the kids have more access to social media and she said, “well I still have the kids convinced that you can see everything they do on our home network”.   A lightbulb immediately went on over my head.

… Apparently I am “the man”.

Cool Open Identity Stack Scripts/Utilities – GitHub Repos #ForgeRock #IDM


I was working on a few scripts to test out some of the new REST APIs in OpenAM 11.  I saved them out to GitHub and you are welcome to have at them.

I thought it might also be cool to share some of the other Repo’s that are related to ForgeRock as well.  There are some really cool scripts available for interacting with OpenAM, OpenIDM and OpenDJ.

These are freely available but not officially supported by ForgeRock or the developers of the scripts.  Just click on the person’s name to go to their GitHub repo.

OpenAM:

  • Brad Tumy (AuthNUser, checkEntitlements, listAgents *New API and Legacy API*, updatePolicy)
  • Simon Moffatt (Really cool interactive menu!)

OpenDJ:

  • Ludo Poitou (Some really handy utilities e.g.: logstat.py & filterstat.py)
  • Chris Ridd (Very handy utils e.g.: slowops: analyzes operation times in access logs)
  • Simon Moffatt

OpenIDM:

  • Simon Moffatt (Interactive mode menu for calling OpenIDM’s REST APIs)

Full OIS Stack:

  • Warren Strange (Ansible (like puppet) scripts for deploying the OIS stack to Vagrant)

I am sure there are other great repos that I have missed, so feel free to add them in the comments and I can update the post.

Disclaimer: These scripts have been very handy to me but YMMV.


For those about to Rock! … introducing the ForgeRock Identity stack introductory bootstrap “sequester special”


I am offering an introductory special to ForgeRock’s Identity (I3) Stack.  I am calling this the “Sequester Special”. The Federales are cutting back budgets and furloughing the Air Traffic controllers (cough … why not the TSA agents at the airport instead) but this is your chance to capitalize on that.

So what’s this all about?

You get to try out the  ForgeRock Open Identity Stack (**ForgeRock support license required for binaries used in a production environment**) and you get a  reduced rate on professional services … to ease those sequester blues.

Download the information sheet here.

Sequester Special | For those about to ROCK …

ForgeRock Open Identity (I3) Stack Bootstrap Package

Tumy-Tech’s Professional Services team provides services to assist you in successfully and rapidly implementing ForgeRock’s Open Identity (I3) Stack into your environment.  The end result? A working implementation of ForgeRock’s Open Identity Stack designed to introduce you to ForgeRock’s products as well as demonstrate several common configurations requested by your many customers.

The ForgeRock Bootstrap Package Includes:

  • ForgeRock Open Identity (I3) Stack installation 
  • User Identity Reconciliation from enterprise LDAP (or AD)
  • User Provisioning & Single Sign-On (SSO) to Google Apps
  • Just-In-Time (JIT) Provisioning & SSO to Salesforce.com
  • Customized Installation & Configuration Documentation


Components Included:

  • OpenDJ
  • OpenIDM
  • OpenAM

Customer Requirements:

  • Customer provided servers must meet ForgeRock product specifications.
  • Customer must have an existing Google Apps for Business (or Education) account.
  • Customer must have an existing Salesforce.com account (or developer.force.com).
  • Customer installation environment must have internet connection.
  • Cost does not include travel expenses. (Remote installations are recommended; however, we can provide on-site service if you prefer.  All travel expenses will be invoiced to customer.)


Disclaimers (the small print):

  • Use of ForgeRock binaries, in production, requires a license and subscription from ForgeRock.
  • Each product will be installed on up to one server in customer’s environment.
  • Tumy-Tech will use the most up-to-date, stable build publicly available.
  • OpenIDM will be configured to reconcile users from one existing LDAP (AD or LDAP) user store with up to 20 attributes mapped.
  • Typical bootstrap setup time: 2-3 days. (Additional requirements / use cases are welcome but may require additional time and cost.)

Call or Email our sales team, today, to schedule (240.215.4825 / info@tumy-tech.com)

Extending OpenAM Policy Service to support additional actions


I am wrapping up a crazy busy week.  Probably one of my most technically in-depth weeks in a really long time.  So what kept me busy?  Deep-diving into OpenAM’s Entitlements engine, learning about its REST interfaces and how to extend OpenAM to leverage custom service types.  I’ll explain later since I know you’re thinking, “Tumy … dude, what the heck is a service type?”.

Alright, let’s jump into it …

Entitlements are policies or rules that state what you (or any user) can and can’t do.  Sounds simple right?  In Information Security entitlements usually define what resources a user can access, how they can access them, when they can access them and so on.   A resource can be a web URL, a banking transaction, a database record, or frankly anything you might want to protect.  Typically entitlements are expressed through XACML http://en.wikipedia.org/wiki/XACML.  Entitlements are used in access control settings and used to define fine-grained authorization rules.    This is starting to become too much of an Entitlements 101 class so let me just jump into the hands-on stuff.

Ok, ForgeRock … in their OpenAM product they have an Entitlements engine which is essentially a Policy Management Point and a Policy Decision Point (Google is your friend if you don’t know what those things are).  Out of the box OpenAM supports a few different “service types” which are essentially a set of resources and their associated actions.  For example a web URL would potentially have the actions of “GET” and “POST”.  There are a couple of other service types too (a banking example and a few others).  But what happens when our resource is not a web URL and we want to have actions besides “GET” or “POST”?  What if we wanted to have resources defined as database table names and we wanted to have actions such as “READ”, “UPDATE”, “DELETE”?  (Update:  Starting in OpenAM Version 11.2 some of these additional actions are available out of the box.) We want to be able to create rules that either allow a user to read information from a specific table or deny their ability to read from a certain table.  Ok, hopefully you get the idea … if you don’t, email me and we can talk about it.  OpenAM has a great set of command line tools that you can use to interface with the product; these tools have also been “web” enabled on a JSP page which is accessible through the admin console (it’s disabled by default though).

To create this new service type there are a few steps we need to take:

  • Create a custom Application Type
  • Create a custom Service Type
  • Create a custom Application
  • Create the policy, using the custom service type

4 easy steps.

The Custom Application Type is a few lines that get imported.  Let’s assume that you have enabled the web ssoadm.jsp and have accessed it here:

https://am.host:port/openam/ssoadm.jsp

You would see the ssoadm.jsp page listing the available commands (screenshot omitted).

Do a quick search for “create-appl-type” and then click on it.

Fill in the form that is displayed with this information:

Application Type Name: BTPolicyService
actions=READ=true
actions=UPDATE=true
actions=DELETE=true
actions=ADD-ACCESS=true
resourceComparator=com.sun.identity.entitlement.URLResourceName
saveIndexImpl=com.sun.identity.entitlement.util.ResourceNameIndexGenerator
searchIndexImpl=com.sun.identity.entitlement.util.ResourceNameSplitter

This creates the set of actions that will be available for your resources of this type.  Save that and then you need to create the Custom Service Type.  This is created by modifying an XML file and then importing that file into a form that is similar to the one we just saw.
The service type provides a little more detail on the actions and sets the True/False values that will be displayed in the policy manager.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ServicesConfiguration SYSTEM "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
<Service name="BTPolicyService" version="1.0">
<Schema serviceHierarchy="/DSAMEConfig/BTPolicyService" i18nFileName="BTPolicyService" i18nKey="BTPolicyService">
<Global>
<AttributeSchema name="serviceObjectClasses" type="list" syntax="string" i18nKey="BTPolicyService"/>
</Global>
<Policy>
<AttributeSchema i18nKey="READ" name="READ" syntax="boolean" type="single" uitype="radio" >
<IsResourceNameAllowed></IsResourceNameAllowed>
<BooleanValues>
<BooleanTrueValue>true</BooleanTrueValue>
<BooleanFalseValue>false</BooleanFalseValue>
</BooleanValues>
</AttributeSchema>
<AttributeSchema i18nKey="DELETE" name="DELETE" syntax="boolean" type="single" uitype="radio" >
<IsResourceNameAllowed></IsResourceNameAllowed>
<BooleanValues>
<BooleanTrueValue>true</BooleanTrueValue>
<BooleanFalseValue>false</BooleanFalseValue>
</BooleanValues>
</AttributeSchema>
<AttributeSchema i18nKey="UPDATE" name="UPDATE" syntax="boolean" type="single" uitype="radio" >
<IsResourceNameAllowed></IsResourceNameAllowed>
<BooleanValues>
<BooleanTrueValue>true</BooleanTrueValue>
<BooleanFalseValue>false</BooleanFalseValue>
</BooleanValues>
</AttributeSchema>
<AttributeSchema i18nKey="ADD-ACCESS" name="ADD-ACCESS" syntax="boolean" type="single" uitype="radio" >
<IsResourceNameAllowed></IsResourceNameAllowed>
<BooleanValues>
<BooleanTrueValue>true</BooleanTrueValue>
<BooleanFalseValue>false</BooleanFalseValue>
</BooleanValues>
</AttributeSchema>
</Policy>
</Schema>
</Service>
</ServicesConfiguration>

In the above XML file, you should notice there are several spots where I have provided the name of the service (“BTPolicyService”, the same name used for the application type) and then the actions and their True/False values. In the ssoadm.jsp search for “create-svc” and then copy and paste this file into that form.

Next step and last step of the “extending” part of the process. So, in the ssoadm.jsp web page, search for “create-appl”. Click on this link and it will open a form very similar to the “create-appl-type” form. Enter the following information:

actions=READ=true
actions=UPDATE=true
actions=DELETE=true
actions=ADD-ACCESS=true
applicationType=BTPolicyService
resources= table://*
entitlementCombiner=com.sun.identity.entitlement.DenyOverride
resourceComparator=com.sun.identity.entitlement.URLResourceName
conditions=com.sun.identity.admin.model.DnsNameViewCondition
subjects=com.sun.identity.admin.model.IdRepoGroupViewSubject
subjects=com.sun.identity.admin.model.IdRepoRoleViewSubject
subjects=com.sun.identity.admin.model.IdRepoUserViewSubject
subjects=com.sun.identity.admin.model.VirtualViewSubject
subjects=com.sun.identity.admin.model.AttributeViewSubject
subjects=com.sun.identity.admin.model.OrViewSubject
subjects=com.sun.identity.admin.model.AndViewSubject
subjects=com.sun.identity.admin.model.NotViewSubject
conditions=dateRange
conditions=daysOfWeek
conditions=dnsName
conditions=ipRange
conditions=timeRange
conditions=timezone
conditions=or
conditions=and
conditions=not

Notice in the above form that I add the application type name and it matches the name we have used in the other configurations. I added the actions again and finally I actually define a resource. I personally like to describe the resource type in a URL style … I can use “table://” as my resource in the policy and that will help remind me later what type of resource that is. You don’t have to prefix your resources in your policy with that … it seems to be optional.

At this point you can jump back over to the OpenAM Admin console and create a policy based on this resource (screenshot of the policy editor omitted).

So, that’s pretty cool stuff … The entitlements engine is pretty robust, it’s fast and … it has a RESTful interface. I am going to do a deep-dive blog post on the RESTful services at some point but for now let’s just take a look at how you can evaluate an entitlement.

Evaluating a Privilege:

* ssoToken = Authenticated User’s Token
* iPlanetDirectoryPro = session cookie … admin users session token
* action = action user is attempting (GET, POST, READ, DELETE, etc)
* application = application type of policy (defaults to iPlanetAMWebAgentService)
* Subject (user attempting action … encoded session token)

curl -v -H "X-Query-Parameters: ssotoken:AQIC5wM2LY4SfczpL5a3M02ju3uyOd6iMj4zZvPZXB3BNQ4.*AAJTSQACMDE.*" -b "iPlanetDirectoryPro=\"AQIC5wM2LY4SfcxcPg_yUwYu-iQPHH663tv9AnoEEr6j_2k.*AAJTSQACMDE.*\"" "http://am.host:port/openam/ws/1/entitlement/entitlement?action=READ&resource=table://my_table_name&application=BTPolicyService&subject=4l18suAL/hXNCfzykwIlbV0WbtM%3D"

This will return a JSON formatted object:

{
"statusCode":200,
"body":{
"actionsValues":{"READ":"true","UPDATE":"false","DELETE":"true","ADD-ACCESS":"false"},
"resourceName":"table://my_table_name"},
"statusMessage":"OK"
}

You can create a policy that would return attributes, from the user’s identity record, along with this JSON object. There are also RESTful services that will just return an allow or deny, which is great if you don’t need as much information back.
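To show how a calling application should consume that reply, here is an added example (not code from this post or from ForgeRock): it builds the evaluation URL with proper percent-encoding of the subject and resource, and interprets the actionsValues map fail-closed, so a missing action, a non-200 status or the string "false" all come back as deny. The am.host:8080 base URL is a placeholder and the reply object is constructed from the shape shown above, not captured from a server.

```javascript
// Added example, not code from the post. Builds the entitlement evaluation URL
// and turns the JSON reply into a fail-closed allow/deny decision. The reply
// shape (statusCode, body.actionsValues holding the strings "true"/"false") is
// the one shown in the post; SAMPLE_REPLY below is constructed, not captured.

// URLSearchParams percent-encodes the subject hash ("/" and "=" in particular)
// and the "table://" resource, which the hand-typed curl command relied on
// being pre-encoded.
function buildEntitlementUrl(base, { action, resource, application, subject }) {
  const qs = new URLSearchParams({ action, resource, application, subject });
  return `${base}/ws/1/entitlement/entitlement?${qs.toString()}`;
}

// Fail-closed interpretation: anything other than an explicit "true" for the
// requested action is a deny. That covers a non-200 status, a missing body,
// an action that no policy mentions at all, and the string "false". Note the
// values are strings, so a truthiness check on "false" would wrongly allow.
function isAllowed(reply, action) {
  if (!reply || reply.statusCode !== 200 || !reply.body) return false;
  const values = reply.body.actionsValues || {};
  return values[action] === "true";
}

// Constructed sample reply in the shape the post shows for table://my_table_name.
const SAMPLE_REPLY = {
  statusCode: 200,
  body: {
    actionsValues: { READ: "true", UPDATE: "false", DELETE: "true", "ADD-ACCESS": "false" },
    resourceName: "table://my_table_name",
  },
  statusMessage: "OK",
};

// Offline run: build the request for the READ evaluation from the post and
// decide three actions from the sample reply (no network needed).
function demo() {
  const url = buildEntitlementUrl("http://am.host:8080/openam", {
    action: "READ",
    resource: "table://my_table_name",
    application: "BTPolicyService",
    subject: "4l18suAL/hXNCfzykwIlbV0WbtM=",
  });
  return {
    url,
    read: isAllowed(SAMPLE_REPLY, "READ"),     // explicit "true"  -> allow
    update: isAllowed(SAMPLE_REPLY, "UPDATE"), // explicit "false" -> deny
    drop: isAllowed(SAMPLE_REPLY, "DROP"),     // not in any policy -> deny
  };
}
```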

So, that was real high level and really basic but I hope that I gave you some ideas for the potential of this engine. Let me know if you have any questions or want to chat about it. Also, I am available on a consulting basis to help design or implement this in your environment.

Acknowledgements:

  • There were a bunch of people at ForgeRock that helped me out at various points through this.  You guys know who you are … I’ll leave your names out so that you don’t get bombarded with requests.
  • Also, there were a few non-ForgeRock guys that went through this last year and gave me some pointers along the way.  Thanks!
  • And finally … to the guys that did this first at Sun.  Thanks for building this stuff and documenting it.  I am thankful that those web pages that you created haven’t vanished yet.