Sun puts its money where its mouth is with OpenDS and OpenSSO
It was over a year ago when I
commented on Sun's initial foray into open source identity management with the Open Web Single Sign-On (OpenSSO) project. Now more than a year later, whilst I was braving the British summer under canvas on the south coast, the project has been formally launched. Sun has been true to its word with OpenSSO and is releasing the source code for significant chunks of its Java System Access Manager required for web-based single sign-on, including session management, policy and federation as well as administration capabilities. I have seen nothing at the OpenSSO
project site to change my original analysis:
This is a smart move by Sun. First, it continues the ‘participation age’ theme promoted by COO Jonathan Schwartz and manifested in its recent rebranding. Second, whilst web single sign-on is valuable both in terms of simplifying the user experience and easing user administration, the real opportunity lies in user provisioning, federated identity management, auditing for compliance etc. Eric Leach, a Sun product manager is quoted as saying “"The idea is that we're going to give developers the tools they need to build basic security into their internal Web infrastructures without additional cost,". In other words, OpenSSO provides customers with a free platform for Intranet-based single sign-on from which Sun can then build with its suite of identity management products offering higher value identity management capabilities.Irrespective of Sun's motivations, organisations with any reasonably significant identity management initiative should dedicate at least a small amount of resource to investigate the project. Whether or not that investigation leads to deployment (and who knows, even contribution!), organisations that make that small investment should enhance their understanding based on exposure to what is a comprehensive and well-proven product in Access Manager.
But Sun didn't stop there. The company has also announced the
OpenDS directory service project. Following the same logic as with OpenSSO and Access Manager, I assumed that OpenDS is the open sourcing of Sun's Java System Directory Server. My assumption was wrong! Whilst OpenDS sets out to deliver a similar set of capabilities:
The directory service includes not only the Directory Server, but also other essential directory-related services like directory proxy, virtual directory, namespace distribution and data synchronization. The Directory Server is a network-accessible database that is able to store information in a hierarchical form. Clients may communicate with it using standard network protocols (at present LDAP and DSML are supported) to retrieve and update information in a variety of ways. the project is starting from scratch. It is not exploiting its own Directory Server code base or other open source directory server initiatives, such as
OpenLDAP,
ApacheDS and
Red Hat Fedora Directory Server. The
project FAQ provides some justification for these decisions, which can be boiled down to a combination of scope, licensing and implementation language.
OpenDS is a very ambitious undertaking, extending as it does beyond the core identity data repository to provide capabilities, such as virtual directory and data synchronisation, required for the identity data management layer I discuss in
our identity management report. It's going to be years, rather than months, before the project is completed, so it comes as no surprise that Sun will continue to develop Directory Server and does not anticipate releasing any products based on OpenDS for at least 18 months (and even then they won't be part of the Java Enterprise System).
My thoughts on OpenDS mirror those for OpenSSO. It furthers the company's open source commitments whilst providing a foundation for its higher value identity management suite and is something which organisations should at least investigate.
As I have previously discussed
here,
here and
here, there's an awful lot of open source activity in the world of identity management, what with Higgins, Bandit, Heraldry and OSIS. It will be interesting to see where these projects from Sun fit. The fact that Higgins (elements of which are part of Bandit) is an Eclipse project certainly won't make things easy with Sun dogmatically pursuing its NetBeans alternative.
