I will be away for a week taking in some sunshine and some much-needed rest.
I found the following blog an interesting read. It discusses the changing approach to identity and access management brought about by the adoption of cloud technology:
http://www.identropy.com/blog/bid/85441/The-2012-IAM-Playbook-Part-1-of-3
The season is over and Arsenal limped into third place with a great deal of help from West Brom’s dodgy keeper.
The game followed a familiar pattern. Arsenal scored, West Brom equalized and then took the lead. I was so certain that this was going to happen that I didn’t even get upset I just wondered whether we’d have the bottle to fight back and win the game? We did but it was a close run thing.
Why does Arsenal concede so many goals? The goals conceded over the last five years doesn’t make for pleasant reading: 31, 37 , 41 , 43 and 49. It’s obvious that our defending is getting worse but nothing has been done to rectify the problem.
Are our defenders really bad? Actually I don’t think so. Individually, we have some good defenders the problem is that collectively we have a bad defense. Does anyone actually practice defending at Arsenal? The emphasis seems to be on attack with our defenders regularly in advanced positions in midfield and attack. This is borne out by the number of times our defenders are caught too far forward allowing the opposition to launch rapid counter-attacks that often result in a goal conceded.
I’ve come to the conclusion that any team in relegation trouble hope to play Arsenal. The game plan is simple. Drop deep and defend around the penalty box, get in the Arsenal players faces and don’t allow them time on the ball, have a couple of players hang around just inside the half-way line then wait for a misplaced pass or interception. With all of the Arsenal team camped inside the opposition half a quick pass up-field and Arsenal are in trouble.
It’s a tactic the teams from Manchester United to Wigan to QPR have used over the years but we continue to fall for it and concede stupid goals. This wouldn’t happen if the defenders were told that their primary task is to defend and they were disciplined enough to know when to go forward and when to hang back. The hope is that Steve Bould will help to instill this mentality into our defense to alleviate this problem.
As for the attacking side of Arsenal’s game, in a nutshell it’s predictable. Passing the ball from one side of the pitch to the other is not going to break down a well-drilled team. When playing against teams that bring most players back to defend the penalty area it’s very difficult to find the pass to open them up and it’s even more difficult to find the room for a strike on goal. Alex Song is a good passer of the ball but he’s not the type of player we need trying to open up a defense. His problem is that he gets the ball, looks up then makes the pass. By the time he makes the pass his intentions have been read by a defender and the pass is more often than not cut out. We need a player who can see the pass before he gets the ball and has the skill to make the pass immediately he gets it, you know someone like Cesc Fabragas except we sold him and didn’t buy replacement. Mikel Arteta has been badly missed the last few games because, whereas most of our passes from midfield are easy to read, he moves the ball on quickly when he gets it giving defenders little time to read in intercept the pass.
Talking about Alex Song, he needs to be reminded that he’s a defensive midfielder not a play-maker.
With the right mix of players I think we would be able to open up any team. Barcelona plays a very similar way and they have to overcome the same problems. However, they vary their attacks and have Lionel Messi who has good close control and can ghost past players to make room for himself or others. The closest player we had that could give us this type of attacking variety was Samir Nasri but we sold him and didn’t get a replacement. With both Fabregas and Nasri gone we were left with midfield players who were pretty much alike. Very few of them can carry the ball and individually hurt the opposition and we don’t have anyone who has the vision to make the killer passes. Consequently, we struggled against teams at the bottom of the table because they were quite happy to defend deeply and hit us on the break.
The upcoming transfer window is going to be interesting. It will give us an insight into Arsene Wenger’s ambitions for next season. If he sits on his laurels again and doesn’t shake up the squad then it shows that he’s content just to continue trying to qualify for the Champions League and is not interested in competing for the title or actually winning the Champions League. I don’t include the domestic cup competitions because with a bit of luck anyone can win those.
If he brings in players that will give some more variety to our attack, buys a defensive midfielder who will play defensive midfield and addresses our defensive attitudes then I believe we’ll be on the right track to competing with the Manchester clubs and Chelsea. Even though those three clubs will be spending a lot of money in the summer at least two of them (Manchester United and Chelsea) currently depend heavily on players in their mid to late thirties so a good portion of their budgets will be spent buying players to replace them. We have the opposite problem, we need to bring in more experience.
I honestly believe we have the core of a very good squad. If the mix of the squad regarding experience and youth is improved then I think we can compete. However, if we follow the route of waiting for players such as Abu Diaby to come back (how many games did he play this year before getting injured again?) we will go back to our annual cycle of injury crisis followed by a mini revival followed by struggling to get results from February to the end of the season. Only this time if the teams around us get their act together we won’t qualify for the Champions League.
OK, next post it’s back to the day job.
I’ve met with several prospective customers recently who are interested in cloud technology such as Software as a Service (SaaS) but want to know how to implement identity and access management.
Enterprises often use products and services from various cloud providers who need to have their own identity store for policy, access and authorization. Consequently, there is a need for identity synchronization and provisioning mechanisms between the enterprise and the SaaS provider.
The answer is to either find a vendor who has created a solution for the problem such as Radiant Logic or create a custom solution by integrating with the SaaS vendor’s API. Different cloud vendors expose custom provisioning APIs which require enterprises to develop and maintain proprietary connectors to integrate with them.
There is a new initiative driven by Google, salesforce.com and Ping Identity called SCIM (Simple Cloud Identity Management). It is an open standard which defines a comprehensive REST API along with a platform neutral schema and a SAML binding to facilitate the user management operations across SaaS applications placing specific emphasis on simplicity and interoperability. SCIM gives cloud application providers a consistent and simple way to manage their identities in their cloud application as well as other clouds.
There is already a provisioning standard called Service Provisioning Markup Language (SPML) but the industry hasn’t adopted it. SPML was developed for the enterprise provisioning market and while many identity management vendors support sending and accepting SPML requests, few support SPML as their API for provisioning. As a result most integrations from IAM vendors still use the vendor API which, as with cloud vendors, varies from vendor to vendor.
Will SCIM be adopted by the major cloud vendors? Only time will tell.
In the meantime, if the customer doesn’t want to purchase a third-party solution, we’re left with working with the vendors APIs and uploading accounts in a format that they can understand. If the service is exposed as a web service over SSL then data can be sent this way or it may be as simple as setting up a secure connection with two-way authentication and bulk uploading provisioning information. Security can be further enhanced if the cloud solution can be configured to only accept connections from specific hosts. Not very neat or scalable but it gets the job done
I’ve been quietly fuming over the last few weeks because of the pigs ear that Arsenal have made of getting the points necessary to gain automatic qualification to the Champions League.
I’ll wait until after Sunday’s game before discussing further.
This is the final installment of the discussion about deploying OpenSSO in a high availability configuration across two data centers.
In the previous installment OpenSSO was configured as two separate sites one for each data center.
The load balancer in each data center is configured to connect to both the local and remote OpenSSO servers.
They are configured to communicate with their local OpenSSO servers by default and route requests to the remote servers if both local OpenSSO instances are down. Session stickiness settings are configured in both load balancers across all OpenSSO servers in both data centers.
The main benefit of adopting this configuration is to reduce the amount of back channel server-to-server communications. Since all load balancers can connect to any OpenSSO server in both data centers it’s not necessary to route traffic via an OpenSSO server during fail-over as is the case with the previous configuration.
The OpenSSO configuration to implement this solution is:
The following use cases describe what happens during fail-over with this configuration.
These use cases assume that the user session is initially created on Svr1 via LB1 and that fail-over occurs when ClientA tries to validate the user session later on.
OpenSSO out-of-the-box provides service fail-over to address the requirement of infrastructure redundancy within data centers and session fail-over to achieve state redundancy within each deployment site. In most cases these HA product features are sufficient. However, there are sometimes requirements for cross-site session fail-over. Although this feature was not added to OpenSSO before the Oracle purchase of Sun MicroSystems the product itself can be configured to meet this requirement with a special OpenSSO Site configuration as described in these posts.
The potential performance impact with both presented solutions depends on the network bandwidth in the WAN environment. This is because a large number of cross-site communications is expected to occur between the data centers.
This is the second part of the discussion about deploying OpenSSO in a high availability configuration across two data centers.
Although, I’ve not tested these configurations with OpenAM I believe they should work.
The environment consists of two independent data centers, each of them having two OpenSSO instances deployed in an HA configuration behind a load balancer.
This configuration limits the load-balancer in each data center to connect only to the OpenSSO servers in the same geographical site. This avoids having to make the local load-balancer aware of the other OpenSSO servers in the remote data center and simplifies the deployment. However, in the case of a fail-over, this configuration increases the possibility of back channel communication between the OpenSSO servers in the two data centers.
The OpenSSO configuration to implement this solution is:
The following use cases describe what happens during fail-over with this configuration.
These use cases assume that the user session is initially created on Svr1 via LB1 and the fail-over occurs when ClientA tries to validate the user session later on.
The OpenSSO IRR logic will also identify when the primary server hosting the user session is back in service and resume routing traffic to it.
The definition of high availability varies depending on the context but in general it covers infrastructure and state redundancy. Both of which are provided in OpenSSO.
A customer required OpenSSO to be deployed to provide high availability between two data centers with the following high-level requirements:
In order to meet the requirements described above network connectivity between data centers had to be allowed for the message broker and for the back channel communication between the OpenSSO servers located in the data centers. In addition, because of the potential performance impact of the proposed solutions, it was important that there was good network bandwidth between the data centers.
It is important to note that with either solution there would be a lot of cross-site communications whether or not fail-over occurred. This was because session fail-over was to be configured across both data centers and so every session write would result in a message call to the remote Berkeley Database component.
The next two posts will describe the proposed solutions.
This is a post from one of our FAQs.
It’s sometimes necessary to change the OpenSSO server instance information such as the host-name or port number.
This can be achieved as follows:
That’s it.
In recent posts I have been a bit pessimistic about Arsenal’s chances of finishing in the top four, mainly because of the team’s recent history of fading in the latter part of the season and bottling the big games.
What a difference having a few experienced players in the team makes.
Players approaching or over 30 that Arsene wouldn’t normally touch with a barge-pole have proved their worth this season. I’m thinking of the likes of Arteta and Rosicky who, although not blessed with the ability of the departed Fabregas and Nasri, have added some steel, drive and experience to the Arsenal team and given the younger players someone to look up to. It’s been such a success that Arsenal are now favourites to finish third after a horrid start to the season and the papers are suggesting that Arsene has his eye on one or two more older players such as Fulham’s Clint Dempsey.
If only Arsene had had this epiphany two or three years ago who knows what success we might have had instead of always being ‘So close‘.
I was recently asked to recommend an Open Source identity management solution by a customer who uses OpenAM for access management.
I have experience with Oracle Identity Manager and Oracle Waveset (formerly Sun Identity Manager) but have never looked at an Open Source alternative.
I decided to take a look at OpenIDM.
I created a virtual server in the lab and set about creating a test environment. OpenIDM is installed by unpacking the contents of the .zip file into the install location. It runs in its own Felix container which is part of the installation so it’s not necessary to install an HTTP server.
It’s recommended that the default OrientDB repository be replaced with a JDBC repository when running OpenIDM in production so I installed MySQL and created a database for OpenIDM by
Following the installation documentation I found this a straightforward process that took very little time. At this point installation was complete but I ran into my only problem when I tried to start the service because the script threw reams of Java runtime errors. I was able to determine the cause from the logs, I hadn’t added the Java bin directory to the path so the startup script couldn’t find the Java commands that it needed. Once this was rectified OpenIDM came up without any more problems.
With the application up and running I tried to work out how to bring up the user interface but was disappointed to find that there isn’t one. Reading through the documentation I found that a UI is currently under development and, for now, administration is done from the command line.
I looked at alternatives but found that there aren’t as many options as I thought there would be and they are in various stages of maturity. My main concern with some such as OpenIAM is that they’ve been around a while but there is not much traffic on the forums which suggests they are not widely deployed.
An alternative that I did find interesting is Evolveum’s midPoint.
Having never heard of Evolveum before I decided to take a look at their background and was surprised to learn that midPoint is based on the unreleased version 1.7 of OpenIDM. I won’t go into the history but if you’re interested Evolveum explains it on their website here. Suffice to say that midPoint is based on traditional Identity Management technologies whereas OpenIDM 2.0.x uses a much newer approach.
The current version of midPoint (Release 1.10 code-named Phoebe), however, can only be used for demonstrations, proof of concept or very small deployments because it only support 500-1000 users.
I intend to evaluate both products.
However, I don’t believe that either can be recommended to my customer at the moment.
I’m currently working on a contract in which the holy triad of security (Confidentiality, Integrity and Availability) is of paramount importance.
Oracle OpenSSO and Waveset provide the access control and provisioning aspects of the project configured for high availability and fail-over. In addition to performance metrics other deliverables include security vulnerability testing and remediation.
I found the following Security Week case study very interesting because it suggests that security testing is the exception rather than the rule for many web sites.
I got my results today by email and I passed.
Now I need to be endorsed by a credentialed endorser, update my resume and send them off to ISC2.
Shortly thereafter I’ll receive my certificate and all those hours of taking practice exams will have been worth it.
Whoohoo!!!
