SSO

The following write up covers the results of some research I did for work regard SSO. The purpose was to give a brief high level report of what I had been investigating. It was not meant to cover all technologies investigated or implementation strategies in depth. I thought it might be of some use. This study was done in January of 2008.

SAML SSO Solution

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between security domains. SAML is used to try to solve the Web Browser Single Sign-On (SSO) problem, which is finding a way to allow a user to use several different services without needing to log in several different times with different usernames and passwords. The main componenents of a SAML solution are a service provider, which provides SAML assertions, and an identity provider, which consumes SAML assertions. The Service Provider and Identity Provider are configured to know that they can trust each other.

A SAML Assertion contains:

•  A packet of security information consisting of header information. The header contains the name of the identity provider and other information such as issue and expiration dates. 
• The name of the subject.
• One or more statements.  The two most important statement types are authentication statements and attribute statements.

A principal (often the user) must be enrolled with an identity provider. The identity provider is expected to provide local authentication services to the principal. The identity provider can use any method it wants for authentication, such as LDAP or Active Directory. The principal always communicates with the Service Provider to determine authentication. If the principal is not authenticated, the Service Provider will redirect the principal to the Identity Provider. The Identity Provider will log the principal in, commonly by displaying a log in page shared by all services. Once the Identity Provider has authenticated the principal, it will create an assertion that is provided to the Service Provider. The Service Provider will provide an artifact, which may be used to obtain the assertion, to the the principal. Of course, failure to authenticate the user will provide in failure to obtain access to the server. This allows Single Sign On Functionality, as any principal from any domain can authenticate themselves through Service Provider calls. A domain can check the status of a user by providing the SAML artifact and examining the resulting SAML assertion. More commonly, the Service Provider will redirect the principal to the service they requested after the Service Provider determines the principal is authenticated.

In addition to SAML, the Liberty ID-FF standard was investigated in addition to SAML. Liberty ID-FF is an extension to SAML version 1.0. Its primary difference is that it provides what Liberty called a circle of trust, which allowed policies to be defined to let domains know they can trust each other. SAML version 2.0 represents the convergence of Liberty ID-FF and other proprietary extensions, as well as early versions of SAML itself.

Sun Access Manager

Sun Access Manager was the first application I evaluated as a SAML Service Provider and Identity Provider. Tutorials proved to be difficult to follow and many supporting technologies were required to use Sun Access Manager for SAML purposes. Ultimately, I switched to the newest version of Sun Access Manager, which was OpenSSO. OpenSSO was not only being actively developed, but it already contained the supporting technologies Sun Access Manager had required for SAML.

OpenSSO

OpenSSO is Sun's open source access management and federation server platform. It is configured via an admin web interface and contains a rich Java API. The Java API defines communication between clients and OpenSSO. The Java API also contains interfaces so that developers can design plugins, or modules, to OpenSSO. The downside to OpenSSO is its complexity and flexibility. OpenSSO is so huge and does so much that it takes a lot of time to learn about it, despite only needing to do one small thing. OpenSSO is a combination of several different Sun Technologies and so has a very large amount of documentation. OpenSSO is also fairly new, although its underlying technologies are not, which make it difficult to find independent tutorials. Sun's OpenSSO documentation can be found at http://docs.sun.com/app/docs/coll/1767.1.

Authentication Service

The Identity Provider provides authentication. The identity provider to be used was OpenSSO, which provides authentication services through plugins. Three built-in plugins included LDAP, Active Directory, and OpenSSO's internal data store. There were many other plugins along with an interface to create custom authentication plugins. This provided confidence that OpenSSO could interact with any client's authentication service. LDAP, Active Directory, and OpenSSO's internal store were all investigated so that they could be used for flexibility demonstration purposes. Tutorials were found for all three services and all authentication services were set up successfully.

An SSO Solution

The identity provider will be OpenSSO. This will require an authentication service to be configured and populated. OpenSSO will also need to be configured as an identity provider. No plugins will need to be written unless the authentication service chosen to be used is not supported, which is an unlikely case.

The Service Provider can be either OpenSSO or a custom server. Creating a custom server would give a project more control, but would require writing code to parse SAML artifacts and assertions, as well as code to communicate with the Identity Provider. The SAML specification is not trivial, so this would be a lot of work to do correctly. It would probably be easier to use OpenSSO as the service provider. This would likely require writing OpenSSO plugins to circumvent certain redirections. This will also require a lot of OpenSSO configuration.

Code will also need to be written to retain artifacts, transport artifacts, and communicate with Service Provider to obtain assertions. Code will also need to be written to parse assertions, but this will most likely be accomplished through the OpenSSO API.

Weblinks

The following is a brief collection of web urls with information to help someone to implement the strategy described in the SSO Solution section.

A Good Overview of SAML: http://en.wikipedia.org/wiki/SAML
Directions to using OpenSSO as an IdP with Google as an SP, which will allows you to set up a working demonstration:
http://blogs.sun.com/wahmed/entry/how_to_federate_with_google
Directions to configuring OpenSSO as an SP: https://www.enterpriselab.ch/wiki/doku.php?id=public:opensso_sp_shib20_idp
OpenSSO SAML API: http://docs.sun.com/source/820-3739/index.html

Open SSO Token

Although the SAML approach is viable, it would take too much time to implement at this point in time. The introduction of a Service Provider and an Identity Provider would have added a significant amount of work, time spent debugging, and time spent spent documenting, especially in conjuncion with OpenSSO. A much less time consuming approach would use OpenSSO Tokens through the OpenSSO API. In this approach, only one OpenSSO instance is required. The OpenSSO instance will consume authentication requests and provide OpenSSO Tokens. It will also consume OpenSSO Tokens to provide OpenSSO assertions, which are collections of information about the principal whose authentication produces the OpenSSO token. Using the OpenSSO Token is a much simpler Single Sign On solution.

The downside is that SAML is a standard where the OpenSSO Token is not. However, using the OpenSSO Token still allows interaction with whichever authentication service a client is using. Furthermore, SAML functionality could be added given more time.

Learning Programming

My advice to a friend who wanted to learn about programming:

Honestly, for beginning programming, the best thing to do is to think of something you want to make and then try to make it.  I started with websites.  Books can sometime take the fun away from learning and learning because of passion is really the best way to go.

But if you want a guide, I think eloquentjavascript is a pretty good, easy to get into, thorough, interactive beginners book.  It uses Javascript, which is generally used to make web pages interactive, but is a full language on its own.  There's a bar at the bottom of the page you can click to open up a console, in which you can type and execute code.  The book is pretty easy to understand, yet covers the basics pretty well.  I would probably recommend this book the most: http://eloquentjavascript.net/contents.html

I read through this book on Ruby (which is recently popular for building the back end of websites) before and I liked it a lot.  Ruby is a very fun language to use and this is one of the more straightforward beginner's guides out there for any language: http://www.ruby-doc.org/docs/ProgrammingRuby/html/index.html

The book I mentioned when you came up is K&R's C Programming Language.  It covers C, which is an important language mostly used today for applications that require excellent performance.  The book is very, very good, but it's a lot more difficult to work through because of the nature of C and also the difficulty of getting C programs to run on your machine.  Because it's C, you get into the nitty-gritty of things kind of too early. This is a great book and more important than the ones above, but it's probably best to work through at least one of the two books I listed above first: http://www.iu.hio.no/~mark/CTutorial/CTutorial.html

The language you start out with doesn't matter much.  You can think of Programming Languages like web browsers... they all really do the same thing, but in slightly different ways.  You can also think of languages like tools, you use different ones depending on the job you want to do.  Sure you can use a hammer to get a screw in, but it's not the best way of doing it.  Which language you start out with doesn't matter, but you might make your choice depending on what type of thing you want to program.  Javascript/HTML/CSS/Flash for front end websites, Ruby/Perl/Python/Php for back end websites, C/C++ for high performance applications, Java for business applications, Scala/Haskell/Lisp/Schema for algorithmically complex languages.

Good luck learning.  Maybe read two chapters from each book and decide which path you want to take.


P.S:  As for my favorite beginner's guide... probably this one: http://mislav.uniqpath.com/poignant-guide/.  It's probably way too absurd and time consuming to be an actual good programming guide, but it's certainly fun.

Extended Cron

I wrote a Reminder/Notification program for Windows called Reminder 19 (you can check it out at http://reminder.relic19.net.)  I wanted to be able to cleanly define many different kinds of alert schedules and decided to use cron as my starting point.  I ended up extending the format because I wanted to have things like time delayed alerts and a year field.  This is the format I came up with... I think it's pretty expressive.  The only way I think it would be more expressive is if I added conditional alerts (for example, an alert should be shown on the 31st if the month has 31 days, otherwise it should be shown on the 28th).

Format 1: Advanced Schedule By Dates and Times
  +------------------ minute (0 - 59)
  |  +--------------- hour (0 - 23)
  |  |  +------------ day of month (0 - 31)
  |  |  |  +--------- month (1 - 12)
  |  |  |  |  +------ year (number between 1700 and 9999)
  |  |  |  |  |  +--- dayOfWeek (0 - 7, 10-17, 20-27, 30-37, 40-47)
  |  |  |  |  |  |  + optional command and parameters
  *  *  *  *  *  *  *

Each of the patterns from the first six fields may be either a single in range number, * (the asterisk character, which means the field matches all legal values), or a list of in range numbers separated by commas (such as 2,3). There may be no spaces following commas and fields may not end with a comma.  There is also an optional special seventh field.

The hour field (field 1) is specified using the 24-hour format.  0 is 12 AM, 4 is 4 AM, and 15 is 3 PM.

The month field (field 4) is defined as a number, where 1 is January and 11 is November.  Alerts will not be shown for non existent days, such as September 31.  Please note that an alert will not show on September 30 instead.

For the day of the week field (field 6), both 0 and 7 are considered Sunday.  The dayOfWeek field can be two digits, where the first digit represents its position in the month and the second digit is the day of the week.  For example, 31 would mean the third Monday of every month.  A position of 0 means every postion, so 03 means every Wednesday.  In deciding the next wake up time between, for example, the 1st and 31st, the soonest wake up date is chosen.

An alert is shown when the time/date specification fields all match the current time and date. There is one exception: if both "day of month" and "day of week" are restricted (not "*"), then either the "day of month" field (field 3) or the "day of week" field (field 6) must match the current day (even though the other of the two fields need not match the current day).

The command field (field 7) is completely optional.  If it is present, then an attempt will be made to execute the command.

Example 1:
00 16 1,2,31 2,3 2008 1,45
This alert specifies the following date and times:
February 1, 2008 at 4:00 PM
February 2, 2008 at 4:00 PM
February 4, 2008 at 4:00 PM (A Monday)
February 11, 2008 at 4:00 PM (A Monday)
February 18, 2008 at 4:00 PM (A Monday)
February 22, 2008 at 4:00 PM (The fourth Friday)
February 25, 2008 at 4:00 PM (A Monday)
March 1, 2008 at 4:00 PM
March 2, 2008 at 4:00 PM
March 3, 2008 at 4:00 PM (A Monday)
March 10, 2008 at 4:00 PM (A Monday)
March 17, 2008 at 4:00 PM (A Monday)
March 24, 2008 at 4:00 PM (A Monday)
March 28, 2008 at 4:00 PM (The fourth Friday)
March 31, 2008 at 4:00 PM (The 31st and a Monday)

Example 2:
00 4,16 * * * * "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ? http://www.google.com
Every day at 4 AM and 4 PM, an instance of Internet Explorer will be launched that navigates to http://www.google.com.


Format 2: Advanced Schedules by Time Delays
  +------------------ the start minute (0 - 59)
  |  +--------------- the start hour (0 - 23)
  |  |  +------------ the start day of month (0 - 31)
  |  |  |  +--------- the start month (1 - 12)
  |  |  |  |  +------ the start year (number between 1700 and 9999)
  |  |  |  |  |  +--- increment in minutes (+[number of minutes to delay])
  |  |  |  |  |  |  + optional command and parameters
  * * * * *  *  *

No field in this format may be * (an asterisk character.)  Field 7 (the command field) is optional, but all other fields must be defined.

Each of the first 5 fields must be a single number in the specified ranges.  They will be used to define the start date.

The hour field is specified using the 24-hour format.  0 is 12 AM, 4 is 4 AM, and 15 is 3 PM.

The months are defined as number, where 1 is January and 11 is November.

For "increment in minutes" field (field 6), a non-negative number must be specified, prefixed by a '+' character.  The number represents the number of minutes to wait between alerts.  For example, +59 means that the alert will be triggered every 59 minutes after the start date.

The command field (field 7) is completely optional.  If it is present, then an attempt will be made to execute the command.

Example 1:
00 00 31 3 2008 +30
This alert will be shown every 30 minutes after March 31, 2008 at 12:00 AM.  So the first alert will go off at March 31, 2008 at 12:30 AM, the next alert will go off at March 31, 2008 at 1:00 AM, and so on.

Example 2:
00 00 31 3 2008 +60 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ? http://www.google.com
This alert will be shown every 60 minutes (one hour) after March 31, 2008 at 12:00 AM.  So the first alert will go off at March 31, 2008 at 1:00 AM, the next alert will go off at March 31, 2008 at 2:00 AM, and so on.  Whenever an alert goes off, http://www.google.com will be launched in Internet Explorer.

Decoding Text Formats

Occasionally, you're get text documents in different formats.  I'm a plain text kinda guy.  I like that it's really flexible.  Anyway, here's a list of decoders I used.  These have been virus and functionally tested.

CHM Decoder (CHM to HTML) - It's useful to me because sometimes the text is too small to read on a CHM and there's no nice way I know of to increase the font size.  You can download it at: http://www.shareup.com/CHM_Encoder-download-26404.html

CLIT (LIT to HTML) - I found a similar program to convert LIT files to HTML.  Although it has a slightly unfortunate name, it works really well.  You can download it at: http://www.convertlit.com/download.php

ReNamer

I wanted to replace a lot of text in filenames without any hassle, so I quickly looked for a program to do it for me.  The first program I tried worked perfectly, had no installation process, and had a "no install" version (the archive version.)  So, if you need to rename files easily, I suggest giving this a program a try.

Try out ReNamer

C# Notes

I made a stupid C# mistake today. In the constructor of my form, I had an OpenFileDialog.Show() call (to get the name of a file to operate on.) When I ran the program, the OpenFileDialog would show as expected. But after I pressed okay, the main application would not be the focused window.

It took me too long to figure out that since I was calling OpenFileDialog in the constructor, the Application wasn't initialized yet and so the OpenFileDialog.ShowDialog() was using another window as its parent. Using the call OpenFileDialog.ShowDialog(this), where this is the current form, made everything work as expected.

Another problem I had was not being able to exit the program by calling Application.Exit() in the constructor. Apparently, the Application isn't initialized before the constructor returns. So I'd either have to throw an exception for whoever is calling Application.Run() or else use the Environment.Exit(). I went with Environment.Exit()... not sure if there's any reason not to.

I spent a long time trying to figure out why I couldn't set an item as selected for a ListView by setting the Select property to true. Apparently, you're supposed to call ListView's Select method. I should look into this more.

More:

Use the Shown Callback in forms if you want to do stuff to controls outside of the contstructor but before things really start running. In the constructor, there are no event handlers and you can't exit the application without using Environment.Exit.

If you want to use a checkbox in a list view, that is built in. If you're listening for items checked, make sure you don't add the ListViewItem to the list until the checked value is correctly set.

When I first started .Net development, I couldn't get the KeyDownEvent listener to work for my form. It turns out I forgot to change the form's KeyPreviewProperty to true.

iPhone Pains

Man, at this point I wish I had gone with an Android phone instead of an iPhone. But I have too much time and money burned (NOT INVESTED) on the iPhone to make it worthwhile. My laptop died last month (I think Taiwan's summer destroyed its ability to stay cool.) I used that laptop to sync with my iPhone and because of the way the iPhone is designed, I needed to resync with iTunes on a new computer, which would delete all my music and playlists. Luckily, the hard drive from my busted laptop was still good so I could get my music. Otherwise, I would need to spend A LOT of time looking for safe, trustworthy programs to get my music off my iPhone. I've heard they exist, I just don't want to spend the time figuring out what they are and how to use them safely.

So I needed to copy all the music from the laptop onto a new computer. I ended up using an old Mac Mini I had lying around, (might as well find a use for that expensive lesson on how I do not enjoy developing iPhone software in my freetime.) I needed to figure out how to copy all my playlists (hint: figure out where your iTune's library.xml file is and import it. Use some text editing software and do a "replace all" on your music directories from your old computer to where they live on the new computer.)

I spent an entire evening doing all of this, which was really annoying. I really, really wish I didn't have to jump through all these hoops to add new music or to sync other items with my iPhone. While the iPhone is pretty, using it requires so much awkward hoop jumping that one day, I know I'm just going to give up on it.

Advice to a man for a successful marriage

Okay, today I'm going to share one of the secrets to a successful marriage (for the husband.) This secret was passed down to me by a wise former boss of mine. Here's what he told me:

"At some point, especially in the beginning of marriage before she learns better, she will inevitably ask you to make a choice. This should be your most frequent response:

1. Slowly look over each choice. You don't have to really care, but it needs to appear like your thinking about them.
2. Pause until the count of 3.
3. Ask her what she thinks. She will have an opinion. You must make her voice it.
4. Reply: Y'know, that's what I was leaning for too. Let's go with that one."

This works very well, just don't be too obvious. And remember, in an argument, it's not a question about who is right or who is wrong. It's just about who cares more. I read that from Scott Adam's blog, and although I don't always agree with him, I agree with him in that.

(Yes, in case you're worried, there's loads of sarcasm in this entire post, Maybe. Ha ha.)