Sun ONE Identity Server 6.0

scubacuda points to this article at The Register, about "what is believed to be the industry's first identity server based on Liberty Alliance Project specifications for federated network identity (date sheet here). Other reports of Sun's release: eWeek, Information Week, Computer World, & Y!"

supported

[RobertTaylor]

System Requirements

Supported:

Sun Solaris[tm] 9 and 8 Operating Environments for 32- and 64-bit UltraSPARC®
Microsoft Windows 2000 Server, Service Pack 2 or later
Microsoft Windows 2000 Advanced Server

What? No Epoc? ;)

(btw, FP?)

Re:supported

[Anonymous Coward]

And it runs on linux.

from the article:
Platforms supported are Solaris 8, 9 and x86, Red Hat 7.2 (6.1 only) and Windows 2000

So, I hope its clear to everyone that it runs on Red Hat 7.2 (6.1 only) too!

Re:supported

[abdulwahid]

So, I hope its clear to everyone that it runs on Red Hat 7.2 (6.1 only) too!

I think you'll find they mean that only version 6.1 of the Identity server will be supported under Redhat Linux 7.2 and this version 6.0 doesn't actually support Linux at all.

Re:supported

[mcbridematt]

Heck, you need to learn reading official product specs are the most reliable source of info on a product and if that ain't true, just call your lawyer. On the Sun Website [sun.com], it says and I quote:
"Supported:
* Sun Solaris[tm] 9 and 8 Operating Environments for 32- and 64-bit UltraSPARC®
* Microsoft Windows 2000 Server, Service Pack 2 or later
* Microsoft Windows 2000 Advanced Server
".
No linux, no Solaris x86, no Windows Whistler/XP, no Longhorn XP Alpha, no FreeBSD, NetBSD, OpenBSD, no Minix, no MicroBSD, no IRIX, no OpenUNIX, no Windows 2003 RC1/2. The list goes on.

What about DDOS support?

[trezor]

So it isnt supported on Micrsofts newest DDOS platform? Disappointing, really :)

Re:Wow.

[serber]

Single-Sign-On is one of those things that is just so damned useful. Especially if you can do it in the way that MS has with Passport and XP. I wish universities would do it... so much hassle to: a) login to worksation b) login to email c) login to accounting server (see how much cash you have left on print/internet server) and so on. Perhaps we have to realise that more and more often the domestic user doesn't share a pc in the same way anymore. (Windows XP certainly encourages users to have their own 'windows', as does Linux).

Re:Wow.

[Alrocket]

You need to talk to your IT department - a lot of this stuff can be done with MITs Kerberos V5 [mit.edu] which is an excellent open source solution - it's been around for years and is quite robust and secure. It's one of the backends that LDAP and other directory services are using nowadays.

Al.

Sounds Familiar

[mcbridematt]

I've heard of this before. What good does the text services by simplifying the authentication and authorization process. do when from a users point of view, it sounds like Enchanced User Experiance - Web Based single sign on so I don't have to have multiple logins for one web site.
But doesn't Passport virtually do the same thing, just have Passport or something simular do the authentication then simply create references against passports (or something simular) in a database.
But I remember, this is meant for the enterprise. Nothing does better than an /etc/passwd file, NIS or LDAP or Samba (configured to imiate NT) and xdm/kdm/gdm. I wonder why IT admins waste their time when free and out of the box solutions already exist?

Finally...

[powerlinekid]

Umm... I'd like to order one new identity, supersized. Preferebly one with Bill Gates bank account and Hugh Hefners mansion.

Oh wait... this doesn't serve identities?

Re:Finally...

[$$$$$exyGal]

I'd like to order one new identity, supersized.

Done. At the next full moon, you'll magically turn into this supersized slashdot fellow [insanepictures.com].

--naked gal [slashdot.org]

Re:Finally...

[soupmaster]

I'll just settle for the inhabitants. He can keep the bricks & mortar... taxes :-(

Due to bunnies clouding the brain .... I forgot my SUN One pun

Sun ONE

[CableModemSniper]

The Sun ONE Server is the first single sign-on server based on the liberty Alliance project. And its at version 6.0

Re:Sun ONE

[blibbleblobble]

"The Sun ONE Server is the first single sign-on server based on the liberty Alliance project. And its at version 6.0"

Yeah, you can't trust version 1.0 software: look at Windows!

Re:Sun ONE

[dohcvtec]

And its at version 6.0
And your point is what? In case you're not aware, this is not the debut of Sun ONE Identity Server, it's simply the first version of it that is based on the Liberty Alliance Project specifications. Duh...

Re:Sun ONE

[CableModemSniper]

Oh I know, I was just pointing out the irony / whoring for fun.

Re:Sun ONE

[hummer]

The SunONE identity server is a fork of Sun/iPlanet/netscape's directory (LDAP) server product. Identity server used to be called SunONE directory server 5.1, Access Management edition. Hence, the latest version number is 6.

hummer

Not exactly the first !!

[NeoEinstein]

A month ago I read the same thing from novell "We're the first compliant to the Liberty Alliance specs !"

But don't "fight" yourselfs Liberty Alliance guys, it's all about kick assing M$'s passport isn't it ? And that's a good reason, so go for it !

We don't want M$ to master our digital identites ! We don't want any M$ at all !

Sorry got slightly distracted by my anti-M$ part :(

Re:Not exactly the first !!

[Anonymous Coward]

We don't want Microsoft, but we do want Sun and Novell? I see.

Re:Not exactly the first !!

[Anonymous Coward]

well, while I'm posting this from a zaurus through an unsecured wireless network, my identity is safe :-)

Re:Not exactly the first !!

[NeoEinstein]

I'd want to reply to this, but you're all Anonymous Cowards, so I don't wanna waste my time writing fuzzy replies :)

So Wait?

[Jordy]

Why is this under your rights online? Do we not like this system for some reason?

It seems like a perfectly sane system. Distributed login, no personal information swapping between services and even a global logout. All the specifications appear to be published as far as I can tell.

I'm pretty surprised there hasn't been any progress creating an Open Source implementation of the specification. Kinda disappointing.

Re:So Wait?

[fuzzbrain]

There is a developing open source implementation of distributed login here [sourceid.org]. There was a good article by Doc Searls about PingID and the Liberty Alliance in the December 2002 edition of Linux Journal.

This particular service begs for an OS solution!

[Anonymous Coward]

Who's to say that Sun wouldn't use/abuse my personal information in exactly the same way a lot of us fear Microsoft would?

Although I really like the idea of not having to type in my personal details all the time, I don't trust a public company, which is primarily answerable to its shareholders (i.e. not potential users, such as myself), with this sort of information.

I wouldn't trust the US government with this info either. I wouldn't trust my own (Australian) government either.

In an ideal world, this sort of service could be hosted/provided by a United Nations-type, global "entity" and the details made available "only to the good guys". Nothing about the *real* UN would make me trust it with my personal info either.

However, if the information was held strongly encrypted *and* distributed so that nobody had access to vast amounts of user data for "market analysis" or other purposes, then I might be interested in signing over my details. A model something like Freenet's has much more appeal; nobody knows where the data is stored, so hopefully nobody could dig into my personal details without my consent. Having my personal data mixed in with everyone else's all around the world would make it impractical for marketing droids to perform their volumetric analysis on it. Add some decent encryption to the mix, and allow me to release only extremely specific details about myself to vendors, and I'd probably be pretty tempted to sign up. In particular, let ME be the traffic cop for my own data; don't tell me to trust somebody else to provide my personal info on request, since frankly there's hardly anyone I'd trust at that level.

As it stands, I can't see an offering from Sun being any more acceptable than one from Microsoft, or Novell, or Oracle, or any government body from any country. An open source solution is a mandatory starting point, as far as I'm concerned

Re:This particular service begs for an OS solution

[Xrikcus]

If nobody knows where the data is stored, is there not a problem with recovery if some of the system goes down? Extending that, if part of the system only goes down, and only certain peoples information is unobtainable, all of a sudden people know where it's stored...

This is precisely the problem that is avoided

[Mindbridge]

Notice that Sun and the Liberty Aliance do NOT offer a centralized identity repository a la Passport. This is a distributed solution -- as a provider (internet store, etc.) you install an authentication server and decide yourself what other providers you can trust, so that if a user is logged in their site, he can be considered logged in yours as well (put simply).

The only requirement is that the server implements the Liberty Aliance protocol standards. I _think_ one can make an open source server that implements those standards as well.

Re:This is precisely the problem that is avoided

[Anonymous Coward]

Sorry I didn't state my point a bit more clearly - long day in park, in the sun, with small children...

The single sign-on approach that was proposed by Microsoft with Passport et al was, I think, a really good model in terms of what was promised as the end-user experience. The problem I had with it was that it was going to be provided by MS, an organization that I simply don't trust with that type of information. I believe MS would use my information for purposes that I personally would find undesirable, and I don't want to employ legal advice to get my head around their EULAs to try to satisfy myself that they won't be allowed to do anything I personally would regard as "naughty". From what I've read, most people seem to share this particular concern, and it's the real showstopper issue as far as a lot of people are concerned.

That said, I would like a service of this type IF the provider was someone I trusted.

The Liberty Alliance approach is a "watered down" attempt at a solution to the same problem. It seeks to address the privacy concerns by implementing a shared trust model between different vendors/providers, which doesn't address the above concern at all. If I won't give my details to a MS, why would I give them to another provider who could/will share them without my express consent?

What I really want is the MS Passport model, but not run by a corporate or government (or other...) entity that might use this info for something I don't want. Note the distinction here between "don't want" and "didn't authorise" - again, I don't want to wade through EULA-type legalese with a vendor/provider.

Give me a decentralised, highly encrypted solution where there's not piles of personal data sitting in a known repository, and that goes a long way to addressing my concern. Make it (nearly?) impossible for anyone to track down where MY data is stored, and encrypt it such that even if the source of my data is found, then nobody but me (and those I authorise) can decrypt it. Let ME decide who gets access to my info, not some 3rd party acting as my proxy; let ME nominate exactly what information I'm prepared to provide to each and any entity I want to do business with, and empower ME to remove or change my data whenever and wherever I see fit.

The various components necessary to produce such a solution exist today and are already widely deployed in other products (e.g. gnutella et al, ssh and the various encryption protocols used within, FreeNet, ...); all that's required is for some enterprising souls to tie all the bits together as a coherent solution, release it as Open Source to let the world shake out the bugs, then everyone and his dog can sign themselves up.

If a simple-to-implement interface spec is published, there's no reason why lots of specialised clients couldn't be developed, along the lines of the Jabber model. For example, I'd need a client to enter/maintain my own info, and if I had clients that could run on a phone/PDA/Web browser, etc. to the point where I could access and change my own info securely from just about anywhere, that might meet the reasonable usage requirements of just about any "connected" person. Similarly, a vendor looking for my details could access my info via a freely-downloadable, open-source API (e.g. JavaBean); if a collection of vendor-specific client interfaces was created, open-sourced and free for download, the reliability should be there and the vendors should all be happy to support such a solution.

That all sounds very simplistic, but the problem of identity verification is very large and a good solution would be adopted very quickly by lots of people. Consider ssh's history; a problem of insecure data transfer existed, a solution was produced and open-sourced, and some time down the track it's a no-brainer solution to an entire class of problems. You want secure access, whether it's a Web portal or a sys admin working from home; you use ssh and don't even think about it. *That's* how people need to regard identity verification; if I need it, I use XXX and it just works...

The problem of identity verification is a classic "build a better mousetrap" situation; once a solution is created that meets peoples' requirements, the take-up rate will be enormous. That solution isn't going to come from a commercial vendor as a closed-source, boxed product; if it was, then frankly MS would have been able to provide it (face it, most people trust MS, even these days...). An open-source solution, with widespread vendor buy-in, is the only likely way that such a thing is likely to succeed.

All IMHO, of course ;->

Re:This is precisely the problem that is avoided

[varslot]

There is an open source implementation of distributed login here [sourceid.org] [sourceid.org].

If Sun were smart that is exactly what they'd do

[FreeUser]

The only requirement is that the server implements the Liberty Aliance protocol standards. I _think_ one can make an open source server that implements those standards as well.

If Sun were really smart, that is exactly what they do: impliment a free software/open source reference of the protocol.

In fact, they would be well advised to GPL such an implimentation? Why?

The GPL would prevent competitors *cough* Microsoft *cough* from incorporating Sun's code into their proprietary products without first negotiating and obtaining a separate license under whatever terms Sun wishes to impose (they get all the negotiating power with proprietary vendors that they have now).

The GPL would allow its inclusion in any free software products. Perhaps, under FreeBSD and Apache as a separate module, to avoid licensing collisions. This would give the free software community a decentralized authentication framework, and would mean widespread adoption by anyone and everyone not firmly in the MS IIS camp (most reasonably savvy people).

While I do not believe anyone is entitled to obtaining privately funded and written software for free, I do think a move like this by Sun would be strategicly brilliant in getting their standard quickly and widely adopted, quickly and widely enough to prevent Microsoft from owning online authentication. I suspect if Sun doesn't do this (or spin off a well funded group to do this), their liberty alliance will fade much like java has ... where many java websites fail to work with anything other than Internet Explorer under Windows because the java they run relies on Microsoft's jvm, and Sun's jvm isn't really any less of a hassle for developers and surfers to obtain.

(As an aside: based on Sun's treatment of Java, I doubt they are that smart. Having to click through license agreements to download and install a jvm, vs. simply having to type 'emerge somejdk' for everyone elses jvm, means most people install someone else's jdk if at all possible due to the hassle factor alone. Not good when you're trying for widespread adoption.)

Re:If Sun were smart that is exactly what they'd d

[IamTheRealMike]

If Sun were really smart, that is exactly what they do: impliment a free software/open source reference of the protocol.

Then they must be really, smart because that's exactly what the IPL implementation is - except under an Apache style license. At least, I think it's called the IPL.

Don't expect to just download it and get single sign on though. Liberty doesn't work like that.

Re:If Sun were smart that is exactly what they'd d

[jsergent]

IPL is available from http://liberty.sunsource.net/ and the code is under the SISSL (you can see the license on opensource.org).

The license is not Apache style--it's fairly unique. (I should know--I am the IPL author.)

Re:This is precisely the problem that is avoided

[CKW]

.
IIRC - there *are* centralized repositories, it's just that it's not a single repository.

IE: You sign up with Sony, and get to use that authorized trust ID with Sony's partners, deciding which of Sony's partners get what level of information.

So Sony or some other big mean corporations will own your ass instead of Microsoft or Sun.

Feel better now?
.

Re:This particular service begs for an OS solution

[jone]

You've rather dramatically missed the point.

Sun doesn't want to store your identity. Not having a single entity as a central point of failure for all account information is exactly why the Liberty Alliance was formed!

You might want to go and read the specs and learn about federated identity.

UN server

[john_is_war]

Yeah, but then you'll start getting hippy, peace-promoting spam. But it beats opening your mail and finding a message that tells you to prepare for war with a Dell.

Now, let's connect this to local IDs

[Max Romantschuk]

I have an electronic ID card [sahkoinenh...okortti.fi], which I haven't really found useful at all... I can in theory use it to identify myself in any kind of electronic transaction.

Now, if identity servers could interact with local registries of people already in existance the whole secure, verifiable electronic ID -thing would really be taken to the next level.

This is probably far to utopistic though...

Policy

[4of12]

Well, for the cases where identity needs to be unambiguously established for an individual, I'm happy to see technology available to support it.

And if the technology is open, I like it more.

But I'd really feel a lot more comfortable if there were fundamental changes in identity policy to permit anonymity and privacy of varying degrees.

There are far too many circumstances today where I have to establish my individual identity as a person, where it would suffice to identify me as "an individual capable of giving X amount of money for this particular transaction".

I've grown to like the Slashdot model where you can create your own identity and it stands only for the cumulative comments you make, nothing more.

But governments and corporations don't want to lose any bit of control, so we probably won't see this model extended into public life. By the time average citizens become cognizant that their every action, speech and deed is instantly and perfectly recognized by the authorities, it will be too late to change the policy.

Re:Now, let's connect this to local IDs

[puppetluva]

This identity server (and the defined protocols behind it) are a method of doing exactly what you are describing. The point of the Liberty Alliance and its working groups are to interact with local registries of people already in existence (or yet to be created) and coordinate their authentications and authorizations.

It is not a service like Passport. It is a product and protocol suite so you can run your own centralized identity system (as a company or personally).

Re:Red Hat 7.2.6.1?

[abdulwahid]

I think they mean from version 6.1 of the indentity server Redhat 7.2 will be supported. Crap way of saying it though

Putting the 1984 conspiracy theorists aside......

[kiwi-matgar]

for a moment, I'm quite interested in what is going to happen within the opensource community?

Right now there is a move to create an opensource passport, however, it would be interesting if there was a lead by another group to create an opensource liberty project.

For me, it would be great to have a certain amount of information being shared over a number of services instead of needing to learn 101 passwords and user names.

Yes, I know I could use the same one over and over again, however, my experience has always been that there is some dimwit using my username, and it has ABSOLUTELY nothing to do with their proper name! GRRRR

so wheres version 1.0-5.0?

[Anonymous Coward]

maybe version "6.0" makes it sound more mature .

I'll be waiting for the XP version.

-mdew

Re:so wheres version 1.0-5.0?

[infront314]

so wheres version 1.0-5.0

This is the first version.
Sun ONE Identity Server 6.0

The next version will be Sun TWO Identity Server 6.0

Re:so wheres version 1.0-5.0?

[dohcvtec]

Apparently, there was a version 5.1. To wit:
Sun[tm] ONE Identity Server 5.1: Installation and Configuration [sun.com]

Would any a company want this?

[MyNameIsFred]

If I understand this whole thing, I'm trying to understand why any manjor company would want this on their ecommerce site. As a CEO, I would say, "Let me understand this. We will no longer keep detailed customer information. Some service provider will?." I'd hit the roof. Ask my employees what were they thinking. Giving up one of our most precious resources, information on our customers. I'd fire the whole group, and get new people with more intelligence. Quite frankly, I don't see this being accepted by major corporations. And I seriously doubt "Mom and Pop" operations, which wouldn't want the trouble of maintaining such data, is a big enough market to support these efforts.

Re:Would any a company want this?

[hey]

You can give the customer a choice: buy using your Liberty id or enter all the personal info like they do now. If the customer prefers Liberty like him its just like a customer paying cash in a regular store... and you might scare him off if that choice wasn't there.

Re:Would any a company want this?

[angel'o'sphere]

Well,

and as a share holder or Chairman I would likely fire you and get your staff back.

a) its likely cheaper to outsource those informations

b) you likely can trust those informations

c) you can process e-commerce transactions faster and mroe secure and with better privacy

Of course: you give up power.

I'magine:

Company Market Customer

And now the company has no, absolutely no, data about the customer. The Market handles the identity, financial security and delievery adress.

The customer can trust into the "Market" not to disclose informations to the company where the customer is ordering at.

The company can trust the "Market" that this order is conducted by a real identyty with real money.

angel'o'sphere

Re:Would any a company want this?

[sszurfer]

You don't understand this. Liberty enables a company to decide what information it wants to keep about its customers and what information it will rely on Identity Providers for. From the CEO's perspective this is great - he doesn't have to wear the risk of holding sensitive information (eg. credit card numbers) but gets to hold onto the stuff that is important for maintaining a relationship with the customer. The customer gets to decide which organisation it will trust to hold identity-related data. I trust my bank to keep my credit card number, since they have it anyway, but I don't trust every merchant with it, therefore I would be happy to deal with a merchant which uses my bank as an Identity Provider. The merchant would never get to see my credit card number, nor any other information held about me unless I approve it. Likewise, my bank would never know the complete details of my transaction with the merchant. Liberty gives the consumer and the company the best of both worlds, unlike Passport, which gives Microsoft the whole world.

One Identity Server to Rule Them All!

[jaredcoleman]

One Server to rule them all
One Server to find them
One Server to bring them all
And in the darkness bind them

DATE sheet?

[kperrier]

(date sheet here)

What the hell is a date sheet? Is this a list of single women's names and their phone numbers? No, that would a potential date sheet. So, again, I ask, what is a date sheet?

Kent

Identity server?

[Russ Steffen]

Just what I need - software to tell me who I am.

Server: You are number six.
Me: I am not a number, I am a free man!
Server: Haven't read /. lately, huh? You are number six.
Me: Fine, number six it is. Who's number 1?
Server: That would be telling. You, however, are number six ...

first?

[RAMMS+EIN]

``what is believed to be the industry's first identity server''
First? Don't we have Kerberos and MicroSoft Passport already?