Computerworld

OpenSSO to continue under guidance of start-up

Small firm takes over OpenSSO roadmap after Oracle's buy

A Norwegian startup is assuming responsibility for maintaining an open source web authentication technology originally developed by Sun Microsystems, and seemingly neglected by Oracle after its purchase of Sun in January.

The company, ForgeRock, has released a new version of Sun's Open Single Sign On (OpenSSO) Enterprise software, called OpenAM, that adheres to the OpenSSO roadmap established by Sun.

"It's a pretty easy migration path for all the customers who have found themselves stranded on OpenSSO. They can safely migrate to a current version," said Simon Phipps, chief strategy officer at ForgeRock, and former chief open source officer at Sun. Phipps was one of a number of employees who have joined ForgeRock since Oracle's purchase of Sun.

Oracle continues to display a page on its website for OpenSSO, though it has removed the free downloadable version of the product. The company has not made any announcements about future releases of the software, and did not respond to a request for comment.

In February, ForgeRock issued its first release of OpenAM — the name was changed for trademark reasons — which was basically a snapshot of Sun OpenSSO Enterprise 8. OpenAM 9.5 is the first version that upgrades the software from the Sun version.

The software package includes a number of updates, including the ability to support version 2 of the Security Assertion Markup Language (SAML), a standard for exchanging authorisation information across different systems. It also includes a new monitoring framework, and a new version of the directory server, called OpenDS. Patches issued since the last release of OpenSSO have also been rolled into the new version, and various bugs have been fixed as well.

Sun created OpenSSO in 2005 as an open source version of the Sun Java System Access Manager, licensing the software under the Common Development and Distribution License (CDDL). The software was designed for large transactional websites that require users to log in and keep accounts.

"This enterprise identity middleware was actually a big success at Sun. It was doing very well at competing with IBM, Oracle and CA," Phipps said. The company estimates that OpenSSO has a customer base in "the low four digits," said Allan Foster, who heads U.S. operations for the company and is a former Sun support manager for OpenSSO.

"Pretty much every day we get an email from some company that was doing an evaluation of OpenSSO, and they want to move on to a pilot or even a full-production deployment, and they discovered that they can't buy a subscription to it, so they come to us," Phipps said.

Upgrading from OpenSSO Enterprise 8 to OpenAM version 9.5 should be a largely painless transition, Phipps promised. Those using the older version of OpenDS may have to do some work to upgrade to the newer version of that server, but "on the whole, customers will find that this is a pretty seamless update," Phipps said.

While the software itself is open source, ForgeRock sells enterprise subscriptions for support and maintenance. At least one other company, OSSTech in Japan, is also working on and selling support for OpenAM. OpenAM is one component of ForgeRock's I3 enterprise platform, which also includes OpenESB (an enterprise service bus), OpenIdM (an identity access manager) and OpenPortal.

Last week, at the O'Reilly Open Source Conference (OSCON), held in Portland, Oregon, Phipps gave a talk about how an open source project can survive after it loses corporate support. In addition to working with OpenAM, Phipps is also on the governing board for OpenSolaris, another open source software package inherited by Oracle whose future remains uncertain.

In the case of OpenSolaris, Phipps noted that there are portions of the operating system that are not open source, and so assuming control of the software would be difficult for the OpenSolaris community, or another company. Another roadblock to OpenSolaris' survival outside of Oracle is that most of the engineers who worked on OpenSolaris were Sun Microsystems employees, and now are Oracle employees. Unless Oracle allows them to continue contributing to the code base, it is doubtful that enough outside expertise exists to keep maintaining and improving the OS.

In the case of OpenSSO, ForgeRock has hired a significant number of ex-Sun engineers who are familiar with the product. Most did not develop the software itself, but rather worked as customer support specialists who were highly knowledgeable about the code base, Phipps said.