Government Open Code Collaborative

Safehaus Identity Management

Like my organization, I imagine some of you have been looking for a robust and enterprise Identity Management solution without the invasiveness, complexity, and expense of most of the more popular solutions. For our organization, we were looking for a solution that could provide authentication and authorization services based on standards like Kerberos, LDAP, and OATH. We needed a solution that could aggregate user repositories across different domains like Microsoft AD, databases, LDAP directories -- providing us with a single view of all these disparate stores. Furthermore, we didn't want to spend a lot of $$$ or be burdened with a heavy licensing fee, and have the technology wrap its tentacles around every aspect of our back-end. While there's no silver bullet in most complex environments, we think we've found a solution that comes as close as we've found. I thought maybe I'd take a minute or two to post what we've discovered for some of you that might be looking for a similar identity management solution. It's called Safehaus and the technology is based on the standards listed above, and is the effort of open source initiatives at the Apache Software Foundation and the Codehaus. Feel free to contact Alex Karasulu or myself for more information.

About Safehaus


Safehaus.org is the first ecosystem of IT, ISV and open source developers providing high quality open-source software components related to directory and security infrastructure. By commoditizing directory and security related software, safehaus.org allows innovation to move up to the next layer of higher functionality, which further fuels the innovation of enterprise security software.

Safehaus Triplesec Server - http://triplesec.safehaus.org


The Triplesec Server is a non-invasive strong authentication and policy server designed to meet enterprise identity management needs. Triplesec is a composite server that can serve requests for multiple protocols to achieve this end result: LDAP, Kerberos, NTP and Changepw. It is based on the Apache Directory Server from the Apache Software Foundation. Coupled with the HausKeys application (http://hauskeys.safehaus.org), it enables users of the system to authenticate into their (*NIX, Windows, MacOS) workstations or to intranet and Internet applications using One Time Passwords generated from mobile devices. HausKeys is a J2ME application that generates HOTP values as specified by OATH (http://openauthentication.org), the Organization for Open Authentication, in an RFC draft here: http://www.ietf.org/internet-drafts/draft-mraihi-oath-hmac-otp-04.txt. This is all done non-invasively using the LDAP and Kerberos protocols. Any operating system or application, independent of the programming language or platform, can be enabled with strong authentication. No hardware key fobs are needed, reducing the chances of losing yet another device to carry. One's cell phone is all that is needed for multiple accounts. Both Single Sign On and authorization policies can be managed by Triplesec to identify and control access to applications, systems and resources.


Features:

  • Open-source
  • 100% Java
  • Non-Invasive interoperability with most operating systems, languages, and platforms
  • Unlike proprietary auth protocols, Kerberos is proven, secure, and open
  • 2-factor auth with Kerberos enables immediate interop with existing Kerberos infrastructure (2-factor auth is free)
  • Proprietary protocols do not interop without invasive changes, e.g. RSA's SecurID
  • Passwords are not transmitted on the wire
  • SSO is supported out of the box
  • Trusts also supported between servers and realms
  • Pluggable SAM types leverage existing investments in FOB hardware
  • Run embedded in your application
  • No time synchronization required
  • Resynchronization is automatic
  • Tunable: security parameters can be altered in response to attempted attacks
  • Forgiving: it operates even when servers are disconnected from a replicated cluster

Safehaus Penrose Server - http://penrose.safehaus.org


Penrose is a virtual directory server based on the Apache Directory project (http://directory.apache.org). A Virtual Directory does not store any information itself, unlike other LDAP implementations. Requests received from LDAP client applications are processed by Penrose and passed on to the data source hosting the desired data. Penrose currently supports Active Directory, LDAP and JDBC back-ends. Penrose is a phenomenal tool for Directory integration of disparate resources. In conjunction with Triplesec it can centralize access to security information across databases, making it appear as a single corporate LDAP directory.


Features:

  • Open-source
  • 100% Java
  • Run stand-alone as a backend for ApacheDS and OpenLDAP
  • Run embedded in your application
  • Object transformation via BeanShell scripting
  • High performance join and cache engine
  • Data encryption using Bouncy Castle
  • Supports resource connectors for JDBC/SQL, JNDI/LDAP, Active Directory
  • Remote management via JMX
  • Extensible via plug-ins

Aug 10, 2005 2:29 pm

Radiant technology

Posted by Anonymous User at 2007-04-25 12:58 AM

RadiantOne Functionality - Authenticate using Multiple Password Repositories

Usage Scenario: Application uses LDAP for authentication, but there is more than one directory or database with password data.

Summary: If your application authenticates to a directory service, such as a portal or a web access management package, it often expects that there is a single directory with all passwords. It is not equipped to handle multiple directories, or data sources that do not have LDAP interfaces, such as a database.
