We will be attending IDNext 2013 in the Netherlands and decided to submit our OX open source software platform for consideration for the 2013 Novay Digital Identity Award.
Below is a Q&A-style transcript of our submission. What do you think… does OX deserve consideration? Tweet, share, and like if you think so!!
Description of the innovation (max. 700 words):
Gluu started the OX project in 2010. The goal was to open source portions of Gluu’s commercial identity platform.
Since that time, the project has become one of the most comprehensive implementations of
the OpenID Connect profile of OAuth2. A copy of the results from the fourth OpenID Connect
Interop are published at: http://www.gluu.co/.fm8t
The fifth OpenID Connect Interop is going on right now, and Gluu’s server is expected to have an equally strong showing. Current results compare favorably with other participants. The OX project provides a much needed administrative interface for the Shibboleth Identity Provider (“IDP”), which Gluu uses as part of its identity stack to provide SAML federation capabilities.
In 2012, Gluu added support to OX for the UMA profile of OAuth2. In fact, Gluu defined and
implemented a new use case for UMA, which was developed into a case study called “Access
Management 2.0 for the Enterprise.” This case study, which was one of the most visited sites at Kantara after its release, helped to accelerate market interest in developing UMA technology. Currently an UMA Interop is planned for early 2014 with Gluu, ForgeRock and others participating.
Recognizing that an easier approach was needed to enable web developers to use the
OpenID Connect and UMA profiles, Gluu launched a CrowdTilt campaign to fund plugins for
the Apache web server. This effort was successful, and not only raised money for open source development, but it raised awareness for OpenID Connect and UMA. Developers are engaged, and coding is under way for these plugins.
Gluu’s entrance into the market promises to bring down the cost for organizations to use
federated identity technology. Gluu is seeing adoption in the US, Europe, the Middle East,
and Asia in the government, education, and commercial sectors. The platform is particularly
good for large B2C SSO deployments. For example, the State of Texas is rolling out a system
for 3 million K12 students. OX is under consideration to revolution voting in two countries.
While people might not see the OX platform, it may enable some of the authentications and
authorizations behind the scenes for new web and mobile services.
Gluu has also been on the forefront of introducing new standards to OpenID Connect to
support multi-party federation. These endpoints are already supported in the OX project.
One of the most significant innovations in the OX project was the use of interpreted scripts
to enable organizations to customize the behavior of their IDP. Gluu enables five different
“interception points” that enable domains to use simple Python scripts to implement very custom workflows to meet the needs of their organization, especially for authentication and authorization. In previous access management platforms, you could use Java or C to customize behavior. But it was hard for many system administrators to compile and deploy changes to business logic.
The OX interception approach makes it much easier for organizations to use new authentication technologies and to implement federated authorization policies.
OX was designed from the ground up to be easy enough for small domain installations, but
to scale to large B2C requirements. It supports clustered deployments for maximum business
continuity. The application is stateless—no sessions are used—and uses LDAP as the
underlying persistence layer, as is common with many other access management suites.
In addition to the OX server software, the project also publishes client software. In fact, the
OX OpenID Connect RP is used by many of the participants to test their implementation. A
demo of the RP can be seen at: http://seed.gluu.org/oxauth-rp
Additional, optional, material clarifying the submission, if any:
The Gluu Service is based on OX software. There are many videos with demo’s available at
Motivation why it qualifies for the award (max. 500 words):
Supporting new protocols is not just a race to implement the most endpoints. We set out to
write the OX software because we couldn’t train Gluu engineers to modify XML files by hand.
We needed something that was easier and less error prone. OX has become one of the most
usable and flexible access management platforms available. Gluu uses the OX software
to deliver a utility access management service to organizations. But we made the software
available under the MIT license, which enables organizations to embed or use as they see
fit. The goal is to make access management available to many more organizations, not just
those large enough to purchase expensive commercial identity / access management suites.
No one benefits if a domain does a bad job of authentication and authorization. To make
the Internet a safer place, we need to make open source tools available, not just expensive
commercial tools. OX is a step in the right direction, and it would be really helpful to get
recognition for the work we’ve done which made the OX releases of 2012 possible. We can’t
spend $4,500/day on pay-per-click like some of our competitors, so awards like this really help
generate the buzz on the Internet that drives adoption of the technology.
Internet adoption of OpenID Connect and UMA for authentication and authorization could
have a massive impact on privacy. In fact, these core services are the coral reef, from
which a whole ecosystem of privacy protecting technologies, networks, and technologies
can develop. Other work that Gluu has contributed to includes “graph” technology to
enable people and organizations to share data. We decided to focus on authentication
and authorization, because we realized that without it, there was no way to share data in a
scalable privacy protecting manner.
Which companies/organizations are involved?
Gluu is the primary authors of the OX software. Gluu, ForgeRock, Symas, and Falcon
Systems (Japan) all funded the CrowdTilt campaign. Toshiba currently has the largest
announced commercial implementation of OX.
Who will attend the award ceremony at IDnext’13?
Mike Schwartz is already speaking at the event.
Is one of the jury members direct or indirectly involved with the submission, and if so, please provide details?
Subscribe to Get News and Product Updates
our RSS Feed