Supporting OpenAM

For some of us, getting commercial support for OpenAM isn’t an immediate option. Here are some resources that may help bridge the gap.

Probably the most insightful (and honest) review I’ve read about OpenAM was posted a year ago on Filip Czaja’s blog, under the caption “Cross-domain Single Sign On with OpenAM”.

I’ll skip the “Pros” Filip points out, because you probably wouldn’t be reading this if you didn’t recognize the product’s favorable qualities — which are many.

What jumped out at me from among the “Cons” were these two still applicable points:

* Very poor documentation – most of the information about the product installation and configuration is available at the Wiki page in the form of short, informal articles. Most of the useful information you find is on the old OpenSSO specification pages hosted by Sun, so you can never be sure if that info is still relevant with the latest version of OpenAM.

* No community – there is actually no real community of people using that solution. This means there are no fora you can search for advice. There is only an old-school mailing list with very limited usability.

For an open source project that second critique could be a killer. But my experience so far is that the user mailing list is pretty active and the project team, as well as some fairly knowledgeable consultants, are pretty responsive. “Ordinary” users are also stepping up, seasoned enterprise sysadmins and developers who live and breathe in the kind of real world environments that vendor sales engineers and consultants don’t get much long term flight time in. All of these continue to be a welcome lifeline for me and my team. Unfortunately the complexity of the product makes it hard for them to identify and provide solutions in many cases. It’s also pretty obvious that they haven’t reached that “critical mass” of deployments needed to generate the kind of traffic that results in a useful, albeit ad hoc, knowledge base for those who have to self-support on it. It’s probably time for a grassroots user group to spring up around the product (as well as the other ForgeRock properties).

The documentation situation is actually about average for both closed and open source software products, but in the case of OpenAM appears to be worse because the product itself is so complex (I think the continuing shortfall in documentation for some of the better known closed source stacks is going to become a real issue sooner than anyone anticipates). While the fact that as projects go OpenSSO was a work in progress right up to the Sun acquisition has helped it to remain ahead of the pack, it also means that answers found in the knowledge base (documentation, forum, mailing list and blog postings) are often inapposite. Watching the ForgeRock site it’s clear that the project team and its sponsor get this: they’ve recently hired a number of technical writers who worked on the product when they were at Sun. Hopefully we’ll see an improvement in the doc as a result. In the meantime I think a lack of detailed, high quality documentation is going to be a major impediment to enterprise adoption of OpenAM — and that’s a shame because the product clearly could be the answer to the needs of a lot of companies.

Having said all that, here are a few links lifted from Filip’s post that are well worth looking into:

OpenAM Wiki

Deployment options for OpenSSO

Troubleshooting OpenSSO with Firefox Add-ons

To these I’d add one more:

Sun Identity Management Reference

[UPDATE: Oracle has axed this link and redirects to the OTN front page now — so much for continuity!]

This page links to materials that are heavily weighted towards working with OpenSSO and so is particularly relevant to supporting an OpenAM environment. Although it is often hard to know how applicable particular configuration details found there may be to the latest OpenAM release, if you find yourself having to reverse engineer your way out of a problem those materials provide valuable background you won’t find anywhere else.

Note that Oracle continues to play “hide and seek” with its cache of legacy Sun documentation — in keeping with their “customers be damned, profits are all that matter” attitude — so that any one of the above pages and links to or from them may stop working at any time. My recommendation is that as you find documentation you download it under the assumption it might be gone tomorrow.

For example, as of this writing all the Sun legacy identity management doc, including for OpenSSO, can be found on this page. You can bookmark the HTML version if you’d like, but definitely download the PDF version without delay or you may regret not doing so later on.