In July 2005 news first emerged of Sun Microsystems' first foray into open source identity management with the Open Web Single Sign-On (OpenSSO) project. Now, more than a year later, the project has been formally launched. Sun has kept to its word with OpenSSO and is releasing source code for the significant chunks of its Java System Access Manager required for web-based single sign-on, including session management, policy and federation as well as administration capabilities. My thoughts on this announcement are the same as those of a year ago and I have seen nothing on the project site which causes me to change that.

This is a smart move by Sun. First, it continues the ‘participation age’ theme promoted by CEO Jonathan Schwartz. Second, whilst web single sign-on is valuable both in terms of simplifying the user experience and easing user administration, the real opportunity lies in user provisioning, federated identity management, auditing for compliance etc. When the project was first announced last year, Eric Leach, a Sun product manager was quoted as saying “The idea is that we're going to give developers the tools they need to build basic security into their internal Web infrastructures without additional cost,”. In other words, OpenSSO provides customers with a free platform for Intranet-based single sign-on from which Sun can then build with its suite of identity management products offering higher value identity management capabilities.

Irrespective of Sun's motivations, organisations with any reasonably significant identity management initiative should dedicate at least a small amount of resource to investigate the project. Whether or not that investigation leads to deployment (and perhaps even project contribution!), this small investment should enhance their understanding based on exposure to what is a comprehensive and well-proven product in Access Manager.

But Sun didn't stop there. The company announced the OpenDS directory service project. Following the same logic as with OpenSSO and Access Manager, I assumed that OpenDS is the open sourcing of Sun's Java System Directory Server. My assumption was wrong! OpenDS sets out to deliver a similar set of capabilities to Directory Server: directory, directory proxy, virtual directory and synchronisation but the project is starting from scratch. It is not exploiting its own Directory Server code base or other open source directory server initiatives, such as OpenLDAP, ApacheDS and Red Hat Fedora Directory Server. The project FAQ provides some justification for these decisions, which can be boiled down to a combination of scope, licensing and implementation language.

OpenDS is a very ambitious undertaking, extending as it does beyond the core identity data repository to provide capabilities, such as virtual directory and data synchronisation, required for a comprehensive identity data management layer. It is going to be years, rather than months, before the project is completed, so it comes as no surprise that Sun will continue to develop Directory Server and does not anticipate releasing any products based on OpenDS for at least 18 months—and even then they will be part of the Java Enterprise System.

My thoughts on OpenDS mirror those for OpenSSO. It furthers the company's open source commitments whilst providing a foundation for its higher value identity management suite and is something which organisations should at least investigate.

There is an awful lot of open source activity in the world of identity management, what with Higgins, Bandit, Heraldry and OSIS. It will be interesting to see where these projects from Sun fit. The fact that Higgins (elements of which are part of Bandit) is an Eclipse project certainly won't make things easy with Sun dogmatically pursuing its NetBeans alternative.