This meant change for many of the open source projects which Sun had nurtured and developed. While much has been written about how Oracle's stewardship of MySQL gave rise to MariaDB, and about the events that led to OpenOffice.org being forked into LibreOffice, other, lesser-known entities have also arisen from Oracle's seeming inability to manage open source projects.
Among the latter group is ForgeRock, an open-source identity and access management company, which was founded in 2010 with very little seed capital. The founders were all part of Sun's extended community and they decided to focus on Sun's identity and access management products. One of the four co-founders of Sun, Scott McNealy, is also involved in ForgeRock.
It was a good decision because Oracle had its own products to cater to these niches and soon dropped support for Sun's products, all of which were under the Common Development and Distribution Licence (CDDL), an open source licence.
iTWire: It seems a bit ironic that one of the founders of Sun is now involved in a company trying to lure business away from its products. Who were the five friends who formed the company and how did they come to unite on this line of products?
Lasse Andresen: ForgeRock was founded in 2010 on a mere $40,000 in seed capital. The founders are all still very involved in the company and include me, the chief technical officer, Steve Ferris, vice-president of services, Jonathan Scudder, OpenAM architect, Victor Ake, product manager, and Hermann Svoren, vice-president of sales.
Given the circumstances, it is not ironic at all that the founders, a group of talented engineers, developers and consultants who had been part of the extended Sun community, would decide to start a company based on the products they had helped design and deploy for some of Sun's largest customers. At the time, Sun had been recently purchased by Oracle. Since Oracle already had a full portfolio of identity and access management products, it was not surprising to the founders when Oracle announced that it would end-of-life (EOL) the Sun products. Oracle offered the Sun IAM customers two options: purchase a very expensive lifetime support agreement for products that are no longer in development (no upgrades) or replace them with the Oracle products. Both options are very risky and expensive.
ForgeRock provides a third option to these customers. We have continued to evolve and innovate on the Sun open source code base and offer a feature-rich, highly reliable and scalable, next generation IAM product platform – the ForgeRock Open Identity Stack. Many of our customers are previous Sun customers, such as the government of Norway and Telecom New Zealand. However, more and more, our newer customers, such as GEICO and Vantiv, are replacing other legacy platforms.
Can you explain exactly what — in layman's language — OpenAM, OpenDJ and OpenIDM do? Are these built from scratch or are they based on some other codebase? What language are they written in?
OpenAM provides end-to-end access management services including:
Authentication (Who Are You?) – Single Sign-on (SSO) service for validating user identity for on-premises, cloud and mobile solutions. Creates a sign-on once, access everywhere environment. One password for accessing all assets.
Authorisation (What Can You Do?) – Service for granting a user permission to use web, mobile and cloud resources in a secured environment based on defined policies. Uses coarse-grained policies based on static information – group, role, etc.
Entitlements (What Can You Do @ Object Level?) – Service for granting users permission to use discrete objects within web, mobile and cloud resources. Uses fine-grained policies based on dynamic information – real-time attributes. Supports XACML, a popular authorisation or fine-grained entitlements standard.
Federation (Who Are You?) – Standards-based SSO for allowing identities to be shared securely across disparate networks and applications. Supports SAML, a standards-based method of implementing SSO.
Identity Gateway (Who Are You?) – SSO without the need to modify the target application or the container that it runs in. In short, it allows you to implement SSO without having to ever touch the target application you are trying to protect. Ideal for legacy applications that need to be included in SSO infrastructure without having to touch the application (e.g. – mainframe app).
OpenIDM provides end-to-end access management services including:
Core User Management – Provides a foundation framework to support identity synchronisation, reconciliation and basic provisioning activities within an organisation. All capabilities provided are exposed using the ForgeRock REST web API, and they can be used directly in your application. All activities occurring within the system get properly logged and made available for reporting purposes.
Password Management – Password management provides and leverages OpenIDM capabilities to support enterprise, cloud and mobile password management use-cases, such as self-service of passwords, challenge/response questions to support password resets, password synchronisation and interception on native systems where there is support, while at the same time complying with corporate password policies.
Workflow and Business Process Management – Together with the Workflow and Business Process engine, OpenIDM can be extended to fully allow for workflow-driven provisioning processes to be put in place. Extending OpenIDM with this module provides the capability to invoke workflows throughout the product or to schedule tasks. Approvals, notifications, escalations and other typical workflow-related constructs are supported.
OpenDJ provides a cloud/mobile ready identity data store that does the following:
Identity Data Store – OpenDJ provides a secure, reliable and scalable generic data store to higher-level applications, based on the LDAPv3 standard specifications. Clients accessing the data store are authenticated and access to the data is controlled, ensuring confidentiality of possibly sensitive data. Also, it provides web-based access to the Directory Service, through Web Services (DSMLv2) or REST interfaces (HTTP REST/JSON).
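The distinction Andresen draws above, between coarse-grained authorisation on static group or role data and fine-grained entitlements evaluated on real-time attributes, is easier to see in code. The following is an added illustration for this page, not ForgeRock code and not an OpenAM or XACML API: a toy policy decision point in Python that first runs a role check on a URL prefix, then evaluates XACML-style rules (Permit / Deny / NotApplicable, combined with deny-overrides) over per-request attributes. The users, roles, paths, resource names and attribute names are constructed for the example.

```python
"""Coarse-grained (role) vs fine-grained (attribute) authorisation, side by side.

Added example, not ForgeRock/OpenAM code. Sample directory data, policies,
paths and attribute names below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# --- Coarse-grained layer: static identity data (group/role membership) ----
ROLE_MEMBERSHIP = {          # constructed: what an LDAP store would hold per user
    "alice": {"employee", "finance"},
    "bob": {"employee"},
    "mallory": set(),
}

COARSE_POLICY = {            # URL prefix -> roles allowed to reach that application
    "/payroll/": {"employee"},
    "/finance-admin/": {"finance"},
}


def coarse_decision(user: str, path: str) -> str:
    """Role-based gate: nothing here depends on the request's live context."""
    roles = ROLE_MEMBERSHIP.get(user, set())
    for prefix, allowed in COARSE_POLICY.items():
        if path.startswith(prefix):
            return PERMIT if roles & allowed else DENY
    return NOT_APPLICABLE    # no coarse rule covers this path


# --- Fine-grained layer: per-object rules over real-time request attributes --
@dataclass
class Request:
    subject: str
    action: str
    resource: str            # object identifier, e.g. "payslip:bob"
    attrs: dict = field(default_factory=dict)   # dynamic context (hour, amount, risk...)


@dataclass
class Rule:
    name: str
    target: Callable[[Request], bool]      # does the rule apply to this request?
    condition: Callable[[Request], bool]   # if it applies, is the effect granted?
    effect: str


def evaluate(rules: list, req: Request) -> str:
    """XACML-style evaluation: applicable rules yield their effect when the
    condition holds, NotApplicable otherwise; deny-overrides combining."""
    decisions = [r.effect if r.condition(req) else NOT_APPLICABLE
                 for r in rules if r.target(req)]
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def owner_of(resource: str) -> str:
    return resource.split(":", 1)[1]


def business_hours(req: Request) -> bool:
    return 8 <= req.attrs.get("hour", -1) < 18


FINE_RULES = [
    # Object-level rule: employees see their own payslip; finance sees any.
    Rule("own-payslip-or-finance",
         target=lambda r: r.action == "read" and r.resource.startswith("payslip:"),
         condition=lambda r: owner_of(r.resource) == r.subject
         or "finance" in ROLE_MEMBERSHIP.get(r.subject, set()),
         effect=PERMIT),
    # Dynamic attributes: amount against a per-request approval limit, and time of day.
    Rule("approve-within-limit-in-hours",
         target=lambda r: r.action == "approve" and r.resource.startswith("payment:"),
         condition=lambda r: r.attrs.get("amount", 0) <= r.attrs.get("approval_limit", 0)
         and business_hours(r),
         effect=PERMIT),
    # A real-time risk signal vetoes everything via deny-overrides.
    Rule("block-risky-session",
         target=lambda r: True,
         condition=lambda r: r.attrs.get("session_risk") == "high",
         effect=DENY),
]


def authorize(user: str, path: str, action: str, resource: str, **attrs) -> str:
    """Coarse gate first; only a coarse Permit reaches the fine-grained rules."""
    coarse = coarse_decision(user, path)
    if coarse != PERMIT:
        return coarse
    return evaluate(FINE_RULES, Request(user, action, resource, attrs))


if __name__ == "__main__":
    print(authorize("bob", "/payroll/payslips/bob", "read", "payslip:bob"))
    print(authorize("bob", "/payroll/payslips/alice", "read", "payslip:alice"))
    print(authorize("alice", "/payroll/payments/1", "approve", "payment:1",
                    amount=5000, approval_limit=10000, hour=14))
    print(authorize("alice", "/payroll/payslips/bob", "read", "payslip:bob",
                    session_risk="high"))
```

Two points the layering makes visible: the coarse check can only say whether an employee may reach the payroll application at all, while the object-level rule is what stops bob reading alice's payslip; and because a policy enforcement point should treat anything other than Permit as a refusal, a NotApplicable result (no rule granted access) is as good as a Deny at the door, with deny-overrides reserved for signals such as session risk that must win even against an otherwise granting rule.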
Under what licensing were the Sun products that you are aiming to replace sold?
The open source licences for Sun OpenSSO and OpenDS were CDDL.
Who are your competitors?
Many of our customers are migrating off legacy IAM platforms, typically from vendors such as IBM, Oracle and CA. These vendors developed their IAM portfolios through acquisition to meet the needs of employee-focused IAM, so these IAM products were initially designed to be deployed behind the corporate firewall to protect corporate data. In addition to being complex and difficult to scale, these platforms are also not designed to meet the needs of cloud and mobile computing.
ForgeRock, on the other hand, is committed to the development of next generation identity and access management, often referred to as identity relationship management. The ForgeRock platform of products is designed to be simple to deploy and manage, as well as developer-friendly. A single, common programming interface enables simple access to OpenAM, OpenIDM, and OpenDJ, so that each delivers rich, modular, massively scalable, lightweight identity relationship management services.
Removing the complexity of the underlying services with multiple tiers of API abstraction is a significant advantage to developers and the business. Now, for the first time, a developer can utilise re-usable shared services across an entire identity platform, whatever the requirements of the application strategy. This is a completely different model from the standard legacy provider approach, which requires developers to bend applications to support the vendor. The ForgeRock developer-centric approach and common API development platform is changing what was once costly and complex into easily accessible and re-usable solutions that companies can implement safely and efficiently, whether internally or externally, in order to effectively drive top line revenue.
Why choose the CDDL licence? During the time of OpenSolaris, it was the terms of this licence that tended to make it difficult for outsiders to contribute.
The initial decision to use the CDDL licence was made by Sun Microsystems. We are not able to comment on why that decision was made by Sun Microsystems.
Many companies have made a success of things by choosing a more open licence like the GNU general public licence. How come you never considered something like this?
Our products are forks from Sun OpenSSO and OpenDS, which were CDDL.
How much of a contribution do you get from outside – I mean the community?
We get lots of community contribution in the form of code evaluation, bug reporting, and feature requests. We do accept a limited amount of new code, as well, although ForgeRock engineering is the primary developer.
How does the company look after the community that has collected around these products?
We have community events in the US and Europe, and email aliases for daily collaboration.
In what industries have you made the most headway?
We have made headway in multiple verticals - telecom, healthcare, government, education, manufacturing, service providers, financial services, and more. A full list of our publicly referenceable customers is here.
Let's say someone wants to make a code contribution. How would I go about it?
We have a small number of approved committers who can contribute code directly. Other members can get involved with the discussions on the development mailing lists, answering user questions, suggesting patches for bug fixes or features, and helping to improve the documentation.