Security Global Forum

Federation Demonstration Environment

By Shane Weeden posted Fri April 01, 2011 12:00 AM

  
  1. I’m often asked to demonstrate federation functionality or help people set up their own demonstration environments to show single sign-on and self-registration capabilities using Tivoli Federated Identity Manager. I’m pleased to share that we now have a live IBM-hosted demonstration environment for this purpose.

Disclaimer

The demonstration environment is a single instance virtual machine, so don’t expect miracles from it, but for a taste of some of TFIM’s capabilities it’s a good starting point. The machine’s availability or longevity is subject to change, so don’t take my post as a guarantee of it being there for your use. Similarly I haven’t spent a whole lot of time making this the most secure endpoint on earth – its purpose is to show functional capabilities rather than being a flagship for deployment best practices. Finally the demo VM is likely to be “reset to snapshot” from time to time, so don’t be surprised if your previously self-registered account disappears without notice.

Disclaimers done, I’d like to share information about this environment, and ask for your feedback on the types of capabilities you’d like to see demonstrated here. I’m always open to ideas and your input will influence what we showcase on our demonstration machine.

Overview

The machine may be reached with your browser at:

https://tfim01.demos.ibm.com

The machine’s basic setup is Tivoli Access Manager WebSEAL junctioned to WebSphere Application Server running Tivoli Federated Identity Manager, plus some demonstration content in the form of a set of JSPs and supporting code. I’m being purposefully vague about version numbers as this will change over time. The demonstration system’s basic capabilities are split into two sections – Identity Provider Functionality and Relying Party Functionality. That is a bit misleading, because much of the true Relying Party functionality of this environment is built into the self-registration and login process.

The rest of this article will demonstrate a few capabilities of the demonstration environment.

Self-Registration

Let’s walk through getting started with using the demonstration environment – establishing an account for authentication via self-registration. There are currently three techniques available for self-registration: OpenID, Information Card (including self-issued information cards), and Facebook. Each of these methods provides TFIM with the same two things: a unique identifier that can only be produced by using that authentication method, and your email address, to which a confirmation code required to complete the self-registration process is emailed.

All of these self-registration techniques follow the general patterns I described in these developerWorks articles (particularly the second one):

Account recovery is also supported. This account recovery scenario is one where you have self-registered an account, then later come back to the site and try to self-register using a different technique (e.g. with Facebook instead of OpenID) that shares the same email address as the original self-registration.

OpenID Self-Registration

Using OpenID, you must use an OpenID provider that supports sending your email address via either Attribute Exchange (AX) or the Simple Registration Extension (SREG). I have provided quick links in the login form to pre-fill the OP-Identifiers, but you can freely type any compliant https-based OpenID server and it should work. If you encounter an error with your OpenID provider, it could be that I don’t “trust” your SSL certificate. Contact me and I’ll consider adding it for testing purposes.

MyOpenID requires you to establish a persona and include an email address in it. The myopenid.com site supports both AX and SREG for sharing an email address.

Yahoo will work if you use the OpenID URL: https://open.login.yahooapis.com/openid20/www.yahoo.com/xrds
You have to use that one instead of just www.yahoo.com or https://www.yahoo.com because Yahoo initially directs you to their XRDS via http, and I have configured the OpenID RP to not allow discovery by http (only https). Yahoo will also only share a Yahoo email address via AX, not any other registered email address.

Google will work for OpenID if you use the OpenID URL: https://www.google.com/accounts/o8/id
Google also makes your email address available via AX.
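The OpenID section above describes two Relying Party policies: discovery is refused unless every hop is https (which is why the bare www.yahoo.com identifier fails), and the OP must return an email address via AX or SREG. The following is an added example written for this post, not code from the demonstration site or from TFIM, showing both checks in Python. The endpoint table and the OP responses are constructed for the example (the yahoo.com entry only mimics the http redirect the text describes), the `openid.sig` values are placeholders, and verifying the signature itself is assumed to be done by the OpenID library; this example only trusts extension fields that the OP listed in `openid.signed`.

```python
"""Added example, not code from the demo site or TFIM: the two checks the
OpenID Relying Party described in the post applies.

1. Discovery may only proceed over https. The claimed identifier is
   normalized as OpenID 2.0 requires (a bare host gets "http://" prepended)
   and every hop of discovery, redirects included, must be https.
2. The OP must return an e-mail address via Attribute Exchange (AX) or
   Simple Registration (SREG), and only extension fields the OP listed in
   openid.signed are trusted (checking openid.sig itself is left to the
   OpenID library and not shown).
All endpoint behaviour and responses below are constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit

AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NAMESPACES = {"http://openid.net/sreg/1.0",
                   "http://openid.net/extensions/sreg/1.1"}
AX_EMAIL_TYPES = {"http://axschema.org/contact/email",
                  "http://schema.openid.net/contact/email"}


def normalize_identifier(identifier):
    """OpenID 2.0 URL identifier normalization: trim, add http:// if no scheme."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    return identifier


def discover_https_only(identifier, fetch, max_hops=5):
    """Walk discovery from the identifier, refusing any non-https hop.
    fetch(url) returns ("redirect", location) or ("document", body).
    Returns the URL the discovery document was finally read from."""
    url = normalize_identifier(identifier)
    for _ in range(max_hops):
        if urlsplit(url).scheme != "https":
            raise ValueError("discovery refused, non-https URL: " + url)
        kind, payload = fetch(url)
        if kind == "document":
            return url
        url = payload  # redirect: the loop re-checks the scheme of the target
    raise ValueError("too many redirects during discovery")


# Constructed stand-in for HTTP fetches (not live lookups). The yahoo.com
# entry mimics the http hop to the XRDS document that the post describes.
CONSTRUCTED_ENDPOINTS = {
    "https://www.yahoo.com": ("redirect",
        "http://open.login.yahooapis.com/openid20/www.yahoo.com/xrds"),
    "https://open.login.yahooapis.com/openid20/www.yahoo.com/xrds":
        ("document", "<xrds:XRDS/>"),
    "https://www.google.com/accounts/o8/id": ("document", "<xrds:XRDS/>"),
}


def constructed_fetch(url):
    try:
        return CONSTRUCTED_ENDPOINTS[url]
    except KeyError:
        raise ValueError("unreachable in this example: " + url) from None


def parse_openid_response(query_string):
    """Turn the OP's indirect response into {field: value} without the
    'openid.' prefix, which is how openid.signed names the fields."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {k[len("openid."):]: v[0] for k, v in params.items()
            if k.startswith("openid.")}


def extract_email(fields):
    """Return the e-mail asserted via AX or SREG, or None if absent or unsigned."""
    signed = set(fields.get("signed", "").split(","))
    for key, ns in fields.items():
        if not key.startswith("ns."):
            continue
        alias = key[len("ns."):]          # extension alias chosen by the OP
        if ns == AX_NS:
            type_prefix = alias + ".type."
            for k, attr_type in fields.items():
                if k.startswith(type_prefix) and attr_type in AX_EMAIL_TYPES:
                    attr = k[len(type_prefix):]
                    # single-valued form and the count/value.N form
                    for cand in (alias + ".value." + attr,
                                 alias + ".value." + attr + ".1"):
                        if cand in fields and cand in signed:
                            return fields[cand]
        elif ns in SREG_NAMESPACES:
            cand = alias + ".email"
            if cand in fields and cand in signed:
                return fields[cand]
    return None


# Constructed responses; the openid.sig values are placeholders.
AX_RESPONSE = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http://axschema.org/contact/email"
    "&openid.ext1.value.email=alice%40example.com"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"
    "&openid.sig=PLACEHOLDER")
SREG_RESPONSE = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.sreg=http://openid.net/extensions/sreg/1.1"
    "&openid.sreg.email=bob%40example.org"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.sreg,sreg.email&openid.sig=PLACEHOLDER")
# Same AX response, but the OP left the e-mail value out of openid.signed.
UNSIGNED_AX_RESPONSE = AX_RESPONSE.replace(",ext1.value.email", "")
```

Running `discover_https_only("www.yahoo.com", constructed_fetch)` fails at the normalized `http://` identifier, and `https://www.yahoo.com` fails one hop later on the constructed http redirect, while the Google and Yahoo XRDS URLs from the text succeed; `extract_email` returns the address for the AX and SREG responses and `None` for the response whose email field is not covered by `openid.signed`.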

Information Card Self-Registration

You can self-register using an Information Card, including a self-issued information card from Microsoft CardSpace. You must provide an email address for the email address claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).

Facebook Self-Registration

You can self-register with a Facebook account. The demonstration site acts as an OAuth client as described in this article to make that work:

OpenID Provider

The demonstration site will act as an OpenID Provider, with free control for you to support any SREG or AX attributes you like, with any values. This is purely for testing purposes, and you should never use this OpenID Provider to actually login to a real relying-party for account establishment. More information on this capability is found here: Understanding the OpenID Provider

Information Card Provider

The demonstration site will issue managed information cards, and allow you to assert claims values for them from the Manage your attribute information page. You can use these managed cards at other test sites that accept cards, including using the managed card to link to your own account at the demo site.

Account Linkages

This facility allows you to link multiple authentication techniques to your account. For example you can link multiple information cards, OpenIDs, and Facebook accounts all to your one account on the demonstration site.

Any of these can be used to authenticate to the site later:

The principles described in this article were used for that facility:
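The Self-Registration section above explains that every method yields the same two things (a method-specific unique identifier and an email address), that registration completes with an emailed confirmation code, and that self-registering a second method with the same email address becomes account recovery; the Account Linkages section adds linking further credentials to a logged-in account. The following is an added example written for this post, not the demonstration site's own code, modelling that pattern in memory. The class and function names, the credential identifiers and the scenario are all constructed for the example.

```python
"""Added example, not the demo site's own code: an in-memory model of the
self-registration, account-recovery and account-linkage pattern described
in the post. Every authentication method yields the same two things, a
method-specific unique identifier and an e-mail address; registration
completes only when the confirmation code e-mailed to that address is
presented. Class and function names are this example's own."""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    method: str      # "openid", "infocard" or "facebook"
    unique_id: str   # claimed OpenID URL, card PPID, Facebook user id, ...


@dataclass
class Account:
    email: str
    credentials: set = field(default_factory=set)


class AccountRegistry:
    def __init__(self, send_mail):
        self.send_mail = send_mail   # callable(email, code); a stub in tests
        self.accounts = {}           # canonical e-mail -> Account
        self.owner_of = {}           # Credential -> canonical e-mail
        self.pending = {}            # one-shot confirmation code -> (Credential, e-mail)

    @staticmethod
    def canonical(email):
        return email.strip().lower()

    def start_registration(self, cred, email):
        """Begin self-registration. Returns True in the account-recovery case:
        a new method whose e-mail address already belongs to an account."""
        email = self.canonical(email)
        if cred in self.owner_of:
            raise ValueError("this credential is already linked to an account")
        code = secrets.token_urlsafe(16)      # unguessable, single-use code
        self.pending[code] = (cred, email)
        self.send_mail(email, code)           # only the mailbox owner can finish
        return email in self.accounts

    def confirm(self, code):
        """Redeem the e-mailed code: create the account, or on recovery link
        the new credential to the existing account. Codes are single use."""
        entry = self.pending.pop(code, None)
        if entry is None:
            raise ValueError("unknown or already used confirmation code")
        cred, email = entry
        account = self.accounts.setdefault(email, Account(email))
        self._attach(account, cred)
        return account

    def link(self, account, cred):
        """Account Linkages: attach a further credential to an account the
        user is already logged in to; no e-mail round trip is needed."""
        self._attach(account, cred)

    def _attach(self, account, cred):
        if cred in self.owner_of:
            raise ValueError("this credential is already linked to an account")
        account.credentials.add(cred)
        self.owner_of[cred] = account.email

    def authenticate(self, cred):
        """Any linked credential logs the user in to the one account."""
        email = self.owner_of.get(cred)
        return self.accounts[email] if email else None


def walkthrough():
    """Constructed scenario: OpenID self-registration, then Facebook
    self-registration with the same e-mail (recovery), then linking a
    managed card. Returns the registry and the resulting account."""
    outbox = []   # stands in for the mail system
    reg = AccountRegistry(lambda email, code: outbox.append((email, code)))
    openid = Credential("openid", "https://alice.example.net/")
    reg.start_registration(openid, "Alice@Example.com")   # False: new account
    account = reg.confirm(outbox[-1][1])
    facebook = Credential("facebook", "1000000000")
    reg.start_registration(facebook, "alice@example.com")  # True: recovery
    reg.confirm(outbox[-1][1])                             # same account
    reg.link(account, Credential("infocard", "ppid-constructed-0001"))
    return reg, account
```

After `walkthrough()` the one account carries three credentials and any of them authenticates to it, mirroring the Account Linkages screen described above; a confirmation code cannot be redeemed twice, so a leaked old email cannot be replayed to attach a credential later.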

SSO Links to Other Services

This facility is only available to IBM employees (those registering with a *.ibm.com email address) for demonstration purposes. It allows demonstration of single sign-on to third party cloud/app providers including IBM’s own LotusLive.

Well, that’s the quick tour of existing capabilities (at least the ones I’m advertising). Please feel free to give it a go and provide feedback on your experience.
