You have probably already seen a press release from ForgeRock about the 11.0 release of the OpenAM access management product.
However, that is not a headline feature. The fact that OpenAM now supports OpenID Connect is a headline feature though, which is impressive as the ink is hardly dry on the specification. OpenID Connect builds on OAuth 2 to provide proper authentication, rather than just bearer authorisation tokens which anyone can use. I would be expecting the social web sites to move to this within the next year, as using OAuth 2.0 for authentication is insecure.
What you may not have heard is that the training has been updated to reflect the new features, and to reflect the changes to the internal architecture. As partners of ForgeRock, we were pleased to be able to take part in the beta course of the new training, the only commitment from our side being to provide feedback and suggestions. I feel slightly fraudulent as these consist of “great” and “keep up the good work” respectively.
Many of the people involved in the product are the same ones who were working on it within Sun (when it was called OpenSSO), and it is a sign of the commitment that ForgeRock are putting into the training that it was run by one of the chief architects of the product, Allan Foster, and supported by Nathalie Hoet (who developed much of the materials) and Matthias Tristl, another experienced trainer and implementer of ForgeRock products.
The end result was, unusually for any kind of course, labs with well thought-out learning objectives and no bugs. The flow of the lectures was concentrated around building up domain knowledge, rather than the order in which an installation proceeds, which worked very well, especially for those of our team who were new to the subject area.
Somehow the content was well pitched for more experienced people too. I never felt tempted to start catching up on emails, as I did not want to miss any content. One of the other experienced delegates, who has been using the product for three years, also felt he had learned loads more. It is probably also from having people who can explain why the product is architected the way it is, and what will be changing… and why.
One of the exercises was performing an upgrade from version 10.0… and it was pretty much trivial for a stock install. Understanding the architecture, and how customisations are performed… and dealt with during upgrade, gives great confidence in performing upgrades. One of the stated principles from version 10 is that upgrade should be ‘painless’ (for the supported enterprise builds), and with their stated aim of a new major release roughly every year it is definitely in users' interest to keep up-to-date. We see that in loads of packages (not just IAM), where an enterprise will wait until one year (or six months) before the product runs out of its extended support before contemplating an upgrade. By then the package is two versions out of date… and the upgrade is like starting again.
So in summary, the latest version of OpenAM includes OpenID Connect, which shows a commitment to keeping up with relevant standards. The roadmap currently shows new releases every 3rd quarter, and it is a design principle for the team that upgrades should be painless. Quite apart from it being good practice to keep any and all software up-to-date, the changes in IAM, with drivers such as social and mobile, mean that change is going to keep coming in this area. It’s a good idea to check your vendor has a good story on upgrades.