A Breakout Session introducing OpenAM by Dr. Matthias Tristl, Senior Instructor at ForgeRock, at the 2014 IRM Summit in Phoenix, Arizona.

1. IRM Summit 2014
OpenAM
Matthias Tristl

2. 2IRM Summit 2014
Agenda
■ ForgeRock Stack overview
■ OpenAM Overview
■ Authentication
■ Authorization
■ Federation

3. 3IRM Summit 2014
ForgeRock Stack
Overview

4. 4IRM Summit 2014
Pillars of IAM

5. 5IRM Summit 2014
Classic scenario I
User wants to use an application...
User
Application
which does not require any of ForgeRock's
products, but ...

6. 6IRM Summit 2014
Classic scenario II
Centralization of Authentication
User
Application
… and ...

7. 7IRM Summit 2014
Classic scenario III
Central Authorization
User
Application

8. 8IRM Summit 2014
Classic scenario IV
Federation
User
Application
Application

9. 9IRM Summit 2014
Classic scenario V
Identity Management
User
Application
HR DB

10.  Provides single sign-on to web resources and create a
sign on once, access everywhere environment
 Centralized policy based authentication and
authorization
 Enables policy enforcement
 Tracks all user authentication related events
 Extends access beyond organizational boundaries
OpenAM Key Functionality
 Authentication
 Authorization
 Single Sign-On
 Federation
 Entitlements
 Web Services Security
 Auditing/Logging
 Adaptive AuthN

11. 11IRM Summit 2014
Single Sign On

12. 12IRM Summit 2014
Protecting Resources

13. 13IRM Summit 2014
Partner Integration

14. 14IRM Summit 2014
Integration Paths

15. 15IRM Summit 2014
Authentication

16. 16IRM Summit 2014
Who are you?

17. 17IRM Summit 2014
Authentication Flow

18. 18IRM Summit 2014
■ Common use case: User requests access to a web page
■ Other Use Cases: Applications can request authentication
programatically through REST or SOAP web services and
OpenAM SDK
Where does the request come from?

19. 19IRM Summit 2014
■ OpenAM works with most authentication methods without
customization
■ 21 out of the box Authentication modules
■ Custom modules can be created easily
Which Credentials?

20. 20IRM Summit 2014
 Active Directory
 Adaptive Risk
 Anonymous
 Certificate
 Data Store
 Device Print
 Federation
 HOTP
 HTTP Basic
 JDBC
 LDAP
 Membership
 MSISDN
 OATH
 OAuth 2.0
 RADIUS
 SAE
 SecurID
 Windows
Desktop SSO
 Windows NT
 WSSAuth
FR-420 OpenAM 11
Authentication Modules

21. 21IRM Summit 2014
ID Token

22. 22IRM Summit 2014
Authorization

23. 23IRM Summit 2014
Authorization
■ Authentication is not enough
■ Authorization determines:
– WHO can do
– what ACTIONS
– with what RESOURCES
– under which CONDITIONS?
■ Uses Policies to define those rights

24. 24IRM Summit 2014
Authorization Flow

25. 25IRM Summit 2014
Federation

26. 26IRM Summit 2014
Federation
■ Federation is the process of linking identities across
heterogeneous Access Management products
■ It is a trust relationship whereby a Service Provider
(SP) trusts that an Identity Provider (IDP) has
successfully authenticated a user
■ It is Standard Based

27. 27IRM Summit 2014
Goals of Federation
■ Federation enables Single Sign On and Single
Logout between partners
■ Federation allows rapid integration
– during company acquisitions
– between heterogeneous systems
■ Federation allows basic Identity Data Sharing
■ Helps to keep multiple internet accounts under
control

28. 28IRM Summit 2014
Federation Standards
OpenAM
SAML
1.0
SAML
1.x
SAML
2.0
Liberty ID-
FF 1.1/1.2
Shibboleth
1.0/1.1
Shibboleth 2
(SAML2)
WS-
Federation 1.1
ADFS
ADFS2
OAUTH 1.0 OAUTH 2.0
OpenID
Connect
REST/JSON
SOAP
WS-
Federation 1.0
2002 Today

29. 29IRM Summit 2014
Federation Terminology

30. 30IRM Summit 2014
OpenAM Federation
■ OpenAM provides first class federation support
■ Federation Protocol support
– SAML2, WS-Federation, ID-FF, OAuth2
■ Federated Web Services
■ Multi-Protocol Hub
– Allows OpenAM to act as a broker between different federation protocols
■ Plug-in points allow for easy customization
■ Fedlet for applications that do not support standard protocols

31. 31IRM Summit 2014
Forgerock University