OpenAM Best Practices - Corelio Media Case Study

•

2 likes•5,882 views

IS4U Senior Architect Robin Gorris shares OpenAM Best practices at Corelio Media, presented as part of our Case Study session with Everett and ACA, moderated by ForgeRock VP of Services Steve Ferris and Director of Support Tim Rault-Smith.

Technology Design

2013 Open Stack Identity Summit - France

Corelio Media
An Open Identity Stack case study

The case
•  Custom built CRM system with provisioning
•  Custom SSO implementations
•  Room for improved privacy protection
•  Per application social media integration
•  In code authorization

Goals and challenges
•  Single Sign On
•  Centralized policy & session management
•  Multi-tenant support
•  Identity management for 4.1M identities
•  3 month time constraint

Priorities
•  Performance
•  Ease of application integration
•  User comfort & privacy

Requiring the full stack
•  Central user store: OpenDJ
•  SSO & policy enforcement: OpenAM
•  Provisioning of user store: OpenIDM

The agent approach
•  Simple architecture
•  Agents scale with infastructure
•  Distributed high availability architecture
•  No impact on out-of-scope servers

Special cases
•  IP authentication
•  Instant sync
•  Remember me
•  Entitlements
•  Mobile applications

Remember me
Session cookies issued after successful authentication
Persistent cookie
(DProPCookie)
P

S
Session cookie
(iPlanetDirectoryPro)

Remember me
Close and reopen browser

P
S

Remember me
But if browser doesn’t close, then at session time-out
Expired Session cookie
(iPlanetDirectoryPro)
P

S

Remember me
Solution: persist session cookie
If session times-out, expired cookie won’t be sent

P
S

S

openam.session.persist_am_cookie
com.iplanet.am.cookie.timeToLive

Entitlements
•  Access policies are URL based
•  Define virtual URL policies
•  Application checks authorization
•  Through OpenAM authorization REST API

Entitlements

Policy: Allow
URL: http://www.standaard.be/avond/*
Group: Subscribers

HTTP_UID=987654
HTTP_mail=jdoe@sample.com
HTTP_sn=doe
HTTP_givenname=john

http://www.standaard.be/avond/art.aspx?id=23

Entitlements
Policy: Allow
URL: http://virtual.standaard.be/
comment
Group: White listed commenter

http://www.standaard.be/avond/art.aspx?id=23&action=comment

Mobile applications

content

OAuth token

Content server

e-mail/password

e-mail/OAuth token

Third party

Project results
•  Successfull launch of every tenant
•  Agile policy management
•  Centralized secure password storage
•  Session quota for subscribers enforced

Lessons learned
•  Value of ForgeRock support
•  Avoid crosstalk through sticky sessions
•  Use dedicated application pools in IIS
•  Use OpenDJ entry cache for large static groups
•  But don’t preload the entry cache

Roadmap
•  Session quota for mobile apps
•  Open Identity Stack upgrade
•  Media ID
•  Metering

Thank you
Robin Gorris
Partner - Senior Architect
+32 (0)474 40 99 91
robin.gorris@is4u.be
Business Park King Square
Veldkant 33A - 2550 Kontich
http://www.is4u.be

What's hot

OpenAM: An Introduction

ForgeRock

THE FORGEROCK PLATFORM BIG PICTURE

ForgeRock

Webinar: OpenAM 12.0 - New Featurs

ForgeRock

IDP Proxy Concept: Accessing Identity Data Sources Everywhere!

ForgeRock

The wait is over! ForgeRock is releasing shiny new versions of all solution areas of the ForgeRock Identity Platform. To give you a preview on what’s coming, join this webinar to hear directly from the Product Managers what’s new in: Access Management Identity Management Directory Services Identity Gateway Shared Services Learn more about ForgeRock Access Management: https://www.forgerock.com/platform/access-management/ Learn more about ForgeRock Identity Management: https://www.forgerock.com/platform/identity-management/

Webinar: ForgeRock Identity Platform Preview (Dec 2015)

ForgeRock

Webinar: OpenIDM 3.1

ForgeRock

OpenIDM: An Introduction

K8s idm-devfest

Single sign on - SSO

SINGLE SIGN-ON

SSO introduction

OpenIDM 3.0 - What's New

ForgeRock

In this webinar, learn how the ForgeRock Identity Platform and its new User-Managed Access capabilities make it easier for organizations to establish trusted digital relationships with customers, embrace IoT initiatives, and address rapidly changing data privacy regulations. Learn more about ForgeRock Access Management: https://www.forgerock.com/platform/access-management/ Learn more about ForgeRock Identity Management: https://www.forgerock.com/platform/identity-management/

Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge

ForgeRock

Single Sign On - The Basics

Ishan A B Ambanwela

SSO Strategy Implementation Considerations

John Bauer

To view recording of this webinar please use the below URL: http://wso2.com/library/webinars/2016/06/enterprise-security-requirements/ Meeting enterprise security requirements has now become challenging due to development of orthogonal aspects. Systems are diverse because a single vendor can’t cater to all these needs. Some enterprise also introduce public SaaS in addition to their internal on-premise system. APIs are used to make data in these systems readily available in order to integrate with other systems and automate processes. Identity and access management (IAM) systems are expected to provide centralized authentication and authorization despite the increase in complexity of data, systems and identities. This webinar will discuss how to Enable SSO for heterogeneous systems Handle different types of enterprise identities Protect your data and APIs Implement centralized authorization and authentication management

Enterprise Security Requirements

WSO2

OpenIDM - An Introduction

ForgeRock

Token, token... From SAML to OIDC

Shiu-Fun Poon

WSO2 Identity Server - Getting Started

Ismaeel Enjreny

Single Sign On Considerations

Venkat Gattamaneni

What's hot (20)

OpenAM: An Introduction

THE FORGEROCK PLATFORM BIG PICTURE

Webinar: OpenAM 12.0 - New Featurs

IDP Proxy Concept: Accessing Identity Data Sources Everywhere!

Webinar: ForgeRock Identity Platform Preview (Dec 2015)

Webinar: OpenIDM 3.1

OpenIDM: An Introduction

K8s idm-devfest

Single sign on - SSO

SINGLE SIGN-ON

SSO introduction

OpenIDM 3.0 - What's New

Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge

Single Sign On - The Basics

SSO Strategy Implementation Considerations

Enterprise Security Requirements

OpenIDM - An Introduction

Token, token... From SAML to OIDC

WSO2 Identity Server - Getting Started

Single Sign On Considerations

Similar to OpenAM Best Practices - Corelio Media Case Study

Hitachi ID Identity Manager

Hitachi ID Systems, Inc.

Identity as a Managed Cloud Service

ForgeRock

Introduction to Azure AD and Azure AD B2C

Joonas Westlin

Anonymous Individual Integration for IoT

Paul Fremantle

In this Webinar, Envision IT demonstrates how ADFS federation can allow external users to access an Extranet, their DMZ accounts or other external identities, and use single sign-on to other systems beyond SharePoint. View more details and the webinar recording here: http://www.envisionit.com/products/events/Pages/SharePoint-Extranet-Spring-Webinar-Series-Federation-and-SharePoint-On-Premise.aspx

Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...

Envision IT

Student Debt Solutions

Todd Meyers

Choosing the Best Business Intelligence Security Model for Your App

Logi Analytics

CIS14: PingOne IDaaS: What You Need to Know

CloudIDSummit

PingOne IDaaS: What You Need to Know

CloudIDSummit

OpenID Connect "101" Introduction -- October 23, 2018

OpenIDFoundation

Building an Identity Management Business Case

Hitachi ID Systems, Inc.

Red Hat Summit - OpenShift Identity Management and Compliance

Airwatch od VMware

OAuth

Gcp intro-20160721

A relative "new kid" on the IAM standards block, the Simple Cloud Identity Management (SCIM) specification was designed to be simple and improve manageability and governance for cloud applications. It does not try to cover every provisioning use case, but rather supports the most common situations. Wide-spread adoption of the SCIM standard will, ultimately, simplify cloud-based IAM, making it more convenient and cost-effective for users to move into, out of and around the cloud. In this session, Kelly Grizzle, software architect at SailPoint, will outline why it is not only critical for IAM vendors to support SCIM, but also why SaaS vendors and their customers should support the standard to ensure it is widely available and simplifies how enterprises manage cloud apps as part of their overall IAM program. The presentation will also demonstrate the simplicity of the SCIM specification as well as some of the available open source tools that allow it to easily be integrated into the IAM infrastructure.

SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

Kelly Grizzle

Today, with expand of the web portal, many customers are seeking for more secure solutions to access to their web portal outside of their own networks. For Liferay portal customers, this request has been increased due to the number of portal deployed on Cloud and the increase of deployment of Liferay portal for internet sites (B2C …). One of the proposed solutions is the use of Multi-factor authentication mechanism. Google Authenticator is one of the lead open source dual factor authentication systems. In this presentation, we will explain the integration technical solution of Liferay and Google Authenticator in order to deliver a two-factor authentication system. The presentation will be followed by a live demo.

2013.devcon3 liferay and google authenticator integration rafik_harabi

Rafik HARABI

Security breaches caused by passwords written on sticky notes, guessed passwords, or brute-force password attacks have compelled IBM i shops to implement stronger password management controls. Fear of such breaches, coupled with best practices and regulatory requirements, have driven companies to adopt multi-factor authentication (MFA) procedures that require users to enter an additional form of identification beyond passwords. MFA is a powerful technology for protecting sensitive data and there are numerous approaches and features to consider when choosing an MFA solution for IBM i. View this on-demand webinar to learn: • What true multi-factor authentication really is • Authentication options and tradeoffs • Tips on implementing multi-factor authentication for IBM i

Best Practices for Multi-Factor Authentication on IBM i

Precisely

At first sight, the development of "hardware" products hardly differs from that of IoT devices. Here you can see the methodology of IoT product development based on an IoT framework by Daniel Elizalde. It’s a convenient and simple model that estimates expenses and potential income, evaluates the technological complexity and at the same time is easily understood by the client. Made by notAnotherOne

Decision Matrix for IoT Product Development

Alexey Pyshkin

CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

CloudIDSummit

Similar to OpenAM Best Practices - Corelio Media Case Study (20)

Hitachi ID Identity Manager

Identity as a Managed Cloud Service

Introduction to Azure AD and Azure AD B2C

Anonymous Individual Integration for IoT

Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...

Student Debt Solutions

Choosing the Best Business Intelligence Security Model for Your App

CIS14: PingOne IDaaS: What You Need to Know

PingOne IDaaS: What You Need to Know

OpenID Connect "101" Introduction -- October 23, 2018

Building an Identity Management Business Case

Red Hat Summit - OpenShift Identity Management and Compliance

Airwatch od VMware

OAuth

Gcp intro-20160721

SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

2013.devcon3 liferay and google authenticator integration rafik_harabi

Best Practices for Multi-Factor Authentication on IBM i

Decision Matrix for IoT Product Development

CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

More from ForgeRock

In this webcast, KuppingerCole´s Principal Analyst Martin Kuppinger will introduce the concept of Identity Management for the Internet of Things. Following Martin's opening talk, ForgeRock´s Gerhard Zehethofer will discuss how ForgeRock is now extending these capabilities into the areas of managed and unmanaged devices, enhancing the customer experience as well as security and privacy at scale for people, services, and things.

Digital Identities in the Internet of Things - Securely Manage Devices at Scale

ForgeRock

Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond

ForgeRock

Identity Live Sydney: Identity Management - A Strategic Opportunity

ForgeRock

Identity Live Singapore: Transform Your Cybersecurity Capability

ForgeRock

Identity Live Singapore 2018 Keynote Presentation

ForgeRock

Identity Live Sydney 2018 Keynote Presentation

ForgeRock

Identity Live Singapore: Just Ask 'Em

ForgeRock

Identity Live Singapore: Building Trust & Privacy in a Connected Society

ForgeRock

Identity Live Sydney: Intelligent Authentication

ForgeRock

Identity Live Sydney: Building Trust and Privacy in a Connected Society

ForgeRock

Containerized IAM on Amazon Web Services - Deep Dive A deep technical look at the architecture behind running containerized IAM on AWS and what your team needs for a successful deployment You’ll experience an in depth review of: Assets and processes needed to containerize ForgeRock Architecture and processes guiding containerized IAM on AWS How containers are deployed into Kubernetes Monitoring and management strategies Continuous integration configuration

Get the Exact Identity Solution you Need in the Cloud - Deep Dive

ForgeRock

Get the Exact Identity Solution You Need - In the Cloud - Overview

ForgeRock

Authentication and MFA is no longer a one-mode-fits-all experience. Customer-centric companies need flexible intelligence models and simple, consistent login journeys across channels—web, call center, mobile—without being forced to bolt MFA on top of usernames and passwords. ForgeRock’s VP, Global Strategy and Innovation, Ben Goodman, and Trusona’s Chief Design Officer, Kevin Goldman, explain how ForgeRock combined with Trusona creates a broad range of multi-factor authentication modalities all with a consistent user experience, including primary MFA without usernames, passwords or typing whatsoever. Bonus: Trusona will reveal findings from the first-ever passwordless MFA behavioral research.

ForgeRock and Trusona - Simplifying the Multi-factor User Experience

ForgeRock

Opening Keynote (Identity Live Berlin 2018)

ForgeRock

Steinberg - Customer identity as the cornerstone of our approach to digitaliz...

ForgeRock

BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)

ForgeRock

Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...

ForgeRock

Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...

ForgeRock

Shift from GDPR readiness to sustained compliance to improve your business an...

ForgeRock

Intelligent Authentication (Identity Live Berlin 2018)

ForgeRock

More from ForgeRock (20)

Digital Identities in the Internet of Things - Securely Manage Devices at Scale

Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond

Identity Live Sydney: Identity Management - A Strategic Opportunity

Identity Live Singapore: Transform Your Cybersecurity Capability

Identity Live Singapore 2018 Keynote Presentation

Identity Live Sydney 2018 Keynote Presentation

Identity Live Singapore: Just Ask 'Em

Identity Live Singapore: Building Trust & Privacy in a Connected Society

Identity Live Sydney: Intelligent Authentication

Identity Live Sydney: Building Trust and Privacy in a Connected Society

Get the Exact Identity Solution you Need in the Cloud - Deep Dive

Get the Exact Identity Solution You Need - In the Cloud - Overview

ForgeRock and Trusona - Simplifying the Multi-factor User Experience

Opening Keynote (Identity Live Berlin 2018)

Steinberg - Customer identity as the cornerstone of our approach to digitaliz...

BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)

Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...

Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...

Shift from GDPR readiness to sustained compliance to improve your business an...

Intelligent Authentication (Identity Live Berlin 2018)

Recently uploaded

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Scaling API-first – The story of a global engineering organization

Radu Cotescu

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Real Time Object Detection Using Open CV

Khem

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Recently uploaded (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Strategies for Landing an Oracle DBA Job as a Fresher

Finology Group – Insurtech Innovation Award 2024

🐬 The future of MySQL is Postgres 🐘

The 7 Things I Know About Cyber Security After 25 Years | April 2024

HTML Injection Attacks: Impact and Mitigation Strategies

AWS Community Day CPH - Three problems of Terraform

GenAI Risks & Security Meetup 01052024.pdf

A Year of the Servo Reboot: Where Are We Now?

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Scaling API-first – The story of a global engineering organization

[2024]Digital Global Overview Report 2024 Meltwater.pdf

Real Time Object Detection Using Open CV

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Powerful Google developer tools for immediate impact! (2023-24 C)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Boost PC performance: How more available memory can improve productivity

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Partners Life - Insurer Innovation Award 2024

OpenAM Best Practices - Corelio Media Case Study

1. 2013 Open Stack Identity Summit - France

2. Corelio Media An Open Identity Stack case study

3. Introducing

4. The case •  Custom built CRM system with provisioning •  Custom SSO implementations •  Room for improved privacy protection •  Per application social media integration •  In code authorization

5. Goals and challenges •  Single Sign On •  Centralized policy & session management •  Multi-tenant support •  Identity management for 4.1M identities •  3 month time constraint

6. Priorities •  Performance •  Ease of application integration •  User comfort & privacy

7. Requiring the full stack •  Central user store: OpenDJ •  SSO & policy enforcement: OpenAM •  Provisioning of user store: OpenIDM

8. The agent approach •  Simple architecture •  Agents scale with infastructure •  Distributed high availability architecture •  No impact on out-of-scope servers

9. Special cases •  IP authentication •  Instant sync •  Remember me •  Entitlements •  Mobile applications

10. Remember me

11. Remember me Session cookies issued after successful authentication Persistent cookie (DProPCookie) P S Session cookie (iPlanetDirectoryPro)

12. Remember me Close and reopen browser P S

13. Remember me But if browser doesn’t close, then at session time-out Expired Session cookie (iPlanetDirectoryPro) P S

14. Remember me Solution: persist session cookie If session times-out, expired cookie won’t be sent P S S openam.session.persist_am_cookie com.iplanet.am.cookie.timeToLive

15. Entitlements •  Access policies are URL based •  Define virtual URL policies •  Application checks authorization •  Through OpenAM authorization REST API

16. Entitlements Policy: Allow URL: http://www.standaard.be/avond/* Group: Subscribers HTTP_UID=987654 HTTP_mail=jdoe@sample.com HTTP_sn=doe HTTP_givenname=john http://www.standaard.be/avond/art.aspx?id=23

17. Entitlements Policy: Allow URL: http://virtual.standaard.be/ comment Group: White listed commenter http://www.standaard.be/avond/art.aspx?id=23&action=comment

18. Mobile applications •  Apps cannot be impacted •  Third party not to store credentials •  Client credential OAuth profile •  Patches required in OpenAM XPress 10.1.0

19. Mobile applications content OAuth token Content server e-mail/password e-mail/OAuth token Third party

20. Project results •  Successfull launch of every tenant •  Agile policy management •  Centralized secure password storage •  Session quota for subscribers enforced

21. Lessons learned •  Value of ForgeRock support •  Avoid crosstalk through sticky sessions •  Use dedicated application pools in IIS •  Use OpenDJ entry cache for large static groups •  But don’t preload the entry cache

22. Roadmap •  Session quota for mobile apps •  Open Identity Stack upgrade •  Media ID •  Metering

23. Thank you Robin Gorris Partner - Senior Architect +32 (0)474 40 99 91 robin.gorris@is4u.be Business Park King Square Veldkant 33A - 2550 Kontich http://www.is4u.be

OpenAM Best Practices - Corelio Media Case Study

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to OpenAM Best Practices - Corelio Media Case Study

Similar to OpenAM Best Practices - Corelio Media Case Study (20)

More from ForgeRock

More from ForgeRock (20)

Recently uploaded

Recently uploaded (20)

OpenAM Best Practices - Corelio Media Case Study