2013 Open Stack Identity Summit - France

OpenAM as flexible integration component
Case studies: STORK, IDAP & eID
Who we are

Wouter Vandenbussche: IAM analyst and architect
wouter.vandenbussche@be.verizon.com, @wouterbussche

Zaeher Rachid: IAM Practice Manager
zaeher.rachid@paradigmo.com

Verizon Enterprise Solutions: consulting & integration services, identity practice
What we do

Typical customer demand
• Identity management
• Access control
• Authentication and federation

Realization
• Full lifecycle: strategy, analysis, implementation and support
• Solutions with products from partners
• Customization and tailored development by experts
• Adequate operational support organization
Why Verizon/Paradigmo together?
(Diagram: client requirements and Verizon UIS specifications feed a flexible integration component, customized and supported by the two partners.)
OpenAM as integration component

Value the strengths of ForgeRock OpenAM
• Flexible integration component
• Bringing adaptability, reliability and agility to projects

Case studies
• UK Cabinet Office IDAP: open market identity assurance
• STORK: pan-European authentication
• eID Authentication: strong authentication with high reliability
The big picture
(Diagram: a Service Provider sends an AuthN request; OpenAM selects the AuthN means or delegates to another IDP (OAuth, OpenID, STORK); final IDP selection.)
UK Cabinet Office: Overview

UK Cabinet Office (Government Digital Service)
• Identity Assurance Programme (IDAP)
• Privacy and trust

Government identity hub
• “We’re working closely with departments to develop an identity assurance process that can be adapted and reused right across government, benefiting users and service providers alike with a simpler, faster, better and safer way to access and transact with government services.”

Open market identity providers
• Trust framework and good practice guides
• IDP: identity proofing and strong authentication
UK Cabinet Office: Trust scheme
(Diagram: Department 1 with Service providers 1 and 2 behind Matching Service 1; Department 2 with Service providers 3 and 4 behind Matching Service 2; each matching service matches the MDS to the local user store.)
UK Cabinet Office: Verizon IDP
(Diagram: the Verizon IDP combines a data provider for identity proofing, OpenAM for integration, profile management for user interfaces, and a standardized Verizon product for strong authN.)
UK Cabinet Office: Demo
STORK: Overview

STORK
• European eID interoperability platform
• Within existing legal restrictions, respectful of all national cultures and complying with the requirements of scalability, trust and security, especially privacy

STORK PEPS architecture
• Leveraging the national trust frameworks to Europe
• Hiding national implementations from the other member states

National identity providers
• Incoming and outgoing federation
• Implementation of the Pan European Proxy Service (PEPS)
STORK: use cases
(Diagram: Service Provider and Citizen interactions.)

STORK: trust scheme
(Diagram: Service Provider; final IDP selection.)

STORK: our setup
(Diagram: Service Providers connected to the setup.)
STORK: demo

OpenAM behavior (IDP side, before customization)
(Flow diagram: SAML received → SAML validated → AuthN mean retrieved → existing session verified? → redirect / forward → AuthN level verified? → SAML response sent.)
• AuthN mean retrieved: class DefaultIDPAuthnContextMapper. The default class returns the AuthN mean corresponding to the first allowed context; nothing is recorded regarding the other contexts.
• SAML response sent: class DefaultIDPAdapter, method preSendResponse.
OpenAM before
• AuthN contexts
  • How to propose multiple AuthN means to the end user?
  • How to customize SSO regarding the SAML AuthN context?
• AuthN level
  • What if the AuthN level is not aligned with business requirements?
• KPIs
  • How to demonstrate SLA compliance when you rely on external systems?
  • How to capture timestamps for valid sessions?
OpenAM before: AuthN contexts
OpenAM after
• Open source
  • It greatly helps to understand issues when you are at the leading edge of federation features!
• ForgeRock support
  • RFE raised @ ForgeRock
  • Urgent delivery of the RFE as a patch
  • RFE now included in new releases
• Additional hooks for custom development
OpenAM after
(Flow diagram: SAML received → SAML validated → AuthN mean retrieved → existing session verified? → redirect / forward → AuthN level verified? → SAML response sent.)
Hooks now available in class DefaultIDPAdapter along this flow:
• method initialize
• method preSingleSignOn (at the existing-session check)
• method preAuthentication (before the redirect / forward to authentication)
OpenAM after after
• Additional requirements…
  • Request for multiple assertions in the SAML response
  • Request for accessing STORK extensions in SAML requests/responses
• … result in new RFEs
• Additional hooks
  • To manipulate SAML Request objects before they are processed
  • To manipulate the SAML Response
  • To trap and treat SAML Response errors
eID Authentication: overview

Belgian electronic identity cards
• Very high level of assurance: NIST level 4
• PKI-based authentication means and a sturdy issuing process
• High penetration rate among the population
• Publicly available infrastructure

Authentication
• Confirmation of possession of and access to the card
• Real-time validation of the status of the card

Identity Provider
• Reusability, simplified integration and increased reliability
eID: trust scheme
(Diagram: validate possession and access to the card, assert identity, Service Provider.)
OpenAM OCSP/CRLs checking
(Flow diagram: SSL mutual authN → is OCSP down? No → query the OCSP responder; Yes → fall back to CRLs.)
OpenAM OCSP/CRLs mechanism
(Flow diagram: cache exists? no → look up the CRL URL in the X.509 certificate, fetch and cache the CRL; yes → cache expired? yes → fetch and cache again, no → fetch the cached CRL; then look up the certificate SerialNumber in the CRL.)
Belgian CA behavior
• Belgian CA behavior
  • A new intermediate CA is issued each month with the same CN but a different SERIALNUMBER, hence a different CRL URL
  • Bulk issuing of certificates, all revoked by default
  • A big CRL can contain more than 100K entries
• Cache issues
  • A lot of time is wasted on CRL initialization (download, validation, processing, …)
  • Storing big objects in LDAP
  • The LDAP entry has the CN in its name and certificateRevocationList is a single-valued attribute, so the CRLs of the monthly intermediates that share a CN compete for one cache entry
  • LDAP replication can be an issue during peak time
• Average time for authentication is more than 10 seconds
  • Most of the time is wasted in CRL checking
CRL caching implementation
• SQLite database
  • A daemon fetches each CRL and creates one database per CRL
  • Only the certificate SERIALNUMBER is stored
• Custom “Cert” module
  • SQL statement to retrieve revoked certificates
• Performance
  • AuthN < 100 ms
  • CRL checking < 5 ms
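The caching scheme from the last slides (OCSP first with CRL fallback, one cache per CRL URL rather than per issuer CN, only serial numbers stored, expiry-driven refresh, one SQL lookup per check), written out as an added Python sketch that is not the authors' or OpenAM's code. CRL download and parsing are replaced by a constructed ParsedCrl stand-in, the SQLite database is in memory, and all URLs and serial numbers are constructed sample values.

```python
import hashlib
import sqlite3
from dataclasses import dataclass

@dataclass
class ParsedCrl:
    """Constructed stand-in for a parsed X.509 CRL (no ASN.1 handling here)."""
    issuer_cn: str
    crl_url: str
    next_update: float      # epoch seconds; the cached copy is stale from then on
    revoked_serials: list   # only the serial numbers are worth caching

# Constructed sample: two monthly "Citizen CA" intermediates share a CN but
# have different CRL distribution points, the pattern the slides describe.
URL_JAN = "http://crl.example.test/citizen-2013-01.crl"
URL_FEB = "http://crl.example.test/citizen-2013-02.crl"
SAMPLE_CRLS = {
    URL_JAN: ParsedCrl("Citizen CA", URL_JAN, 1000.0, ["0A1B", "0A1C"]),
    URL_FEB: ParsedCrl("Citizen CA", URL_FEB, 2000.0, ["0B99"]),
}

def fetch_sample(crl_url):
    """Stands in for the daemon's download and signature validation of a CRL."""
    return SAMPLE_CRLS[crl_url]

class CrlCache:
    """One SQLite table per CRL URL, holding only the revoked serial numbers."""

    def __init__(self, fetch_crl):
        self._fetch = fetch_crl        # callable: crl_url -> ParsedCrl
        self._db = sqlite3.connect(":memory:")
        self._next_update = {}         # crl_url -> expiry of the cached copy
        self.refreshes = 0             # number of downloads, checked by the test

    @staticmethod
    def _table(crl_url):
        # Key on the distribution-point URL, never on the issuer CN: the
        # monthly intermediates share a CN and would overwrite each other.
        return "crl_" + hashlib.sha256(crl_url.encode()).hexdigest()[:16]

    def _refresh(self, crl_url):
        crl = self._fetch(crl_url)
        t = self._table(crl_url)
        self._db.execute(f"DROP TABLE IF EXISTS {t}")
        self._db.execute(f"CREATE TABLE {t} (serial TEXT PRIMARY KEY)")
        self._db.executemany(f"INSERT INTO {t} VALUES (?)",
                             [(s,) for s in crl.revoked_serials])
        self._db.commit()
        self._next_update[crl_url] = crl.next_update
        self.refreshes += 1

    def is_revoked(self, crl_url, serial, now):
        """Cache exists? / cache expired? -> refetch; then one indexed SQL lookup."""
        if now >= self._next_update.get(crl_url, float("-inf")):
            self._refresh(crl_url)
        row = self._db.execute(
            f"SELECT 1 FROM {self._table(crl_url)} WHERE serial = ?", (serial,)
        ).fetchone()
        return row is not None

def check_revocation(serial, crl_url, ocsp_query, cache, now):
    """OCSP first; when the responder is down, fall back to the cached CRL."""
    try:
        status = ocsp_query(serial)    # returns "good" or "revoked", or raises
    except ConnectionError:
        status = None                  # OCSP down -> CRLs
    if status in ("good", "revoked"):
        return status == "revoked"
    return cache.is_revoked(crl_url, serial, now)
```

A real deployment also has to verify the CRL signature and issuer before caching it, which the fetch stand-in here does not do.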
Conclusion
• Our customers and engineers value the strengths of ForgeRock OpenAM as an integration component in the delivery of solutions for authentication and federation
• Adaptability
  • Easy to customize components and extend functionality
• Reliability
  • Scalable and stable deployments
• Agility
  • Fast realizations due to open source and the partnership with ForgeRock
Q&A
