ForgeRock OpenAM as flexible integration component
1. 2013 Open Stack Identity Summit - France
OpenAM as flexible integration component
Case studies: STORK, IDAP & eID
2. Who we are
Wouter Vandenbussche
Zaeher Rachid
IAM analyst and architect
IAM Practice Manager
Verizon Enterprise Solutions
Consulting & integration services
Identity practice
zaeher.rachid@paradigmo.com
wouter.vandenbussche@be.verizon.com
@wouterbussche
3. What we do
Typical customer demand
• Identity management
• Access control
• Authentication and federation
Realization
• Full lifecycle: strategy, analysis, implementation and support
• Solutions with products from partners
• Customization and tailored development by experts
• Adequate operational support organization
5. OpenAM as integration component
Value the strengths of ForgeRock OpenAM
• Flexible integration component
• Bringing adaptability, reliability and agility to projects
Case studies
• UK Cabinet Office IDAP: Open market identity assurance
• STORK: pan-European authentication
• eID Authentication: Strong authentication with high reliability
7. UK Cabinet Office : Overview
UK Cabinet Office (Government Digital Service)
• Identity Assurance Programme (IDAP)
• Privacy and Trust
Government identity hub
• “We’re working closely with departments to develop an identity assurance process that can be adapted and reused right across government, benefiting users and service providers alike with a simpler, faster, better and safer way to access and transact with government services.”
Open market identity providers
• Trust Framework and good practice guides
• IDP: Identity proofing and strong authentication
8. UK Cabinet Office : Trust scheme
[Diagram: Department 1 with Service provider 1, Service provider 2 and Matching Service 1; Department 2 with Service provider 3, Service provider 4 and Matching Service 2; each matching service matches the MDS to the local user store.]
9. UK Cabinet Office : Verizon IDP
[Diagram: Verizon IDP composed of a data provider for identity proofing, OpenAM for integration, profile management for user interfaces, and a standardized Verizon product for strong authentication.]
11. STORK : Overview
STORK
• European eID interoperability platform
• Within existing legal restrictions, respectful of all national cultures and complying with the requirements of scalability, trust and security, especially privacy.
STORK PEPS architecture
• Leveraging the national trust frameworks to Europe
• Hiding national implementations from the other member states
National identity providers
• Incoming and outgoing federation
• Implementation of Pan European Proxy Service (PEPS)
16. Service Provider
[Flow: SAML received → SAML validated → AuthN mean retrieved → existing session verified? → redirect / forward → AuthN level verified? → SAML response sent]
OpenAM behavior
• Class DefaultIDPAuthnContextMapper: the default class returns the AuthN mean corresponding to the first allowed context; nothing is recorded regarding the other contexts.
• Class DefaultIDPAdapter, method preSendResponse: invoked at the “SAML response sent” step.
17. OpenAM before
• AuthN contexts
• How to propose multiple AuthN means to end user?
• How to customize SSO regarding SAML AuthN context?
• AuthN level
• What if AuthN level not aligned with business requirements?
• KPIs
• How to demonstrate SLA compliance when you rely on external
systems?
• How to catch timestamps for valid sessions?
19. OpenAM after
• Open source
• It greatly helps to understand issues when you are at the leading
edge of federation features!
• ForgeRock support
• RFE raised @ ForgeRock
• Urgent delivery of RFE as a patch
• RFE now included in new releases
• Additional hooks for custom development
20. OpenAM after
[Flow: SAML received → SAML validated → AuthN mean retrieved → existing session verified? → redirect / forward → AuthN level verified? → SAML response sent]
Hooks along the flow:
• Class DefaultIDPAdapter, method initialize
• Class DefaultIDPAdapter, method preSingleSignOn
• Class DefaultIDPAdapter, method preAuthentication
21. OpenAM after after
• Additional requirements…
• Request for multiple assertions in SAML response
• Request for accessing STORK extensions in SAML requests/responses
• … result in new RFEs
• Additional hooks
• To manipulate SAML Request objects before they are processed
• To manipulate SAML Response
• To trap and to treat SAML Response errors
22. eID Authentication: overview
Belgian electronic identity cards
• Very high level of assurance: NIST 4
• PKI based authentication mean & sturdy issuing process
• High penetration rate among the population
• Publicly available infrastructure
Authentication
• Confirmation of possession of and access to the card
• Real-time validation of the status of the card
Identity Provider
• Reusability, simplified integration and increased reliability
26. Belgian CA
• New intermediate CA issued each month with the same CN but different SERIALNUMBER => different CRL URL
27. Belgian CA behavior
• Belgian CA behavior
  • New intermediate CA issued each month with the same CN but different SERIALNUMBER => different CRL URL
  • Bulk issuing of certificates, all revoked by default
  • A big CRL can contain more than 100K entries
• Cache issues
  • A lot of time wasted on CRL initialization (download, validation, processing, …)
  • Storing big objects in LDAP
  • The LDAP entry has the CN in its name and certificateRevocationList is a single-valued attribute
  • LDAP replication can be an issue during peak time
• Average time for authentication is more than 10 seconds
  • Most of the time is wasted in CRL checking
28. CRL caching implementation
• SQLite database
• Daemon that fetches CRL and creates one database per CRL
• Only storing certificate SERIALNUMBER
• Custom “Cert” module
• SQL statement to retrieve revoked certificates
• Performance
• AuthN < 100ms
• CRL checking < 5ms
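A minimal version of the CRL cache described on this slide, as an added example (not code from the deck or from Verizon): the daemon side loads the revoked SERIALNUMBERs of one CRL into one SQLite table, keyed on the issuer’s CN and SERIALNUMBER so that monthly CAs sharing a CN cannot collide, and the authentication side does one indexed lookup that fails closed when no fresh CRL is cached. Class and function names, the in-memory databases and the sample issuer names are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone


class CrlCache:
    """One SQLite database per CRL, holding only revoked certificate SERIALNUMBERs."""

    def __init__(self):
        # Key is (issuer CN, issuer SERIALNUMBER): the CN alone is ambiguous because
        # a new intermediate CA with the same CN is issued every month.
        self._dbs = {}

    def load_crl(self, issuer_cn, issuer_serial, next_update, revoked_serials):
        """Daemon side: (re)build the database for one fetched CRL."""
        conn = sqlite3.connect(":memory:")  # the deck uses on-disk files; in-memory here
        conn.execute("CREATE TABLE revoked (serial TEXT PRIMARY KEY)")  # indexed lookup
        conn.execute("CREATE TABLE meta (next_update TEXT)")
        conn.executemany("INSERT OR IGNORE INTO revoked VALUES (?)",
                         ((s.upper(),) for s in revoked_serials))
        conn.execute("INSERT INTO meta VALUES (?)", (next_update.isoformat(),))
        conn.commit()
        self._dbs[(issuer_cn, issuer_serial)] = conn

    def is_revoked(self, issuer_cn, issuer_serial, cert_serial, now=None):
        """Authentication side: one indexed SELECT instead of scanning a 100K-entry CRL."""
        conn = self._dbs.get((issuer_cn, issuer_serial))
        if conn is None:
            raise LookupError("no cached CRL for this issuer")  # fail closed
        now = now or datetime.now(timezone.utc)
        (next_update,) = conn.execute("SELECT next_update FROM meta").fetchone()
        if datetime.fromisoformat(next_update) < now:
            raise LookupError("cached CRL is stale; refresh before use")  # fail closed
        row = conn.execute("SELECT 1 FROM revoked WHERE serial = ?",
                           (cert_serial.upper(),)).fetchone()
        return row is not None


def demo():
    """Constructed sample data standing in for the daemon's fetched CRLs."""
    cache = CrlCache()
    now = datetime.now(timezone.utc)
    # This month's CA: 100,000 bulk-issued serials, all revoked by default.
    cache.load_crl("Example Intermediate CA", "201309", now + timedelta(days=7),
                   (f"{n:032X}" for n in range(100_000)))
    # Last month's CA shares the CN; its cached CRL is already past nextUpdate.
    cache.load_crl("Example Intermediate CA", "201308", now - timedelta(days=1), ["00A1"])
    return cache
```

A production daemon would parse the real CRL (for example with the cryptography package), verify its signature against the CA certificate and write the on-disk database atomically before swapping it in.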
29. Conclusion
• Our customers and engineers value the strengths of
ForgeRock OpenAM as an integration component in the
delivery of solutions for authentication and federation
• Adaptability
• Easy to customize components and extend functionality
• Reliability
• Scalable and stable deployments
• Agility
• Fast realizations due to open source and partnership with ForgeRock