OpenAM as Flexible Integration Component


Case Studies on STORK, IDAP, & eID. Led by Zaeher Rachid, lead access management and OpenAM engineer at Paradigmo and Wouter Vandenbussche
Identity And Access Management Consultant, Global Consulting and Integration Services | Verizon Enterprise Solutions

Transcript

  • 1. 2013 Open Stack Identity Summit - France. OpenAM as flexible integration component. Case studies: STORK, IDAP & eID
  • 2. Who we are
    • Wouter Vandenbussche: IAM analyst and architect, Verizon Enterprise Solutions, Consulting & integration services (wouter.vandenbussche@be.verizon.com, @wouterbussche)
    • Zaeher Rachid: IAM Practice Manager, Identity practice (zaeher.rachid@paradigmo.com)
  • 3. What we do
    • Typical customer demand
      • Identity management
      • Access control
      • Authentication and federation
    • Realization
      • Full lifecycle: strategy, analysis, implementation and support
      • Solutions with products from partners
      • Customization and tailored development by experts
      • Adequate operational support organization
  • 4. Why Verizon/Paradigmo together? (diagram) Client requirements → Verizon UIS specifications → Flexible integration component customized and supported by Verizon and Paradigmo
  • 5. OpenAM as integration component
    • Value the strengths of ForgeRock OpenAM
      • Flexible integration component
      • Bringing adaptability, reliability and agility to projects
    • Case studies
      • UK Cabinet Office IDAP: open market identity assurance
      • STORK: pan-European authentication
      • eID Authentication: strong authentication with high reliability
  • 6. The big picture (diagram): Service Provider → AuthN request → AuthN means → Other IDP (OAuth, OpenID, STORK) → Final IDP selection
  • 7. UK Cabinet Office: Overview
    • UK Cabinet Office (Government Digital Service)
      • Identity Assurance Programme (IDAP)
      • Privacy and Trust
    • Government identity hub
      • "We're working closely with departments to develop an identity assurance process that can be adapted and reused right across government, benefiting users and service providers alike with a simpler, faster, better and safer way to access and transact with government services."
    • Open market identity providers
      • Trust Framework and good practice guides
      • IDP: identity proofing and strong authentication
  • 8. UK Cabinet Office: Trust scheme (diagram): Department 1 with Service provider 1, Service provider 2 and Matching Service 1; Department 2 with Service provider 3, Service provider 4 and Matching Service 2; the matching service matches the MDS to the local user store
  • 9. UK Cabinet Office: Verizon IDP (diagram)
    • Data provider for identity proofing
    • OpenAM for integration
    • Profile management for user interfaces
    • Standardized Verizon product for strong authN
  • 10. UK Cabinet Office: Demo
  • 11. STORK: Overview
    • STORK
      • European eID interoperability platform
      • Within existing legal restrictions, respectful with all national cultures and complying with the requirements of scalability, trust and security, especially the privacy.
    • STORK PEPS architecture
      • Leveraging the national trust frameworks to Europe
      • Hiding national implementations from the other member states
    • National identity providers
      • Incoming and outgoing federation
      • Implementation of Pan European Proxy Service (PEPS)
  • 12. STORK: use cases (diagram): Service Provider and Citizen, in both directions
  • 13. STORK: trust scheme (diagram): Service Provider → Final IDP selection
  • 14. STORK: our setup (diagram): Service Provider, Service Provider
  • 15. STORK: demo
  • 16. OpenAM behavior (diagram)
    • Flow: SAML received → SAML validated → AuthN mean retrieved → Existing session verified? → Redirect / forward → AuthN level verified? → SAML response sent
    • Class DefaultIDPAuthnContextMapper: the default class returns the AuthN mean corresponding to the 1st allowed context; nothing is recorded regarding the other contexts
    • Class DefaultIDPAdapter, method preSendResponse: the only hook, applied just before the SAML response is sent
  • 17. OpenAM before
    • AuthN contexts
      • How to propose multiple AuthN means to the end user?
      • How to customize SSO regarding the SAML AuthN context?
    • AuthN level
      • What if the AuthN level is not aligned with business requirements?
    • KPIs
      • How to demonstrate SLA compliance when you rely on external systems?
      • How to catch timestamps for valid sessions?
  • 18. OpenAM before: AuthN contexts (diagram)
  • 19. OpenAM after
    • Open source
      • It greatly helps to understand issues when you are at the leading edge of federation features!
    • ForgeRock support
      • RFE raised @ ForgeRock
      • Urgent delivery of RFE as a patch
      • RFE now included in new releases
      • Additional hooks for custom development
  • 20. OpenAM after (diagram)
    • Flow: SAML received → SAML validated → AuthN mean retrieved → Existing session verified? → Redirect / forward → AuthN level verified? → SAML response sent
    • New hooks in class DefaultIDPAdapter: methods initialize, preSingleSignOn (around the session check) and preAuthentication (before the redirect / forward), in addition to preSendResponse
  • 21. OpenAM after after
    • Additional requirements…
      • Request for multiple assertions in SAML response
      • Request for accessing STORK extensions in SAML requests/responses
      • … result in new RFEs
    • Additional hooks
      • To manipulate SAML Request objects before they are processed
      • To manipulate SAML Response
      • To trap and to treat SAML Response errors
  • 22. eID Authentication: overview
    • Belgian electronic identity cards
      • Very high level of assurance: NIST 4
      • PKI based authentication mean & sturdy issuing process
      • High penetration rate among population
      • Publicly available infrastructure
    • Authentication
      • Confirmation of possession of and access to the card
      • Real-time validation of the status of the card
    • Identity Provider
      • Reusability, simplify integration and increase reliability
  • 23. eID: trust scheme (diagram): Validate possession and access → Assert identity → Service Provider
  • 24. OpenAM OCSP/CRLs checking (diagram): SSL mutual AuthN → OCSP down? No: OCSP Responder; Yes: CRLs
  • 25. OpenAM OCSP/CRLs mechanism (diagram)
    • Cache exist? No: lookup CRL URL in X509 certificate, fetch and cache CRL
    • Cache exist? Yes: cache expired? Yes: lookup CRL URL in X509 certificate, fetch and cache CRL; No: fetch cached CRL
    • Lookup certificate SerialNumber in CRL
  • 26. Belgian CA
    • New intermediate CA issued each month with the same CN but different SERIALNUMBER => different CRL URL
  • 27. Belgian CA behavior
    • Belgian CA behavior
      • New intermediate CA issued each month with the same CN but different SERIALNUMBER => different CRL URL
      • Bulk issuing of certificates, all revoked by default
      • Big CRL can contain more than 100K entries
    • Cache issues
      • Lot of time wasted on CRL initialization (download, validation, processing, …)
      • Storing big objects in LDAP
      • LDAP entry has CN in the name and certificateRevocationList is a single valued field
      • LDAP replication can be an issue during peak time
    • Average time for authentication is more than 10 seconds
      • Most of the time is wasted in CRL checking
  • 28. CRL caching implementation
    • SQLite database
      • Daemon that fetches CRL and creates one database per CRL
      • Only storing certificate SERIALNUMBER
    • Custom "Cert" module
      • SQL statement to retrieve revoked certificates
    • Performance
      • AuthN < 100ms
      • CRL checking < 5ms
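The CRL cache sketched on slides 25 to 28, reconstructed as an added Python example; it is not the presenters' code (their daemon and custom Cert module are OpenAM-side components). It keys one SQLite database per CRL URL rather than per issuer CN, so the monthly intermediate CAs with identical CNs from slide 26 do not collide, stores only revoked serial numbers, and refetches once nextUpdate has passed; the CRL URLs, revoked serials and fetch function are constructed stand-ins.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample data, not the presenters' data: two monthly intermediate CAs sharing a CN
# but carrying different SERIALNUMBERs and therefore different CRL URLs (slide 26).
# Serials are stored as hex text: X.509 serials can be up to 20 bytes and overflow SQLite INTEGER.
T0 = datetime(2013, 10, 1, tzinfo=timezone.utc)
CONSTRUCTED_CRLS = {
    "http://crl.example.invalid/citizen201309.crl": ({0x1001, 0x1002}, T0 + timedelta(days=1)),
    "http://crl.example.invalid/citizen201310.crl": ({0x2001}, T0 + timedelta(days=1)),
}


def constructed_fetch(url):
    """Stand-in for the daemon's CRL download: returns (revoked serials, nextUpdate)."""
    return CONSTRUCTED_CRLS[url]


class CrlCache:
    """One SQLite database per CRL URL holding only revoked serial numbers (slide 28)."""

    def __init__(self, fetch=constructed_fetch):
        self.fetch = fetch
        self.dbs = {}       # crl_url -> sqlite3 connection (":memory:" here; one file each in a daemon)
        self.fetches = 0    # counts downloads so cache hits and expiries are observable

    def _db_for(self, url, now):
        # Slide 25 flow: cache exists? -> cache expired? -> otherwise fetch and cache the CRL.
        db = self.dbs.get(url)
        if db is not None:
            (next_update,) = db.execute("SELECT next_update FROM meta").fetchone()
            if now < datetime.fromisoformat(next_update):
                return db
        revoked, next_update = self.fetch(url)
        self.fetches += 1
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE revoked (serial TEXT PRIMARY KEY)")
        db.execute("CREATE TABLE meta (next_update TEXT NOT NULL)")
        db.executemany("INSERT INTO revoked VALUES (?)", [(format(s, "x"),) for s in revoked])
        db.execute("INSERT INTO meta VALUES (?)", (next_update.isoformat(),))
        db.commit()
        self.dbs[url] = db      # replaces any expired database for this URL
        return db

    def is_revoked(self, crl_url, serial, now=None):
        """crl_url is taken from the client certificate's CRL distribution point extension."""
        now = now or datetime.now(timezone.utc)
        db = self._db_for(crl_url, now)
        row = db.execute("SELECT 1 FROM revoked WHERE serial = ?", (format(serial, "x"),)).fetchone()
        return row is not None
```

The lookup is a primary-key hit on a table of serials, which is what keeps the per-authentication CRL check far below the cost of re-parsing a 100K-entry CRL.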
  • 29. Conclusion
    • Our customers and engineers value the strengths of ForgeRock OpenAM as an integration component in the delivery of solutions for authentication and federation
    • Adaptability
      • Easy to customize components and extend functionality
    • Reliability
      • Scalable and stable deployments
    • Agility
      • Fast realizations due to open source and partnership with ForgeRock
  • 30. 2013 Open Stack Identity Summit - France. Q&A