Thomson Reuters Case Study


Presented by Tim Vogt, Senior Technologist, Thomson Reuters at ForgeRock Open Identity Summit, June 2013.


  1. Open Identity Summit: The platform we built on OpenAM and OpenDJ. Tim Vogt, Architect; Thisana Pienlert, Technical Lead; Thomson Reuters
  2. About us…
  3. About us…
  4. What is “Thomson Reuters Eikon”?
       • A desktop application: A financial information product
       • A platform that delivers content, market data, infrastructure services, hosted applications.
       • The platform’s tasks:
           • Inbound: Protect its own value
           • Outbound: Deliver the right stuff to the right people in a quick & easy way
     With an identity hat on:
       • The individual end user is less interesting than the services they’re paying for.
       • Managing identity is a necessary evil rather than a purpose.
  5. A bit of history
       • Previous product generations were “fat” in many ways: a fat desktop application, dedicated infrastructure, hard to provision and complex to manage.
       • No true authentication, instead a complex, multi-layered authorisation system reliant upon trusted connections.
       • Previous attempts to “go hosted” and consolidate on a platform were not unsuccessful, but did not deliver the desired economy of scale.
       • Thomson had a web-based delivery platform, backed by an existing ID&AM architecture.
       • “Common Platform” was to turn things around, providing single sign-on, federation capabilities, centralised permissioning, replicated storage and a self-admin framework.
       • Renewed focus on “customer first”: ease of use, convenience, performance.
     [Diagram labels: Content DB; Real-time distribution network; Deployed Distribution Infrastructure; Data Sources; ThomsonOne; Internet]
  6. Shape-shifting Platform - Version 1
     [Diagram labels: AAA; CCRM]
  7. Shape-shifting Platform - Version 2
     [Diagram labels: AAA; CCRM; AAA; oAuth; SAML2; Federation; OpenID; App store; Eikon API; Eikon cloud]
  8. Shape-shifting Platform – The Future?
     [Diagram labels: AAA; CCRM; Single Identity Master]
     Eikon might turn into an execution framework, managing the interactions with the platform from the desktop.
  9. How Security Awareness changed
       • Account management
       • Access control
       • Authentication policies
       • Session policies
       • Auditing
     Quotes shown on the slide:
       • “For customer acceptance, security must be visibly solid and flawless, whilst ensuring intuitiveness for the end user.”
       • “Stop making things so difficult and complex! My clients [developers] need convenience.”
       • “Expire passwords! Terminate sessions! Require second factor! Introduce fingerprint readers!”
     [Timeline labels: 2013; 2011; 2007]
  10. Lessons learnt
       • Business people don’t always appreciate architectural guidance – but they need it, especially in the IDAM space.
       • Whether or not industry buzz brings useful technological developments worth adopting is often a question of timing.
       • It’s the quick and easy solutions that score and bring visible success – the challenge is to keep them under control and avoid
       • Keep calm and carry on, absorb the pain, do the right thing.
  11. The stack
     [Diagram labels: Java; Solaris 10; Java; SWS 7; Sun AM 7.1; DSEE 6; Apache / Tomcat; Open AM 9.x; DSEE 6; OpenDJ; Migration; Phase 1 (2011); Phase 2 (2013); Solaris 10; “Right now!”]
  12. Timeline for product options (2010)
     [Timeline labels: 2010 Q2; AM 7.1-TR; 2011 Q2; 2012 Q2; EOY 2012; EOY 2013; CP 1.0; CP 1.5; OpenSSO 8U2; End of premier support; OpenAM 9; OAM 11gR2; EOY 2014 …]
  13. What SunAM/OpenAM had to do for us
       • SSO:
           • between web and non-web applications covering HTTP and non-HTTP protocols
           • across two physically separate delivery networks
           • across multiple global sites
       • Exclusive Sign-On: Enforcing a single device, single session per user globally
       • Site affinity: Direct all access to user’s home site or failover site
       • Session refresh: Virtually infinite session duration
       • Heavily customised authentication flows
       • 24x7 availability, non-disruptive maintenance
       • 120,000 active users per data centre, 50 logins per second
  14. …and what we had to do to them:
       • Request various functional enhancements:
           • Persistent cookie for master token
           • Communication between DAS and AM
           • Better support for hardware-load balanced set-ups: DAS, PA (POST data preservation)
       • Request many fixes:
           • PA (for IIS)
           • Session housekeeping and failover MQ
           • Consistent updates of cached state and config information
  15. What we expect from OpenAM
       • Solve the Policy Agent pain:
           • Ensure stability
           • Suitable, stable, manageable alternatives for different use cases: OpenIG, Fedlet, …
       • Stabilise session failover and global session replication
       • Consistent replication of distributed state information
       • Complete REST framework including authorisation
  16. What we expect from OpenDJ
       • A successful migration on June 22nd
       • Rock-solid replication
       • Fix session failover and replication in OpenAM
       • Complete and reliable monitoring
       • Write performance
       • Scale & Stability
  17. Q & A