OpenAM as Flexible Integration Component

Case studies on STORK, IDAP & eID. Presented by Zaeher Rachid, lead access management and OpenAM engineer at Paradigmo, and Wouter Vandenbussche, Identity and Access Management Consultant, Global Consulting and Integration Services, Verizon Enterprise Solutions.


  1. 2013 Open Stack Identity Summit - France
     OpenAM as flexible integration component
     Case studies: STORK, IDAP & eID
  2. Who we are
     • Wouter Vandenbussche: IAM analyst and architect, Verizon Enterprise Solutions, Consulting & integration services (@wouterbussche)
     • Zaeher Rachid: IAM Practice Manager, Identity practice (Paradigmo)
  3. What we do
     Typical customer demand
     • Identity management
     • Access control
     • Authentication and federation
     Realization
     • Full lifecycle: strategy, analysis, implementation and support
     • Solutions with products from partners
     • Customization and tailored development by experts
     • Adequate operational support organization
  4. Why Verizon/Paradigmo together? (diagram: client requirements and Verizon UIS specifications feed a flexible integration component, customized and supported by Verizon and Paradigmo)
  5. OpenAM as integration component
     Value the strengths of ForgeRock OpenAM
     • Flexible integration component
     • Bringing adaptability, reliability and agility to projects
     Case studies
     • UK Cabinet Office IDAP: open market identity assurance
     • STORK: pan-European authentication
     • eID authentication: strong authentication with high reliability
  6. The big picture (diagram): the service provider sends an AuthN request; after the final IDP selection the user is either presented with a local AuthN means or sent to another IDP (OAuth, OpenID, STORK)
  7. UK Cabinet Office: overview
     UK Cabinet Office (Government Digital Service)
     • Identity Assurance Programme (IDAP)
     • Privacy and trust
     Government identity hub
     • "We're working closely with departments to develop an identity assurance process that can be adapted and reused right across government, benefiting users and service providers alike with a simpler, faster, better and safer way to access and transact with government services."
     Open market identity providers
     • Trust framework and good practice guides
     • IDP: identity proofing and strong authentication
  8. UK Cabinet Office: trust scheme (diagram): Department 1 with service providers 1 and 2 behind Matching Service 1, Department 2 with service providers 3 and 4 behind Matching Service 2; each matching service matches the MDS (matching dataset) to the local user store
  9. UK Cabinet Office: Verizon IDP (diagram)
     • Data provider for identity proofing
     • OpenAM for integration
     • Profile management for user interfaces
     • Standardized Verizon product for strong AuthN
  10. UK Cabinet Office: demo
  11. STORK: overview
     STORK
     • European eID interoperability platform
     • Within existing legal restrictions, respecting all national cultures and complying with the requirements of scalability, trust and security, especially privacy
     STORK PEPS architecture
     • Extending the national trust frameworks to Europe
     • Hiding national implementations from the other member states
     National identity providers
     • Incoming and outgoing federation
     • Implementation of the Pan-European Proxy Service (PEPS)
  12. STORK: use cases (diagram: citizen and service provider pairs across member states)
  13. STORK: trust scheme (diagram: from the service provider to the final IDP selection)
  14. STORK: our setup (diagram with the service providers)
  15. STORK: demo
  16. OpenAM behavior (flow at the IDP)
     SAML request received → SAML validated → AuthN mean retrieved → existing session verified? → redirect / forward → AuthN level verified? → SAML response sent
     • AuthN mean retrieved: class DefaultIDPAuthnContextMapper. The default class returns the AuthN mean corresponding to the first allowed context; nothing is recorded regarding the other contexts.
     • SAML response sent: class DefaultIDPAdapter, method preSendResponse
  17. OpenAM before
     • AuthN contexts
       - How to propose multiple AuthN means to the end user?
       - How to customize SSO regarding the SAML AuthN context?
     • AuthN level
       - What if the AuthN level is not aligned with business requirements?
     • KPIs
       - How to demonstrate SLA compliance when you rely on external systems?
       - How to catch timestamps for valid sessions?
  18. OpenAM before: AuthN contexts (diagram)
  19. OpenAM after
     • Open source
       - It greatly helps to understand issues when you are at the leading edge of federation features!
     • ForgeRock support
       - RFE raised with ForgeRock
       - Urgent delivery of the RFE as a patch
       - RFE now included in new releases
     • Additional hooks for custom development
  20. OpenAM after (flow at the IDP)
     SAML request received → SAML validated → AuthN mean retrieved → existing session verified? → redirect / forward → AuthN level verified? → SAML response sent
     New hooks in class DefaultIDPAdapter:
     • method initialize (when the adapter is created)
     • method preSingleSignOn (before the existing session is verified)
     • method preAuthentication (before the redirect / forward to authentication)
     • method preSendResponse (before the SAML response is sent)
  21. OpenAM after after
     • Additional requirements…
       - Request for multiple assertions in the SAML response
       - Request for accessing STORK extensions in SAML requests/responses
       - … resulting in new RFEs
     • Additional hooks
       - To manipulate SAML request objects before they are processed
       - To manipulate the SAML response
       - To trap and treat SAML response errors
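The decision that slides 16 to 21 describe, modelled as an added example in Python (this is not code from the slides or from OpenAM, and the context-to-level mapping, the Session type and the level numbers are assumptions of this example): given the RequestedAuthnContext of a SAML 2.0 AuthnRequest and the current SSO session, `decide_before` reproduces the default behaviour (first allowed context only, session reused on AuthLevel alone) and `decide_after` offers every acceptable means and reuses the session only when the context it was created with is itself acceptable. It also handles the SAML `Comparison` attribute and the NoAuthnContext error, which the slides do not spell out.

```python
"""
Added example, not code from the slides or from OpenAM: a model of the IdP-side
decision for a SAML 2.0 AuthnRequest with a RequestedAuthnContext.
AUTHN_CONTEXT_MAP, Session, Decision and the level numbers are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed IdP mapping: AuthnContextClassRef -> (authentication level, authentication means).
# Higher level = stronger, in the spirit of OpenAM's AuthLevel.
AUTHN_CONTEXT_MAP = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": (10, "LDAP"),
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract": (20, "OTP"),
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": (30, "Cert"),
}
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


@dataclass
class Session:
    auth_level: int       # level reached when the session was created
    authn_context: str    # class ref actually used to create it


@dataclass
class Decision:
    offered_means: List[str]  # modules the user may choose from
    reuse_session: bool       # True: issue the assertion from the existing session


def acceptable_contexts(class_refs: List[str], comparison: str = "exact") -> List[Tuple[str, int, str]]:
    """Contexts the IdP may satisfy the request with, per the SAML 2.0 Comparison rules.

    exact   : one of the listed contexts (request order is kept)
    minimum : at least as strong as the weakest listed context
    better  : stronger than the strongest listed context
    maximum : not stronger than the strongest listed context
    Unknown class refs are ignored; an empty result is a NoAuthnContext error.
    """
    known = [c for c in class_refs if c in AUTHN_CONTEXT_MAP]
    if not known:
        raise ValueError(NO_AUTHN_CONTEXT)
    levels = [AUTHN_CONTEXT_MAP[c][0] for c in known]
    if comparison == "exact":
        result = [(c, *AUTHN_CONTEXT_MAP[c]) for c in known]
    else:
        rule = {
            "minimum": lambda lvl: lvl >= min(levels),
            "better": lambda lvl: lvl > max(levels),
            "maximum": lambda lvl: lvl <= max(levels),
        }.get(comparison)
        if rule is None:
            raise ValueError(f"unsupported Comparison value: {comparison!r}")
        result = sorted(((c, lvl, m) for c, (lvl, m) in AUTHN_CONTEXT_MAP.items() if rule(lvl)),
                        key=lambda t: t[1])
    if not result:
        raise ValueError(NO_AUTHN_CONTEXT)
    return result


def decide_before(class_refs: List[str], comparison: str = "exact",
                  session: Optional[Session] = None) -> Decision:
    """Behaviour described on slide 16: keep only the first allowed context,
    record nothing about the others, and reuse the session on AuthLevel alone."""
    _, first_level, first_means = acceptable_contexts(class_refs, comparison)[0]
    reuse = session is not None and session.auth_level >= first_level
    return Decision(offered_means=[first_means], reuse_session=reuse)


def decide_after(class_refs: List[str], comparison: str = "exact",
                 session: Optional[Session] = None) -> Decision:
    """Behaviour the slides ask for: offer every acceptable means and reuse the
    session only if the context it was created with is itself acceptable."""
    acceptable = acceptable_contexts(class_refs, comparison)
    refs = {ref for ref, _, _ in acceptable}
    reuse = session is not None and session.authn_context in refs
    return Decision(offered_means=[m for _, _, m in acceptable], reuse_session=reuse)


if __name__ == "__main__":
    # Constructed request: the SP accepts either OTP or a smartcard, exact match.
    req = ["urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
           "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"]
    print(decide_before(req))   # only OTP is offered
    print(decide_after(req))    # OTP and Cert are both offered
```

The exact-match case is where the two behaviours diverge in a security-relevant way: with a session created by a smartcard login and an SP asking for exactly the OTP context, `decide_before` silently reuses the session because 30 ≥ 20, while `decide_after` re-authenticates because SmartcardPKI is not one of the contexts the SP listed.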
  22. eID authentication: overview
     Belgian electronic identity cards
     • Very high level of assurance: NIST level 4
     • PKI-based authentication mean and sturdy issuing process
     • High penetration rate among the population
     • Publicly available infrastructure
     Authentication
     • Confirmation of possession of and access to the card
     • Real-time validation of the status of the card
     Identity provider
     • Reusability, simplified integration and increased reliability
  23. eID: trust scheme (diagram: validate possession of and access to the card, then assert the identity to the service provider)
  24. OpenAM OCSP/CRL checking (flow)
     SSL mutual AuthN → is OCSP down? → no: query the OCSP responder; yes: fall back to CRLs
  25. OpenAM OCSP/CRL mechanism (flow)
     Look up the CRL URL in the X.509 certificate → does a cache exist? → no: download and cache the CRL; yes: has the cache expired? → yes: download and cache the CRL; no: fetch the cached CRL → look up the certificate serial number in the CRL
  26. Belgian CA
     • A new intermediate CA is issued each month with the same CN but a different SERIALNUMBER, hence a different CRL URL
  27. Belgian CA behavior
     • A new intermediate CA is issued each month with the same CN but a different SERIALNUMBER, hence a different CRL URL
     • Bulk issuing of certificates, all revoked by default
     • A big CRL can contain more than 100K entries
     Cache issues
     • A lot of time wasted on CRL initialization (download, validation, processing, …)
     • Storing big objects in LDAP
     • The LDAP entry has the CN in its name and certificateRevocationList is a single-valued attribute, so the monthly CAs that share a CN cannot each keep their own CRL
     • LDAP replication can be an issue at peak time
     Average time for authentication is more than 10 seconds
     • Most of the time is spent in CRL checking
  28. CRL caching implementation
     • SQLite database
       - A daemon fetches the CRLs and creates one database per CRL
       - Only the certificate SERIALNUMBER is stored
     • Custom "Cert" module
       - SQL statement to retrieve revoked certificates
     • Performance
       - AuthN < 100 ms
       - CRL checking < 5 ms
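A stdlib-only sketch of the cache described on slides 24 to 28, added here as an example (it is not the presenters' code): one SQLite file per CRL distribution point URL, so a new monthly intermediate CA with a new CRL URL never overwrites an older CRL the way the CN-named LDAP entry did; only revoked serial numbers are stored; the revocation check is a single primary-key probe; and the check falls back from OCSP to the CRL cache as on slide 24. Downloading, signature-checking and parsing the CRL into (serial, revocation time) rows is the fetch daemon's job and is not shown; the rows handed to `store()` are constructed by the caller. The class and function names, and the fail-closed handling of an unknown status, are this example's own choices.

```python
"""
Added example, not the presenters' code: a per-URL SQLite CRL cache with a
fail-closed revocation check. The fetch daemon's download/validation/parsing
step is assumed and not shown; callers pass already-parsed revoked rows.
"""
import hashlib
import os
import sqlite3
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple


class CrlCache:
    """Per-URL SQLite files under cache_dir. All datetimes are timezone-aware UTC."""

    def __init__(self, cache_dir: str):
        self.cache_dir = cache_dir
        os.makedirs(cache_dir, exist_ok=True)

    def _path(self, crl_url: str) -> str:
        # Key the file on the full distribution point URL, not on the issuer CN:
        # the monthly intermediates share a CN but differ in SERIALNUMBER and URL.
        digest = hashlib.sha256(crl_url.encode("utf-8")).hexdigest()
        return os.path.join(self.cache_dir, digest + ".sqlite")

    def store(self, crl_url: str, this_update: datetime, next_update: datetime,
              revoked: Iterable[Tuple[int, datetime]]) -> int:
        """Replace the cached CRL for crl_url; returns the number of revoked serials stored.

        Serials are kept as hex text: X.509 serials may be up to 20 bytes, which
        does not fit SQLite's 64-bit INTEGER.
        """
        con = sqlite3.connect(self._path(crl_url))
        try:
            with con:  # one transaction: readers never see a half-loaded CRL
                con.execute("CREATE TABLE IF NOT EXISTS meta (key TEXT PRIMARY KEY, value TEXT)")
                con.execute("CREATE TABLE IF NOT EXISTS revoked "
                            "(serial TEXT PRIMARY KEY, revoked_at TEXT NOT NULL)")
                con.execute("DELETE FROM revoked")
                con.executemany("INSERT INTO revoked (serial, revoked_at) VALUES (?, ?)",
                                ((format(serial, "x"), when.isoformat()) for serial, when in revoked))
                con.execute("INSERT OR REPLACE INTO meta VALUES ('this_update', ?)",
                            (this_update.isoformat(),))
                con.execute("INSERT OR REPLACE INTO meta VALUES ('next_update', ?)",
                            (next_update.isoformat(),))
                return con.execute("SELECT COUNT(*) FROM revoked").fetchone()[0]
        finally:
            con.close()

    def status(self, crl_url: str, serial: int, now: Optional[datetime] = None) -> str:
        """'good', 'revoked', or 'unknown' when no fresh CRL is cached for this URL."""
        path = self._path(crl_url)
        if not os.path.exists(path):
            return "unknown"
        now = now or datetime.now(timezone.utc)
        con = sqlite3.connect(path)
        try:
            row = con.execute("SELECT value FROM meta WHERE key = 'next_update'").fetchone()
            if row is None or datetime.fromisoformat(row[0]) <= now:
                return "unknown"  # past nextUpdate: the daemon has to refresh it first
            hit = con.execute("SELECT 1 FROM revoked WHERE serial = ?",
                              (format(serial, "x"),)).fetchone()
            return "revoked" if hit else "good"
        finally:
            con.close()


def check_certificate(cache: CrlCache, crl_url: str, serial: int,
                      ocsp_status: Optional[str], now: Optional[datetime] = None) -> bool:
    """Slide 24 decision: trust the OCSP answer ('good'/'revoked') when the responder
    is up, fall back to the CRL cache when it is down (ocsp_status is None).
    Design choice of this example: fail closed, a certificate whose status cannot
    be determined is not accepted."""
    if ocsp_status is not None:
        return ocsp_status == "good"
    return cache.status(crl_url, serial, now) == "good"
```

The `DELETE` plus bulk `INSERT` inside one transaction matters for the 100K-entry CRLs mentioned on slide 27: a client that checks a serial while the daemon is loading the next month's CRL either sees the complete old list or the complete new one, never an empty table that would make every certificate look valid.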
  29. Conclusion
     Our customers and engineers value the strengths of ForgeRock OpenAM as an integration component in the delivery of solutions for authentication and federation
     • Adaptability: easy to customize components and extend functionality
     • Reliability: scalable and stable deployments
     • Agility: fast realizations thanks to open source and the partnership with ForgeRock
  30. 2013 Open Stack Identity Summit - France: Q&A