
Case Study: Utilizing OpenIDM with an External AJAX Interface


Breakout Session presented by Rob Jackson, Identity Solutions Architect at Nulli at the 2014 IRM Summit in Phoenix, Arizona


  1. Human Information Identity Management, Identity Solution Architects. Case Study: Utilizing OpenIDM with an External AJAX Interface (6/4/2014)
  2. Introduction: Nulli
     • ForgeRock Strategic Partner
     • Open Source Contributors
     • IAM Specialists since 1997
     • HQ in Calgary, AB, Canada; servicing North America
  3. Whitepaper
     • Consumer-facing trend
     • Available for download (blog)
     • Authored by Hadi Ahmadi / Sandeep Chaturvedi
     • Based on a current customer
       ◦ Requirements: IdP for public-sector applications; registration/verification; self-service user functions
       ◦ Detailed design was already complete
       ◦ Interested in a lightweight AJAX UI with a REST API (Internet-facing)
  4. CREST (Commons REST): common REST API between products
     • OpenIdM
     • OpenDJ
     • OpenAM
  5. Implementing CREST
     • Which API? Overlap of functionality; strong points
     • Security? Internet-facing?
     • Middle Tier? Required?
     • Gotchas
  6. Which API? Overlap example: Create User
     • OpenAM: ../json/users/?_action=register
     • OpenIdM: ../managed/user/
     • OpenDJ: ../users/newuser
  7. Which API? CREST API feature comparison (flattened table; the extraction does not preserve which column each mark belongs to). Columns: Registration, Provision LDAP, Provision (Multiple Data), Password Policy/Validation, Password Reset, OTP, Auth'n & Federation, Customizable Configuration, Workflow, Self Service. Rows: OpenAM, OpenIdM, OpenDJ.
  8. Which API? Summary
     • OpenIdM: workflow; multiple data stores; most flexible
     • OpenAM: authentication/authorization
     • OpenDJ: more system-to-system
  9. Security?
     • Reverse Proxy / Secure Gateway
       ◦ Reduce 'attack' surface
       ◦ Control generalized API patterns (POST ../?action=something)
     • API Policies (OpenIdM)
     • Authenticated vs Anonymous
       ◦ Token / UID+PWD
       ◦ OpenIdM protected by OpenAM
     • XSS/CORS
     • JSON sanitization (embedded scripts, etc.)
  10. Middle Tier?
      • Business logic: multiple calls behind token authentication
      • DMZ presence
      • Anonymous links from emails
      • Host non-identity content: country/city lists, etc.; landing pages / UI host
      • CAPTCHA
  11. Gotchas
      • OpenIdM (Jetty) protected by OpenAM: can't use the OOTB anonymous user
      • Returning detailed user status from the OpenAM Authentication REST API (Active/Inactive): multiple calls; authentication plugin?
      • Functionality in OpenAM not as flexible: OpenIdM custom endpoints
  12. Architecture
  13. Robert Jackson, Identity Architect. P: (403) 869-3313, C: (403) 648-0909. Questions?
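Slides 9 and 10 describe a reverse proxy or secure gateway that controls generalized API patterns, separates anonymous from authenticated calls and screens JSON for embedded scripts. The Python below is an added example of such a gateway policy, not code from the presentation or from ForgeRock; the paths, the `_action` names and the rules are assumed placeholders modelled on the slides.

```python
"""Allowlisting gateway for an Internet-facing CREST middle tier (constructed example;
paths, actions and rules are placeholders modelled on the slides, not a real deployment)."""
import re

# Generalized API patterns the gateway forwards (slide 9). Everything not listed is
# denied by default. Each rule: method, path regex, permitted _action values, auth required.
POLICY = [
    ("POST",  r"^/openidm/managed/user/?$",     {"create"},        False),  # self-registration
    ("GET",   r"^/openidm/managed/user/[^/]+$", set(),             True),   # read own profile
    ("PATCH", r"^/openidm/managed/user/[^/]+$", set(),             True),   # self-service update
    ("POST",  r"^/openidm/managed/user/[^/]+$", {"resetPassword"}, False),  # anonymous link from email
]

# '<' immediately followed by a tag name, '/', '!' or '?' marks the start of HTML/script markup.
_MARKUP = re.compile(r"<[A-Za-z/!?]")

def contains_markup(value):
    """Recursively report whether any string in a decoded JSON body carries markup."""
    if isinstance(value, str):
        return _MARKUP.search(value) is not None
    if isinstance(value, dict):
        return any(contains_markup(v) for v in value.values())
    if isinstance(value, list):
        return any(contains_markup(v) for v in value)
    return False

def authorize(method, path, query, authenticated):
    """Return (allowed, reason) for a request checked against the POLICY allowlist."""
    action = query.get("_action")
    for rule_method, pattern, actions, needs_auth in POLICY:
        if method != rule_method or not re.match(pattern, path):
            continue
        if needs_auth and not authenticated:
            return False, "authentication required"
        if action is None and actions:
            return False, "_action required"
        if action is not None and action not in actions:
            return False, f"_action={action} not permitted on this pattern"
        return True, "ok"
    return False, "no matching API pattern"

def gate(method, path, query, body, authenticated):
    """Pattern allowlisting plus payload screening (slide 9: JSON sanitization)."""
    allowed, reason = authorize(method, path, query, authenticated)
    if allowed and contains_markup(body):
        return False, "markup in JSON payload"
    return allowed, reason
```

Rejecting marked-up input at the gateway complements, rather than replaces, output encoding in the AJAX UI, since data may also arrive through channels the gateway never sees.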