OpenAM: An Introduction


A Breakout Session introducing OpenAM by Dr. Matthias Tristl, Senior Instructor at ForgeRock, at the 2014 IRM Summit in Phoenix, Arizona.


  1. IRM Summit 2014 OpenAM Matthias Tristl
  2. Agenda
     ■ ForgeRock Stack overview
     ■ OpenAM Overview
     ■ Authentication
     ■ Authorization
     ■ Federation
  3. ForgeRock Stack Overview
  4. Pillars of IAM
  5. Classic scenario I (diagram): User wants to use an application... User, Application which does not require any of ForgeRock's products, but ...
  6. Classic scenario II (diagram): Centralization of Authentication. User, Application ... and ...
  7. Classic scenario III (diagram): Central Authorization. User, Application
  8. Classic scenario IV (diagram): Federation. User, Application, Application
  9. Classic scenario V (diagram): Identity Management. User, Application, HR DB
  10. OpenAM Key Functionality
     ■ Provides single sign-on to web resources and creates a "sign on once, access everywhere" environment
     ■ Centralized policy-based authentication and authorization
     ■ Enables policy enforcement
     ■ Tracks all user authentication related events
     ■ Extends access beyond organizational boundaries
     Functional areas: Authentication, Authorization, Single Sign-On, Federation, Entitlements, Web Services Security, Auditing/Logging, Adaptive AuthN
  11. Single Sign On
  12. Protecting Resources
  13. Partner Integration
  14. Integration Paths
  15. Authentication
  16. Who are you?
  17. Authentication Flow
  18. Where does the request come from?
     ■ Common use case: User requests access to a web page
     ■ Other use cases: Applications can request authentication programmatically through REST or SOAP web services and the OpenAM SDK
  19. Which Credentials?
     ■ OpenAM works with most authentication methods without customization
     ■ 21 out-of-the-box authentication modules
     ■ Custom modules can be created easily
  20. FR-420 OpenAM 11 Authentication Modules: Active Directory, Adaptive Risk, Anonymous, Certificate, Data Store, Device Print, Federation, HOTP, HTTP Basic, JDBC, LDAP, Membership, MSISDN, OATH, OAuth 2.0, RADIUS, SAE, SecurID, Windows Desktop SSO, Windows NT, WSSAuth
  21. ID Token
  22. Authorization
  23. Authorization
     ■ Authentication is not enough
     ■ Authorization determines:
       – WHO can do
       – what ACTIONS
       – with what RESOURCES
       – under which CONDITIONS?
     ■ Uses Policies to define those rights
  24. Authorization Flow
  25. Federation
  26. Federation
     ■ Federation is the process of linking identities across heterogeneous Access Management products
     ■ It is a trust relationship whereby a Service Provider (SP) trusts that an Identity Provider (IDP) has successfully authenticated a user
     ■ It is standards based
  27. Goals of Federation
     ■ Federation enables Single Sign On and Single Logout between partners
     ■ Federation allows rapid integration
       – during company acquisitions
       – between heterogeneous systems
     ■ Federation allows basic Identity Data Sharing
     ■ Helps to keep multiple internet accounts under control
  28. Federation Standards (timeline from 2002 to today, as supported by OpenAM): SAML 1.0, SAML 1.x, SAML 2.0, Liberty ID-FF 1.1/1.2, Shibboleth 1.0/1.1, Shibboleth 2 (SAML2), WS-Federation 1.1, ADFS, ADFS2, OAuth 1.0, OAuth 2.0, OpenID Connect, REST/JSON, SOAP, WS-Federation 1.0
  29. Federation Terminology
  30. OpenAM Federation
     ■ OpenAM provides first-class federation support
     ■ Federation protocol support
       – SAML2, WS-Federation, ID-FF, OAuth2
     ■ Federated Web Services
     ■ Multi-Protocol Hub
       – Allows OpenAM to act as a broker between different federation protocols
     ■ Plug-in points allow for easy customization
     ■ Fedlet for applications that do not support standard protocols
  31. ForgeRock University
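The two ideas the deck spends most time on, slide 23 (authentication is not enough; policies answer who, which actions, which resources, under which conditions) and slide 26 (an SP trusts an IdP's assertion rather than authenticating the user itself), are illustrated below in one added example. It is not OpenAM code and not from the presentation: the HMAC-signed assertion stands in for a SAML2 assertion (a real SP verifies the IdP's XML signature against the certificate in federation metadata), the issuer and audience URLs, secret, groups, hours and policies are constructed, and the policy model is reduced to allow-only rules with default deny.

```python
"""Added illustration: an SP validates an IdP assertion, then evaluates policy.
Every name, secret and policy here is constructed for the demo."""
import fnmatch
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed trust anchors shared between the hypothetical IdP and SP.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"
IDP_ISSUER = "https://idp.example.com"
SP_AUDIENCE = "https://sp.example.com"


def sign_assertion(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """IdP side: serialise the claims canonically and append an HMAC-SHA256 tag."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_assertion(token: str, now: int, secret: bytes = IDP_SECRET):
    """SP side: trust the IdP only if signature, issuer, audience and validity
    window all check out. Returns the claims dict, or None on any failure."""
    payload, sep, tag = token.rpartition(".")  # the hex tag never contains '.'
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or signed by someone other than the trusted IdP
    claims = json.loads(payload)
    if claims.get("issuer") != IDP_ISSUER or claims.get("audience") != SP_AUDIENCE:
        return None  # unknown issuer, or an assertion meant for a different SP
    if not claims.get("not_before", 0) <= now < claims.get("not_after", 0):
        return None  # presented outside its validity window (replay)
    return claims


@dataclass
class Policy:
    name: str
    subjects: frozenset   # WHO: group names the policy applies to
    actions: frozenset    # which ACTIONS (HTTP methods in this demo)
    resources: tuple      # RESOURCE patterns, glob style
    conditions: dict = field(default_factory=dict)  # CONDITIONS on the request


def policy_applies(p: Policy, subject: dict, action: str, resource: str, env: dict) -> bool:
    """True only when subject, action, resource and every condition match."""
    if not p.subjects & frozenset(subject.get("groups", ())):
        return False
    if action not in p.actions:
        return False
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in p.resources):
        return False
    # Condition: minimum authentication level (constructed: 2 means second factor used)
    if subject.get("auth_level", 0) < p.conditions.get("min_auth_level", 0):
        return False
    # Condition: request must arrive inside an allowed hour-of-day window
    window = p.conditions.get("hours")
    if window and not window[0] <= env.get("hour", -1) < window[1]:
        return False
    return True


def authorize(policies, subject: dict, action: str, resource: str, env: dict) -> bool:
    """Deny by default; any applicable allow policy grants access."""
    return any(policy_applies(p, subject, action, resource, env) for p in policies)


# Constructed policy set for the demo
POLICIES = [
    Policy("staff-read", frozenset({"staff"}), frozenset({"GET"}), ("/app/*",)),
    Policy("admin-write", frozenset({"admins"}), frozenset({"POST", "PUT", "DELETE"}),
           ("/app/admin/*",), {"min_auth_level": 2, "hours": (8, 18)}),
]


def decide(token: str, action: str, resource: str, now: int, hour: int) -> bool:
    """Full flow: authentication via the IdP assertion, then policy evaluation."""
    claims = verify_assertion(token, now)
    if claims is None:
        return False  # authentication failed, so no policy is even consulted
    return authorize(POLICIES, claims, action, resource, {"hour": hour})


if __name__ == "__main__":
    tok = sign_assertion({"issuer": IDP_ISSUER, "audience": SP_AUDIENCE,
                          "subject": "alice", "groups": ["staff"], "auth_level": 1,
                          "not_before": 1000, "not_after": 2000})
    print(decide(tok, "GET", "/app/home", now=1500, hour=10))          # True
    print(decide(tok, "POST", "/app/admin/users", now=1500, hour=10))  # False
```

The order matters: `decide` never evaluates policy for a caller whose assertion fails verification, and a valid assertion alone grants nothing, which is the "authentication is not enough" point of slide 23. The audience check is what stops an assertion issued for one SP from being replayed at another.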
