Technical Case Study: McKesson - Employing the Open Identity Stack

Presented by Paul Mezzera, Principal Security Architect, McKesson & Nick Belaevski, Senior Software Developer, Exadel, Inc.

Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/

Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/

1. Deploying the Open Identity Stack at McKesson
   Paul Mezzera, Principal Security Architect, McKesson Corporation
   Nick Belaevski, IAM Consultant, Exadel Inc.
   ForgeRock Open Identity Summit, June 2013

2. Discussion Points
   • McKesson / Exadel Partnership
   • Who are we?
   • Solution examples
     § Corporate Active Directory SSO
     § Identity Management UI
   • Screenshots
   • Q & A

3. McKesson at-a-Glance
   Together with our customers and partners, we are creating a sustainable future for healthcare. Together we are charting a course to better health.
   America’s oldest and largest healthcare services company
   • Founded in 1833
   • Ranked 14th on Fortune’s list with $122.7 billion in revenues
   • Headquartered in San Francisco
   • More than 37,000 employees
   • Two segments: Distribution Solutions and Technology Solutions

4. Who is Exadel?
   Enterprise software development for businesses worldwide
   • Founded in 1988
   • Headquartered in Silicon Valley
   • Delivery centers in six countries
   • More than 700 employees
   • Focus areas:
     § Enterprise systems and services
     § Mobile applications
     § Integrated front to back office applications in financial, media, and other industries

5. Active Directory SSO
   • Challenges
     § Allow corporate domain users to single sign-on into internal and external applications
     § Both internal and external network users
     § Seamlessly auto-detect if Windows Desktop SSO is properly configured
   • Solution
     § SPNEGO-based Kerberos with fallback to conventional form authentication
     § XMLHttpRequest seamlessly delivers the Kerberos token to the server in the background
     § Extension over the standard Windows Desktop SSO module
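The auto-detect step on slide 5 (a background XMLHttpRequest to a Kerberos-protected endpoint, with the login form as fallback) can be illustrated as follows. This is an added example, not McKesson's or Exadel's code; the endpoint path `/sso/negotiate`, the landing page `/app`, the element id `login-form` and the timeout are assumptions. The XHR factory is injected so the decision logic can be exercised outside a browser, where the probe would use the real `XMLHttpRequest`.

```javascript
// Added illustration, not McKesson/Exadel code: probe Windows Desktop SSO in the
// background with XMLHttpRequest and fall back to the login form when SPNEGO
// is not available. The endpoint path and timeout are assumptions.

const SSO_PROBE_URL = "/sso/negotiate"; // assumed Kerberos-protected endpoint
const PROBE_TIMEOUT_MS = 3000;          // a hung handshake must not block the form

// Map what the background request observed to a login path.
// 200: the browser completed the SPNEGO exchange and the server issued a session.
// 401 with a Negotiate challenge: the server asked for Kerberos but the browser
//   sent nothing it accepted (off-domain machine, site not trusted for
//   integrated auth, expired ticket), so show the form.
// 401 without Negotiate: the endpoint is not configured for SSO at all.
// Anything else (network error, timeout, 5xx): fall back as well.
function decideLoginPath(probe) {
  if (probe.status === 200) {
    return { path: "sso", reason: "kerberos-accepted" };
  }
  if (probe.status === 401) {
    const challenge = String(probe.authenticate || "").toLowerCase();
    return challenge.includes("negotiate")
      ? { path: "form", reason: "negotiate-declined" }
      : { path: "form", reason: "sso-not-configured" };
  }
  return { path: "form", reason: probe.reason || ("http-" + probe.status) };
}

// Run the probe. The XHR factory is injected so the logic can be exercised
// outside a browser; in the page use probeDesktopSso(() => new XMLHttpRequest(), ...).
// onDone receives { status, path, reason } exactly once.
function probeDesktopSso(createXhr, onDone) {
  const xhr = createXhr();
  let settled = false;
  const finish = (observed) => {
    if (settled) return;          // onerror and ontimeout may both fire
    settled = true;
    onDone(Object.assign({ status: observed.status }, decideLoginPath(observed)));
  };
  xhr.open("GET", SSO_PROBE_URL, true);
  xhr.withCredentials = true;     // let the browser attach the Negotiate token
  xhr.timeout = PROBE_TIMEOUT_MS;
  xhr.onload = () => finish({
    status: xhr.status,
    // same-origin responses expose WWW-Authenticate; null when absent
    authenticate: xhr.getResponseHeader("WWW-Authenticate"),
  });
  xhr.onerror = () => finish({ status: 0, reason: "network-error" });
  xhr.ontimeout = () => finish({ status: 0, reason: "timeout" });
  xhr.send();
}

// Page wiring (browser only): redirect on SSO success, otherwise reveal the form.
if (typeof XMLHttpRequest !== "undefined" && typeof document !== "undefined") {
  probeDesktopSso(() => new XMLHttpRequest(), (result) => {
    if (result.path === "sso") {
      window.location.assign("/app");                       // assumed landing page
    } else {
      document.getElementById("login-form").hidden = false; // assumed element id
    }
  });
}
```

The timeout matters as much as the status handling: an off-network laptop that cannot reach the KDC can leave the Negotiate exchange hanging, and without a bounded probe the user never sees the form.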
6. Solution Architecture

7. Active Directory SSO Screens

8. Identity Management Use Cases
   • Initial user account creation
     § Direct input
     § Batch import
   • User profile management
     § Delegated administration
     § Users are able to update their own profiles
   • Self-service capabilities
     § Restore forgotten user ID
     § Password reset
   • Security events handling
     § Forced password changes

9. Solution Architecture

10. Identity Management UI
    • Based on OpenIDM 2.1.0
    • Utilizes pure HTML/REST architecture
    • jQuery, Mustache, Require.js, LESS
    • ForgeRock OpenIDM UI served as basis for this development
    • Active Directory, OpenDJ support
    • OpenAM agent used for authentication and authorization

11. Solution Tiers

12. Handling Security Events
    • Challenges
      § Change password functionality is required in both the OpenAM and OpenIDM tiers
      § Change password notification logic depends on OpenIDM configuration information
      § OpenAM agent doesn’t provide information about the authenticated user until the user fully completes the authentication chain
    • Solution
      § Implement a custom authentication module that invokes the OpenIDM change password endpoint via REST
      § Programmatically create and pass the agent user SSO token in the request

13. Security Events

14. Password Reset
    • Challenges
      § Active Directory does not provide standard attributes for questions & answers, and schema customization is discouraged
      § Both self-service and delegated password reset are to be supported
    • Solution
      § Store questions & answers in non-reversible encryption format as managed objects
      § Protect answers from shoulder-surfing by masking input
      § User is required to enter password in order to change questions & answers
15. Challenge Questions

16. Self-Service Password Reset

17. Login Screen with Security Event Handling

18. Challenge Questions Screen

19. Self-Service Password Reset

20. User Dashboard Screen

21. Confirmation Screen

22. Client-Side Validation

23. Q & A
    Thank you for your time!
    Contact Paul.Mezzera@Mckesson.com or Nbelaevski@exadel.com
