IS4U Senior Architect Robin Gorris shares OpenAM Best practices at Corelio Media, presented as part of our Case Study session with Everett and ACA, moderated by ForgeRock VP of Services Steve Ferris and Director of Support Tim Rault-Smith.
4. The case
• Custom built CRM system with provisioning
• Custom SSO implementations
• Room for improved privacy protection
• Per application social media integration
• In code authorization
5. Goals and challenges
• Single Sign On
• Centralized policy & session management
• Multi-tenant support
• Identity management for 4.1M identities
• 3-month time constraint
7. Requiring the full stack
• Central user store: OpenDJ
• SSO & policy enforcement: OpenAM
• Provisioning of user store: OpenIDM
8. The agent approach
• Simple architecture
• Agents scale with infrastructure
• Distributed high availability architecture
• No impact on out-of-scope servers
9. Special cases
• IP authentication
• Instant sync
• Remember me
• Entitlements
• Mobile applications
13. Remember me
But if the browser doesn’t close, then at session time-out:
Expired session cookie (iPlanetDirectoryPro)
14. Remember me
Solution: persist the session cookie
If the session times out, the expired cookie won’t be sent
Related OpenAM properties:
openam.session.persist_am_cookie
com.iplanet.am.cookie.timeToLive
15. Entitlements
• Access policies are URL based
• Define virtual URL policies
• Application checks authorization
• Through OpenAM authorization REST API
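One way an application can perform the check described above, shown as an added example (not code from the IS4U deck or from the Corelio project): it calls the OpenAM 10.x legacy `/identity/authorize` REST endpoint for a virtual URL policy and treats anything other than an explicit `boolean=true` as a deny. The OpenAM base URL, the virtual URL and the token value are assumptions.

```python
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed OpenAM deployment URL (constructed for this example)
OPENAM_BASE = "https://sso.example.com/openam"


def build_authorize_url(sso_token, resource, action="GET", base=OPENAM_BASE):
    """URL for the legacy OpenAM 10.x REST call
    GET /identity/authorize?uri=...&action=...&subjectid=...
    The subjectid is the SSO token from the iPlanetDirectoryPro cookie."""
    query = urlencode({"uri": resource, "action": action, "subjectid": sso_token})
    return f"{base}/identity/authorize?{query}"


def parse_authorize_response(body):
    """The endpoint answers 'boolean=true' or 'boolean=false'. Anything else
    (HTML error page, empty body, unexpected text) is treated as a deny."""
    text = body.decode("utf-8", errors="replace").strip()
    return text == "boolean=true"


def http_transport(url):
    """Real HTTP GET. Do not log the URL: it carries the session token."""
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def is_entitled(sso_token, resource, transport=http_transport):
    """Ask OpenAM whether the token's subject may access the virtual URL.
    Fails closed: no token, transport error or odd reply all mean False."""
    if not sso_token:
        return False
    try:
        body = transport(build_authorize_url(sso_token, resource))
    except OSError:
        return False
    return parse_authorize_response(body)


if __name__ == "__main__":
    # Offline demo with a constructed transport standing in for OpenAM:
    # the export entitlement is granted, everything else is denied.
    def fake_openam(url):
        return b"boolean=true\n" if "export" in url else b"boolean=false\n"

    token = "AQIC5w...constructed-token"  # constructed, not a real SSO token
    print(is_entitled(token, "http://crm.example.com/entitlements/export", fake_openam))
    print(is_entitled(token, "http://crm.example.com/entitlements/admin", fake_openam))
```

The application should send the request over HTTPS and keep the token out of access logs, since the query string contains it.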
18. Mobile applications
• Apps cannot be impacted
• Third party not to store credentials
• Client credential OAuth profile
• Patches required in OpenAM XPress 10.1.0
20. Project results
• Successful launch of every tenant
• Agile policy management
• Centralized secure password storage
• Session quota for subscribers enforced
21. Lessons learned
• Value of ForgeRock support
• Avoid crosstalk through sticky sessions
• Use dedicated application pools in IIS
• Use OpenDJ entry cache for large static groups
• But don’t preload the entry cache
23. Thank you
Robin Gorris
Partner - Senior Architect
+32 (0)474 40 99 91
robin.gorris@is4u.be
Business Park King Square
Veldkant 33A - 2550 Kontich
http://www.is4u.be