Paul Mezzera
Principal Security Architect
McKesson Corporation
Nick Belaevski
IAM Consultant
Exadel Inc.
Deploying the Open Identity Stack
At McKesson
ForgeRock Open Identity Summit
June 2013
Open Identity Summit
Discussion Points
§  McKesson / Exadel Partnership
§  Who are we?
§  Solution examples
§  Corporate Active Directory SSO
§  Identity Management UI
§  Screenshots
§  Q & A
McKesson at-a-Glance
Together with our customers and partners, we are creating a sustainable future for healthcare. Together we are charting a course to better health.
America’s oldest and largest healthcare services company
•  Founded in 1833
•  Ranked 14th on Fortune’s list with $122.7 billion in revenues
•  Headquartered in San Francisco
•  More than 37,000 employees
•  Two segments: Distribution Solutions and Technology Solutions
Who is Exadel?
Enterprise software development for businesses worldwide
•  Founded in 1988
•  Headquartered in Silicon Valley
•  Delivery centers in six countries
•  More than 700 employees
•  Focus areas:
  §  Enterprise systems and services
  §  Mobile applications
  §  Integrated front to back office applications in financial, media, and other industries
Active Directory SSO
§  Challenges
  §  Allow corporate domain users to single sign-on into internal and external applications
  §  Both internal and external network users
  §  Seamlessly auto-detect whether Windows Desktop SSO is properly configured
§  Solution
  §  SPNEGO-based Kerberos with fallback to conventional form authentication
  §  XMLHttpRequest seamlessly delivers the Kerberos token to the server in the background
  §  Extension over the standard Windows Desktop SSO module
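The solution slide above relies on auto-detecting whether Windows Desktop SSO actually works: an XMLHttpRequest answers the Negotiate challenge in the background, and the page falls back to the form login when it does not. The Python below is an added example, not code from the deck or from ForgeRock's Windows Desktop SSO module. It shows the server-side check that the fallback depends on: a browser that cannot obtain a Kerberos service ticket (no domain logon, SPN not registered, host outside the intranet zone) still answers a Negotiate challenge, but with NTLM inside the SPNEGO wrapper, so the endpoint inspects the token's mechanism list before handing anything to the GSS library. The sample tokens are constructed inline with a minimal DER builder; the mechanism OIDs are the standard ones; the function names and routing labels are this example's own.

```python
import base64
import binascii

# Mechanism OIDs as DER contents octets (standard values from RFC 4178, RFC 4121 and MS-SPNG).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
KERBEROS_MECHS = (KRB5_OID, MS_KRB5_OID)


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample tokens)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at buf[pos]; returns (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        n = first
    if pos + n > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, buf[pos:pos + n], pos + n


def spnego_init(mech_oids, mech_token: bytes) -> bytes:
    """Build a constructed SPNEGO NegTokenInit carrying the given mechTypes and mechToken."""
    mech_list = der(0x30, b"".join(der(0x06, oid) for oid in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))


def classify_negotiate_token(token: bytes) -> str:
    """Return 'kerberos', 'ntlm', 'unknown' or 'malformed' for a decoded Negotiate token."""
    if token.startswith(b"NTLMSSP\x00"):            # some clients send the raw NTLM message
        return "ntlm"
    try:
        tag, body, _ = read_tlv(token, 0)
        if tag != 0x60:                               # GSS InitialContextToken framing
            return "unknown"
        tag, oid, pos = read_tlv(body, 0)
        if tag != 0x06:
            return "unknown"
        if oid in KERBEROS_MECHS:                     # raw Kerberos AP-REQ without SPNEGO
            return "kerberos"
        if oid != SPNEGO_OID:
            return "unknown"
        tag, neg_token, _ = read_tlv(body, pos)       # [0] negTokenInit
        if tag != 0xA0:
            return "unknown"
        _, neg_init, _ = read_tlv(neg_token, 0)       # NegTokenInit SEQUENCE
        tag, mech_ctx, _ = read_tlv(neg_init, 0)      # [0] mechTypes
        if tag != 0xA0:
            return "unknown"
        _, mech_seq, _ = read_tlv(mech_ctx, 0)        # SEQUENCE OF MechType
        mechs, p = [], 0
        while p < len(mech_seq):
            _, mech, p = read_tlv(mech_seq, p)
            mechs.append(mech)
    except ValueError:
        return "malformed"
    # The mechToken belongs to the first (preferred) mechanism, so that one decides.
    if mechs and mechs[0] in KERBEROS_MECHS:
        return "kerberos"
    if mechs and mechs[0] == NTLMSSP_OID:
        return "ntlm"
    return "unknown"


def negotiate_header(token: bytes) -> str:
    """Format a token the way a browser sends it: 'Negotiate <base64>'."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def route_negotiate_request(authorization) -> str:
    """Decide what the SSO endpoint does with one request (labels are this example's own).

    'challenge'       -> answer 401 with 'WWW-Authenticate: Negotiate'
    'kerberos-to-gss' -> hand the ticket to the GSS/Kerberos library for validation
    'form-fallback'   -> tell the XHR caller to show the conventional login form
    """
    if not authorization:
        return "challenge"
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Negotiate" or not blob:
        return "challenge"
    try:
        token = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "form-fallback"
    return "kerberos-to-gss" if classify_negotiate_token(token) == "kerberos" else "form-fallback"
```

The classifier never validates a ticket; it only decides whether there is a Kerberos ticket worth validating. Treating an NTLM blob as a failed desktop SSO attempt, and sending the XHR caller to the form, is what makes the auto-detection seamless for users off the domain.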
Solution Architecture (diagram slide)
Active Directory SSO Screens (screenshot slide)
Identity Management Use Cases
§  Initial user account creation
  §  Direct input
  §  Batch import
§  User profile management
  §  Delegated administration
  §  Users are able to update their own profiles
§  Self-service capabilities
  §  Restore forgotten user ID
  §  Password reset
§  Security events handling
  §  Forced password changes
Solution Architecture (diagram slide)
Identity Management UI
§  Based on OpenIDM 2.1.0
§  Utilizes pure HTML/REST architecture
§  jQuery, Mustache, Require.js, LESS
§  ForgeRock OpenIDM UI served as basis for this development
§  Active Directory, OpenDJ support
§  OpenAM agent used for authentication and authorization
Solution Tiers (diagram slide)
Handling Security Events
§  Challenges
  §  Change password functionality is required in both the OpenAM and OpenIDM tiers
  §  Change password notification logic depends on OpenIDM configuration information
  §  The OpenAM agent doesn’t provide information about the authenticated user until the user fully completes the authentication chain
§  Solution
  §  Implement a custom authentication module that invokes the OpenIDM change password endpoint via REST
  §  Programmatically create the agent user’s SSO token and pass it in the request
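As an added illustration of the Handling Security Events slide (not the deck's code and not ForgeRock's), the Python below models the custom module's decision flow: after the primary credential check it classifies the user against an OpenIDM-style password policy, holds the chain on a forced change so no session is issued first, and describes the REST call made with the agent user's SSO token, because inside the chain there is no user session to present yet. The policy keys, the user attribute names, the OpenIDM endpoint path and the patch body shape are assumptions; iPlanetDirectoryPro is OpenAM's default SSO cookie name; the HTTP transport is replaced by a recording stub so the example runs offline.

```python
import json
from datetime import datetime, timedelta

# Constructed stand-in for the OpenIDM configuration the notification logic depends on.
# The key names are assumptions, not OpenIDM's own configuration schema.
IDM_PASSWORD_POLICY = {"maxAgeDays": 90, "warnBeforeDays": 10}

# Fixed "current time" and constructed managed/user records for the sample run.
# 'forcePasswordChange' and 'passwordChangedAt' are assumed attribute names.
NOW = "2013-06-10T12:00:00+00:00"
SAMPLE_USERS = {
    "alice": {"_id": "alice", "forcePasswordChange": False, "passwordChangedAt": "2013-06-01T12:00:00+00:00"},
    "bob":   {"_id": "bob",   "forcePasswordChange": False, "passwordChangedAt": "2013-03-01T12:00:00+00:00"},
    "carol": {"_id": "carol", "forcePasswordChange": False, "passwordChangedAt": "2013-03-20T12:00:00+00:00"},
    "dave":  {"_id": "dave",  "forcePasswordChange": True,  "passwordChangedAt": "2013-06-09T12:00:00+00:00"},
}


def evaluate_security_event(user, policy, now_iso):
    """Classify one freshly authenticated user: 'force-change', 'warn-expiring' or 'ok'."""
    if user.get("forcePasswordChange"):
        return "force-change"
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(user["passwordChangedAt"])
    max_age = timedelta(days=policy["maxAgeDays"])
    if age >= max_age:
        return "force-change"
    if age >= max_age - timedelta(days=policy["warnBeforeDays"]):
        return "warn-expiring"
    return "ok"


def build_change_password_request(idm_base_url, user_id, new_password, agent_sso_token):
    """Describe the REST call the custom auth module sends to OpenIDM.

    Inside the authentication chain no user session exists yet, so the module presents
    the agent's own SSO token. The cookie name is OpenAM's default; the endpoint path and
    the patch body shape are assumptions made for this example.
    """
    return {
        "method": "POST",
        "url": f"{idm_base_url}/openidm/managed/user/{user_id}?_action=patch",
        "headers": {
            "Content-Type": "application/json",
            "Cookie": f"iPlanetDirectoryPro={agent_sso_token}",
        },
        "body": json.dumps([{"replace": "/password", "value": new_password}]),
    }


def make_recording_transport(status=200, body="{}"):
    """Offline stand-in for the HTTP client: records each request and returns a fixed reply."""
    calls = []

    def transport(request):
        calls.append(request)
        return status, body

    return transport, calls


class ChangePasswordModule:
    """Decision flow of the custom module, run after the primary credential check succeeds."""

    def __init__(self, policy, transport, agent_sso_token, idm_base_url="https://idm.example.internal"):
        self.policy = policy
        self.transport = transport
        self.agent_sso_token = agent_sso_token   # obtained programmatically for the agent user
        self.idm_base_url = idm_base_url

    def after_password_verified(self, user, now_iso):
        event = evaluate_security_event(user, self.policy, now_iso)
        if event == "force-change":
            # Hold the chain here: the user must set a new password before a session is issued.
            return {"next": "change-password-screen", "event": event}
        return {"next": "complete-chain", "event": event}

    def submit_new_password(self, user_id, new_password):
        request = build_change_password_request(self.idm_base_url, user_id, new_password, self.agent_sso_token)
        status, _ = self.transport(request)
        return status == 200
```

The point of the split is that the policy lives in one place (OpenIDM) while enforcement happens in the OpenAM chain; the module reads the policy, never copies it, and the agent token is scoped to the one REST call the chain needs.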
Security Events (screenshot slide)
Password Reset
§  Challenges
  §  Active Directory does not provide standard attributes for questions & answers, and schema customization is discouraged
  §  Both self-service and delegated password reset must be supported
§  Solution
  §  Store questions & answers as managed objects in a non-reversible (one-way) format
  §  Protect answers from shoulder surfing by masking input
  §  The user is required to enter their password in order to change questions & answers
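An added worked example for the Password Reset slide (not the project's code): challenge answers are normalized, salted and stored one-way with PBKDF2 so the managed object never holds a recoverable answer, every answer is checked in constant time before a result is returned, changing the questions requires the current password, and a delegated path lets an authenticated administrator reset without answers. The in-memory ManagedUserStore stands in for OpenIDM managed objects; input masking is a UI concern and is not shown. Class and method names, the iteration count and the sample users are constructed for this example.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000   # constructed value; tune to the deployment's hardware


def normalize_answer(answer: str) -> str:
    """Trim, collapse whitespace and case-fold so harmless typing variation still matches."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def protect(secret: str) -> dict:
    """Salted one-way record; the plaintext is never stored."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": derive(secret, salt).hex()}


def check(secret: str, record: dict) -> bool:
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(derive(secret, bytes.fromhex(record["salt"])), expected)


class ManagedUserStore:
    """Stand-in for OpenIDM managed objects: passwords and challenge answers kept one-way only."""

    def __init__(self, admins=()):
        self._users = {}
        self._admins = set(admins)

    def create_user(self, user_id, password):
        self._users[user_id] = {"password": protect(password), "challenges": []}

    def verify_password(self, user_id, password):
        user = self._users.get(user_id)
        return user is not None and check(password, user["password"])

    def set_challenges(self, user_id, current_password, questions_and_answers):
        """Changing questions & answers requires the current password; returns False otherwise."""
        if not self.verify_password(user_id, current_password):
            return False
        self._users[user_id]["challenges"] = [
            {"question": q, "answer": protect(normalize_answer(a))} for q, a in questions_and_answers
        ]
        return True

    def questions_for(self, user_id):
        return [c["question"] for c in self._users[user_id]["challenges"]]

    def self_service_reset(self, user_id, answers, new_password):
        """All answers are checked before any result is returned (no early exit per question)."""
        user = self._users.get(user_id)
        if user is None or not user["challenges"] or len(answers) != len(user["challenges"]):
            return False
        ok = True
        for given, stored in zip(answers, user["challenges"]):
            ok &= check(normalize_answer(given), stored["answer"])
        if ok:
            user["password"] = protect(new_password)
        return ok

    def delegated_reset(self, admin_id, admin_password, user_id, new_password):
        """Help-desk path: an authenticated delegated administrator resets without answers."""
        if admin_id not in self._admins or not self.verify_password(admin_id, admin_password):
            return False
        if user_id not in self._users:
            return False
        self._users[user_id]["password"] = protect(new_password)
        return True

    def stored_record(self, user_id):
        return self._users[user_id]
```

Storing the answers this way sidesteps the Active Directory schema question entirely: the directory keeps the account, OpenIDM keeps the challenge material, and neither holds anything an attacker with read access could replay.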
Challenge Questions (screenshot slide)
Self-Service Password Reset (screenshot slide)
Login Screen with Security Event Handling (screenshot slide)
Challenge Questions Screen (screenshot slide)
Self-Service Password Reset (screenshot slide)
User Dashboard Screen (screenshot slide)
Confirmation Screen (screenshot slide)
Client-Side Validation (screenshot slide)
Q & A
Thank you for your time!
Contact Paul.Mezzera@Mckesson.com or Nbelaevski@exadel.com