Case study: largest Brazilian credit and debit operator, a ForgeRock OpenAM deployment
DESCRIPTION
Presented by Rogerio A. Rondini, Professional Services Manager & Solutions Architect, Smart Software, at the ForgeRock Open Identity Summit, June 2013
TRANSCRIPT
Open Identity Summit
Brazilian Success History
Rogério A. Rondini
Professional Service Manager
Smart Software
Speaker BIO
Former Sun solution architect
Over 15 years of experience in the development of mission-critical software solutions
PhD in Electrical Engineering
Professor in computer science courses
Brasil
Emerging economy
IT market handled 102 billion last year, a growth of 11%
Has become a leader in open source adoption
Smart Software
Young company
Leaders are former Sun employees/consultants
Development and integration focusing on open source solutions
First ForgeRock partner in Brasil
OS and virtualization (Red Hat Partner)
Middleware (Red Hat Partner)
BI (Pentaho Community)
BPM (Bonita Software Partner)
Portal and CMS (Liferay Community Platform)
Security (ForgeRock Gold Partner)
Full Open Source Stack
Success History
Largest Latin American payment company
Leader in the payment processing industry
1.3 million active merchants
Present in 99% of Brazilian municipalities
Annual growth rate of 20% in financial transaction volume between 2011 and 2012
Success History
Largest Latin American payment company
3 years of successful deployment
First protected application in May 2010; subscription support purchased in December 2010
Today around 10 protected applications built on different technologies
Continuous deployment approach
Business Problem # 01
Myriad of applications accessing LDAP, each in its own way
– Without API standardization
– Chaos for the Information Security department
– Performance bottleneck on the LDAP server
Business Problem # 02
Employees must authenticate to third-party applications (SaaS model) with their network login
– A dump of the LDAP database was handed to the third-party application, causing synchronization problems and a security gap
Business Problem # 03
Applications use different technologies and require different ways of authenticating
– Need for a solution that is flexible enough to be customized
OpenAM Solution # 01
OpenAM as central authentication and authorization server
No more direct access to the LDAP database
Continuous deployment approach
LDAP
OpenAM infrastructure
App A: custom WebLogic auth-provider calling the WS/REST interface
App B: WebLogic Policy Agent
App C: JBoss Policy Agent
App D: .NET app calling the REST interface
OpenAM Solution # 01
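As an added illustration of solution # 01 (this is example code, not Smart Software's or the customer's; the server URL, user name and attribute values are made up, and the fake server is constructed only so the example runs offline): the exchange a REST consumer such as App D performs against OpenAM's identity REST services instead of binding to LDAP itself. The paths and the line-oriented key=value response format are those of the OpenAM 9/10 legacy /identity/* services. The same isTokenValid call is what any custom session validation, such as the WPS filter in solution # 03, has to make on each request.

```python
"""Added example: an application talking to OpenAM's /identity/* REST services
(authenticate, isTokenValid, attributes, logout) instead of reading LDAP.
Server name, user and attribute values below are made up."""
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(url, params):
    """Real transport: form-encoded POST so the password and the session token
    travel in the body, not in a URL that ends up in proxy and access logs.
    Only ever point this at an https:// URL."""
    data = urllib.parse.urlencode(params).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:  # OpenAM reports failures as 401/500 plus a text body
        return err.code, err.read().decode("utf-8")


def parse_pairs(body):
    """Identity services answer one key=value per line. Keys repeat for
    multi-valued attributes, so keep an ordered list rather than a dict."""
    pairs = []
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def parse_attributes(body):
    """/identity/attributes: a userdetails.attribute.name line opens an attribute
    and the userdetails.attribute.value lines that follow belong to it."""
    attrs, current = {}, None
    for key, value in parse_pairs(body):
        if key == "userdetails.attribute.name":
            current = attrs.setdefault(value, [])
        elif key == "userdetails.attribute.value" and current is not None:
            current.append(value)
    return attrs


class OpenAMError(Exception):
    pass


class OpenAMIdentityClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def _call(self, service, **params):
        status, body = self.transport(f"{self.base_url}/identity/{service}", params)
        if status != 200:
            info = dict(parse_pairs(body))
            raise OpenAMError(f"{service}: HTTP {status} {info.get('exception.name', '')} "
                              f"{info.get('exception.message', '')}")
        return body

    def authenticate(self, username, password):
        info = dict(parse_pairs(self._call("authenticate", username=username, password=password)))
        if "token.id" not in info:
            raise OpenAMError("authenticate: response carries no token.id")
        return info["token.id"]

    def is_token_valid(self, token):
        # Validate on every request; never trust a cookie value by itself.
        return dict(parse_pairs(self._call("isTokenValid", tokenid=token))).get("boolean") == "true"

    def attributes(self, token):
        return parse_attributes(self._call("attributes", subjectid=token))

    def logout(self, token):
        self._call("logout", subjectid=token)


class FakeOpenAM:
    """Constructed stand-in for the OpenAM server so the example runs offline.
    It mimics only the text format above; it is not OpenAM code."""

    def __init__(self):
        self.users = {"jsilva": ("s3cret", {"uid": ["jsilva"], "mail": ["jsilva@example.com"],
                      "memberOf": ["cn=merchants,ou=groups,dc=example,dc=com",
                                   "cn=staff,ou=groups,dc=example,dc=com"]})}
        self.sessions, self.counter = {}, 0

    def __call__(self, url, params):
        service = url.rsplit("/", 1)[-1]
        if service == "authenticate":
            user = self.users.get(params.get("username"))
            if user is None or user[0] != params.get("password"):
                return 401, ("exception.name=com.sun.identity.idsvcs.InvalidCredentials\n"
                             "exception.message=Invalid credentials\n")
            self.counter += 1
            token = f"AQIC5wM2LY4SfcFAKE{self.counter:04d}"  # made-up token value
            self.sessions[token] = params["username"]
            return 200, f"token.id={token}\n"
        if service == "isTokenValid":
            return 200, f"boolean={str(params.get('tokenid') in self.sessions).lower()}\n"
        if service == "attributes":
            name = self.sessions.get(params.get("subjectid"))
            if name is None:
                return 401, "exception.name=com.sun.identity.idsvcs.TokenExpired\nexception.message=Session expired\n"
            lines = [f"userdetails.token.id={params['subjectid']}"]
            for attr, values in self.users[name][1].items():
                lines.append(f"userdetails.attribute.name={attr}")
                lines += [f"userdetails.attribute.value={v}" for v in values]
            return 200, "\n".join(lines) + "\n"
        if service == "logout":
            self.sessions.pop(params.get("subjectid"), None)
            return 200, ""
        return 404, ""


def demo(client=None):
    """Login -> read profile -> validate -> logout -> re-validate round trip."""
    client = client or OpenAMIdentityClient("https://sso.example.com/openam", transport=FakeOpenAM())
    token = client.authenticate("jsilva", "s3cret")
    attrs = client.attributes(token)
    valid_before = client.is_token_valid(token)
    client.logout(token)
    try:
        client.authenticate("jsilva", "wrong")
        bad_login = "accepted"
    except OpenAMError as err:
        bad_login = str(err)
    return {"token": token, "attrs": attrs, "valid_before_logout": valid_before,
            "valid_after_logout": client.is_token_valid(token), "bad_login": bad_login}
```

Two points the slides leave implicit: the application must call isTokenValid for every protected request, which is exactly the work the policy agents do for App B and App C and which a REST consumer takes on itself; and credentials and tokens go in a POST body over HTTPS, not in a GET query string, or the LDAP password and SSO token end up in every web server and proxy log between the application and OpenAM.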
Ongoing deployment (continuous deployment)
C++ web application protected by the Apache Policy Agent
Self-service password reset for external users
More .NET applications calling the REST interface
WebSphere Portal Server: WebSphere Policy Agent, custom auth module, custom self-service
OpenAM Solution # 01
The same OpenAM infrastructure, LDAP and apps A to D as in solution # 01, plus:
SaaS apps
Fedlet
Federation
Circle of Trust
OpenAM Solution # 02
OpenAM Solution # 03
WebSphere Portal Server integration
– WPS is not a simple JEE application
– The OpenAM WebSphere Policy Agent is not sufficient to protect WPS
– Need a custom solution
WPS integration problem
... the Custom User Registry (AmAgentUserRegistry) does not work with WPS
... the OpenAM agent filter (AmAgentFilter) does not take effect in WPS
... IBM recommends the use of a Session Validation Filter, which is a portlet filter, not a servlet filter
The Solution...
1. Configure the WebSphere Federated Repository instead of the Custom User Registry
2. Use the agent TAI (AmTrustAssociationInterceptor) to perform SSO
3. Implement a custom Session Validation Filter instead of the agent filter
Federated Repository... using the default WebSphere LDAPAdaptor class
Next step: implement a custom VMM OpenAMAdaptor
Trust Association Interceptor...
Custom filter... implementation
WebSphere configuration
Legacy Portal vs WPS Portal
– The problem statement is to give the user access to both (WPS and legacy) with a single login
• The legacy system uses its own login implementation
• The legacy login implementation loads a lot of information into the HTTP session
• Some profile attributes are stored in an RDBMS
Proposed solution
Protect the legacy application with the JEE Policy Agent
Withdraw the legacy login servlet
Make the new portal (WPS) the entry point for users; SSO between WPS and legacy solves the single-login problem
Implement a custom Post Authentication Plugin to load into the session the information for the legacy system that was previously loaded by the legacy login servlet
Final Remarks
OpenAM is the best enterprise-class access manager solution
Simple deployment
Open standards
Flexible to extend
Q & A