ForgeRock OpenAM as flexible integration component
DESCRIPTION
ForgeRock OpenAM is used as a flexible integration component for the set-up of several IDP services across Europe.
TRANSCRIPT
2013 Open Stack Identity Summit - France
OpenAM as flexible integration component
Case studies: STORK, IDAP & eID
Who we are
Wouter Vandenbussche
IAM analyst and architect
Verizon Enterprise Solutions Consulting & integration services
Identity practice
[email protected] @wouterbussche
Zaeher Rachid
IAM Practice Manager
What we do
• Typical customer demand
  • Identity management
  • Access control
  • Authentication and federation
• Realization
  • Full lifecycle: strategy, analysis, implementation and support
  • Solutions with products from partners
  • Customization and tailored development by experts
  • Adequate operational support organization
Why Verizon/Paradigmo together?
Client requirements
Verizon UIS specifications
Flexible integration component customized and supported by:
OpenAM as integration component
• Value the strengths of ForgeRock OpenAM
  • Flexible integration component
  • Bringing adaptability, reliability and agility to projects
• Case studies
  • UK Cabinet Office IDAP: open market identity assurance
  • STORK: pan-European authentication
  • eID authentication: strong authentication with high reliability
The big picture
(Diagram) A Service Provider sends an AuthN Request; the final IDP selection is made between the local AuthN means and other IDPs (OAuth, OpenID, STORK).
UK Cabinet Office : Overview
• UK Cabinet Office (Government Digital Service)
• Identity Assurance Programme (IDAP)
• Privacy and Trust
• Government identity hub: “We’re working closely with departments to develop an identity assurance process that can be adapted and reused right across government, benefiting users and service providers alike with a simpler, faster, better and safer way to access and transact with government services.”
• Open market identity providers
• Trust Framework and good practice guides
• IDP: identity proofing and strong authentication
UK Cabinet Office : Trust scheme
(Diagram) Service providers 1 to 4 connect through the hub; Department 1 and Department 2 each run a Matching Service (1 and 2) that matches the MDS (matching data set) to the local user store.
UK Cabinet Office : Verizon IDP
(Diagram) Building blocks of the Verizon IDP: profile management for user interfaces, a data provider for identity proofing, a standardized Verizon product for strong AuthN, and OpenAM for integration.
UK Cabinet Office : Demo
STORK : Overview
• STORK
  • European eID interoperability platform
  • Within existing legal restrictions, respectful of all national cultures and complying with the requirements of scalability, trust and security, especially privacy
• STORK PEPS architecture
  • Leveraging the national trust frameworks across Europe
  • Hiding national implementations from the other member states
• National identity providers
  • Incoming and outgoing federation
  • Implementation of the Pan-European Proxy Service (PEPS)
STORK: use cases
(Diagram) Cross-border flows between a Citizen and a Service Provider, in both directions.
STORK: trust scheme
(Diagram) Service Provider → final IDP selection
STORK: our setup
(Diagram) Service Provider
STORK: demo
OpenAM behavior
(Flow) Service Provider → SAML received → SAML validated → AuthN mean retrieved → SAML response sent
• AuthN mean retrieved: class DefaultIDPAuthnContextMapper
• Existing session verified? AuthN level verified? Redirect / forward: class DefaultIDPAdapter, method preSendResponse
• The default class returns the AuthN mean corresponding to the first allowed context. Nothing is recorded regarding the other contexts.
OpenAM before
• AuthN contexts
  • How to propose multiple AuthN means to the end user?
  • How to customize SSO regarding the SAML AuthN context?
• AuthN level
  • What if the AuthN level is not aligned with business requirements?
• KPIs
  • How to demonstrate SLA compliance when you rely on external systems?
  • How to catch timestamps for valid sessions?
OpenAM before
AuthN contexts
OpenAM after
• Open source
  • It greatly helps to understand issues when you are at the leading edge of federation features!
• ForgeRock support
  • RFE raised @ ForgeRock
  • Urgent delivery of the RFE as a patch
  • RFE now included in new releases
• Additional hooks for custom development
OpenAM after
(Flow) SAML received → SAML validated → AuthN mean retrieved → SAML response sent, with the checks “Existing session verified?”, “AuthN level verified?” and “Redirect / forward”
• Hooks now available in class DefaultIDPAdapter: methods initialize, preAuthentication and preSingleSignOn
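The two behaviours the slides contrast (the default mapper keeping only the first allowed AuthN context versus recording every context the SP will accept, and the "AuthN level verified?" decision taken before SSO) are easier to see in code. The block below is an added example written for this page, in Python rather than OpenAM's Java, and is not OpenAM's DefaultIDPAuthnContextMapper or DefaultIDPAdapter. The configuration table CONTEXT_TO_AUTH, the auth levels, the module names and the sample AuthnRequest are all constructed for the example; only the SAML 2.0 element names and Comparison values are standard.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical IdP configuration: AuthnContext class -> (auth level, auth module).
CONTEXT_TO_AUTH = {
    AC + "PasswordProtectedTransport": (5, "LDAP"),
    AC + "MobileTwoFactorContract": (10, "OTP"),
    AC + "SmartcardPKI": (20, "Cert"),
}

# Constructed sample AuthnRequest (not a captured message).  The SP will
# accept the smart card, a password, or a class this IdP does not offer.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" ID="_req1" Version="2.0"
    IssueInstant="2013-06-01T10:00:00Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}SmartcardPKI</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{AC}Kerberos</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_contexts(authn_request_xml):
    """Return (Comparison attribute, AuthnContextClassRef values in SP order)."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs


def select_first_allowed(refs):
    """Default-mapper behaviour described on the slide: the first requested
    context the IdP supports wins and the other contexts are not recorded."""
    for ref in refs:
        if ref in CONTEXT_TO_AUTH:
            return [(ref,) + CONTEXT_TO_AUTH[ref]]
    return []


def select_all_allowed(refs):
    """Record every supported context, in SP order, so the user can be offered
    a choice of AuthN means (what the custom hooks were written for)."""
    return [(ref,) + CONTEXT_TO_AUTH[ref] for ref in refs if ref in CONTEXT_TO_AUTH]


def satisfies(session_level, comparison, levels):
    """'AuthN level verified?': can a session at session_level be reused under
    the SAML Comparison rule of the request?"""
    if not levels:
        return False
    if comparison == "exact":
        return session_level in levels
    if comparison == "minimum":      # at least as strong as one requested context
        return session_level >= min(levels)
    if comparison == "better":       # stronger than every requested context
        return session_level > max(levels)
    raise ValueError(f"Comparison {comparison!r} not handled in this example")


def decide(authn_request_xml, session_level=None, record_all=True):
    """Outcome for one request: ("sso", level) reuses the existing session,
    ("authenticate", [modules]) sends the user to the listed AuthN means,
    ("error", reason) when the IdP can honour none of the requested contexts."""
    comparison, refs = requested_contexts(authn_request_xml)
    candidates = select_all_allowed(refs) if record_all else select_first_allowed(refs)
    if not candidates:
        return ("error", "NoAuthnContext")
    levels = [level for _, level, _ in candidates]
    if session_level is not None and satisfies(session_level, comparison, levels):
        return ("sso", session_level)
    return ("authenticate", [module for _, _, module in candidates])
```

With the sample request, a user holding a level-5 (password) session gets SSO when all contexts are recorded, but is forced to re-authenticate with the smart card when only the first allowed context survives, which is exactly the SSO-versus-AuthN-context problem listed under "OpenAM before".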
OpenAM after after
• Additional requirements…
  • Request for multiple assertions in the SAML response
  • Request for accessing STORK extensions in SAML requests/responses
• … result in new RFEs
  • Additional hooks
    • To manipulate SAML Request objects before they are processed
    • To manipulate the SAML Response
    • To trap and to treat SAML Response errors
eID Authentication: overview
• Belgian electronic identity cards
  • Very high level of assurance: NIST level 4
  • PKI-based authentication means and a sturdy issuing process
  • High penetration rate among the population
  • Publicly available infrastructure
• Authentication
  • Confirmation of possession of and access to the card
  • Real-time validation of the status of the card
• Identity Provider
  • Reusability, simplified integration and increased reliability
eID: trust scheme
(Diagram) The IDP validates possession of and access to the card, then asserts the identity to the Service Provider.
OpenAM OCSP/CRLs checking
(Flow) After SSL mutual AuthN, the certificate status is checked against the OCSP responder; if OCSP is down, OpenAM falls back to CRLs and caches the CRL.
OpenAM OCSP/CRLs mechanism
(Flow) Cache exist? No: lookup the CRL URL in the X.509 certificate and download the CRL. Yes: cache expired? Yes: download the CRL again; no: fetch the cached CRL. Then lookup the certificate SerialNumber in the CRL.
Belgian CA
• Belgian CA behavior
  • New intermediate CA issued each month with the same CN but a different SERIALNUMBER, hence a different CRL URL
  • Bulk issuing of certificates, all revoked by default
  • A big CRL can contain more than 100K entries
• Cache issues
  • A lot of time wasted on CRL initialization (download, validation, processing, …)
  • Storing big objects in LDAP
  • The LDAP entry has the CN in its name and certificateRevocationList is a single-valued attribute
  • LDAP replication can be an issue during peak time
• Average time for authentication is more than 10 seconds
  • Most of the time is spent in CRL checking
CRL caching implementation
• SQLite database
  • Daemon that fetches the CRL and creates one database per CRL
  • Only storing the certificate SERIALNUMBER
• Custom “Cert” module
  • SQL statement to retrieve revoked certificates
• Performance
  • AuthN < 100 ms
  • CRL checking < 5 ms
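The OCSP-then-CRL check and the serial-number-only SQLite cache described on the last two slides, as an added example written for this page (not the Verizon module or OpenAM code). It departs from the slides in one respect, stated here: it keeps all CRLs in one database keyed by CRL URL rather than one database per CRL, which also sidesteps the same-CN/different-URL collision the LDAP cache suffered from. CrlCache, norm, check_revocation, the certificate dicts (standing in for the parsed X.509 certificate and its CRL distribution point) and the 100 000 constructed serial numbers are all assumptions of the example; a stale or missing cache fails closed.

```python
import sqlite3
import time


def norm(serial):
    """Serial numbers as upper-case hex without colons or leading zeros, so the
    daemon (ints from the CRL) and the auth module (hex from the cert) agree."""
    if isinstance(serial, int):
        return format(serial, "X")
    return serial.replace(":", "").upper().lstrip("0") or "0"


class CrlCache:
    """SQLite cache holding only the serial numbers of revoked certificates,
    keyed by CRL URL: two intermediate CAs with the same CN but different CRL
    URLs never overwrite each other."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(
            "CREATE TABLE IF NOT EXISTS crl ("
            "  url TEXT PRIMARY KEY, this_update INTEGER NOT NULL,"
            "  next_update INTEGER NOT NULL);"
            "CREATE TABLE IF NOT EXISTS revoked ("
            "  url TEXT NOT NULL, serial TEXT NOT NULL, PRIMARY KEY (url, serial));"
        )

    def refresh(self, url, serials, this_update, next_update):
        """Daemon side: replace the cached CRL in one transaction, so the auth
        module never sees a half-loaded list."""
        with self.db:
            self.db.execute("DELETE FROM revoked WHERE url = ?", (url,))
            self.db.executemany(
                "INSERT INTO revoked (url, serial) VALUES (?, ?)",
                ((url, norm(s)) for s in serials))
            self.db.execute(
                "INSERT OR REPLACE INTO crl (url, this_update, next_update) VALUES (?, ?, ?)",
                (url, this_update, next_update))

    def status(self, url, serial, now):
        """Auth-module side: one indexed lookup.  Returns 'good', 'revoked' or
        'stale' (no cache, or NextUpdate passed: the answer must not be trusted)."""
        row = self.db.execute("SELECT next_update FROM crl WHERE url = ?", (url,)).fetchone()
        if row is None or row[0] < now:
            return "stale"
        hit = self.db.execute(
            "SELECT 1 FROM revoked WHERE url = ? AND serial = ?", (url, norm(serial))).fetchone()
        return "revoked" if hit else "good"


def check_revocation(cert, cache, now, ocsp=None):
    """Order from the slides: ask the OCSP responder first; when it is down,
    fall back to the CRL cache.  cert is a dict standing in for the parsed
    X.509 certificate (serial number and CRL distribution point)."""
    if ocsp is not None:
        try:
            answer = ocsp(cert["serial"])
            if answer in ("good", "revoked"):
                return answer
        except OSError:
            pass  # responder unreachable: fall through to the CRL cache
    return cache.status(cert["crl_url"], cert["serial"], now)


# Constructed sample data (not a real CRL): one month's bulk-issued batch,
# "all revoked by default", 100 000 entries as on the slide.
CRL_JUNE = "http://crl.example.be/ca-2013-06.crl"
REVOKED_JUNE = range(1, 100_001)
T0 = 1_370_000_000  # arbitrary epoch seconds for ThisUpdate


def demo():
    """Load the sample CRL and run the four cases a practitioner cares about."""
    cache = CrlCache()
    cache.refresh(CRL_JUNE, REVOKED_JUNE, this_update=T0, next_update=T0 + 86_400)
    card_revoked = {"serial": 4242, "crl_url": CRL_JUNE}
    card_good = {"serial": "03:0D:41", "crl_url": CRL_JUNE}  # 200001, outside the batch

    def ocsp_down(serial):
        raise OSError("OCSP responder unreachable")

    start = time.perf_counter()
    results = {
        "revoked": check_revocation(card_revoked, cache, T0 + 3_600, ocsp_down),
        "good": check_revocation(card_good, cache, T0 + 3_600, ocsp_down),
        "expired": check_revocation(card_good, cache, T0 + 90_000, ocsp_down),
        "ocsp": check_revocation(card_good, cache, T0 + 3_600, lambda s: "revoked"),
    }
    results["lookup_ms"] = (time.perf_counter() - start) * 1000 / 4
    return results


if __name__ == "__main__":
    print(demo())
```

The "expired" case is the one worth keeping in mind when a CRL download fails: returning "stale" instead of "good" means a card whose CRL could not be refreshed is not accepted on the strength of an old list.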
Conclusion
• Our customers and engineers value the strengths of ForgeRock OpenAM as an integration component in the delivery of solutions for authentication and federation
• Adaptability
  • Easy to customize components and extend functionality
• Reliability
  • Scalable and stable deployments
• Agility
  • Fast realizations due to open source and the partnership with ForgeRock
Q&A