OpenAM - an introduction
DESCRIPTION
An IAM for Beginners session presented by Dr. Matthias Tristl, ForgeRock Senior Instructor
TRANSCRIPT
OpenAM for Beginners
EMEA Summit 2013
2
Agenda
■ ForgeRock Stack overview
■ OpenAM Overview
■ Authentication
■ Authorization
■ Federation
3
ForgeRock Stack Overview
4
Pillars of IAM
5
Classic scenario I: User wants to use an application... which does not require any of ForgeRock's products, but ...
[Diagram: User -> Application]
6
Classic scenario II: Centralization of Authentication
... and ...
[Diagram: User -> Application -> OpenDJ]
7
Classic scenario III: Central Authorization
[Diagram: User, Application, OpenDJ, OpenAM]
8
Classic scenario IV: Federation
[Diagram: User; an Application, an OpenAM and an OpenDJ on each of two sides]
9
Classic scenario V: Identity Management
[Diagram: User, Application, HR DB, OpenAM, OpenDJ, OpenIDM]
10
OpenAM Overview
11
OpenAM Vision and Scope
[Diagram: OpenAM in the centre with the capabilities Authenticate, SSO, Entitlements, Cloud, Federate, High Availability and Performance; the standards JAAS, SOAP & REST, XACML, OAuth, SAML and WS-Trust; external parties (Partners, Outsourcing, Suppliers, Governments); applications (SaaS, PaaS, in-house developed applications, commercial applications); identity stores and authentication methods (Databases, Active Directory, Directory Services, PKI, RADIUS, SecurID, 3rd party authentication methods)]
12
OpenAM Evolution
[Timeline, 2008 to 2013: OpenSSO Build 6, OpenSSO Build 7, OpenSSO Build 8, OpenSSO Enterprise 8.0; OpenAM 9.0, OpenAM 9.5, OpenAM 10.0, OpenAM 10.1, OpenAM 11.0; open source and closed source branches]
One single product for AAA+Federation
Some patch development but no new functionalities
OpenAM Key Functionality
■ Provides single sign-on to web resources and creates a sign-on-once, access-everywhere environment
■ Centralized policy-based authentication and authorization
■ Enables policy enforcement
■ Tracks all user authentication-related events
■ Extends access beyond organizational boundaries
Authentication, Authorization, Single Sign-On, Federation, Entitlements, Web Services Security, Auditing/Logging, Adaptive AuthN
14
Key: Single Sign On
15
Key: Protecting Resources
16
Key: Partner Interaction and Integration
17
OpenAM Integration Paths
18
Authentication
19
Authentication: Who are you?
20
Authentication Flow
21
Authentication: Where does the request come from?
■ Common use case: User requests access to a web page
■ Other use cases: Applications can request authentication programmatically through REST or SOAP web services and the OpenAM SDK
22
Authentication: Which Credentials?
■ OpenAM works with most authentication methods without customization
■ 21 out-of-the-box authentication modules
■ Custom modules can be created easily
23
Authentication: ID Token
24
Authorization
25
Authorization
■ Authentication is not enough
■ Authorization determines:
– WHO can do
– what ACTIONS
– with what RESOURCES
– under which CONDITIONS?
■ Uses Policies to define those rights
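As an added example (not from the slides or from ForgeRock's code), the following minimal evaluator shows how the four questions above combine into one policy decision; the Policy structure, the sample policies, the '*' wildcard matching, the two condition helpers and the deny-overrides rule are assumptions chosen for this illustration, not OpenAM's own policy engine.

```python
# Added illustration of the WHO / ACTIONS / RESOURCES / CONDITIONS policy model.
# Not OpenAM's policy engine: the Policy structure, '*' resource wildcards, the two
# condition helpers and the deny-overrides rule are assumptions made for this example.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import ipaddress

@dataclass
class Policy:
    name: str
    subjects: set     # WHO: groups the policy applies to
    resources: list   # with what RESOURCES: URL patterns, '*' matches any characters
    actions: dict     # what ACTIONS: {"GET": True} allows GET, {"POST": False} denies POST
    conditions: list = field(default_factory=list)  # under which CONDITIONS: callables

def from_network(cidr):
    """Condition: the request must originate inside the given network."""
    net = ipaddress.ip_network(cidr)
    return lambda ctx: ipaddress.ip_address(ctx["ip"]) in net

def business_hours(start=9, end=17):
    """Condition: the request hour (0-23) must fall inside the window."""
    return lambda ctx: start <= ctx["hour"] < end

def decide(policies, user_groups, resource, action, ctx):
    """Return 'allow', 'deny' or 'no-decision'; any applicable deny wins."""
    decision = "no-decision"
    for p in policies:
        if not p.subjects & set(user_groups):                           # WHO
            continue
        if not any(fnmatchcase(resource, pat) for pat in p.resources):  # RESOURCES
            continue
        if action not in p.actions:                                     # ACTIONS
            continue
        if not all(cond(ctx) for cond in p.conditions):                 # CONDITIONS
            continue
        if p.actions[action] is False:
            return "deny"
        decision = "allow"
    return decision

# Constructed sample policies; hostnames and group names are made up for the example.
POLICIES = [
    Policy("intranet-read", {"employees"}, ["https://hr.example.com/*"], {"GET": True},
           [from_network("10.0.0.0/8"), business_hours()]),
    Policy("payroll-admin", {"payroll"}, ["https://hr.example.com/payroll/*"],
           {"GET": True, "POST": True}),
    Policy("no-contractor-payroll", {"contractors"}, ["https://hr.example.com/payroll/*"],
           {"GET": False}),
]
```

A request that matches no policy yields "no-decision", which a policy enforcement point should treat as a denial; an explicit deny takes precedence over any allow.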
26
Authorization Flow
27
Federation
28
Federation
■ Federation is the process of linking identities across heterogeneous Access Management products
■ It is a trust relationship whereby a Service Provider (SP) trusts that an Identity Provider (IDP) has successfully authenticated a user
■ It is standards-based
29
The Goals of Federation
■ Federation enables Single Sign On and Single Logout between partners
■ Federation allows rapid integration
– during company acquisitions
– between heterogeneous systems
■ Federation allows basic Identity Data Sharing
■ Helps to keep multiple internet accounts under control
30
Federation Standard Protocols
[Timeline, 2002 to today: SAML 1.0, SAML 1.x, SAML 2.0; Liberty ID-FF 1.1/1.2; Shibboleth 1.0/1.1, Shibboleth 2 (SAML2); WS-Federation 1.0, WS-Federation 1.1; ADFS, ADFS2; OAuth 1.0, OAuth 2.0; OpenID Connect; REST/JSON, SOAP; OpenAM]
31
Federation Terminology
32
OpenAM Federation
■ OpenAM provides first class federation support
■ Federation protocol support: SAML2, WS-Federation, ID-FF, OAuth2
■ Federated Web Services
■ Multi-Protocol Hub: allows OpenAM to act as a broker between different federation protocols
■ Plug-in points allow for easy customization
■ Fedlet for applications that do not support standard protocols
33
ForgeRock University