Technical Case Study: McKesson - Employing the Open Identity Stack

Uploaded by forgerock on 11-May-2015

DESCRIPTION

Presented by Paul Mezzera, Principal Security Architect, McKesson & Nick Belaevski, Senior Software Developer, Exadel, Inc.

TRANSCRIPT

Page 1: Technical Case Study: McKesson - Employing the Open Identity Stack

Deploying the Open Identity Stack at McKesson

ForgeRock Open Identity Summit, June 2013

Paul Mezzera, Principal Security Architect, McKesson Corporation

Nick Belaevski, IAM Consultant, Exadel Inc.

Page 2: Discussion Points

• McKesson / Exadel partnership
• Who are we?
• Solution examples
  • Corporate Active Directory SSO
  • Identity Management UI
• Screenshots
• Q & A

Page 3: McKesson at-a-Glance

Together with our customers and partners, we are creating a sustainable future for healthcare. Together we are charting a course to better health.

America's oldest and largest healthcare services company

• Founded in 1833
• Ranked 14th on Fortune's list with $122.7 billion in revenues
• Headquartered in San Francisco
• More than 37,000 employees
• Two segments: Distribution Solutions and Technology Solutions

Page 4: Who is Exadel?

Enterprise software development for businesses worldwide

• Founded in 1988
• Headquartered in Silicon Valley
• Delivery centers in six countries
• More than 700 employees
• Focus areas:
  • Enterprise systems and services
  • Mobile applications
  • Integrated front-to-back office applications in financial, media, and other industries

Page 5: Active Directory SSO

Challenges

• Allow corporate domain users to single sign-on into internal and external applications
• Both internal and external network users
• Seamlessly auto-detect whether Windows Desktop SSO is properly configured for the client

Solution

• SPNEGO-based Kerberos authentication with fallback to conventional form authentication
• An XMLHttpRequest delivers the Kerberos token to the server in the background, so the login page can try SSO first and only show the form when it fails
• Implemented as an extension of the standard Windows Desktop SSO module
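The background probe described on this slide, written out as an added example in browser-style JavaScript; this is not McKesson's or ForgeRock's code. The browser completes the Negotiate round-trip itself before the script ever sees the response, so the script only has to classify the outcome: a session token means Desktop SSO worked, a bare "Negotiate" challenge or a failure means the form is shown. The endpoint path, the JSON shape (a `tokenId` field), the timeout and the fake responses are assumptions.

```javascript
// Added example (not McKesson's or ForgeRock's code): probe Windows Desktop SSO
// (SPNEGO/Kerberos) in the background and fall back to the conventional login
// form when the browser cannot produce a Kerberos ticket.
// Assumptions: the probe URL, the {"tokenId": ...} response body, the timeout.

const SSO_PROBE_URL = '/login/desktop-sso';   // assumed endpoint behind the SPNEGO module
const SSO_PROBE_TIMEOUT_MS = 3000;             // assumed: a slow KDC must not block the form

// Classify the probe's final response. 200 plus a session token is SSO;
// everything else means "show the form".
function classifySsoOutcome(status, wwwAuthenticate, body) {
  if (status === 200 && body && typeof body.tokenId === 'string' && body.tokenId.length > 0) {
    return { mode: 'sso', tokenId: body.tokenId };
  }
  // 401 with a bare "Negotiate" challenge: the browser declined to attach a
  // ticket (host not in the intranet zone, non-domain machine, no TGT, or the
  // server refused an NTLM token on a Kerberos-only module).
  if (status === 401 && /^\s*Negotiate\s*$/i.test(wwwAuthenticate || '')) {
    return { mode: 'form', reason: 'no-kerberos-ticket' };
  }
  return { mode: 'form', reason: `unexpected-status-${status}` };
}

function parseJsonBody(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

// Runs the probe. fetchImpl is injectable so the logic can be exercised
// without a browser or a domain; in a page you would pass window.fetch.
async function attemptDesktopSso(fetchImpl, url = SSO_PROBE_URL) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), SSO_PROBE_TIMEOUT_MS);
  try {
    // credentials: 'same-origin' lets the browser add the Authorization:
    // Negotiate header itself; the SPNEGO token never passes through page script.
    const res = await fetchImpl(url, {
      method: 'GET',
      credentials: 'same-origin',
      headers: { Accept: 'application/json' },
      signal: controller.signal,
    });
    const body = parseJsonBody(await res.text());
    return classifySsoOutcome(res.status, res.headers.get('WWW-Authenticate'), body);
  } catch (err) {
    // Network failure or timeout: fall back rather than leaving the user stuck.
    return { mode: 'form', reason: err.name === 'AbortError' ? 'timeout' : 'network-error' };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed fake responses for offline use: a domain-joined browser that
// obtained a ticket, and one that did not.
function fakeFetch(status, headers, bodyText) {
  return async () => ({
    status,
    headers: { get: (name) => headers[name.toLowerCase()] ?? null },
    text: async () => bodyText,
  });
}

const FAKE_SSO_OK = fakeFetch(200, { 'content-type': 'application/json' },
  JSON.stringify({ tokenId: 'AQIC5w-constructed-session-token' }));
const FAKE_NO_TICKET = fakeFetch(401, { 'www-authenticate': 'Negotiate' }, '');
```

Two checks a practitioner would want: the server-side module still validates the SPNEGO token and issues the session (the script only observes the result), and the probe is bounded by a timeout so external users whose browser cannot reach a KDC land on the form promptly instead of waiting on a hung request.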

Page 6: Solution Architecture (diagram)

Page 7: Active Directory SSO Screens (screenshots)

Page 8: Identity Management Use Cases

• Initial user account creation
  • Direct input
  • Batch import
• User profile management
  • Delegated administration
  • Users are able to update their own profiles
• Self-service capabilities
  • Restore forgotten user ID
  • Password reset
• Security events handling
  • Forced password changes

Page 9: Solution Architecture (diagram)

Page 10: Identity Management UI

• Based on OpenIDM 2.1.0
• Pure HTML/REST architecture
  • jQuery, Mustache, Require.js, LESS
  • The ForgeRock OpenIDM UI served as the basis for this development
• Active Directory and OpenDJ support
• OpenAM agent used for authentication and authorization

Page 11: Solution Tiers (diagram)

Page 12: Handling Security Events

Challenges

• Change-password functionality is required in both the OpenAM and OpenIDM tiers
• Change-password notification logic depends on OpenIDM configuration information
• The OpenAM agent does not expose the authenticated user until the user has fully completed the authentication chain, so a forced change cannot simply run behind the agent

Solution

• Implement a custom authentication module that invokes the OpenIDM change-password endpoint via REST
• Programmatically create an SSO token for a dedicated agent user and pass it in the request, since no end-user session exists yet
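The agent-user pattern from this slide as an added Node.js example; it is not McKesson's, Exadel's or ForgeRock's code. A custom OpenAM authentication module runs before the end user has a session, so the module authenticates a dedicated service account, caches that account's SSO token, presents it on the REST call to OpenIDM, and re-authenticates once if the cached session has expired. The URLs, header names, JSON shapes and the fake servers are assumptions: OpenAM's JSON `authenticate` endpoint accepting `X-OpenAM-Username`/`X-OpenAM-Password` headers and returning `tokenId`, and the `iPlanetDirectoryPro` session name, follow OpenAM conventions of that era but must be checked against the deployed version, and the OpenIDM change-password path is a placeholder because the slide does not name it.

```javascript
// Added example (not McKesson's or ForgeRock's code): obtain an SSO token for
// an agent (service) user and use it on a REST call to OpenIDM, retrying once
// after a 401. URLs, header names and body shapes are assumptions.

function createAgentClient(fetchImpl, cfg) {
  let cachedToken = null;   // the agent user's token, never the end user's

  async function authenticateAgent() {
    const res = await fetchImpl(cfg.openamAuthenticateUrl, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'X-OpenAM-Username': cfg.agentUsername,   // assumed OpenAM header names
        'X-OpenAM-Password': cfg.agentPassword,
      },
      body: '{}',
    });
    if (res.status !== 200) {
      throw new Error(`agent authentication failed with HTTP ${res.status}`);
    }
    const body = JSON.parse(await res.text());
    if (typeof body.tokenId !== 'string') throw new Error('no tokenId in response');
    cachedToken = body.tokenId;
    return cachedToken;
  }

  async function callOpenIdm(token, userId, newPassword) {
    // Placeholder endpoint: the slide names no path for the change-password call.
    return fetchImpl(`${cfg.openidmChangePasswordUrl}/${encodeURIComponent(userId)}`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', [cfg.sessionHeader]: token },
      body: JSON.stringify({ password: newPassword }),
    });
  }

  async function changePassword(userId, newPassword) {
    let token = cachedToken || await authenticateAgent();
    let res = await callOpenIdm(token, userId, newPassword);
    if (res.status === 401) {
      // Cached agent session expired or was destroyed: re-authenticate once.
      token = await authenticateAgent();
      res = await callOpenIdm(token, userId, newPassword);
    }
    if (res.status !== 200) {
      throw new Error(`password change failed with HTTP ${res.status}`);
    }
    return { ok: true, tokenUsed: token };
  }

  return { changePassword };
}

// Constructed fake OpenAM/OpenIDM for offline use: issues a fresh token per
// authenticate call and rejects any token that has been expired.
function makeFakeServers() {
  let issued = 0;
  const valid = new Set();
  const calls = [];
  const fakeFetch = async (url, opts) => {
    calls.push({ url, method: opts.method });
    if (url.endsWith('/json/authenticate')) {
      if (opts.headers['X-OpenAM-Password'] !== 'agent-secret') {
        return { status: 401, text: async () => '' };
      }
      const token = `agent-token-${++issued}`;
      valid.add(token);
      return { status: 200, text: async () => JSON.stringify({ tokenId: token }) };
    }
    const token = opts.headers['iPlanetDirectoryPro'];
    if (!valid.has(token)) return { status: 401, text: async () => '' };
    return { status: 200, text: async () => '{}' };
  };
  return { fakeFetch, calls, expire: (t) => valid.delete(t) };
}

const AGENT_CONFIG = {
  openamAuthenticateUrl: 'https://sso.example.test/openam/json/authenticate',  // assumed
  openidmChangePasswordUrl: 'https://idm.example.test/openidm/managed/user',    // placeholder
  sessionHeader: 'iPlanetDirectoryPro',                                         // assumed
  agentUsername: 'idm-agent',
  agentPassword: 'agent-secret',   // constructed; read this from a secret store in practice
};
```

The design point is that the agent credential and its token stay inside the authentication module; the browser only ever holds the end user's session once the chain completes. Scope the agent account in OpenIDM to the change-password operation so a leaked token cannot rewrite other managed-object attributes.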

Page 13: Security Events (screenshot)

Page 14: Password Reset

Challenges

• Active Directory does not provide standard attributes for questions & answers, and schema customization is discouraged
• Both self-service and delegated password reset must be supported

Solution

• Store questions & answers as OpenIDM managed objects, with answers kept in a non-reversible (hashed) form rather than encrypted
• Protect answers from shoulder surfing by masking input
• The user must enter their password in order to change questions & answers

Page 15: Challenge Questions (screenshot)

Page 16: Self-Service Password Reset (screenshot)

Page 17: Login Screen with Security Event Handling (screenshot)

Page 18: Challenge Questions Screen (screenshot)

Page 19: Self-Service Password Reset (screenshot)

Page 20: User Dashboard Screen (screenshot)

Page 21: Confirmation Screen (screenshot)

Page 22: Client-Side Validation (screenshot)

Page 23: Q & A

Thank you for your time!

Contact [email protected] or [email protected]