OpenAM as flexible integration component
Description: Case studies on STORK, IDAP and eID. Presented by Zaeher Rachid, lead access management and OpenAM engineer at Paradigmo, and Wouter Vandenbussche, Identity and Access Management Consultant, Global Consulting and Integration Services, Verizon Enterprise Solutions.
Transcript
Slide 1
2013 Open Stack Identity Summit - France
OpenAM as flexible integration component. Case studies: STORK, IDAP & eID
Slide 2
Who we are
• Wouter Vandenbussche: IAM analyst and architect, Verizon Enterprise Solutions, Consulting & Integration Services, Identity practice. @wouterbussche
• Zaeher Rachid: IAM Practice Manager, Paradigmo
Slide 3
What we do
• Typical customer demand
  • Identity management
  • Access control
  • Authentication and federation
• Realization
  • Full lifecycle: strategy, analysis, implementation and support
  • Solutions with products from partners
  • Customization and tailored development by experts
  • Adequate operational support organization
Slide 4
Why Verizon/Paradigmo together?
(Diagram) Client requirements and Verizon UIS specifications feed a flexible integration component, customized and supported by the two partners.
Slide 5
OpenAM as integration component
• Value the strengths of ForgeRock OpenAM
  • Flexible integration component
  • Bringing adaptability, reliability and agility to projects
• Case studies
  • UK Cabinet Office IDAP: open market identity assurance
  • STORK: pan-European authentication
  • eID authentication: strong authentication with high reliability
Slide 6
The big picture (diagram): a Service Provider sends an AuthN Request to OpenAM, which makes the final IDP selection between its own AuthN means and other IDPs (OAuth, OpenID, STORK).
Slide 7
UK Cabinet Office : Overview
• UK Cabinet Office (Government Digital Service)
  • Identity Assurance Programme (IDAP)
  • Privacy and trust
• Government identity hub: “We’re working closely with departments to develop an identity assurance process that can be adapted and reused right across government, benefiting users and service providers alike with a simpler, faster, better and safer way to access and transact with government services.”
• Open market identity providers
  • Trust Framework and good practice guides
  • IDP: identity proofing and strong authentication
Slide 8
UK Cabinet Office : Trust scheme (diagram): Service Providers 1 and 2 sit behind Matching Service 1 (Department 1), Service Providers 3 and 4 behind Matching Service 2 (Department 2); each matching service matches the MDS (matching data set) it receives to the department's local user store.
Slide 9
UK Cabinet Office : Verizon IDP (diagram): OpenAM is the integration layer of the Verizon IDP, tying together profile management for the user interfaces, a data provider for identity proofing, and the standardized Verizon product for strong authN.
Slide 10
UK Cabinet Office : Demo
Slide 11
STORK : Overview
• STORK
  • European eID interoperability platform
  • Within existing legal restrictions, respecting all national cultures and complying with the requirements of scalability, trust and security, especially privacy
• STORK PEPS architecture
  • Leveraging the national trust frameworks across Europe
  • Hiding national implementations from the other member states
• National identity providers
  • Incoming and outgoing federation
  • Implementation of the Pan-European Proxy Service (PEPS)
Slide 12
STORK: use cases (diagram): a citizen authenticating to a service provider in another member state, shown in both directions (incoming and outgoing).
Slide 13
STORK: trust scheme (diagram): from the Service Provider's request to the final IDP selection.
Slide 14
STORK: our setup (diagram of our setup, showing Service Providers on both sides of the federation).
Slide 15
STORK: demo
Slide 16
OpenAM behavior (IDP flow before the changes), triggered by the Service Provider's request:
• SAML received
• SAML validated
• AuthN mean retrieved (class DefaultIDPAuthnContextMapper)
• Existing session verified? AuthN level verified? If not, redirect / forward to authentication
• SAML response sent (class DefaultIDPAdapter, method preSendResponse)
The default mapper class returns the AuthN mean corresponding to the first allowed context; nothing is recorded regarding the other requested contexts.
Slide 17
OpenAM before
• AuthN contexts
  • How to propose multiple AuthN means to the end user?
  • How to customize SSO according to the SAML AuthN context?
• AuthN level
  • What if the AuthN level is not aligned with business requirements?
• KPIs
  • How to demonstrate SLA compliance when you rely on external systems?
  • How to capture timestamps for valid sessions?
Slide 18
OpenAM before: AuthN contexts (figure)
Slide 19
OpenAM after
• Open source
  • It greatly helps to understand issues when you are at the leading edge of federation features!
• ForgeRock support
  • RFE raised at ForgeRock
  • Urgent delivery of the RFE as a patch
  • RFE now included in new releases
• Additional hooks for custom development
Slide 20
OpenAM after (IDP flow with the additional hooks):
• SAML received
• SAML validated
• AuthN mean retrieved
• Existing session verified? AuthN level verified? If not, redirect / forward to authentication
• SAML response sent
Hook points exposed by class DefaultIDPAdapter: method initialize (adapter set-up), method preSingleSignOn (after the SAML request is validated, before the session check), method preAuthentication (before the redirect / forward to authentication).
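The context-mapping and session-level decisions in the flow above, as an added Python example that is not the presenters' or ForgeRock's code (OpenAM's real adapter is Java and its hooks are the methods named on the slide). It parses a constructed SAML AuthnRequest, contrasts a "first allowed context" mapper with one that keeps every acceptable context so the login page can offer a choice, and decides whether an existing session's AuthN level can be reused. The class-ref-to-level table SUPPORTED, the function names and the sample request are hypothetical; the SAML element names and namespaces are the standard ones.

```python
"""Mapping a SAML 2.0 RequestedAuthnContext to authentication means.

Added example, not the presenters' or ForgeRock's code. It shows the two
behaviours the slides contrast: a 'first allowed context' mapper that keeps
one means and forgets the rest, versus keeping every acceptable context so the
login page can offer a choice, plus the 'existing session / AuthN level'
decision before re-authenticating. The class-ref-to-level table is a
hypothetical IdP configuration; the SAML names are the standard ones.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical IdP configuration: supported class refs -> (auth level, means).
SUPPORTED = {
    AC + "Password": (10, "LDAP password"),
    AC + "TimeSyncToken": (20, "OTP token"),
    AC + "SmartcardPKI": (30, "eID card"),
}

def parse_authn_request(xml_text):
    """Return (force_authn, comparison, [requested class refs])."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    force = root.get("ForceAuthn", "false").lower() == "true"
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return force, "exact", []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return force, rac.get("Comparison", "exact"), refs

def acceptable_contexts(comparison, refs):
    """Supported class refs that satisfy the request.

    exact:   the requested refs this IdP supports, in the SP's order
    minimum: every supported ref at least as strong as the weakest requested
             one, strongest first (maximum/better left out of this example)
    """
    known = [r for r in refs if r in SUPPORTED]
    if comparison == "exact":
        return known
    if comparison == "minimum":
        if not known:
            return []
        floor = min(SUPPORTED[r][0] for r in known)
        return sorted((r for r, (lvl, _) in SUPPORTED.items() if lvl >= floor),
                      key=lambda r: -SUPPORTED[r][0])
    raise ValueError("Comparison %r not handled in this example" % comparison)

def first_allowed_means(comparison, refs):
    """'Before' behaviour: one means for the first allowed context, rest dropped."""
    ok = acceptable_contexts(comparison, refs)
    return SUPPORTED[ok[0]][1] if ok else None

def all_acceptable_means(comparison, refs):
    """'After' behaviour: keep every acceptable means so the user can choose."""
    return [SUPPORTED[r][1] for r in acceptable_contexts(comparison, refs)]

def needs_reauthentication(session, force_authn, comparison, refs):
    """session is None or (auth_level, class_ref) of the existing SSO session.

    True means: redirect/forward to authentication instead of reusing SSO.
    """
    if force_authn or session is None:
        return True
    ok = acceptable_contexts(comparison, refs)
    if not ok:
        return True   # nothing satisfiable; a real IdP sends a failure Response
    level, ctx = session
    if comparison == "exact":
        return ctx not in ok
    return level < min(SUPPORTED[r][0] for r in ok)

# Constructed AuthnRequest: three contexts, one of which this IdP cannot serve.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2013-06-20T10:00:00Z" ForceAuthn="false">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    force, comparison, refs = parse_authn_request(AUTHN_REQUEST)
    print(first_allowed_means(comparison, refs))      # eID card
    print(all_acceptable_means(comparison, refs))     # ['eID card', 'OTP token']
    print(needs_reauthentication((20, AC + "TimeSyncToken"), force, comparison, refs))  # False
```

The point the slides make is visible in the two mapper functions: with the same request, first_allowed_means keeps only the eID card and silently drops the OTP token the SP would also have accepted, while all_acceptable_means preserves both. The unsupported Kerberos context is ignored in either case.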
Slide 21
OpenAM after (continued)
• Additional requirements...
  • Request for multiple assertions in a SAML response
  • Request for access to the STORK extensions in SAML requests/responses
• ... result in new RFEs: additional hooks
  • To manipulate SAML Request objects before they are processed
  • To manipulate the SAML Response
  • To trap and handle SAML Response errors
Slide 22
eID Authentication: overview
• Belgian electronic identity cards
  • Very high level of assurance: NIST level 4 (SP 800-63 LoA 4)
  • PKI-based authentication means and a robust issuing process
  • High penetration rate among the population
  • Publicly available infrastructure
• Authentication
  • Confirmation of possession of and access to the card
  • Real-time validation of the status of the card
• Identity Provider
  • Reusability, simplified integration and increased reliability
Slide 23
eID: trust scheme (diagram): the IDP validates possession of and access to the card and asserts the identity to the Service Provider.
Slide 24
OpenAM OCSP/CRL checking (flow): SSL mutual AuthN with the card certificate, then: OCSP Responder reachable? Yes: check the certificate status via OCSP. No (OCSP down): fall back to CRLs.
Slide 25
OpenAM OCSP/CRL mechanism (CRL cache flow): look up the CRL URL in the X.509 certificate; cache exists? No: fetch the CRL and cache it. Yes: cache expired? Yes: re-fetch and cache the CRL. No: fetch the cached CRL. Then look up the certificate SerialNumber in the CRL.
Slide 26
Belgian CA
• New intermediate CA issued each month with the same CN but a different SERIALNUMBER => different CRL URL
Slide 27
Belgian CA behavior
• Belgian CA behavior
  • New intermediate CA issued each month with the same CN but a different SERIALNUMBER => different CRL URL
  • Bulk issuing of certificates, all revoked by default
  • A big CRL can contain more than 100K entries
• Cache issues
  • A lot of time wasted on CRL initialization (download, validation, processing, ...)
  • Storing big objects in LDAP
  • The LDAP entry has the CN in its name and certificateRevocationList is a single-valued attribute, so one entry cannot hold the CRLs of two CAs sharing a CN
  • LDAP replication can be an issue during peak time
• Average time for authentication is more than 10 seconds
  • Most of that time is spent in CRL checking
Slide 28
CRL caching implementation
• SQLite database
  • Daemon that fetches CRLs and creates one database per CRL
  • Only storing the certificate SERIALNUMBER
• Custom “Cert” module
  • SQL statement to retrieve revoked certificates
• Performance
  • AuthN < 100 ms
  • CRL checking < 5 ms
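The OCSP-first/CRL-fallback flow (slide 24), the CRL cache flow (slide 25) and the per-CRL store holding only serial numbers (slide 28), as one added Python example; this is not the presenters' Cert module or OpenAM code. Real X.509 and CRL parsing is replaced by constructed records (Cert, CRL) and an injected fetch_crl so it runs offline; URLs, serials, the CLOCK helper and all function names are invented. It also shows why the cache must be keyed by the CRL URL rather than by issuer CN: two monthly intermediates both named "Citizen CA" revoke different serials.

```python
"""OCSP-first revocation check with a per-CRL SQLite cache as fallback.

Added example (not the presenters' or ForgeRock's code). Real X.509 and CRL
parsing is replaced by small constructed records and an injected fetcher so
it runs offline; the cache follows the slide's design: one table per CRL,
keyed by the CRL distribution point URL found in the certificate (never by
issuer CN), storing only revoked serial numbers.
"""
import hashlib
import sqlite3
from collections import namedtuple

# Stand-ins for parsed X.509 data (hypothetical field names).
Cert = namedtuple("Cert", "serial issuer_cn crl_url")
CRL = namedtuple("CRL", "next_update revoked_serials")

CLOCK = [1_000_000.0]   # controllable clock so nextUpdate expiry can be exercised

class OCSPUnavailable(Exception):
    """Responder down or no definitive answer: fall back to CRLs."""

class CRLCache:
    """One SQLite table per CRL URL; rows hold only revoked serials (hex)."""

    def __init__(self, fetch, now, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS crl_meta "
                        "(url TEXT PRIMARY KEY, tbl TEXT, next_update REAL)")
        self.fetch, self.now, self.downloads = fetch, now, 0

    @staticmethod
    def _table(url):
        # Table name derived from the URL, so two CAs sharing a CN but using
        # different CRL URLs never collide (a CN-named LDAP entry with a
        # single-valued certificateRevocationList attribute cannot hold both).
        return "crl_" + hashlib.sha256(url.encode()).hexdigest()[:16]

    def _refresh(self, url):
        crl = self.fetch(url)
        self.downloads += 1
        tbl = self._table(url)
        with self.db:
            self.db.execute("DROP TABLE IF EXISTS %s" % tbl)
            self.db.execute("CREATE TABLE %s (serial TEXT PRIMARY KEY)" % tbl)
            self.db.executemany("INSERT INTO %s VALUES (?)" % tbl,
                                ((s,) for s in crl.revoked_serials))
            self.db.execute("INSERT OR REPLACE INTO crl_meta VALUES (?, ?, ?)",
                            (url, tbl, crl.next_update))
        return tbl

    def is_revoked(self, cert):
        row = self.db.execute("SELECT tbl, next_update FROM crl_meta WHERE url = ?",
                              (cert.crl_url,)).fetchone()
        if row is None or row[1] <= self.now():   # no cache, or nextUpdate passed
            tbl = self._refresh(cert.crl_url)
        else:
            tbl = row[0]
        hit = self.db.execute("SELECT 1 FROM %s WHERE serial = ?" % tbl,
                              (cert.serial,)).fetchone()
        return hit is not None

def check_revocation(cert, ocsp, crl_cache):
    """Return (revoked, source): OCSP when it answers, cached CRL otherwise."""
    try:
        return ocsp(cert), "ocsp"
    except OCSPUnavailable:
        return crl_cache.is_revoked(cert), "crl"

# --- constructed data: two monthly intermediates with the same CN -----------
MAY_URL = "http://crl.example.test/citizen-2013-05.crl"
JUNE_URL = "http://crl.example.test/citizen-2013-06.crl"
CONSTRUCTED_CRLS = {
    # bulk-issued and revoked by default: 100K entries, as the slide describes
    MAY_URL: {"%08x" % i for i in range(1, 100_001)},
    JUNE_URL: {"00007f00"},
}
CERT_MAY = Cert("000001a3", "Citizen CA", MAY_URL)    # revoked in May's CRL
CERT_JUNE = Cert("000001a3", "Citizen CA", JUNE_URL)  # same CN and serial, not revoked

def fetch_crl(url):
    """Stand-in download; a real one fetches, verifies the signature, parses."""
    return CRL(next_update=CLOCK[0] + 3600, revoked_serials=CONSTRUCTED_CRLS[url])

def ocsp_down(cert):
    raise OCSPUnavailable("responder unreachable")

def ocsp_ok(cert):
    return cert.serial == "00007f00"

if __name__ == "__main__":
    cache = CRLCache(fetch=fetch_crl, now=lambda: CLOCK[0])
    print(check_revocation(CERT_MAY, ocsp_down, cache))   # (True, 'crl')
    print(check_revocation(CERT_JUNE, ocsp_down, cache))  # (False, 'crl')
    print(check_revocation(CERT_JUNE, ocsp_ok, cache))    # (False, 'ocsp')
```

In production the fetcher must verify the CRL signature against the issuing CA before the serials are loaded, and a failed fetch should fail the authentication rather than let the certificate through; here it simply propagates as an exception. The indexed lookup on the serial column is what turns a scan of a 100K-entry CRL into the sub-5 ms check the slide reports, and the nextUpdate check means a stale cache is refreshed on first use after expiry rather than by a fixed timer.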
Slide 29
Conclusion
• Our customers and engineers value the strengths of ForgeRock OpenAM as an integration component in the delivery of solutions for authentication and federation
• Adaptability
  • Easy to customize components and extend functionality
• Reliability
  • Scalable and stable deployments
• Agility
  • Fast realizations due to open source and the partnership with ForgeRock
Slide 30
Q&A