OpenAM: An Introduction


A Breakout Session introducing OpenAM by Dr. Matthias Tristl, Senior Instructor at ForgeRock, at the 2014 IRM Summit in Phoenix, Arizona.

Transcript of OpenAM: An Introduction

IRM Summit 2014

OpenAM

Matthias Tristl

Agenda

■ ForgeRock Stack overview

■ OpenAM Overview

■ Authentication

■ Authorization

■ Federation

ForgeRock Stack Overview

Pillars of IAM

Classic scenario I: User wants to use an application...

User

Application

which does not require any of ForgeRock's products, but ...

Classic scenario II: Centralization of Authentication

User

Application… and ...

Classic scenario III: Central Authorization

User

Application

Classic scenario IV: Federation

User

Application, Application

Classic scenario V: Identity Management

User

Application

HR DB

OpenAM Key Functionality

■ Provides single sign-on to web resources and creates a "sign on once, access everywhere" environment

■ Centralized policy-based authentication and authorization

■ Enables policy enforcement

■ Tracks all user authentication related events

■ Extends access beyond organizational boundaries

Authentication, Authorization, Single Sign-On, Federation, Entitlements, Web Services Security, Auditing/Logging, Adaptive AuthN

Single Sign On

Protecting Resources

Partner Integration

Integration Paths

Authentication

Who are you?

Authentication Flow

Where does the request come from?

■ Common use case: User requests access to a web page

■ Other use cases: Applications can request authentication programmatically through REST or SOAP web services and the OpenAM SDK

Which Credentials?

■ OpenAM works with most authentication methods without customization

■ 21 out-of-the-box authentication modules

■ Custom modules can be created easily

Authentication Modules

Active Directory, Adaptive Risk, Anonymous, Certificate, Data Store, Device Print, Federation, HOTP, HTTP Basic, JDBC, LDAP, Membership, MSISDN, OATH, OAuth 2.0, RADIUS, SAE, SecurID, Windows Desktop SSO, Windows NT, WSSAuth

ID Token

Authorization

Authorization

■ Authentication is not enough

■ Authorization determines:

– WHO can do

– what ACTIONS

– with what RESOURCES

– under which CONDITIONS?

■ Uses Policies to define those rights
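To make the four questions concrete, here is an added example (not OpenAM's policy engine and not code from the talk): a small evaluator in which each policy names its subjects by group (WHO), its actions with an allow or deny value (ACTIONS), its resources by wildcard pattern (RESOURCES) and an optional client-network condition (CONDITIONS). Policy names, groups, URLs and networks are constructed; the "*" wildcard semantics and the deny-overrides rule are this example's assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample policies (hypothetical; not a real OpenAM policy export).
# groups = WHO, actions = what ACTIONS (True allow / False deny),
# resources = with what RESOURCES ("*" wildcard),
# allowed_networks = under which CONDITIONS (empty list = unconditional).
POLICIES = [
    {"name": "staff-intranet", "groups": {"staff"},
     "resources": ["https://intranet.example.com/*"],
     "actions": {"GET": True, "POST": True},
     "allowed_networks": ["10.0.0.0/8"]},
    {"name": "contractor-read-only", "groups": {"contractors"},
     "resources": ["https://intranet.example.com/*"],
     "actions": {"GET": True, "POST": False},
     "allowed_networks": []},
    {"name": "contractors-no-admin", "groups": {"contractors"},
     "resources": ["https://intranet.example.com/admin/*"],
     "actions": {"GET": False, "POST": False},
     "allowed_networks": []},
]

def resource_matches(pattern, resource):
    """'*' matches any run of characters, including '/' (assumed wildcard semantics)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, resource) is not None

def condition_met(policy, client_ip):
    """Environment condition: the client IP must lie in one of the listed networks."""
    nets = policy["allowed_networks"]
    return not nets or any(ip_address(client_ip) in ip_network(n) for n in nets)

def decide(subject_groups, action, resource, client_ip, policies=POLICIES):
    """Return 'ALLOW' or 'DENY'. An explicit deny overrides any allow, and a
    request that no policy applies to is denied (default deny)."""
    verdicts = []
    for policy in policies:
        if not policy["groups"] & set(subject_groups):                           # WHO
            continue
        if not any(resource_matches(r, resource) for r in policy["resources"]):  # RESOURCES
            continue
        if not condition_met(policy, client_ip):                                 # CONDITIONS
            continue
        if action in policy["actions"]:                                          # ACTIONS
            verdicts.append(policy["actions"][action])
    if False in verdicts:
        return "DENY"
    return "ALLOW" if True in verdicts else "DENY"

if __name__ == "__main__":
    print(decide({"contractors"}, "GET", "https://intranet.example.com/admin/users", "203.0.113.5"))  # DENY
```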

Authorization Flow

Federation

Federation

■ Federation is the process of linking identities across heterogeneous Access Management products

■ It is a trust relationship whereby a Service Provider (SP) trusts that an Identity Provider (IDP) has successfully authenticated a user

■ It is standards based

Goals of Federation

■ Federation enables Single Sign On and Single Logout between partners

■ Federation allows rapid integration

– during company acquisitions

– between heterogeneous systems

■ Federation allows basic Identity Data Sharing

■ Helps to keep multiple internet accounts under control

Federation Standards

(Figure: timeline, 2002 to today, of the federation standards OpenAM has covered: SAML 1.0, SAML 1.x, SAML 2.0, Liberty ID-FF 1.1/1.2, Shibboleth 1.0/1.1, Shibboleth 2 (SAML2), WS-Federation 1.0, WS-Federation 1.1, ADFS, ADFS2, OAuth 1.0, OAuth 2.0, OpenID Connect, REST/JSON, SOAP)

Federation Terminology

OpenAM Federation

■ OpenAM provides first class federation support

■ Federation Protocol support – SAML2, WS-Federation, ID-FF, OAuth2

■ Federated Web Services

■ Multi-Protocol Hub – Allows OpenAM to act as a broker between different federation protocols

■ Plug-in points allow for easy customization

■ Fedlet for applications that do not support standard protocols

ForgeRock University