OpenAM for BeginnersEMEA Summit 2013

2

Agenda

■ ForgeRock Stack overview

■ OpenAM Overview

■ Authentication

■ Authorization

■ Federation

3

ForgeRock Stack Overview

4

Pillars of IAM

5

Classic scenario IUser wants to use an application...

User

Application

which does not require any of ForgeRock's products, but ...

6

Classic scenario IICentralization of Authentication

User

Application… and ...

OpenDJ

7

Classic scenario IIICentral Authorization

User

Application

OpenDJ

OpenAM

8

Classic scenario IVFederation

User

ApplicationApplication OpenAM OpenAM

OpenDJ OpenDJ

9

Classic scenario VIdentity Management

User

Application

HR DB

OpenAM

OpenDJOpenIDM

10

OpenAM Overview

11

OpenAM

Authenticate

SSO

Entitlements

CloudFederate

High Availabi

lity

Performance

OpenAM

JAAS

SOAP &

REST

XACML

OAuth

SAML

WS-Trust

OpenAM Vision and Scope

Partners

Outsourcing

Suppliers

ExternalParties

ExternalParties

Governments

SaaS

PaaS

In-house developedapplications

Commercial applications

DataBases

ActiveDirectory

DirectoryServices

PKIRADIUS

SecurID3rd party

Authentication methods

12

OpenAM Evolution

OpenSSOBuild 6

OpenSSOEnt 8.0

OpenSSOBuild 7

OpenSSOBuild 7

OpenSSOBuild 8

OpenAM9.0

OpenAM9.5

OpenAM10.0

OpenAM10.1

Open Source Closed Source

2008 20092008 2010 2011 2012

One single product for AAA+Federation

Some Patch development but no new functionalities

OpenAM11.0

2013

Provides single sign-on to web resources and create a sign on once, access everywhere environment

Centralized policy based authentication and authorization

Enables policy enforcement Tracks all user authentication related events Extends access beyond organizational boundaries

OpenAM Key Functionality

Authentication Authorization Single Sign-On Federation

Entitlements Web Services Security Auditing/Logging Adaptive AuthN

14

Key: Single Sign On

15

Key: Protecting Resources

16

Key: Partner Interaction and Integration

17

OpenAM Integration Paths

18

Authentication

19

Authentication: Who are you?

20

Authentication Flow

21

■ Common use case: User requests access to a web page

■ Other Use Cases: Applications can request authentication programatically through REST or SOAP web services and OpenAM SDK

Authentication: Where does the request come from?

22

■ OpenAM works with most authentication methods without customization

■ 21 out of the box Authentication modules

■ Custom modules can be created easily

Authentication: Which Credentials?

23

Authentication: ID Token

24

Authorization

25

Authorization

■ Authentication is not enough

■ Authorization determines:

– WHO can do

– what ACTIONS

– with what RESOURCES

– under which CONDITIONS?

■ Uses Policies to define those rights

26

Authorization Flow

27

Federation

28

Federation

■ Federation is the process of linking identities across heterogeneous Access Management products

■ It is a trust relationship whereby a Service Provider (SP) trusts that an Identity Provider (IDP) has successfully authenticated a user

■ It is Standard Based

29

The Goals of Federation

■ Federation enables Single Sign On and Single Logout between partners

■ Federation allows rapid integration

– during company acquisitions

– between heterogeneous systems

■ Federation allows basic Identity Data Sharing

■ Helps to keep multiple internet accounts under control

30

Federation Standard Protocols

OpenAMSAML

1.0SAML

1.xSAML

2.0

Liberty ID-FF 1.1/1.2

Shibboleth 1.0/1.1

Shibboleth 2(SAML2)

WS-Federation 1.1

ADFS

ADFS2

OAUTH 1.0 OAUTH 2.0

OpenIDConnect

REST/JSON

SOAP

WS-Federation 1.0

2002 Today

31

Federation Terminology

32

OpenAM Federation

■ OpenAM provides first class federation support

■ Federation Protocol support– SAML2, WS-Federation, ID-FF, OAuth2

■ Federated Web Services

■ Multi-Protocol Hub– Allows OpenAM to act as a broker between different federation protocols

■ Plug-in points allow for easy customization

■ Fedlet for applications that do not support standard protocols

33

Forgerock University