OpenAM as Flexible Integration Component

2013 Open Stack Identity Summit - France OpenAM as flexible integration component Case studies: STORK, IDAP & eID


Case Studies on STORK, IDAP, & eID. Led by Zaeher Rachid, lead access management and OpenAM engineer at Paradigmo and Wouter Vandenbussche Identity And Access Management Consultant, Global Consulting and Integration Services | Verizon Enterprise Solutions

Transcript of OpenAM as Flexible Integration Component

Page 1: OpenAM as Flexible Integration Component

2013 Open Stack Identity Summit - France

OpenAM as flexible integration component Case studies: STORK, IDAP & eID

Page 2: OpenAM as Flexible Integration Component

Who we are

Wouter Vandenbussche

IAM analyst and architect

Verizon Enterprise Solutions Consulting & integration services

Identity practice

[email protected] @wouterbussche

Zaeher Rachid

IAM Practice Manager

[email protected]

Page 3: OpenAM as Flexible Integration Component

What we do

•  Typical customer demand
   •  Identity management
   •  Access control
   •  Authentication and federation

•  Realization
   •  Full lifecycle: strategy, analysis, implementation and support
   •  Solutions with products from partners
   •  Customization and tailored development by experts
   •  Adequate operational support organization

Page 4: OpenAM as Flexible Integration Component

Why Verizon/Paradigmo together?

Client requirements

Verizon UIS specifications

Flexible integration component customized and supported by:

Page 5: OpenAM as Flexible Integration Component

OpenAM as integration component

•  Value the strengths of ForgeRock OpenAM
   •  Flexible integration component
   •  Bringing adaptability, reliability and agility to projects

•  Case studies
   •  UK Cabinet Office IDAP: Open market identity assurance
   •  STORK: pan-European authentication
   •  eID Authentication: Strong authentication with high reliability

Page 6: OpenAM as Flexible Integration Component

The big picture

Diagram labels: Service Provider, AuthN Request, AuthN means, Other IDP (OAuth, OpenID, STORK), Final IDP selection.

Page 7: OpenAM as Flexible Integration Component

UK Cabinet Office : Overview

•  UK Cabinet Office (Government Digital Service)
   •  Identity Assurance Programme (IDAP)
   •  Privacy and Trust

•  Government identity hub
   “We’re working closely with departments to develop an identity assurance process that can be adapted and reused right across government, benefiting users and service providers alike with a simpler, faster, better and safer way to access and transact with government services.”

•  Open market identity providers
   •  Trust Framework and good practice guides
   •  IDP: Identity proofing and strong authentication

Page 8: OpenAM as Flexible Integration Component

UK Cabinet Office : Trust scheme

Diagram labels: Service provider 1, Service provider 2, Matching Service 1, Department 1; Service provider 3, Service provider 4, Matching Service 2, Department 2. Note on the diagram: match MDS to local user store.

Page 9: OpenAM as Flexible Integration Component

UK Cabinet Office : Verizon IDP

Diagram labels: Verizon IDP; Profile Management for user interfaces; Data provider for identity proofing; OpenAM for integration; Standardized Verizon product for strong authN.

Page 10: OpenAM as Flexible Integration Component

UK Cabinet Office : Demo

Page 11: OpenAM as Flexible Integration Component

STORK : Overview

•  STORK
   •  European eID interoperability platform
   •  Within existing legal restrictions, respectful of all national cultures and complying with the requirements of scalability, trust and security, especially privacy.

•  STORK PEPS architecture
   •  Leveraging the national trust frameworks to Europe
   •  Hiding national implementations from the other member states

•  National identity providers
   •  Incoming and outgoing federation
   •  Implementation of Pan European Proxy Service (PEPS)

Page 12: OpenAM as Flexible Integration Component

STORK: use cases

Diagram labels: Citizen, Service Provider (each shown twice, one per use case).

Page 13: OpenAM as Flexible Integration Component

STORK: trust scheme

Diagram labels: Service Provider, Final IDP selection.

Page 14: OpenAM as Flexible Integration Component

STORK: our setup

Diagram labels: Service Provider (shown twice).

Page 15: OpenAM as Flexible Integration Component

STORK: demo

Page 16: OpenAM as Flexible Integration Component

OpenAM behavior

Diagram labels: Service Provider. Flow: SAML received → SAML validated → AuthN mean retrieved → existing session verified? → AuthN level verified? → redirect / forward → SAML response sent.

Hook points shown: class DefaultIDPAuthnContextMapper (retrieval of the AuthN mean) and class DefaultIDPAdapter, method preSendResponse.

The default class returns the AuthN mean corresponding to the first allowed context; nothing is recorded about the other contexts.

Page 17: OpenAM as Flexible Integration Component

OpenAM before

•  AuthN contexts
   •  How to propose multiple AuthN means to the end user?
   •  How to customize SSO with regard to the SAML AuthN context?

•  AuthN level
   •  What if the AuthN level is not aligned with business requirements?

•  KPIs
   •  How to demonstrate SLA compliance when you rely on external systems?
   •  How to catch timestamps for valid sessions?

Page 18: OpenAM as Flexible Integration Component

OpenAM before

AuthN contexts

Page 19: OpenAM as Flexible Integration Component

OpenAM after

•  Open source
   •  It greatly helps to understand issues when you are at the leading edge of federation features!

•  ForgeRock support
   •  RFE raised @ ForgeRock
   •  Urgent delivery of RFE as a patch
   •  RFE now included in new releases

•  Additional hooks for custom development

Page 20: OpenAM as Flexible Integration Component

OpenAM after

Flow diagram: SAML received → SAML validated → AuthN mean retrieved → existing session verified? → AuthN level verified? → redirect / forward → SAML response sent.

Hook points shown: class DefaultIDPAdapter, methods initialize, preAuthentication and preSingleSignOn.

Page 21: OpenAM as Flexible Integration Component

OpenAM after after

•  Additional requirements…
   •  Request for multiple assertions in SAML response
   •  Request for accessing STORK extensions in SAML requests/responses

•  … result in new RFEs
   •  Additional hooks
      •  To manipulate SAML Request objects before they are processed
      •  To manipulate SAML Response
      •  To trap and to treat SAML Response errors

Page 22: OpenAM as Flexible Integration Component

eID Authentication: overview

•  Belgian electronic identity cards
   •  Very high level of assurance: NIST 4
   •  PKI based authentication mean & sturdy issuing process
   •  High penetration rate among the population
   •  Publicly available infrastructure

•  Authentication
   •  Confirmation of possession of and access to the card
   •  Real-time validation of the status of the card

•  Identity Provider
   •  Reusability, simplify integration and increase reliability

Page 23: OpenAM as Flexible Integration Component

eID: trust scheme

Diagram labels: Service Provider, Assert Identity, Validate possession and access.

Page 24: OpenAM as Flexible Integration Component

OpenAM OCSP/CRLs checking

Flow diagram: SSL mutual AuthN → OCSP Responder → OCSP down? No: continue with the OCSP result; Yes: fall back to CRLs.

Page 25: OpenAM as Flexible Integration Component

OpenAM OCSP/CRLs mechanism

Flow diagram: Cache exist? No: lookup CRL URL in X509 certificate → cache CRL. Yes: Cache expired? Yes: lookup CRL URL in X509 certificate → cache CRL; No: fetch cached CRL. Then: lookup certificate SerialNumber in CRL.

Page 26: OpenAM as Flexible Integration Component

Belgian CA

•  New intermediate CA issued each month with the same CN but different SERIALNUMBER => different CRL URL

Page 27: OpenAM as Flexible Integration Component

Belgian CA behavior

•  Belgian CA behavior
   •  New intermediate CA issued each month with the same CN but different SERIALNUMBER => different CRL URL
   •  Bulk issuing of certificates, all revoked by default
   •  Big CRL can contain more than 100K entries

•  Cache issues
   •  A lot of time wasted on CRL initialization (download, validation, processing, …)
   •  Storing big objects in LDAP
   •  LDAP entry has the CN in its name and certificateRevocationList is a single-valued field
   •  LDAP replication can be an issue during peak time

•  Average time for authentication is more than 10 seconds
   •  Most of the time wasted in CRL checking

Page 28: OpenAM as Flexible Integration Component

CRL caching implementation

•  SQLite database
   •  Daemon that fetches CRLs and creates one database per CRL
   •  Only storing the certificate SERIALNUMBER

•  Custom “Cert” module
   •  SQL statement to retrieve revoked certificates

•  Performance
   •  AuthN < 100ms
   •  CRL checking < 5ms
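A worked sketch of the caching mechanism from pages 25 and 28: one SQLite database per CRL URL holding only serial numbers, rebuilt by a daemon-side refresh when the cache is absent or past nextUpdate, and queried with a single SELECT per authentication. This is an added example, not Paradigmo's or Verizon's code; the CRL URLs and contents are constructed and the download is stubbed with fake_fetch.

```python
import hashlib
import sqlite3
import tempfile
import time
from pathlib import Path

NOW = time.time()
# Constructed stand-in (not real Belgian CA data) for what the daemon parses out of a
# downloaded CRL: URL -> nextUpdate (POSIX seconds) and revoked serial numbers.
# The two URLs model two monthly intermediates that share a CN but not a CRL URL.
FETCHED_CRLS = {
    "http://crl.example.invalid/ca-2013-06.crl": {"next_update": NOW + 3600, "revoked": [0x1001, 0x1002, 0x1003]},
    "http://crl.example.invalid/ca-2013-07.crl": {"next_update": NOW + 3600, "revoked": [0x2001]},
}

def fake_fetch(crl_url):
    return FETCHED_CRLS[crl_url]  # the real daemon downloads and signature-checks the CRL here

class CrlCache:
    """One SQLite file per CRL URL; only the revoked serial numbers are stored."""
    def __init__(self, cache_dir=None):
        self.cache_dir, self.refreshes = Path(cache_dir or tempfile.mkdtemp()), 0

    def _db(self, crl_url):
        # Key the file by the CRL distribution-point URL from the certificate, not by
        # issuer CN, so each monthly intermediate gets its own database.
        name = hashlib.sha256(crl_url.encode()).hexdigest()[:16] + ".sqlite"
        con = sqlite3.connect(self.cache_dir / name)
        con.execute("CREATE TABLE IF NOT EXISTS meta (next_update REAL)")
        con.execute("CREATE TABLE IF NOT EXISTS revoked (serial TEXT PRIMARY KEY)")
        return con

    def refresh(self, crl_url, fetch=fake_fetch):
        """Daemon side: rebuild one CRL's database from a freshly fetched CRL."""
        crl = fetch(crl_url)
        with self._db(crl_url) as con:
            con.execute("DELETE FROM revoked")
            con.execute("DELETE FROM meta")
            con.executemany("INSERT INTO revoked VALUES (?)", [(format(s, "x"),) for s in crl["revoked"]])
            con.execute("INSERT INTO meta VALUES (?)", (crl["next_update"],))
        con.close()
        self.refreshes += 1

    def is_revoked(self, crl_url, serial, fetch=fake_fetch, now=None):
        """Cert-module side: the per-authentication check, one indexed SELECT."""
        now = time.time() if now is None else now
        with self._db(crl_url) as con:
            row = con.execute("SELECT next_update FROM meta").fetchone()
        if row is None or row[0] <= now:  # no cache yet or past nextUpdate: rebuild first
            self.refresh(crl_url, fetch)
        with self._db(crl_url) as con:
            hit = con.execute("SELECT 1 FROM revoked WHERE serial = ?", (format(serial, "x"),)).fetchone()
        return hit is not None
```

The first lookup against a URL builds its database; later lookups cost one SELECT until nextUpdate passes, and a serial revoked under one intermediate's CRL is not treated as revoked under another's.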

Page 29: OpenAM as Flexible Integration Component

Conclusion

•  Our customers and engineers value the strengths of ForgeRock OpenAM as an integration component in the delivery of solutions for authentication and federation
•  Adaptability
   •  Easy to customize components and extend functionality
•  Reliability
   •  Scalable and stable deployments
•  Agility
   •  Fast realizations due to open source and partnership with ForgeRock

Page 30: OpenAM as Flexible Integration Component

2013 Open Stack Identity Summit - France

Q&A