identity summit uk: keep talking: lessons learned during our migration from legacy iam to forgerock
TRANSCRIPT
Keep TalkingMigrating from Legacy IAM to ForgeRock: What We LearnedForgeRock Identity Summit 2015 - London
EUROPE’S LEADING ONLINE FASHION PLATFORM
15 countries3 fulfillment centers16+ million active customers2.2+ billion € revenue 2014130+ million visits per month9.000+ employees
Visit us: tech.zalando.com
Our (legacy) infrastructure
OUR INFRASTRUCTURE
OUR INFRASTRUCTURE
DataCenter IGütersloh, Germany
DataCenter IIBerlin, Germany
DataCenter IIIBerlin, Germany
APP 1
APP 2
APP 3
APP 4
APP 5
APP 6
APP 1
APP 2
APP 3
APP 4
APP 5
APP 6
APP 1
APP 2
APP 3
APP 4FW FW
GLOBAL TRAFFIC MANAGEMENT
Problem: it won’t scale!
● Adding new instances is not straightforward● Inefficient resource management● Dependency hell
Let’s move to the cloud!
2013/14 2014
Pequod
2013
Noah’s ArkzCloud
MOVING TO THE CLOUD
PequodNoah’s ARKzCloud
2015
MOVING TO THE CLOUD
Welcome AWS + ForgeRock stack
THE PATH TO AWS
One AWS account per teamsecured via SSL and OAuth 2.0
Deployment based on Docker
Usage of REST + OAuth is mandatory
Bye Monolith, hello Microservices
Public Internet
*.foo.zalan.do *.bar.zalan.do
Team “Foo” Team “Bar”ELB ELB
EC2Instance
EC2InstanceEC2
InstanceEC2Instance
EC2InstanceEC2
InstanceDatacenter LB
EC2InstanceEC2
InstanceLegacyInstance
THE PATH TO AWS
All good on paper, but:
How can we protect communications between the new AWS instances and our legacy services?
(We’re talking about 200+ projects and 1600+ instances!)
Public Internet
*.foo.zalan.do *.bar.zalan.do
Team “Foo” Team “Bar”ELB ELB
EC2Instance
EC2InstanceEC2
InstanceEC2Instance
EC2InstanceEC2
InstanceDatacenter LB
EC2InstanceEC2
InstanceLegacyInstance
THE PATH TO AWS
?
“We build too many walls and not enough bridges.”
Isaac Newton
Our challenges
● AWS needs to contact our DCs● Legacy services have no OAuth support● Modifying them is too cumbersome (and nobody
wants to do it)
OpenIG
A bit about OpenIG:● ForgeRock’s reverse proxy server● Provides OAuth 2.0 authentication● No need to modify code on legacy services
Public Internet
*.foo.zalan.do *.bar.zalan.do
Team “Foo” Team “Bar”ELB ELB
EC2Instance
EC2InstanceEC2
InstanceEC2Instance
EC2InstanceEC2
InstanceDatacenter LB
EC2InstanceEC2
InstanceLegacyInstance
THE PATH TO AWS (improved)
OpenIG
OpenIG
So… how to deploy it?
EASY!
Step One: 05-heartbeat.json
Step Two: 06-wsdl.json
my_example
Step C: 99-default.json
my_example
Step Δ: config.json
80
Step 5(bIV-Δ): server.xml
/usr/share/logs/123
openig_123
80
/usr/share/local/123
Final Step!
Or...
Automation to the rescue!
DeployCtl
● Our good old deployment tool● Poor… but sexy!● Exclusively for DC deployments● Most teams know how to use it
DeployCtl + OpenIG
● Minor modifications to accept OpenIG deployments● Simplified configuration steps● Specific developments in OpenIG, to handle SOAP
WS calls
Usage of DeployCtl
● OpenIG is deployed just like any other instance● A single OpenIG deployment for each service
instance - one-to-one mapping● Teams can deploy OpenIG for their services on
demand with minimal effort
DeployCtl - Project Scan
DeployCtl - OpenIG Configuration
DeployCtl - Select Service I
DeployCtl - Select Service II
DeployCtl - Build & Distribute
DeployCtl - Switch
DeployCtl - Deployed Instances
Wrapping it up
● Some automation and scripting helped speed up deployment
● By using familiar processes and tools we minimized the deployment learning curve
● OpenIG made it possible to make most of our legacy services readily available for AWS instances
Where to Find Us:Tech Blog: tech.zalando.com
GitHub: github.com/zalando
Twitter: @ZalandoTech
Instagram: zalandotech
Jobs: http://tech.zalando.com/jobs
THANK YOU!
Do we still have time for questions?