2013 Open Stack Identity Summit - France

Corelio Media An Open Identity Stack case study

Introducing

The case •  Custom built CRM system with provisioning

•  Custom SSO implementations

•  Room for improved privacy protection

•  Per application social media integration

•  In code authorization

Goals and challenges •  Single Sign On

•  Centralized policy & session management

•  Multi-tenant support

•  Identity management for 4.1M identities

•  3 month time constraint

Priorities •  Performance

•  Ease of application integration

•  User comfort & privacy

Requiring the full stack •  Central user store: OpenDJ

•  SSO & policy enforcement: OpenAM

•  Provisioning of user store: OpenIDM

The agent approach •  Simple architecture

•  Agents scale with infastructure

•  Distributed high availability architecture

•  No impact on out-of-scope servers

Special cases •  IP authentication

•  Instant sync

•  Remember me

•  Entitlements

•  Mobile applications

Remember me

Remember me

Persistent cookie (DProPCookie)

Session cookie (iPlanetDirectoryPro)

P S

Session cookies issued after successful authentication

Remember me

S

Close and reopen browser

P

Remember me But if browser doesn’t close, then at session time-out

S

Expired Session cookie (iPlanetDirectoryPro)

P

Remember me Solution: persist session cookie If session times-out, expired cookie won’t be sent

S

S

P

com.iplanet.am.cookie.timeToLive

openam.session.persist_am_cookie

Entitlements •  Access policies are URL based

•  Define virtual URL policies

•  Application checks authorization

•  Through OpenAM authorization REST API

Entitlements Policy: Allow URL: http://www.standaard.be/avond/* Group: Subscribers

HTTP_UID=987654 HTTP_mail=jdoe@sample.com HTTP_sn=doe HTTP_givenname=john

http://www.standaard.be/avond/art.aspx?id=23

Entitlements

http://www.standaard.be/avond/art.aspx?id=23&action=comment

Policy: Allow URL: http://virtual.standaard.be/comment Group: White listed commenter

Mobile applications •  Apps cannot be impacted

•  Third party not to store credentials

•  Client credential OAuth profile

•  Patches required in OpenAM XPress 10.1.0

Mobile applications

Third party

Content server

e-mail/password

OA

uth

toke

n

cont

ent

e-mail/OAuth token

Project results •  Successfull launch of every tenant

•  Agile policy management

•  Centralized secure password storage

•  Session quota for subscribers enforced

Lessons learned •  Value of ForgeRock support

•  Avoid crosstalk through sticky sessions

•  Use dedicated application pools in IIS

•  Use OpenDJ entry cache for large static groups

•  But don’t preload the entry cache

Roadmap •  Session quota for mobile apps

•  Open Identity Stack upgrade

•  Media ID

•  Metering

Thank you Robin Gorris

Partner - Senior Architect +32 (0)474 40 99 91 robin.gorris@is4u.be

Business Park King Square Veldkant 33A - 2550 Kontich

http://www.is4u.be