OpenAM Best Practices - Corelio Media Case Study
DESCRIPTION
IS4U Senior Architect Robin Gorris shares OpenAM best practices at Corelio Media, presented as part of our Case Study session with Everett and ACA, moderated by ForgeRock VP of Services Steve Ferris and Director of Support Tim Rault-Smith.
TRANSCRIPT
2013 Open Stack Identity Summit - France
Corelio Media: An Open Identity Stack case study
Introducing
The case
• Custom-built CRM system with provisioning
• Custom SSO implementations
• Room for improved privacy protection
• Per-application social media integration
• In-code authorization
Goals and challenges
• Single Sign-On
• Centralized policy & session management
• Multi-tenant support
• Identity management for 4.1M identities
• 3-month time constraint
Priorities
• Performance
• Ease of application integration
• User comfort & privacy
Requiring the full stack
• Central user store: OpenDJ
• SSO & policy enforcement: OpenAM
• Provisioning of user store: OpenIDM
The agent approach
• Simple architecture
• Agents scale with the infrastructure
• Distributed high-availability architecture
• No impact on out-of-scope servers
Special cases
• IP authentication
• Instant sync
• Remember me
• Entitlements
• Mobile applications
Remember me
• Persistent cookie (DProPCookie): the "remember me" cookie, kept by the browser across restarts
• Session cookie (iPlanetDirectoryPro): issued after successful authentication, without an expiry, so it lives until the browser closes
• Close and reopen the browser: the session cookie is gone, only the persistent cookie is sent, and the user is signed in again without a prompt
• But if the browser doesn't close, then at session time-out the browser still sends the expired session cookie (iPlanetDirectoryPro) next to the persistent cookie, and remember-me does not kick in
• Solution: persist the session cookie with a lifetime; if the session times out, the expired cookie won't be sent
• com.iplanet.am.cookie.timeToLive
• openam.session.persist_am_cookie
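The two cookie behaviours on the slide above, as an added illustration (not OpenAM or Corelio code): a minimal browser cookie jar and an OpenAM-like server model show why an expiry-less session cookie outlives the server-side session, and why giving it the same lifetime as the session fixes it. The cookie names and the two property names are the slide's; the timings, token format and the assumption that a stale session cookie is checked before the persistent one are constructed for the model. Times are plain seconds here; check the unit of com.iplanet.am.cookie.timeToLive in your OpenAM version before copying a value.

```python
"""Model of the remember-me failure mode and fix from the slides.

Added illustration, not OpenAM or Corelio code. Cookie and property names
come from the slides; timings, tokens and the simplified browser/server
behaviour are a constructed model.
"""
from dataclasses import dataclass, field
from typing import Optional

SESSION_COOKIE = "iPlanetDirectoryPro"   # OpenAM SSO token cookie
PERSISTENT_COOKIE = "DProPCookie"        # OpenAM "remember me" cookie
SESSION_TTL = 30 * 60                    # constructed: server-side session lifetime
PERSISTENT_TTL = 30 * 24 * 3600          # constructed: remember-me lifetime


@dataclass
class Cookie:
    value: str
    expires_at: Optional[int]  # None = no Max-Age: lives until the browser closes


@dataclass
class Browser:
    """Cookie jar with the one rule that matters here: a cookie without an
    expiry is sent until the window closes, however long ago the server
    forgot about it."""
    jar: dict = field(default_factory=dict)

    def set_cookie(self, name: str, value: str, expires_at: Optional[int]) -> None:
        self.jar[name] = Cookie(value, expires_at)

    def cookies_for_request(self, now: int) -> dict:
        # Cookies whose expiry has passed are dropped; expiry-less ones always go.
        return {n: c.value for n, c in self.jar.items()
                if c.expires_at is None or c.expires_at > now}

    def close(self) -> None:
        # Closing the browser discards the expiry-less (session) cookies.
        self.jar = {n: c for n, c in self.jar.items() if c.expires_at is not None}


@dataclass
class OpenAMModel:
    persist_am_cookie: bool      # openam.session.persist_am_cookie
    cookie_time_to_live: int     # com.iplanet.am.cookie.timeToLive (seconds in this model)
    sessions: dict = field(default_factory=dict)    # token -> server-side expiry
    persistent: dict = field(default_factory=dict)  # DProPCookie value -> user

    def login(self, browser: Browser, user: str, now: int, remember_me: bool) -> None:
        token = f"tok-{user}-{now}"
        self.sessions[token] = now + SESSION_TTL
        # Without persist_am_cookie the SSO cookie is a browser-session cookie.
        expires = now + self.cookie_time_to_live if self.persist_am_cookie else None
        browser.set_cookie(SESSION_COOKIE, token, expires)
        if remember_me:
            pc = f"pc-{user}"
            self.persistent[pc] = user
            browser.set_cookie(PERSISTENT_COOKIE, pc, now + PERSISTENT_TTL)

    def authenticate_request(self, browser: Browser, now: int) -> str:
        """Returns 'session', 'remember-me' or 'login'.

        Assumption taken from the slides: a present session cookie is validated
        first; if it is stale the user lands on the login page and the
        persistent cookie is never consulted.
        """
        cookies = browser.cookies_for_request(now)
        token = cookies.get(SESSION_COOKIE)
        if token is not None:
            return "session" if self.sessions.get(token, 0) > now else "login"
        user = self.persistent.get(cookies.get(PERSISTENT_COOKIE))
        if user is not None:
            self.login(browser, user, now, remember_me=True)  # silent re-login
            return "remember-me"
        return "login"


def scenario(persist_am_cookie: bool, close_browser: bool) -> str:
    """Log in with remember-me, optionally close the browser, come back after
    the session has timed out and report how the next request is handled."""
    am = OpenAMModel(persist_am_cookie, cookie_time_to_live=SESSION_TTL)
    b = Browser()
    am.login(b, "john", now=0, remember_me=True)
    if close_browser:
        b.close()
    return am.authenticate_request(b, now=SESSION_TTL + 60)


if __name__ == "__main__":
    for persist in (False, True):
        for closed in (True, False):
            print(f"persist_am_cookie={persist!s:5} browser closed={closed!s:5} -> "
                  f"{scenario(persist, closed)}")
```

Only the combination persist_am_cookie=False with the browser left open ends on the login page; the other three end in a silent remember-me login. In the model the cookie lifetime equals the session lifetime; if the server drops the session earlier (an idle timeout, an administrative logout) the stale cookie is sent again until its Max-Age passes, so size the cookie time-to-live against the shortest session limit you enforce.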
Entitlements
• Access policies are URL based
• Define virtual URL policies
• Application checks authorization
• Through OpenAM authorization REST API
Entitlements
Policy: Allow URL: http://www.standaard.be/avond/* Group: Subscribers
Request: http://www.standaard.be/avond/art.aspx?id=23
Headers passed by the agent: HTTP_UID=987654 [email protected] HTTP_sn=doe HTTP_givenname=john
Entitlements
Request: http://www.standaard.be/avond/art.aspx?id=23&action=comment
Policy: Allow URL: http://virtual.standaard.be/comment Group: White listed commenter
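The virtual-URL pattern from the two Entitlements slides, as an added example (not OpenAM or Corelio code): the agent protects the real article URL, and the application maps the in-page "comment" action to the virtual URL http://virtual.standaard.be/comment and asks OpenAM, so the rule lives in a policy rather than in code. The two policies and the sample request URLs are the slide's; the group memberships, user ids and SSO tokens are constructed. The policy engine is a small stand-in for OpenAM's URL-based policies ('*' prefix wildcard, group subject, allowed actions) so the example runs offline, and the REST call follows the shape of OpenAM's legacy identity/authorize interface (uri, action, subjectid, answering "boolean=true" or "boolean=false"); treat both as assumptions to verify against your OpenAM version.

```python
"""Virtual-URL authorization as on the Entitlements slides.

Added illustration, not OpenAM or Corelio code. Policies and request URLs are
the slide's; directory data, tokens, the stand-in policy engine and the
legacy REST call shape are assumptions.
"""
import re
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Policies from the slides (subjects expressed as group names).
POLICIES = [
    {"url": "http://www.standaard.be/avond/*",
     "group": "Subscribers", "actions": {"GET"}},
    {"url": "http://virtual.standaard.be/comment",
     "group": "White listed commenter", "actions": {"GET", "POST"}},
]
# Constructed directory data and SSO sessions (token -> uid).
GROUPS = {
    "987654": {"Subscribers", "White listed commenter"},  # john
    "111111": {"Subscribers"},                            # subscriber who may not comment
}
SESSIONS = {"tok-john": "987654", "tok-jane": "111111"}

# Application-level actions that have no URL of their own get a virtual one.
VIRTUAL_URLS = {"comment": "http://virtual.standaard.be/comment"}


def url_matches(pattern: str, url: str) -> bool:
    """'*' matches any run of characters; the query string is ignored
    (a simplification of OpenAM's resource comparison)."""
    path_only = url.split("?", 1)[0]
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, path_only) is not None


def decide(uid: str, resource: str, action: str) -> bool:
    """Stand-in policy evaluation: allow iff some policy covers the resource
    and action and the user is in that policy's group. Default deny."""
    groups = GROUPS.get(uid, set())
    return any(url_matches(p["url"], resource)
               and action in p["actions"]
               and p["group"] in groups
               for p in POLICIES)


def authorize_url(base_url: str, token: str, resource: str, action: str) -> str:
    """Query for the legacy authorize call (assumed shape, see lead-in)."""
    query = urlencode({"uri": resource, "action": action, "subjectid": token})
    return f"{base_url}/identity/authorize?{query}"


def fake_openam_http(url: str) -> str:
    """Offline stand-in for the OpenAM server answering that call."""
    q = parse_qs(urlsplit(url).query)
    uid = SESSIONS.get(q.get("subjectid", [""])[0])
    allowed = uid is not None and decide(uid, q["uri"][0], q["action"][0])
    return "boolean=true" if allowed else "boolean=false"


def may_perform(http: Callable[[str], str], base_url: str,
                token: str, request_url: str) -> bool:
    """Application-side check. The agent already enforced the real URL; for
    an 'action' parameter the application asks OpenAM about the virtual URL
    instead of hard-coding the rule."""
    action: Optional[str] = parse_qs(urlsplit(request_url).query).get("action", [None])[0]
    if action is None:
        return True   # nothing beyond what the agent enforced at the URL level
    resource = VIRTUAL_URLS.get(action)
    if resource is None:
        return False  # unknown action: deny rather than guess
    answer = http(authorize_url(base_url, token, resource, "POST")).strip()
    return answer == "boolean=true"


ARTICLE = "http://www.standaard.be/avond/art.aspx?id=23"
COMMENT = "http://www.standaard.be/avond/art.aspx?id=23&action=comment"

if __name__ == "__main__":
    base = "http://openam.example.com/openam"  # constructed
    for token in ("tok-john", "tok-jane", "tok-unknown"):
        print(token, "read:", may_perform(fake_openam_http, base, token, ARTICLE),
              "comment:", may_perform(fake_openam_http, base, token, COMMENT))
```

Two points the layout enforces: the virtual host never needs to resolve, because only the policy engine ever sees it, and an action the application does not know how to map is denied rather than passed through, so adding a new action means adding a policy, not a code path. In production replace fake_openam_http with a real HTTP call to your OpenAM instance and take the token from the iPlanetDirectoryPro cookie of the incoming request.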
Mobile applications
• Apps cannot be impacted
• Third party not to store credentials
• Client credential OAuth profile
• Patches required in OpenAM XPress 10.1.0
Mobile applications (flow diagram)
• Third party -> Content server: e-mail/password
• Content server -> Third party: OAuth token, content
• Third party -> Content server (later requests): e-mail/OAuth token
Project results
• Successful launch of every tenant
• Agile policy management
• Centralized secure password storage
• Session quota for subscribers enforced
Lessons learned
• Value of ForgeRock support
• Avoid crosstalk through sticky sessions
• Use dedicated application pools in IIS
• Use OpenDJ entry cache for large static groups
• But don't preload the entry cache
Roadmap
• Session quota for mobile apps
• Open Identity Stack upgrade
• Media ID
• Metering
Thank you
Robin Gorris
Partner - Senior Architect +32 (0)474 40 99 91 [email protected]
Business Park King Square Veldkant 33A - 2550 Kontich
http://www.is4u.be