Thomson Reuters case study
DESCRIPTION
Presented by Tim Vogt, Senior Technologist, Thomson Reuters at ForgeRock Open Identity Summit, June 2013.
TRANSCRIPT
Open Identity Summit
The platform we built: on OpenAM and OpenDJ
Tim Vogt, Architect; Thisana Pienlert, Technical Lead
Thomson Reuters
About us…
What is “Thomson Reuters Eikon”?
A desktop application: a financial information product.
A platform that delivers content, market data, infrastructure services, hosted applications.
The platform’s tasks:
Inbound: Protect its own value
Outbound: Deliver the right stuff to the right people in a quick & easy way
With an identity hat on: the individual end user is less interesting than the services they’re paying for.
Managing Identity is a necessary evil rather than a purpose.
A bit of history
Previous product generations were “fat” in many ways: a fat desktop application, dedicated infrastructure, hard to provision and complex to manage.
No true authentication, instead a complex, multi-layered authorisation system reliant upon trusted connections.
Previous attempts to “go hosted” and consolidate on a platform were not unsuccessful, but did not deliver the desired economy of scale.
Thomson had a web-based delivery platform, backed by an existing ID&AM architecture.
“Common Platform” was to turn things around, providing single sign-on, federation capabilities, centralised permissioning, replicated storage and a self-admin framework.
Renewed focus on “customer first”: Ease of use, convenience, performance.
[Architecture diagram; labels recovered from the slide: Content DB, Real-time distribution network, Deployed Distribution Infrastructure, Data Sources, ThomsonOne, Internet]
Shape-shifting Platform - Version 1
[Diagram; labels recovered from the slide: AAA, CCRM]
Shape-shifting Platform - Version 2
[Diagram; labels recovered from the slide: AAA, CCRM, AAA, OAuth, SAML2, Federation, OpenID, App store, Eikon API, Eikon cloud]
Shape-shifting Platform – The Future?
[Diagram; labels recovered from the slide: AAA, CCRM, Single Identity Master]
Eikon might turn into an execution framework, managing the interactions with the platform from the desktop.
How Security Awareness changed
Account management
Access control
Authentication policies
Session policies
Auditing
For customer acceptance, security must be visibly solid and flawless, whilst ensuring intuitiveness for the end user.
[Slide quotes, labelled 2007, 2011 and 2013; which quote belongs to which year is not recoverable from the transcript]
“Stop making things so difficult and complex! My clients [developers] need convenience.”
“Expire passwords!”
“Terminate sessions!”
“Require second factor!”
“Introduce fingerprint readers!”
Lessons learnt
Business people don’t always appreciate architectural guidance – but they need it, especially in the IDAM space.
Whether or not industry buzz brings useful technological developments worth adopting is often a question of timing.
It’s the quick and easy solutions that score and bring visible success – the challenge is to keep them under control and avoid
Keep calm and carry on, absorb the pain, do the right thing.
The stack
[Stack diagram; labels recovered from the slide, in the order they appear]
Original stack: Java, Solaris 10, SWS 7, Sun AM 7.1, DSEE 6
Migration Phase 1 (2011): Java, Apache/Tomcat, OpenAM 9.x, DSEE 6
Phase 2 (2013): OpenDJ
Solaris 10: right now!
TIMELINE FOR PRODUCT OPTIONS (2010)
[Timeline diagram; labels recovered from the slide]
Dates: 2010 Q2, 2011 Q2, 2012 Q2, EOY 2012, EOY 2013, EOY 2014…
Items: AM 7.1-TR, CP 1.0, CP 1.5, OpenSSO 8U2, End of premier support, OpenAM 9, OAM 11gR2
What SunAM/OpenAM had to do for us
SSO:
- between web and non-web applications
- covering HTTP and non-HTTP protocols
- across two physically separate delivery networks
- across multiple global sites
Exclusive Sign-On: Enforcing a single device, single session per user globally
Site affinity: Direct all access to user’s home site or failover site
Session refresh: Virtually infinite session duration
Heavily customised authentication flows
24x7 availability, non-disruptive maintenance
120,000 active users per data centre, 50 logins per second
…and what we had to do to them
Request various functional enhancements:
Persistent cookie for master token
Communication between DAS and AM
Better support for hardware-load balanced set-ups: DAS, PA (POST data preservation)
Request many fixes:
PA (for IIS)
Session housekeeping and failover
MQ
Consistent updates of cached state and config information
What we expect from OpenAM
Solve the Policy Agent pain:
Ensure stability
Suitable, stable, manageable alternatives for different use cases: OpenIG, Fedlet, …
Stabilise session failover and global session replication
Consistent replication of distributed state information
Complete REST framework including authorisation
What we expect from OpenDJ
A successful migration on June 22nd
Rock-solid replication
Fix session failover and replication in OpenAM
Complete and reliable monitoring
Write performance
Scale & Stability
Q & A