Presented by Rogerio A. Rondini, Professional Services Manager & Solutions Architect, Smart Software, at the ForgeRock Open Identity Summit, June 2013
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
Case Study - Largest Brazilian Credit and Debtor Operator, A ForgeRock OpenAM Deployment
1. Open Identity Summit
Brazilian Success History
Rogério A. Rondini
Professional Service Manager
Smart Software
2. Open Identity Summit
Speaker BIO
Former Sun solution architect
Over 15 years of experience in the
development of mission-critical software
solutions
PhD in Electrical Engineering
Professor in computer science courses
4. Open Identity Summit
Brasil
Emerging economy
IT market handled 102bi in the last year, a
growth of 11%
Has become a leader in open source adoption
5. Open Identity Summit
Smart Software
Young company
Leaders are former Sun employees/consultants
Development and integration focusing on
open source solutions
First ForgeRock partner in Brasil
6. Open Identity Summit
Smart Software
OS and Virtualization
(Red Hat Partner)
Middleware
(Red Hat Partner)
B.I
(Pentaho Community)
BPM
(Bonita Software Partner)
Portal and CMS
(Liferay Community Platform)
Security
(ForgeRock Gold Partner)
Full Open Source Stack
7. Open Identity Summit
Success History
Largest Latin America payment company
Leader in the payment processing industry
1.3 million active merchants
Present in 99% of Brazilian municipalities
Annual growth rate of 20% in Financial Trading
Volume between 2011 and 2012
8. Open Identity Summit
Success History
Largest Latin America payment company
3 years of successful deployment
First protected application in May 2010
Dec 2010: bought subscription support
Today it has around 10 protected applications
from different technologies
Continuous deployment approach
9. Open Identity Summit
Business Problem # 01
A myriad of applications accessing LDAP, each in
its own way
– No API standardization
– CHAOS in the Information Security
department
– Performance bottleneck on the LDAP server
10. Open Identity Summit
Business Problem # 02
Employees must authenticate to third-party
applications (SaaS model) with their network
login
– Dump of the LDAP DB to the third-party
application, causing synchronization problems
and a security gap
11. Open Identity Summit
Business Problem # 03
Applications using different technologies and
requiring different ways of authentication
– Need for a solution which offers flexibility for
customization
12. Open Identity Summit
OpenAM Solution # 01
OpenAM as the central authentication and
authorization server
No more direct access to the LDAP DB
Continuous deployment approach
14. Open Identity Summit
Ongoing deployment (continuous deployment)
C++ web application, protected by Apache Policy Agent
Self-service password reset for external users
More .NET applications calling the REST interface
WebSphere Portal Server: WebSphere Policy Agent,
custom Auth-Module, custom self-service
OpenAM Solution # 01
15. Open Identity Summit
Architecture diagram (slide content):
LDAP
OpenAM infrastructure
App A: custom Weblogic Auth-provider calling the WS/REST interface
App B: Weblogic Policy Agent
App C: JBoss Policy Agent
App D: .NET app calling the REST interface
SaaS apps: Fedlet, Federation, Circle of Trust
OpenAM Solution # 02
16. Open Identity Summit
OpenAM Solution # 03
WebSphere Portal Server integration
– WPS is not a simple JEE application
– The OpenAM WebSphere Policy Agent is not
sufficient to protect WPS
– Need a custom solution
17. Open Identity Summit
WPS Integration problem
... The Custom User Registry
(AmAgentUserRegistry) does not
work with WPS
OpenAM Solution # 03
18. Open Identity Summit
WPS Integration problem
... The OpenAM agent filter (AmAgentFilter) does not take
effect in WPS
... IBM recommends the use of a Session Validation
Filter, a portlet filter, not a servlet filter
OpenAM Solution # 03
19. Open Identity Summit
The Solution...
1. Configure the WebSphere Federated Repository
instead of the Custom User Registry
2. Use the Agent TAI (AmTrustAssociationInterceptor)
to perform SSO
3. Implement a custom Session Validation Filter
instead of the agent filter
OpenAM Solution # 03
20. Open Identity Summit
Federated Repository...
Using the default WebSphere LDAPAdaptor class
Next step: implement a custom VMM OpenAMAdaptor
Trust Association Interceptor...
OpenAM Solution # 03
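As an added illustration of step 3 (a portlet filter doing the session check that the agent's servlet filter cannot do inside WPS), the following JSR-286 render filter validates the OpenAM SSO token on every render. It is example code, not the presenter's or IBM's implementation; it assumes the OpenAM client SDK is configured for the portal JVM (AMConfig.properties on the classpath) and that the session cookie keeps OpenAM's default name.

```java
import java.io.IOException;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.portlet.filter.FilterChain;
import javax.portlet.filter.FilterConfig;
import javax.portlet.filter.RenderFilter;
import javax.servlet.http.Cookie;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

// Portlet render filter (registered in portlet.xml) that asks OpenAM, on every
// render, whether the session behind the SSO cookie is still valid.
public class OpenAMSessionValidationFilter implements RenderFilter {

    // OpenAM's default session cookie name; adjust if the deployment renamed it.
    static final String COOKIE_NAME = "iPlanetDirectoryPro";

    @Override
    public void doFilter(RenderRequest request, RenderResponse response, FilterChain chain)
            throws IOException, PortletException {
        String tokenId = findCookie(request.getCookies(), COOKIE_NAME);
        if (tokenId == null || !isSessionValid(tokenId)) {
            // Drop the portal session so the TAI forces a fresh OpenAM login next time.
            request.getPortletSession().invalidate();
            response.getWriter().write("Session expired. Please sign in again.");
            return;
        }
        chain.doFilter(request, response);
    }

    // Validates with the OpenAM server, not just by cookie presence, and fails closed.
    static boolean isSessionValid(String tokenId) {
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken token = manager.createSSOToken(tokenId);
            return manager.isValidToken(token);
        } catch (SSOException e) {
            return false; // unknown, expired or malformed token
        }
    }

    private static String findCookie(Cookie[] cookies, String name) {
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    @Override public void init(FilterConfig config) throws PortletException { }
    @Override public void destroy() { }
}
```

A render filter only covers render requests; the same check should also be applied as an ActionFilter so that form submissions to a portlet with an expired session are not processed.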
22. Open Identity Summit
OpenAM Solution # 03
Legacy Portal vs WPS Portal
– The problem statement is to give the user access to
both (WPS and Legacy) with a
single login
• The legacy system uses its own login implementation
• The legacy login implementation loads a lot of information into
the HTTP session
• Some profile attributes are stored in an RDBMS
23. Open Identity Summit
OpenAM Solution # 03
Proposed solution
Protect the legacy application with the JEE Policy Agent
Remove the legacy login servlet
Make the new portal (WPS) the entry point for users. SSO
between WPS and Legacy solves the single login
problem
Implement a custom Post Authentication Plugin to load the
session information for the legacy system that was previously loaded
by the legacy login servlet
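To show how the last step can be done, here is an added example (not the presenter's code) of an OpenAM Post Authentication Plugin that reads the profile attributes the legacy login servlet used to fetch from the RDBMS and stores them as properties on the OpenAM session, where the legacy application can read them from its SSOToken. The JDBC URL, table and column names are constructed for the example; the "legacy." property prefix is a naming choice.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

// Post Authentication Plugin, configured on the realm / authentication chain in OpenAM.
public class LegacyProfilePostAuthPlugin implements AMPostAuthProcessInterface {

    // Constructed for this example; a production deployment would use a container DataSource.
    static final String JDBC_URL = "jdbc:postgresql://legacy-db.example.internal/profile";
    static final String SQL = "SELECT cost_center, branch_code FROM user_profile WHERE login = ?";

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        try {
            // "UserId" is the standard OpenAM session property holding the authenticated user id.
            copyLegacyProfile(ssoToken.getProperty("UserId"), ssoToken);
        } catch (SSOException e) {
            throw new AuthenticationException("Cannot read OpenAM session: " + e.getMessage());
        } catch (SQLException e) {
            // Fail the login rather than let the legacy app run with a half-populated profile.
            throw new AuthenticationException("Cannot load legacy profile: " + e.getMessage());
        }
    }

    // Parameterized query; each column becomes a namespaced session property. List these
    // names among OpenAM's protected session properties so clients cannot overwrite them.
    static void copyLegacyProfile(String login, SSOToken token) throws SQLException, SSOException {
        try (Connection c = DriverManager.getConnection(JDBC_URL);
             PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, login);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) throw new SQLException("no legacy profile for " + login);
                token.setProperty("legacy.costCenter", rs.getString("cost_center"));
                token.setProperty("legacy.branchCode", rs.getString("branch_code"));
            }
        }
    }

    public void onLoginFailure(Map p, HttpServletRequest q, HttpServletResponse r) throws AuthenticationException { }
    public void onLogout(HttpServletRequest q, HttpServletResponse r, SSOToken t) throws AuthenticationException { }
}
```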
24. Open Identity Summit
Final Remarks
OpenAM is the best enterprise-class Access
Manager solution
Simple deployment
Open standards
Flexible to extend