8/12/2019 coreliomediacasestudybyis4u-131031164001-phpapp02(1)
2013 Open Stack Identity Summit - France
Corelio Media
An Open Identity Stack case study
Introducing
The case
- Custom-built CRM system with provisioning
- Custom SSO implementations
- Room for improved privacy protection
- Per-application social media integration
- Authorization logic embedded in application code (in-code authorization)
Goals and challenges
- Single Sign-On
- Centralized policy & session management
- Multi-tenant support
- Identity management for 4.1M identities
- 3-month time constraint
Priorities
- Performance
- Ease of application integration
- User comfort & privacy
Requiring the full stack
- Central user store: OpenDJ
- SSO & policy enforcement: OpenAM
- Provisioning of the user store: OpenIDM
The agent approach
- Simple architecture
- Agents scale with the infrastructure
- Distributed high-availability architecture
- No impact on out-of-scope servers
Special cases
- IP authentication
- Instant sync
- Remember me
- Entitlements
- Mobile applications
Remember me
Remember me
Two cookies are issued after successful authentication:
- P: persistent cookie (DProPCookie)
- S: session cookie (iPlanetDirectoryPro)
Remember me
Close and reopen the browser: the session cookie S is gone, only the persistent cookie P remains, and that is what "remember me" relies on.
Remember me
But if the browser does not close, then at session time-out the browser still sends the expired session cookie S (iPlanetDirectoryPro) alongside the persistent cookie P, and the stale S cookie gets in the way of the persistent-cookie login.
Remember me
Solution: persist the session cookie. If the session times out, the expired cookie won't be sent, so only P reaches OpenAM.
OpenAM properties:
- com.iplanet.am.cookie.timeToLive
- openam.session.persist_am_cookie
With openam.session.persist_am_cookie enabled, the iPlanetDirectoryPro cookie is written with a lifetime (com.iplanet.am.cookie.timeToLive) instead of as a browser-session cookie, so the browser discards it on its own once the server-side session has timed out. Keep that cookie lifetime aligned with the session timeout: a cookie that outlives the session reintroduces the problem, and one that expires earlier cuts active sessions short.
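The cookie interplay on the four slides above, as an added example that is not code from the Corelio/is4u project or from OpenAM: a toy browser cookie jar and a toy server that reproduce the three situations (active session, browser closed and reopened, browser left open past the session timeout) with and without a persisted session cookie. The cookie names are OpenAM's; the lifetimes, the clock in seconds, the in-memory session table and the rule that a stale session cookie ends at the login page (as the slides describe) are assumptions of the model.

```python
"""Toy model of the 'remember me' cookie interplay on the preceding slides.

Added example, not code from the Corelio/is4u project or from OpenAM itself.
  - iPlanetDirectoryPro (S): the session cookie
  - DProPCookie (P): the persistent 'remember me' cookie
Cookie names are OpenAM's; the lifetimes, the clock (seconds), the session table
and the stale-S-cookie-means-login rule are assumptions of the model.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSION_COOKIE = "iPlanetDirectoryPro"
PERSISTENT_COOKIE = "DProPCookie"


@dataclass
class Cookie:
    value: str
    expires_at: Optional[float]  # None: browser-session cookie, dropped on close


@dataclass
class Browser:
    jar: dict = field(default_factory=dict)

    def set_cookie(self, name, value, max_age, now):
        self.jar[name] = Cookie(value, None if max_age is None else now + max_age)

    def close_and_reopen(self):
        # only cookies with an expiry survive a browser restart
        self.jar = {n: c for n, c in self.jar.items() if c.expires_at is not None}

    def cookies_to_send(self, now):
        # a browser discards expired cookies instead of sending them
        return {n: c.value for n, c in self.jar.items()
                if c.expires_at is None or c.expires_at > now}


@dataclass
class OpenAMModel:
    session_timeout: float         # server-side session lifetime (seconds)
    persist_am_cookie: bool        # models openam.session.persist_am_cookie
    persistent_cookie_ttl: float = 30 * 24 * 3600   # assumed DProPCookie lifetime
    sessions: dict = field(default_factory=dict)           # sid -> (user, expiry)
    persistent_tokens: dict = field(default_factory=dict)  # token -> user

    def login(self, browser, user, now):
        """Successful authentication: issue both S and P."""
        self._issue_session(browser, user, now)
        token = secrets.token_urlsafe(16)
        self.persistent_tokens[token] = user
        browser.set_cookie(PERSISTENT_COOKIE, token, self.persistent_cookie_ttl, now)

    def _issue_session(self, browser, user, now):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, now + self.session_timeout)
        # with persist_am_cookie the S cookie gets a lifetime equal to the session
        # timeout (com.iplanet.am.cookie.timeToLive); otherwise it is a
        # browser-session cookie without any expiry
        max_age = self.session_timeout if self.persist_am_cookie else None
        browser.set_cookie(SESSION_COOKIE, sid, max_age, now)

    def access(self, browser, now):
        """How one request gets authenticated: 'session', 'persistent' or 'login'."""
        sent = browser.cookies_to_send(now)
        if SESSION_COOKIE in sent:
            entry = self.sessions.get(sent[SESSION_COOKIE])
            if entry is not None and entry[1] > now:
                return "session"
            # stale S cookie presented: the slides show this ending at the login page
            return "login"
        if PERSISTENT_COOKIE in sent:
            user = self.persistent_tokens.get(sent[PERSISTENT_COOKIE])
            if user is not None:
                self._issue_session(browser, user, now)   # P renews S
                return "persistent"
        return "login"


def scenario(persist_am_cookie, timeout=30 * 60):
    """Walk the three slide situations; times are seconds since login."""
    am = OpenAMModel(session_timeout=timeout, persist_am_cookie=persist_am_cookie)
    b = Browser()
    am.login(b, "john", now=0)
    results = {"active": am.access(b, now=60)}
    b.close_and_reopen()
    results["reopen"] = am.access(b, now=120)
    results["left_open_past_timeout"] = am.access(b, now=120 + timeout + 60)
    return results


if __name__ == "__main__":
    print("persist_am_cookie=false:", scenario(False))
    print("persist_am_cookie=true: ", scenario(True))
```

Without the persisted cookie the third situation ends at the login page; with it the browser drops S at the same moment the server-side session dies and P takes over. The side effect is also visible: a persisted S cookie survives a browser restart within its lifetime, so the "reopen" case is then served by the still-valid session rather than by P.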
Entitlements
- Access policies are URL-based
- Define virtual URL policies
- The application checks authorization through the OpenAM authorization REST API
Entitlements
Policy: Allow
URL: http://www.standaard.be/avond/*
Group: Subscribers
Request: http://www.standaard.be/avond/art.aspx?id=23
Headers passed to the application: HTTP_sn=doe, HTTP_givenname=john
Entitlements
Request: http://www.standaard.be/avond/art.aspx?id=23&action=comment
Policy: Allow
URL: http://virtual.standaard.be/comment
Group: White listed commenter
The virtual URL is not a page that is served: the application maps action=comment to it and asks OpenAM for a decision on that URL, so commenting rights are a policy rather than code in the application.
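The two entitlement slides worked through in code, as an added example that is neither the Corelio/is4u implementation nor OpenAM's policy engine: a small evaluator loaded with the two slide policies, the agent step that enforces the real URL and injects the profile headers, and the application step that maps action=comment to the virtual URL. URLs and group names are the slides'; the wildcard semantics, the query-string handling, the user records and the default-deny rule are assumptions, and is_allowed() stands in for the call the application would make to OpenAM's authorization REST API.

```python
"""URL-based entitlements as on the preceding slides.

Added example, not the Corelio/is4u implementation and not OpenAM's policy
engine. URLs and group names come from the slides; wildcard semantics,
query-string handling, user records and default deny are assumptions, and
is_allowed() stands in for the authorization REST call.
"""
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Policies from the slides: which group may reach which resource pattern.
POLICIES = [
    {"resource": "http://www.standaard.be/avond/*", "group": "Subscribers"},
    {"resource": "http://virtual.standaard.be/comment", "group": "White listed commenter"},
]

# Constructed user store entries: uid -> groups plus the attributes the agent
# forwards as HTTP_sn / HTTP_givenname headers.
USERS = {
    "jdoe": {"groups": {"Subscribers"}, "sn": "doe", "givenname": "john"},
    "asmith": {"groups": {"Subscribers", "White listed commenter"}, "sn": "smith", "givenname": "anna"},
    "guest": {"groups": set(), "sn": "", "givenname": ""},
}

# Application-side mapping of a request action to the virtual URL it is policed by.
ACTION_TO_VIRTUAL_URL = {"comment": "http://virtual.standaard.be/comment"}


def resource_of(url):
    """Scheme, host and path only: the query string ('?id=23') is not part of
    the policy resource, so every article under /avond/ falls under one rule."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path}"


def is_allowed(uid, url):
    """Policy decision for one user and one URL; default deny."""
    user = USERS.get(uid)
    if user is None:
        return False
    resource = resource_of(url)
    return any(fnmatchcase(resource, pol["resource"]) and pol["group"] in user["groups"]
               for pol in POLICIES)


def agent_filter(uid, url):
    """What the web agent does with the real URL: enforce the URL policy and,
    on allow, inject the profile attributes as request headers."""
    if not is_allowed(uid, url):
        return "deny", {}
    user = USERS[uid]
    return "allow", {"HTTP_sn": user["sn"], "HTTP_givenname": user["givenname"]}


def application_check(uid, url):
    """What the application does once the agent let the request through:
    map 'action' to its virtual URL and ask for a second decision."""
    action = parse_qs(urlsplit(url).query).get("action", [None])[0]
    if action is None:
        return "allow", None            # plain read: the agent decision suffices
    virtual = ACTION_TO_VIRTUAL_URL.get(action)
    if virtual is None:
        return "deny", None             # unknown action: never default to allow
    return ("allow" if is_allowed(uid, virtual) else "deny"), virtual


def handle(uid, url):
    """Full path of one request: (decision, headers, virtual URL checked)."""
    decision, headers = agent_filter(uid, url)
    if decision == "deny":
        return decision, headers, None
    decision, virtual = application_check(uid, url)
    return decision, headers, virtual


if __name__ == "__main__":
    for uid, url in [
        ("jdoe", "http://www.standaard.be/avond/art.aspx?id=23"),
        ("jdoe", "http://www.standaard.be/avond/art.aspx?id=23&action=comment"),
        ("asmith", "http://www.standaard.be/avond/art.aspx?id=23&action=comment"),
        ("guest", "http://www.standaard.be/avond/art.aspx?id=23"),
    ]:
        print(uid, url, "->", handle(uid, url))
```

Two things are worth keeping from the model: the query string is stripped before matching, otherwise `?id=23` would have to be covered by the wildcard and a crafted query could be used to dodge a more specific rule, and an action the application does not know is denied instead of falling back to the agent's allow.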
Mobile applications
- Apps cannot be impacted
- Third party not to store credentials
- Client credential OAuth profile
- Patches required in OpenAM XPress 10.1.0
Mobile applications
Flow between the third party and the content server (diagram):
- Third party -> content server: e-mail/password
- Content server -> third party: OAuth token
- Third party -> content server: e-mail/OAuth token
- Content server -> third party: content
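The exchange in the diagram above, as an added example that is not the Corelio/is4u implementation or OpenAM's OAuth support: the third party trades the user's e-mail and password once for a token and from then on presents only e-mail plus token, so it never has to keep the password. Assumptions of the model: opaque random bearer tokens that the server stores hashed and bound to the e-mail they were issued for, a fixed token lifetime, and an in-memory directory with PBKDF2 password hashes standing in for the real user store.

```python
"""Model of the mobile flow on the slide: e-mail/password -> token once, then
e-mail/token for every content request.

Added example, not the Corelio/is4u implementation and not OpenAM's OAuth code.
Assumptions: opaque random bearer tokens stored hashed on the server and bound
to an e-mail address, a fixed token lifetime, an in-memory user directory.
"""
import hashlib
import hmac
import secrets

TOKEN_TTL = 24 * 3600      # assumed token lifetime in seconds
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_key(token):
    # only a hash of the bearer token is kept server-side, so a leaked token
    # table does not hand out usable tokens
    return hashlib.sha256(token.encode()).digest()


class ContentServer:
    """The side that owns the credentials (OpenAM/OpenDJ in the real deployment)."""

    def __init__(self):
        self._users = {}    # email -> (salt, password hash)
        self._tokens = {}   # token_key -> (email, expiry)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, hash_password(password, salt))

    def issue_token(self, email, password, now):
        """e-mail/password -> token, or None on bad credentials."""
        record = self._users.get(email)
        if record is None:
            hash_password(password, b"\0" * 16)   # same cost for unknown users
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token_key(token)] = (email, now + TOKEN_TTL)
        return token

    def fetch_content(self, email, token, article_id, now):
        """e-mail/token -> content, or None if the token is unknown, expired or
        was issued to a different e-mail address."""
        entry = self._tokens.get(token_key(token))
        if entry is None:
            return None
        bound_email, expiry = entry
        if now >= expiry or not hmac.compare_digest(bound_email, email):
            return None
        return f"article {article_id} for {email}"

    def revoke_tokens(self, email):
        """Password change or 'log out everywhere': drop every token bound to the e-mail."""
        self._tokens = {k: v for k, v in self._tokens.items() if v[0] != email}


class ThirdPartyApp:
    """The mobile app: after login it holds e-mail and token only."""

    def __init__(self, server):
        self._server = server
        self.email = None
        self.token = None

    def login(self, email, password, now):
        token = self._server.issue_token(email, password, now)
        if token is None:
            return False
        self.email, self.token = email, token   # the password is not kept anywhere
        return True

    def get_article(self, article_id, now):
        if self.token is None:
            return None
        return self._server.fetch_content(self.email, self.token, article_id, now)


if __name__ == "__main__":
    server = ContentServer()
    server.register("john@example.com", "correct horse")   # constructed user
    app = ThirdPartyApp(server)
    print("login:", app.login("john@example.com", "correct horse", now=0))
    print("content:", app.get_article(23, now=10))
    print("stored by app:", vars(app).keys())
```

Binding the token to the e-mail it was issued for means the pair in the diagram (e-mail/OAuth token) is checked as a pair: a token lifted from one account does not work with another address, and revoking on password change keeps a compromised app install from outliving the credential it started from.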
Project results
- Successful launch of every tenant
- Agile policy management
- Centralized secure password storage
- Session quota for subscribers enforced
Lessons learned
- Value of ForgeRock support
- Avoid cross-talk by using sticky sessions (route a client consistently to the OpenAM instance that owns its session)
- Use dedicated application pools in IIS
- Use the OpenDJ entry cache for large static groups
- But don't preload the entry cache
Roadmap
- Session quota for mobile apps
- Open Identity Stack upgrade
- Media ID
- Metering
Thank you
Robin Gorris, Partner - Senior Architect
+32 (0)474 40 99 91
Business Park King Square, Veldkant 33A - 2550 Kontich
http://www.is4u.be