
Thomson Reuters Case Study

Date post: 21-May-2015
Upload: forgerock
Description:
Presented by Tim Vogt, Senior Technologist, Thomson Reuters at ForgeRock Open Identity Summit, June 2013.
Transcript
Page 1: Thomson Reuters Case Study

Open Identity Summit

The platform we built on OpenAM and OpenDJ

Tim Vogt, Architect

Thisana Pienlert, Technical Lead

Thomson Reuters

Page 2: Thomson Reuters Case Study

About us…

Page 3: Thomson Reuters Case Study

About us…

Page 4: Thomson Reuters Case Study

What is “Thomson Reuters Eikon”?

A desktop application: A financial information product

A platform that delivers content, market data, infrastructure services, hosted applications.

The platform’s tasks:

Inbound: Protect its own value

Outbound: Deliver the right stuff to the right people in a quick & easy way

With an identity hat on: The individual end user is less interesting than the services they’re paying for.

Managing Identity is a necessary evil rather than a purpose.

Page 5: Thomson Reuters Case Study

A bit of history

Previous product generations were “fat” in many ways: a fat desktop application, dedicated infrastructure, hard to provision and complex to manage.

No true authentication, instead a complex, multi-layered authorisation system reliant upon trusted connections.

Previous attempts to “go hosted” and consolidate on a platform were not unsuccessful, but did not deliver the desired economy of scale.

Thomson had a web-based delivery platform, backed by an existing ID&AM architecture.

“Common Platform” was to turn things around, providing single sign-on, federation capabilities, centralised permissioning, replicated storage and a self-admin framework.

Renewed focus on “customer first”: Ease of use, convenience, performance.

Content DB

Real-time distribution network

Deployed Distribution

Infrastructure

Data Sources

ThomsonOne

Internet

Page 6: Thomson Reuters Case Study

Shape-shifting Platform - Version 1

AAA

CCRM

Page 7: Thomson Reuters Case Study

Shape-shifting Platform - Version 2

AAA

CCRM

AAA

oAuth

SAML2

Federation

OpenID

App store

Eikon API

Eikon cloud

Page 8: Thomson Reuters Case Study

Shape-shifting Platform – The Future ?

AAA

CCRM

Single Identity Master

Eikon might turn into an execution framework, managing the interactions with the platform from the desktop.

Page 9: Thomson Reuters Case Study

How Security Awareness changed

Account management

Access control

Authentication policies

Session policies

Auditing

For customer acceptance, security must be visibly solid and flawless, whilst ensuring intuitiveness for the end user.

Stop making things so difficult and complex! My clients [developers] need convenience.

Expire passwords! Terminate sessions! Require second factor! Introduce fingerprint readers!

Timeline: 2007, 2011, 2013

Page 10: Thomson Reuters Case Study

Lessons learnt

Business people don’t always appreciate architectural guidance – but they need it, especially in the IDAM space.

Whether or not industry buzz brings useful technological developments worth adopting is often a question of timing.

It’s the quick and easy solutions that score and bring visible success – the challenge is to keep them under control and avoid

Keep calm and carry on, absorb the pain, do the right thing.

Page 11: Thomson Reuters Case Study

The stack

Java

SOLARIS 10

Java

SWS 7

Sun AM 7.1

DSEE 6

Apache / Tomcat

OpenAM 9.x

DSEE 6

OpenDJ

Migration

Phase 1 (2011)

Phase 2 (2013)

SOLARIS 10

Right now!

Page 12: Thomson Reuters Case Study

TIMELINE FOR PRODUCT OPTIONS (2010)

2010 Q2

AM 7.1-TR

2011 Q2 2012 Q2 EOY 2012 EOY 2013

CP 1.0 CP 1.5

OpenSSO 8U2

End of premier support

OpenAM 9

OAM 11gR2

EOY 2014…..

Page 13: Thomson Reuters Case Study

What SunAM/OpenAM had to do for us

SSO:

between web and non-web applications

covering HTTP and non-HTTP protocols.

across two physically separate delivery networks

across multiple global sites

Exclusive Sign-On: Enforcing a single device, single session per user globally

Site affinity: Direct all access to user’s home site or failover site

Session refresh: Virtually infinite session duration

Heavily customised authentication flows

24x7 availability, non-disruptive maintenance

120,000 active users per data centre, 50 logins per second

Page 14: Thomson Reuters Case Study

…and what we had to do to them:

Request various functional enhancements:

Persistent cookie for master token

Communication between DAS and AM

Better support for hardware-load balanced set-ups: DAS, PA (POST data preservation)

Request many fixes:

PA (for IIS)

Session housekeeping and failover

MQ

Consistent updates of cached state and config information

Page 15: Thomson Reuters Case Study

What we expect from OpenAM

Solve the Policy Agent pain:

Ensure stability

Suitable, stable, manageable alternatives for different use cases: OpenIG, Fedlet, …

Stabilise session failover and global session replication

Consistent replication of distributed state information

Complete REST framework including authorisation

Page 16: Thomson Reuters Case Study

What we expect from OpenDJ

A successful migration on June 22nd

Rock-solid replication

Fix session failover and replication in OpenAM

Complete and reliable monitoring

Write performance

Scale & Stability

Page 17: Thomson Reuters Case Study

Q & A

