Enabling Content

Al Maline, Sr. Enterprise Architect
FDIC, Enterprise Technology Branch, Enterprise Architecture Program Section
Agenda

• Quick Intro
• Identity is a Strategic Asset
• Content Analysis with Services – A Geospatial Example
• Publishing Content
• Q & A
Me

FDIC (almost 4 years): Division of Information Technology, Enterprise Technology Branch, Enterprise Architecture Program Section
• Al Maline
• [email protected]
• 703-516-5230

Prior to FDIC: Enterprise Architect; Software Developer (Java, Application Express); PeopleSoft Administrator; Oracle Database Administrator; Unix Administrator. Clients such as PBGC, MSRC, Silicon Graphics, General Motors.
Identity is a Strategic Asset

WE CAN NOT SHARE CONTENT IF WE DO NOT KNOW WHO YOU ARE
Current Practice

• Identity silos: FDIC Connect for Financial Institutions, Non-Depository Claims, E-FOIA, FDIC Active Directory
• Multiple methods of managing identity
Why does a consistent identity matter?

• Cannot answer simple questions, such as: how many submitters of claims also submit an E-FOIA request?
• Cannot deploy new solutions quickly (or inexpensively) if each application needs to solve the identity management problem on its own
• Cannot reliably or easily communicate with ALL of our customers
• Identity becomes a stumbling block instead of an enabler
Where does security happen?

[Figure: four zones separated by perimeters]
• Untrusted Zone: Internet, anonymous users (no identity)
• Perimeter
• Federation Zone: identity assigned
• Perimeter
• Trusted Zone: authenticated users (identity authorized)
• Perimeter
• Restricted Zone: controlled administrative access
How is identity assigned?

Security Assertion Markup Language (SAML) 2.0: an XML document that contains
• Issuer element, which contains the unique identifier of the identity provider
• Signature element, which contains an integrity-preserving digital signature
• Subject element, which identifies the authenticated principal
• Conditions element, which gives the conditions under which the assertion is to be considered valid
• Authentication-Statement element, which describes the act of authentication at the identity provider
• Attribute-Statement element, which asserts a multi-valued attribute associated with the authenticated principal
How is identity assigned?

[Figure: assertion flow between identity source and destination application]
Identity source (identity provider): Authentication Authority
Destination application (service provider): Resource Manager
1) Authentication: the user authenticates to the authentication authority
2) Assertion: the identity provider issues a SAML assertion to the user
3) Request + assertion: the user presents the request together with the assertion to the resource manager
4) Resource: the resource manager returns the resource
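As an added example (not code from the deck or from any FDIC system), the checks the SAML consumer performs when the assertion arrives with the request at step 3, walking the elements listed on the previous slide from the consumer's side: Issuer against the list of identity providers the SP trusts (FDIC's own producer or a federated partner's), Signature, Conditions (validity window and audience), Subject together with an Authentication-Statement, and the Attribute-Statement. The issuer IDs, audience, key placeholder, sample assertion and the `accept_any_signature_UNSAFE` test double are constructed assumptions; cryptographic verification of the XML signature has to come from an XML-DSig library, which is why it is passed in as a callable rather than implemented here.

```python
"""SP-side checks on a SAML 2.0 assertion (added example, see lead-in)."""
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml's drop-in parser for untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Issuers this SP trusts (the FDIC producer or a federated partner's IdP), each
# with the verification key exchanged when the trust relationship was set up.
TRUSTED_ISSUERS = {"https://idp.example.org/saml": "idp-verification-key-placeholder"}
AUDIENCE = "https://sp.example.org/content"

# Constructed sample assertion; the SignatureValue is a placeholder.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_c0ffee" Version="2.0" IssueInstant="2011-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-03-01T12:00:00Z" NotOnOrAfter="2011-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/content</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-03-01T11:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>submitter</saml:AttributeValue>
      <saml:AttributeValue>foia-requester</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class InvalidAssertion(ValueError):
    """The SP must not act on this assertion."""


def _utc(stamp):
    """Parse the xs:dateTime form used in the sample (UTC, whole seconds)."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def consume_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS,
                      audience=AUDIENCE, verify_signature=None):
    """Return the identity the SP may act on, or raise InvalidAssertion.

    now is the SP's clock as an xs:dateTime string.  verify_signature(el, key)
    is the XML-DSig verifier of the XML security library in use (stdlib
    ElementTree cannot canonicalise and verify XML-DSig); without one every
    assertion is rejected.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise InvalidAssertion("not a SAML 2.0 Assertion")

    # Issuer: only identity providers we have a trust relationship with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise InvalidAssertion("untrusted issuer %r" % issuer)

    # Signature: present and valid under that issuer's key, checked before
    # any other element is believed.
    if root.find("ds:Signature", NS) is None or verify_signature is None \
            or not verify_signature(root, trusted_issuers[issuer]):
        raise InvalidAssertion("missing or invalid signature")

    # Conditions: validity window and audience restriction.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise InvalidAssertion("no Conditions element")
    clock = _utc(now)
    if cond.get("NotBefore") and clock < _utc(cond.get("NotBefore")):
        raise InvalidAssertion("assertion not yet valid")
    if cond.get("NotOnOrAfter") and clock >= _utc(cond.get("NotOnOrAfter")):
        raise InvalidAssertion("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        raise InvalidAssertion("assertion issued for another audience")

    # Subject and AuthnStatement: who, and that they authenticated at the IdP
    # (an attribute-only assertion is not a login).
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = root.find("saml:AuthnStatement", NS)
    if not name_id or authn is None:
        raise InvalidAssertion("no authenticated subject")

    # AttributeStatement: multi-valued attributes keyed by Name.
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": issuer, "subject": name_id,
            "authn_instant": authn.get("AuthnInstant"), "attributes": attributes}


def rejection_reason(xml_text, now, **kwargs):
    """None when the assertion is accepted, else the reason it was rejected."""
    try:
        consume_assertion(xml_text, now, **kwargs)
    except InvalidAssertion as exc:
        return str(exc)
    return None


def accept_any_signature_UNSAFE(assertion_el, key):
    """Test double standing in for a real XML-DSig verifier.  Never deploy."""
    return True
```

The order of the checks is the point: the issuer is resolved first so that the key used for signature verification is the one bound to the claimed issuer, and nothing after the signature check is read from the document until it has verified. The AuthnStatement requirement is what separates a login assertion from a bare attribute response.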
Anonymous Users

[Figure: Untrusted Zone | Perimeter | Federation Zone | Perimeter | Trusted Zone | Perimeter | Restricted Zone; components: Anonymous Client (Internet), Content Dispatcher, Content Management, Content Services]

Anonymous users are all assigned the same identity, “Anonymous”, and are authorized accordingly.
Self Registration

[Figure: Untrusted Zone | Perimeter | Federation Zone | Perimeter | Trusted Zone | Perimeter | Restricted Zone; components: Self Registered User, SAML Producer, SAML Consumer, Directory, Content Dispatcher, Content Management, Content Services]

Users that register themselves and have their email address verified are authorized to see and add to the content that they have previously submitted.
Partners

[Figure: Partner Zone | Untrusted Zone | Perimeter | Federation Zone | Perimeter | Trusted Zone | Perimeter | Restricted Zone; components: Partner Client, SAML Producer, Directory, Partner Security Administrator, Delegated Administration, SAML Consumer, Content Dispatcher, Content Management, Content Services]

Business partners, such as financial institutions, that do not have their own identity management infrastructure would use an FDIC-provided delegated administration module to manage their user identities.
Federated Partner

[Figure: Partner Zone | Untrusted Zone | Perimeter | Federation Zone | Perimeter | Trusted Zone | Perimeter | Restricted Zone; components: Federated Client, SAML Producer, Directory, Federated Security Administrator, Security Administration, SAML Consumer, Content Dispatcher, Content Management, Content Services]

Business partners that do have their own identity management infrastructure would be the source of the SAML assertions for their users.
FDIC User

[Figure: Untrusted Zone | Perimeter | Federation Zone | Perimeter | Trusted Zone | Perimeter | Restricted Zone; components: Internal User, Telecommuting User (Remote Desktop, Fast Access), FDIC Prod Active Directory, SAML Producer (Active Directory Federation Services), SAML Consumer, Content Dispatcher, Content Management, Content Services]

FDIC users (both internal and telecommuting) would also be provided a SAML assertion to gain access to applications.
Cloud User

[Figure: Hosting Provider | Perimeter | Untrusted Zone | Perimeter | Federation Zone | Perimeter | Trusted Zone | Perimeter | Restricted Zone; components: Internal User, FDIC Prod Active Directory, SAML Producer (Active Directory Federation Services), Trust Relationship with the hosting provider, SAML Consumer, Content Dispatcher, Content Management, Content Services]

FDIC users of a cloud service provider would use the same model in reverse: FDIC is the identity source and the hosting provider's application is the SAML consumer.
Analysis of Content

GEOSPATIAL APPLICATION ARCHITECTURE
Requirements

Create a visual presentation of Failed, Problem and MDI (Minority Depository Institution) institutions and display them within States, Counties and Congressional Districts.

Demo
Technology

• Oracle Maps JavaScript API: slippy map for draggable display of map tiles; feature-of-interest interactions
• Oracle Mapviewer: tile cache; feature server
• Oracle Spatial database: spatial interactions, materialized views, PL/SQL functions, mapping metadata

[Figure: three tiers]
• Client: browser, JavaScript, HTML rendering
• HTTP
• Middle tier: WebLogic, Mapviewer (map/feature rendering)
• JDBC
• Data tier: tables with spatial attribute, spatial indexes, metadata
Technology

• JQuery: HTML document traversing, event handling, AJAX interactions
• JQuery UI: user interface widgets

Technology

• JQuery DataTables plugin: table pagination, filtering, multi-column sorting
• Java Servlet with the Apache POI library
Presentation Architecture

[Figure: components of the mapping page]
• map.jsp (view): HTML only, styled by RSAM.css
• JQuery: page enhancement, event routing to model
• mapPage.js (controller): behavior mapping between view and model
• dataTables.js (table controller)
• bankLayer.js and RSAM.js (model + view updating, JavaScript/JQuery): manage map themes, update view tables
• oraclemaps.js (mapping API)
• JSON 2 Excel (Java servlet): converts JavaScript Object Notation to Excel
• Oracle Mapviewer: renders map tiles, fetches features
Map/Feature Architecture

[Figure]
• Spatial tables (tables, views, materialized views): one geometry column (SDO_GEOMETRY), spatial metadata (USER_SDO_GEOM_METADATA), spatial index
• Oracle Mapbuilder: creates geometry themes (styles: areas, colors, lines, markers, advanced) and base maps using the spatial tables, and creates the service application metadata
• Oracle Mapviewer: renders and caches base map tiles; queries for features (and caches them)
Spatial Data Architecture

• Tables with spatial column
• Materialized view with spatial column
• PL/SQL function using a spatial query, for example counting the institutions that interact with a region (a state, county or congressional district) under the ANYINTERACT mask:

    select count(*) into v_count
      from FDIC_ALL_INST
     where sdo_relate(region, location, 'MASK=ANYINTERACT') = 'TRUE';
Security Architecture

[Figure: deployment]
• Oracle HTTP Server (Apache HTTP Server executable) with the mod_osso shared library and an SSO configuration file
• OID LDAP directory
• WebLogic: Oracle Mapviewer (ear), Mapping Application (war), Mapviewer config file; active security realm with OSSO Identity Asserter and OID Authenticator; web context config
• RSAM database, spatial schema: PL/SQL packages web_user_info and LDAP group verification; table RSAM_USER_AUDIT
• Mapviewer data source configuration:
  map_data_source: name="RSAM" plsql_package="web_user_info" web_user_type="OSSO_USER"

Perimeter authentication with Oracle Single Sign-On. Mapviewer accepts the HTTP header set by the SSO layer and sets the identity by calling the PL/SQL package for each request. Mapviewer themes can then use the identity set in the PL/SQL package for filtering data. This only holds if requests can reach Mapviewer solely through the SSO perimeter, since the header is the only evidence of who the user is.
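As an added example (not FDIC's code and not Oracle Mapviewer's), the per-request identity chain this slide and the earlier Anonymous Users slide describe: the identity header is accepted only when it arrives from the SSO perimeter; a request without it runs as the single "Anonymous" identity; a request that carries the header from anywhere else is refused; the identity is recorded for the request and its LDAP groups resolved (the web_user_info and group verification package calls); the theme then filters rows on those groups. The header name, proxy subnet, group names and institution rows are constructed assumptions.

```python
"""Identity propagation from the SSO perimeter to the data tier (added example)."""
import ipaddress

IDENTITY_HEADER = "Osso-User-Dn"                                # assumed mod_osso header
TRUSTED_SSO_PROXIES = [ipaddress.ip_network("10.10.1.0/24")]   # assumed OHS subnet
ANONYMOUS = "Anonymous"                                        # the deck's anonymous identity

# Constructed stand-ins for the LDAP group verification package and for the
# spatial rows a theme would query; the PROBLEM row is limited to one group.
LDAP_GROUPS = {
    "cn=jdoe,cn=users,dc=fdic,dc=gov": {"RSAM_ANALYST"},
    "cn=ext1,cn=users,dc=fdic,dc=gov": set(),
}
INSTITUTIONS = [
    {"cert": 1001, "status": "FAILED", "restricted_to": None},
    {"cert": 1002, "status": "MDI", "restricted_to": None},
    {"cert": 1003, "status": "PROBLEM", "restricted_to": "RSAM_ANALYST"},
]


def identity_from_request(headers, peer_ip, trusted_proxies=TRUSTED_SSO_PROXIES):
    """Return the identity this request runs as, or raise PermissionError.

    The header is proof of authentication only when the hop that set it is the
    SSO perimeter.  From any other peer it is plain client input, and a client
    asserting an identity by hand is refused rather than downgraded quietly.
    """
    peer = ipaddress.ip_address(peer_ip)
    from_perimeter = any(peer in net for net in trusted_proxies)
    user = next((v for k, v in headers.items()
                 if k.lower() == IDENTITY_HEADER.lower()), None)
    if user:
        if not from_perimeter:
            raise PermissionError("identity header supplied by untrusted peer %s" % peer_ip)
        return user
    return ANONYMOUS


def set_web_user(identity, audit_log):
    """Per-request counterpart of the web_user_info package call: record the
    identity for this request and resolve its verified LDAP groups."""
    audit_log.append(identity)
    return LDAP_GROUPS.get(identity, set())


def theme_rows(groups, rows=INSTITUTIONS):
    """Theme-level filtering: a row is visible when it is unrestricted or the
    identity holds the group it is restricted to."""
    return [r["cert"] for r in rows
            if r["restricted_to"] is None or r["restricted_to"] in groups]


def serve_map_request(headers, peer_ip, audit_log):
    """One request through the chain; returns (http_status, payload)."""
    try:
        identity = identity_from_request(headers, peer_ip)
    except PermissionError as exc:
        return 403, str(exc)
    groups = set_web_user(identity, audit_log)
    return 200, {"identity": identity, "certs": theme_rows(groups)}
```

The peer check is what the deployment diagram relies on: the identity asserter in the WebLogic realm trusts the header, so the network path has to guarantee that only Oracle HTTP Server can set it. The audit list models RSAM_USER_AUDIT, which records the identity every theme query ran under.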
Enterprise GIS Architecture

[Figure: GIS Architecture, three pillars]
• Spatial data management (Oracle Spatial)
• User-supplied layers and complex geoprocessing (ArcGIS)
• Application development using an elastic resource (Mapviewer)
Content Management

NOW THAT WE KNOW WHO YOU ARE, AND WE HAVE CONTENT TO SHARE, HOW DO WE ENABLE IT?
Requirements - Content

Enabling Content
• Company and industry news
• Staff directory and employee profile pages
• Expertise finders (locating coworkers with specific knowledge)
• Integrating internal and external information sources
• Keeping the intranet up-to-date (content management)
• Employee self service
• Multimedia and video on intranets
• Consistent navigation
• Data analysis and visualization
Requirements - Community

Community
• Employee and department weblogs
• CEO blogging
• On-boarding of new employees
• Corporate calendars
• Project collaboration tools
• Discussion boards
• Internal wikis
• Online meetings
Requirements - Technology

Technology
• Robust search
• Mobile intranets (including iPhone apps for intranet access)
• Personalization
• Customization
• Alerts
• Video platform
• Database integration (from other systems)
Goals

• Build value for users
• Enable integration and personalization
• Establish new communication channels (bi-directional)
• Scale: number of users, amount of content
Problems with Existing Architecture

Existing architecture
• Static content
• Manual processes
• Content and presentation intermingled
• Content cannot be reused
• No place to store newly captured content

[Figure: static content on a web server, served to the browser; manual updates made with Dreamweaver]
Need a better architecture

• Support for content-directed applications: web content management is only one content application
• Multiple repositories: SharePoint, Documentum, internally managed
• Website author roles in production: in-page editing, drag and drop
• Workflow: page approval
• Content integration and aggregation: live dashboards, integration with content services
• Digital asset management: scaling and cropping, metadata extraction, thumbnail generation, format transcoding

Need a better architecture

[Figure: Content Repository, Content Services, Content Applications, Browser]
Need a better standards based architecture

[Figure: Content Repository (Java Content Repository, JCR 2.0); Content Services (REST based services); Content Applications (JSP + scripting language support; JavaScript, JSON, AJAX); Browser (Web 2.0 content driven applications)]
Open source architecture

[Figure: Content Repository (Java Content Repository, JCR 2.0) provided by Apache Jackrabbit; Content Services (REST based services) and Content Applications (JSP + scripting language support; JavaScript, JSON, AJAX) provided by Apache Sling; Browser (Web 2.0 content driven applications)]
Architecture that supports portals

[Figure: Content Repository (Java Content Repository, JCR 2.0) provided by Apache Jackrabbit; Content Services (REST based services) and Content Applications (JSP + scripting language support; JavaScript, JSON, AJAX) provided by Apache Sling; Browser (Web 2.0 content driven applications) composed of widgets, portlets and gadgets]

A portal is simply a web page with configurable widgets that transforms content.
Architecture that supports services

[Figure: Content Repository (Java Content Repository, JCR 2.0) provided by Apache Jackrabbit; Content Services (REST based services) and Content Applications (JSP + scripting language support; JavaScript, JSON, AJAX) provided by Apache Sling; Browser (Web 2.0 content driven applications) composed of widgets, portlets and gadgets; services hosted as OSGi services on Apache Felix]

The OSGi framework is a module system and service platform that implements a complete component model.
Day Software (now Adobe)

Web Content Management solution based on open standards and open source. Day contributed to and uses Apache open source for the content repository, content services and service integration.

[Figure: Day CQ5 WCM: Day Content Repository; Content Services; Content Applications (widgets, portlets, gadgets); Browser; content adapters for SharePoint and Documentum]
In page editing

Drag and drop

Workflow

Demo

Q&A

Questions