
Progress Software

Identity Management 101

Sarah Marshall, OpenEdge QA Architect

May 2012

© 2011 Progress Software Corporation. All rights reserved.

What is Identity Management?

• About protecting your data
• About verifying and controlling who is accessing your data
• About minimizing where and when you verify who is accessing your data
• And what happens if you're not authorized!

Edna Mode


Building blocks to IdM

• Authentication systems: systems you will use (or are using) to maintain your list of users
• Domain configuration: categories of users that have in common the data they can access
• Authorization configuration: configurations for individual users defining their access privileges
• Architecture to support IdM: a single point of identity management for all systems

The CLIENT-PRINCIPAL

• Built-in ABL security token
    CREATE CLIENT-PRINCIPAL hCP
    hCP:INITIALIZE(…)

• Sets the current identity for the session or for any db connection
    SECURITY-POLICY:SET-CLIENT(hCP)
    SET-DB-CLIENT(hCP, <dbname>)

• Created by the AVM if not created explicitly
    SETUSERID(<userid>, <psswd>, <dbname>)
    cmd> $PROEXE -U <userid> -P <psswd>

• Manages a user's login session
    rCP = hCP:EXPORT-PRINCIPAL()
    hCP:LOGOUT()
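Putting the fragments above together, as an added ABL example that is not from the slides: one procedure creates, seals, passes on and retires a CLIENT-PRINCIPAL, and the receiving side refuses the token unless its seal validates and its login is still current. The user sjones, the domain Sales, its access code and the database name sports are assumptions.

```abl
/* Added example, not from the slides: the CLIENT-PRINCIPAL lifecycle end to end.
   Assumed names: user "sjones", domain "Sales", its access code "s3cret-code",
   and a connected database with logical name "sports". */
DEFINE VARIABLE hCP  AS HANDLE NO-UNDO.   /* token created by the authenticating side */
DEFINE VARIABLE hCP2 AS HANDLE NO-UNDO.   /* copy rebuilt by the receiving side     */
DEFINE VARIABLE rCP  AS RAW    NO-UNDO.   /* serialized token crossing a boundary   */

/* A seal can only be validated against a domain the session knows about.
   Register it in memory here; the slides' alternative is
   SECURITY-POLICY:LOAD-DOMAINS("sports") to read the database's registry. */
SECURITY-POLICY:REGISTER-DOMAIN("Sales", "s3cret-code", "_oeusertable", "Sales staff").
SECURITY-POLICY:LOCK-REGISTRATION().   /* no further registry changes this session */

/* 1. Create the token and say who it represents. Argument 2 is a session id
      (? lets the AVM generate one); argument 3 is when the login expires. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE("sjones@Sales", ?, ADD-INTERVAL(NOW, 8, "hours")).

/* 2. Seal it with the domain's access code. Only the component that
      authenticated the user should hold this code. */
IF NOT hCP:SEAL("s3cret-code") THEN
    RETURN ERROR "Could not seal CLIENT-PRINCIPAL".

/* 3. Make this the session identity and the identity of one db connection
      (handle first, database second, per the ABL reference). */
SECURITY-POLICY:SET-CLIENT(hCP).
SET-DB-CLIENT(hCP, "sports").

/* 4. Ship it across a boundary (for example to an AppServer) as bytes. */
rCP = hCP:EXPORT-PRINCIPAL().

/* Receiving side: rebuild the token, and trust it only after the seal
   validates against the registered domain and the login is still current. */
CREATE CLIENT-PRINCIPAL hCP2.
hCP2:IMPORT-PRINCIPAL(rCP).
IF NOT hCP2:VALIDATE-SEAL() THEN
    RETURN ERROR "Rejected: seal does not match a registered domain".
IF hCP2:LOGIN-STATE <> "LOGIN" THEN   /* e.g. "EXPIRED" or "LOGOUT" */
    RETURN ERROR SUBSTITUTE("Rejected: login state is &1", hCP2:LOGIN-STATE).
SECURITY-POLICY:SET-CLIENT(hCP2).
MESSAGE "Now running as" hCP2:QUALIFIED-USER-ID VIEW-AS ALERT-BOX.

/* 5. Game over: LOGOUT() changes LOGIN-STATE to "LOGOUT", so this handle
      can no longer be used to set a session or db identity. */
hCP:LOGOUT().
DELETE OBJECT hCP.
DELETE OBJECT hCP2.
```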

The Game Board

[Figure: a board-game style diagram of one login session. Stations: START, Login, Client, User Account System (LDAP, OEDB), Authentication, Create C-P, Logged in, Expired!, Logout, Game over, FINISH. Also shown: ASDB, ASCDB, LDAP.]


Authentication systems

[Figure: the game board again, with the User Account System station filled in successively with LDAP, Kerberos and OpenID.]

_Domain-type values: _oeusertable, _oslocal, _extsso, User Defined

Schema table: _sec-authentication-system

What are domains? (Domain configuration)

Defining domains

Users in a domain:
• Have roles and responsibilities in common
• Have a level of security in common
• Have data access privileges in common

Fields of _sec-authentication-domain: _Domain-name, _Domain-type, _Domain-description, _Domain-access-code, _Domain-runtime-options, _Tenant-name

Using domains

[Figure: a Client connected to OEDB1, OEDB2, OEDB3 and OEDB4; the client uses the domains defined in a database.]

SECURITY-POLICY:LOAD-DOMAINS(DB1)

1. Each database can use its own domain registry
2. Each database can share the session's registry

User permissions (Authorization configuration)

• Authorization for individuals
• Table and field level permissions: CAN-* fields
• Runtime permission: CAN-DO() function

CAN-DO("*.Admin")
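The two slides above (loading a domain registry, then checking a runtime permission) combined into one added ABL example that is not from the slides: the check is made against the identity set with SECURITY-POLICY:SET-CLIENT and denies by default. The database name db1 and the procedure name maintain-users.p are assumptions.

```abl
/* Added example, not from the slides: gate a privileged action on the
   identity currently set with SECURITY-POLICY:SET-CLIENT.
   Assumed: a connected database with logical name "db1" whose domain
   registry is the one to load, and a procedure "maintain-users.p". */

/* Slide option 1: the session loads its domain registry from db1, so every
   database connection in this session resolves the same set of domains. */
SECURITY-POLICY:LOAD-DOMAINS("db1").

/* Deny by default: the check fails when no CLIENT-PRINCIPAL is set, when it
   is no longer in the "LOGIN" state, or when the id does not match. */
FUNCTION IsAllowed RETURNS LOGICAL (pcIdList AS CHARACTER):
    DEFINE VARIABLE hCur AS HANDLE NO-UNDO.
    hCur = SECURITY-POLICY:GET-CLIENT().
    IF NOT VALID-HANDLE(hCur) OR hCur:LOGIN-STATE <> "LOGIN" THEN
        RETURN FALSE.
    /* Table and field access is enforced by the CAN-* schema fields; this is
       the runtime counterpart, matching the domain-qualified id
       ("user@domain") against the id-list. The slide's list is "*.Admin". */
    RETURN CAN-DO(pcIdList, hCur:QUALIFIED-USER-ID).
END FUNCTION.

IF IsAllowed("*.Admin") THEN
    RUN maintain-users.p.
ELSE
    MESSAGE "Not authorized" VIEW-AS ALERT-BOX ERROR.
```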


Security Token Service (Architecture to support IdM)

The Security Token Service:
• takes login information (user credentials)
• runs an authentication plug-in
• seals the CLIENT-PRINCIPAL
• makes it available to the application

[Figure: the STS takes User Credentials, authenticates against the User Account System (LDAP) and creates the C-P; AS and CDB are shown alongside.]

[Figure: the game board redrawn with the Security Token Service added; stations START, Login, Client, Logged in, Expired!, Logout, Game over, FINISH, plus OEDB, ASDB and ASCDB.]

Anatomy of an STS (Architecture to support IdM)

[Figure: ABL Clients, Open Clients and Adapter Clients exchange Login, Credentials and a CCID with an ABL STS AppServer (CCID = Client Context Identifier). The STS holds an OpenEdge Session, Domains and an Audit Trail, and is backed by the authentication systems LDAP, _User, OpenID, OEDB and TBD…. Application AppServers (AS) and their databases (DB), each with Domains, sit alongside.]

Building blocks to IdM

• Authentication systems: systems you will use (or are using) to maintain your list of users
• Domain configuration: categories of users that have in common the data they can access
• Authorization configuration: configurations for individual users defining their access privileges
• Architecture to support IdM: a single point of identity management for all systems