Breakout Session presented by Rob Jackson, Identity Solutions Architect at Nulli at the 2014 IRM Summit in Phoenix, Arizona
Human Information
Identity Management
Identity Solution Architects
Case Study: Utilizing OpenIDM with an External AJAX Interface
6/4/2014
Introduction
Nulli
  o ForgeRock Strategic Partner
  o Open Source Contributors
  o IAM Specialists since 1997
  o HQ in Calgary, AB, Canada; servicing North America
Whitepaper
• Consumer-facing trend
• Available for download on the nulli.com blog
• Authored by Hadi Ahmadi / Sandeep Chaturvedi
• Based on a current customer
  o Requirements: IDP for public sector applications; registration/verification; self-service user functions
  o Detailed design was already complete
  o Interested in a lightweight AJAX UI with a REST API (Internet-facing)
CREST (Commons REST)
Common REST API between products:
  o OpenIdM
  o OpenDJ
  o OpenAM
Implementing CREST
• Which API?
  o Overlap of functionality
  o Strong points
• Security?
  o Internet-facing?
• Middle Tier?
  o Required?
• Gotchas
Which API?
Overlap Example: Create User
• OpenAM » ../json/users/?_action=register
• OpenIdM » ../managed/user/
• OpenDJ » ../users/newuser
Which API?
CREST API feature columns: Registration | Provision LDAP | Provision (Multiple stores) | Password | Password Reset | OTP | Auth’n & Auth’z | Customizable | Workflow | Policy/Validation | Configuration | Self Service | Data Replication | Federation
OpenAM:  X X X X X X X X X (9 of 14 features marked)
OpenIdM: X X X X X X X X X X X (11 of 14 features marked)
OpenDJ:  X X X X (4 of 14 features marked)
Which API? - Summary
• OpenIdM
  o Workflow
  o Multiple Data Stores
  o Most Flexible
• OpenAM
  o Authentication/Authorization
• OpenDJ
  o More System->System
Security?
• Reverse Proxy/Secure Gateway
  o Reduce ‘Attack’ Surface
  o Control generalized API patterns, e.g. POST ../?_action=something
• API Policies (OpenIdM)
• Authenticated vs Anonymous
  o Token/UID+PWD
  o OpenIdM protected by OpenAM
• XSS/CORS
• JSON Sanitization (embedded scripts, etc.)
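Added example (not code from this presentation, Nulli or ForgeRock): a minimal middle-tier filter that forwards only an explicit allowlist of CREST calls, using the slides' OpenAM register action and OpenIDM managed/user endpoint, and rejects generalized `POST ../?_action=something` patterns and anonymous access to authenticated resources. The allowlist rules and the request shape `{ method, target, authenticated }` are assumptions.

```javascript
// Added example (not code from the presentation, Nulli or ForgeRock).
// Gateway filter that forwards only allowlisted CREST calls to the back end.
// The slides' "../" stands for the product base URL, so paths here are
// matched relative to that base. Rules and request shape are assumptions.
const ALLOWLIST = [
  // OpenAM self-registration: anonymous callers, but only the register action.
  { method: 'POST',  path: /^\/json\/users\/?$/,        actions: ['register'], anonymous: true },
  // OpenIDM managed user: read/patch one record, authenticated callers only.
  { method: 'GET',   path: /^\/managed\/user\/[\w-]+$/, actions: [],           anonymous: false },
  { method: 'PATCH', path: /^\/managed\/user\/[\w-]+$/, actions: [],           anonymous: false },
];

// Split the request target into its path and the CREST _action parameter.
function parseTarget(target) {
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const params = new URLSearchParams(q === -1 ? '' : target.slice(q + 1));
  return { path, action: params.get('_action') }; // action is null when absent
}

// Decide whether a request may be forwarded. Deny by default.
function filterRequest(req) {
  const { path, action } = parseTarget(req.target);
  // Reject any real traversal segment before pattern matching.
  if (path.split('/').includes('..')) return { allow: false, reason: 'traversal' };
  for (const rule of ALLOWLIST) {
    if (rule.method !== req.method || !rule.path.test(path)) continue;
    if (!req.authenticated && !rule.anonymous) {
      return { allow: false, reason: 'authentication required' };
    }
    if (action === null && rule.actions.length > 0) {
      return { allow: false, reason: 'missing _action' };
    }
    if (action !== null && !rule.actions.includes(action)) {
      return { allow: false, reason: `_action ${action} not allowed here` };
    }
    return { allow: true, reason: 'allowlisted' };
  }
  return { allow: false, reason: 'no allowlist match' };
}
```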
Middle Tier?
• Business Logic
  o Multiple calls behind
• Token authentication
• DMZ presence
• Anonymous links from emails
• Host non-identity contents
  o Country/city lists, etc.
  o Landing pages/UI host
• CAPTCHA
Gotchas
• OpenIdM (Jetty) protected by OpenAM
  o Can’t use OOTB Anonymous user
• Returning detailed user status from the OpenAM Authentication REST API (Active/Inactive)
  o Multiple calls
  o Authentication plugin?
• Functionality in OpenAM not as flexible
  o OpenIdM custom end points
Architecture