Presented by John Barco, VP of Product Management at ForgeRock Open Identity Stack Summit, France 2013.
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
3. OpenAM: What does it do?
Access Management: Protects an organization by providing the right people with the right access at the right time.
Federation: Allows identity and entitlements to be portable across autonomous domains.
4. OpenAM 11.0 Highlights
■ New Session Fail-Over with optimized architecture
■ OpenID Connect for developer-friendly Federation
■ Developer-friendly REST API enhancements
■ Access Management for Mobile
■ Adaptive Authentication: Device Fingerprinting
■ Updated agents v3.3; new Varnish policy agent
■ IPv6 support
■ Java 7 support
5. Scaling for the Modern Web
[Chart, values recovered from the slide:]
Users: 10K / 100M
Concurrent sessions: 5K / 5M
AuthN/sec: 50 / 2,500
7. New Session Fail-Over
■ Next-generation design
– Removes the need for additional components (message queue and Berkeley DB)
■ Based on OpenDJ performance and replication capabilities
■ Built for simplicity, scale and replication
■ Easy to configure and set up
8. OpenID Connect
OpenID Connect = Identity, Authentication + OAuth
• REST-based, friendly and secure federation, built on top of OAuth 2.0
• Ideal for mobile and lightweight devices
• Full implementation in OpenAM 11.0 (all flows, including session management)
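The slide says OpenID Connect layers identity and authentication on top of OAuth 2.0: the provider hands the client a signed ID token, and the relying party's security rests on validating that token before trusting the identity inside it. The following Python is an added example written for this page, not OpenAM code and not the ForgeRock SDK; the issuer URL, client_id, client secret, nonce and timestamp are constructed values. It uses the HS256 (client-secret HMAC) signing option that the OpenID Connect Core specification allows, so it runs offline with the standard library only, and it pins the expected algorithm so unsigned (`alg=none`) tokens are refused.

```python
import base64
import hashlib
import hmac
import json

# Constructed fixture values (not from the slides): a hypothetical OpenAM
# issuer URL, a relying party's client_id/secret and the nonce it sent.
ISSUER = "https://sso.example.com/openam/oauth2"
CLIENT_ID = "mobile-app"
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"
NONCE = "n-0S6_WzA2Mj"
NOW = 1380000000  # fixed "current time" so the example is deterministic

GOOD_CLAIMS = {
    "iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
    "exp": NOW + 600, "iat": NOW, "nonce": NONCE,
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str, alg: str = "HS256") -> str:
    """Provider-side stand-in: issue a compact JWT ID token.
    alg="none" is offered only so the validator's rejection of unsigned
    tokens can be demonstrated; a real provider must never emit it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, client_secret, expected_issuer, client_id,
                      expected_nonce, now):
    """Relying-party checks in the order OpenID Connect Core prescribes:
    algorithm, signature, issuer, audience, expiry, nonce.
    Returns (ok, reason, claims); claims are only returned when ok."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", {}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSON and UTF-8 errors
        return False, "undecodable token", {}
    # Pin the algorithm: the token must not choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        return False, "unexpected alg", {}
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(client_secret.encode(), signing_input,
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature", {}
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer", {}
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "wrong audience", {}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired", {}
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch", {}
    return True, "ok", claims


if __name__ == "__main__":
    token = mint_id_token(GOOD_CLAIMS, CLIENT_SECRET)
    print(validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, NOW))
    unsigned = mint_id_token(GOOD_CLAIMS, CLIENT_SECRET, alg="none")
    print(validate_id_token(unsigned, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, NOW))
```

The nonce check is what ties the ID token to the login request the app itself started, which is the replay protection that matters most on the mobile and lightweight clients the slide mentions; production deployments would normally verify an RS256 signature against the provider's published JWKS instead of a shared secret, but the claim checks are identical.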
9. REST Enhancements
■ Authentication REST API got better
– Not only user & password
– Any authentication module (X.509, multi-factor, etc.)
■ Password Reset REST API
– Customers can build their own user interface
■ REST APIs part of the OpenAM standard offering
10. OpenAM Mobile
■ Securely enable access to on-prem or SaaS applications from any device
■ Platform-independent support for Android, iOS and other mobile devices using REST APIs
■ OpenAM provides OATH and HOTP for strong AuthN
■ Risk-based authentication to enhance security
[Diagram labels recovered from the slide: Native App, Web App, Login App; REST/OAuth2/OpenID Connect; OpenAM Mobile]
11. Adaptive Authentication: Device Fingerprinting
■ Adaptive Authentication can be added when authenticating using a mobile or desktop device
■ The new Device Fingerprinting feature adds additional risk assessment to validate whether the device is trusted
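The slide describes device fingerprinting as a risk signal rather than a hard gate: the fingerprint observed at login is compared with the devices already known for the user, and the distance decides whether to allow, to step up (for example to the OATH/HOTP second factor mentioned on the mobile slide) or to deny. The Python below is an added example for this page, not OpenAM's own Device Fingerprinting module; the attribute set, the weights, the thresholds and the sample device profiles are all constructed, and a real deployment would tune them from its own login data.

```python
# Weights (constructed for this example) for how much a mismatch on each
# fingerprint attribute raises the risk score; they sum to 100.
WEIGHTS = {
    "platform": 30,      # OS family rarely changes on a genuine device
    "user_agent": 25,
    "timezone": 15,      # travel changes this legitimately, so it is cheap
    "screen": 10,
    "language": 10,
    "plugins_hash": 10,
}
STEP_UP_THRESHOLD = 40   # ask for a second factor (e.g. an OATH/HOTP code)
DENY_THRESHOLD = 70      # too far from every known device to accept

# Constructed device profiles for one user; attribute values are made up.
LAPTOP = {
    "platform": "MacIntel", "user_agent": "Mozilla/5.0 (Macintosh) Firefox/24.0",
    "timezone": "Europe/Paris", "screen": "1440x900", "language": "fr-FR",
    "plugins_hash": "a1b2c3",
}
PHONE = {
    "platform": "iPhone", "user_agent": "Mozilla/5.0 (iPhone) Safari/7.0",
    "timezone": "Europe/Paris", "screen": "320x568", "language": "fr-FR",
    "plugins_hash": "none",
}
ALICE_DEVICES = [LAPTOP, PHONE]


def fingerprint_risk(stored: dict, observed: dict):
    """Score one stored device profile against the fingerprint just observed.
    Returns (score, list of mismatched attributes)."""
    score = 0
    mismatches = []
    for attr, weight in WEIGHTS.items():
        if stored.get(attr) != observed.get(attr):
            score += weight
            mismatches.append(attr)
    return score, mismatches


def assess_login(known_devices: list, observed: dict):
    """Compare against every known device and act on the closest match.
    Returns (decision, score, mismatched attributes). A user with no
    registered devices always gets step-up, never a silent allow."""
    if not known_devices:
        return "step_up", 100, list(WEIGHTS)
    score, mismatches = min(
        (fingerprint_risk(device, observed) for device in known_devices),
        key=lambda result: result[0],
    )
    if score >= DENY_THRESHOLD:
        return "deny", score, mismatches
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, mismatches
    return "allow", score, mismatches


if __name__ == "__main__":
    travelling = dict(LAPTOP, timezone="America/New_York")
    print(assess_login(ALICE_DEVICES, travelling))       # allow, 15
    replaced_phone = dict(PHONE, platform="Linux armv7l",
                          user_agent="Mozilla/5.0 (Android) Chrome/30.0",
                          plugins_hash="f9e8d7")
    print(assess_login(ALICE_DEVICES, replaced_phone))   # step_up, 65
```

Scoring against the closest known device, rather than the most recent one, is what lets a user who alternates between a laptop and a phone log in from either without a step-up, while a fingerprint that resembles neither still has to prove itself with a second factor.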
12. Summary
Simple
- Single package solution, easy to install and POC
Breadth
- Most features and standards support in a single product
Flexible / Extensible
- Open standards and APIs enable complete customization
Scale
- Built for managing millions of user identities
15. OpenIDM: What does it do?
Manage Identities: Centrally manage account lifecycle, audit & report entitlements, and enable self-service cost savings.
Embedded: A RESTful interface easily integrates into modern application stacks to manage identities.
16. OpenIDM 3.0 Highlights
■ Roles
■ Common User Interface
■ Reference implementation for Reporting
■ Continued support of OpenICF
– Google Apps, Workday, PowerShell & Scripted REST
– Contribution of Advanced Connectors (RACF, SAP & TAM)
■ Multi-Tenant deployment model
■ IAG coverage with BrainWave partnership
■ Emerging opportunities in BaaS & Cloud Brokers
17. Summary
Simple
- Single package solution, easy to install and prove
Open
- The only supported open source provisioning solution in the market
Modular & Extensible
- Standards-based, embeddable featuring REST interfaces
Scale
- Built for managing millions of user identities
19. Bridge SPE Overview
■ On-premise appliance to…
– Synchronize identities into SaaS providers
– Provide SSO / IWA
– …that’s super easy to set up
■ v1: uni-directional AD-to-Salesforce
■ Bi-directional support and multi-source/target
■ OEM business model
20. Bridge SPE: How does it work?
■ Lightweight install
– .zip file
■ Configure source & target
– Source properties & target OAuth
■ Synchronize users
– Attribute mapping
■ SSO with Kerberos / IWA
23. High Level Strategy
■ Providing the identity repository for the hybrid cloud enterprise
■ Made easy for administrators and developers
■ Customers want a reliable, highly available directory service that scales vertically and horizontally, anywhere
25. REST to LDAP
■ Provides a new way to access the directory data
■ One familiar to most developers: HTTP / REST / JSON
■ SCIM-like (and soon compliant)
■ Available embedded in OpenDJ or as a web application
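The point of REST to LDAP is a translation layer: JSON resources on the HTTP side, entries and attributes on the directory side, with an explicit mapping between the two. The Python below is an added example for this page that sketches that translation over a constructed in-memory directory; it is not OpenDJ's REST to LDAP implementation, and its JSON field names, mapping table and base DN are assumptions. Two defender-side properties of such a gateway are shown: only mapped attributes are reachable over REST (so `userPassword` is neither returned nor writable through this path), and resource identifiers are validated before being spliced into a DN.

```python
import re

# Constructed mapping for this example (OpenDJ's real mapping is a separate,
# configurable artifact): JSON field -> (LDAP attribute, kind).
MAPPING = {
    "_id":         ("uid", "simple"),
    "displayName": ("cn", "simple"),
    "mail":        ("mail", "simple"),
    "phones":      ("telephoneNumber", "multi"),      # multi-valued attribute
    "manager":     ("manager", "reference"),          # DN-valued attribute
}
BASE_DN = "ou=People,dc=example,dc=com"
SAFE_ID = re.compile(r"[A-Za-z0-9._-]+")   # what may appear in a uid RDN

# Constructed in-memory directory standing in for OpenDJ: DN -> attributes.
DIRECTORY = {
    "uid=bjensen,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bjensen"],
        "cn": ["Barbara Jensen"], "mail": ["bjensen@example.com"],
        "telephoneNumber": ["+1 408 555 1862"], "userPassword": ["{SSHA}xyz"],
    },
    "uid=jdoe,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "cn": ["John Doe"],
        "mail": ["jdoe@example.com"], "userPassword": ["{SSHA}abc"],
        "manager": ["uid=bjensen,ou=People,dc=example,dc=com"],
    },
}


def dn_for(resource_id: str) -> str:
    if not SAFE_ID.fullmatch(resource_id):
        raise ValueError(f"invalid resource id: {resource_id!r}")
    return f"uid={resource_id},{BASE_DN}"


def rdn_value(dn: str) -> str:
    return dn.split(",", 1)[0].split("=", 1)[1]


def entry_to_json(entry: dict) -> dict:
    """LDAP entry -> JSON resource; unmapped attributes are simply absent."""
    resource = {}
    for field, (attr, kind) in MAPPING.items():
        values = entry.get(attr)
        if not values:
            continue
        if kind == "simple":
            resource[field] = values[0]
        elif kind == "multi":
            resource[field] = list(values)
        else:  # reference: expose only the referenced resource's id, not the DN
            resource[field] = {"_id": rdn_value(values[0])}
    return resource


def json_to_entry(resource: dict) -> dict:
    """JSON resource -> LDAP attributes; refuses fields outside the mapping."""
    unknown = set(resource) - set(MAPPING)
    if unknown:
        raise ValueError(f"unmapped fields: {sorted(unknown)}")
    entry = {"objectClass": ["inetOrgPerson"]}
    for field, value in resource.items():
        attr, kind = MAPPING[field]
        if kind == "simple":
            entry[attr] = [str(value)]
        elif kind == "multi":
            entry[attr] = [str(v) for v in value]
        else:
            entry[attr] = [dn_for(value["_id"])]
    return entry


def rest_get(directory: dict, resource_id: str):
    """GET /users/{id}: returns (HTTP status, JSON body)."""
    try:
        dn = dn_for(resource_id)
    except ValueError as exc:
        return 400, {"code": 400, "message": str(exc)}
    entry = directory.get(dn)
    if entry is None:
        return 404, {"code": 404, "message": "Not Found"}
    return 200, entry_to_json(entry)


def rest_create(directory: dict, resource: dict):
    """PUT /users/{id} for a new resource: returns (HTTP status, JSON body)."""
    try:
        dn = dn_for(str(resource["_id"]))
        if dn in directory:
            return 412, {"code": 412, "message": "Resource already exists"}
        entry = json_to_entry(resource)
    except (KeyError, TypeError, ValueError) as exc:
        return 400, {"code": 400, "message": str(exc)}
    directory[dn] = entry
    return 201, entry_to_json(entry)


if __name__ == "__main__":
    print(rest_get(DIRECTORY, "jdoe"))
    print(rest_create(dict(DIRECTORY), {"_id": "new", "userPassword": "x"}))
```

The `manager` field shows why a mapping layer is more than renaming: the directory stores a DN, but the JSON client only ever sees and sends the referenced resource's `_id`, so the gateway rather than the client constructs every DN it writes.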
26. Scaling for the Cloud
■ Horizontal and elastic scalability
■ Complete support for multi-tenancy
27. What you need to know
■ OpenDJ 2.6.0 released end of June 2013
■ OpenDJ 3.0 will come mid-2014, with proxy services
■ REST to LDAP is a game changer.
– Try it now and give us feedback.
28. Summary
Developer Friendly
- LDAP, REST/JSON, WEB Services
100% Pure Java
- Runs Anywhere, Embeddable
Very High Performance
- For both READS and WRITES
Highly Scalable and Available
- Scale to 100M+ users, Multi-Master Replication for HA / Geo Avail.