An IAM for Beginners session presented by Dr. Matthias Tristl, ForgeRock Senior Instructor
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
13. OpenAM Key Functionality
■ Provides single sign-on to web resources and creates a "sign on once, access everywhere" environment
■ Centralized policy-based authentication and authorization
■ Enables policy enforcement
■ Tracks all user authentication-related events
■ Extends access beyond organizational boundaries
Authentication
Authorization
Single Sign-On
Federation
Entitlements
Web Services Security
Auditing/Logging
Adaptive AuthN
21. Authentication: Where does the request come from?
■ Common use case: User requests access to a web page
■ Other use cases: Applications can request authentication programmatically through REST or SOAP web services and the OpenAM SDK
22. Authentication: Which Credentials?
■ OpenAM works with most authentication methods without customization
■ 21 out-of-the-box authentication modules
■ Custom modules can be created easily
25. Authorization
■ Authentication is not enough
■ Authorization determines:
– WHO can do
– what ACTIONS
– with what RESOURCES
– under which CONDITIONS?
■ Uses policies to define those rights
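The four questions on this slide (who, which actions, which resources, under which conditions) map directly onto a policy decision. The following is an added example written for this page, not ForgeRock code and not OpenAM's policy engine: a minimal default-deny decision function in which each policy names subjects (users or `group:` memberships), actions, resource URL patterns and optional environment conditions (client network, time window). All policy names, users, URLs and networks are constructed for illustration.

```python
"""Added example: a minimal policy decision point modelled on the slide's
WHO / ACTIONS / RESOURCES / CONDITIONS questions. Not OpenAM code; every
name, URL and network below is constructed for illustration."""
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    subject: str                  # WHO: the authenticated user
    groups: FrozenSet[str]        # group memberships resolved at authentication time
    action: str                   # ACTIONS: e.g. GET or POST
    resource: str                 # RESOURCES: the URL being accessed
    client_ip: str                # CONDITIONS: environment attributes of the request
    now: time


@dataclass(frozen=True)
class Policy:
    name: str
    subjects: FrozenSet[str]      # user names, "group:<name>", or "*" for any authenticated user
    actions: FrozenSet[str]
    resources: Tuple[str, ...]    # glob patterns over resource URLs
    ip_range: Optional[str] = None                 # condition: client must be inside this network
    hours: Optional[Tuple[time, time]] = None      # condition: (start, end) time window


def subject_matches(policy: Policy, req: Request) -> bool:
    if "*" in policy.subjects or req.subject in policy.subjects:
        return True
    return any(f"group:{g}" in policy.subjects for g in req.groups)


def conditions_hold(policy: Policy, req: Request) -> bool:
    if policy.ip_range and ip_address(req.client_ip) not in ip_network(policy.ip_range):
        return False
    if policy.hours:
        start, end = policy.hours
        if not (start <= req.now <= end):
            return False
    return True


def decide(policies: List[Policy], req: Request) -> Tuple[str, Optional[str]]:
    """Return ("ALLOW", policy name) for the first policy that grants the request,
    otherwise ("DENY", None). No matching policy means deny (default deny)."""
    for p in policies:
        if (subject_matches(p, req)
                and req.action in p.actions
                and any(fnmatchcase(req.resource, pat) for pat in p.resources)
                and conditions_hold(p, req)):
            return "ALLOW", p.name
    return "DENY", None


# Constructed sample policy set.
POLICIES: List[Policy] = [
    Policy("public-site", frozenset({"*"}), frozenset({"GET"}),
           ("https://app.example.com/public/*",)),
    Policy("hr-portal", frozenset({"group:hr"}), frozenset({"GET", "POST"}),
           ("https://app.example.com/hr/*",),
           ip_range="10.0.0.0/8", hours=(time(8, 0), time(18, 0))),
]


if __name__ == "__main__":
    payroll = "https://app.example.com/hr/payroll"
    print(decide(POLICIES, Request("alice", frozenset({"hr"}), "GET", payroll, "10.0.0.5", time(10, 0))))
    print(decide(POLICIES, Request("alice", frozenset({"hr"}), "GET", payroll, "198.51.100.7", time(10, 0))))
    print(decide(POLICIES, Request("bob", frozenset({"eng"}), "GET", payroll, "10.0.0.5", time(10, 0))))
```

The decision is returned together with the name of the policy that granted it, which is the detail an audit log of authorization decisions should record; a request that no policy matches is denied rather than silently allowed.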
28. Federation
■ Federation is the process of linking identities across heterogeneous Access Management products
■ It is a trust relationship whereby a Service Provider (SP) trusts that an Identity Provider (IDP) has successfully authenticated a user
■ It is standards-based
29. The Goals of Federation
■ Federation enables Single Sign-On and Single Logout between partners
■ Federation allows rapid integration
– during company acquisitions
– between heterogeneous systems
■ Federation allows basic identity data sharing
■ Helps to keep multiple internet accounts under control
32. OpenAM Federation
■ OpenAM provides first-class federation support
■ Federation protocol support
– SAML2, WS-Federation, ID-FF, OAuth2
■ Federated Web Services
■ Multi-Protocol Hub
– Allows OpenAM to act as a broker between different federation protocols
■ Plug-in points allow for easy customization
■ Fedlet for applications that do not support standard protocols
In this slide the notes, and the instructor, insist on one basic, unified concept: one chosen server keeps the federated information and issues tokens once the user has authenticated. Relying parties (service providers / resource servers) consume those tokens to grant access to resources. A trust relationship must exist between the assertion provider and each relying party; the relying parties are not directly linked to, or trusting, each other. We usually speak of an assertion for SAML2 (for WS-Federation the assertion is wrapped in what then becomes a token) and of a token for OAuth2.
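The pattern the notes describe (one assertion provider issues tokens after authentication, each relying party trusts that provider but not the other relying parties) is shown below as an added example written for this page. It is not ForgeRock code and not SAML2 or OAuth2: the token is a signed JSON claim set with an HMAC over a per-relying-party shared secret standing in for the real protocol's signed assertion, and the issuer name, entity IDs and keys are constructed. What it demonstrates is the validation a relying party has to perform: signature under its own trust key, expected issuer, expected audience, and expiry.

```python
"""Added example: a broker-style assertion provider and two relying parties.
Not OpenAM code and not a real SAML2/OAuth2 implementation; the token format,
issuer, entity IDs and shared secrets are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


class IdentityProvider:
    """The single server that authenticates users and issues tokens."""

    def __init__(self, issuer: str, trust_keys: Dict[str, bytes]):
        self.issuer = issuer
        # One shared secret per relying party, established out of band when the
        # trust relationship is set up. An SP not listed here is not trusted.
        self.trust_keys = trust_keys

    def issue(self, subject: str, audience: str, lifetime: int = 300,
              now: Optional[int] = None) -> bytes:
        if audience not in self.trust_keys:
            raise KeyError(f"no trust relationship with {audience}")
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + lifetime}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.trust_keys[audience], body, hashlib.sha256).digest()
        return body + b"." + _b64(sig)


class ServiceProvider:
    """A relying party: trusts the IdP via its own key, never another SP."""

    def __init__(self, entity_id: str, trusted_issuer: str, shared_secret: bytes):
        self.entity_id = entity_id
        self.trusted_issuer = trusted_issuer
        self.secret = shared_secret

    def validate(self, token: bytes, now: Optional[int] = None) -> Tuple[Optional[dict], str]:
        """Return (claims, "ok") if the token is acceptable, else (None, reason)."""
        try:
            body, sig_b64 = token.split(b".")
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None, "bad signature"          # not issued under our trust key
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.trusted_issuer:
            return None, "untrusted issuer"
        if claims.get("aud") != self.entity_id:
            return None, "wrong audience"         # issued for some other relying party
        now = int(time.time()) if now is None else now
        if now >= claims.get("exp", 0):
            return None, "expired"
        return claims, "ok"


# Constructed trust setup: one IdP, two SPs with distinct secrets.
IDP = IdentityProvider("https://idp.example.com",
                       {"https://sp1.example.com": b"constructed-secret-sp1",
                        "https://sp2.example.com": b"constructed-secret-sp2"})
SP1 = ServiceProvider("https://sp1.example.com", "https://idp.example.com", b"constructed-secret-sp1")
SP2 = ServiceProvider("https://sp2.example.com", "https://idp.example.com", b"constructed-secret-sp2")


if __name__ == "__main__":
    tok = IDP.issue("alice", "https://sp1.example.com", now=1_000_000)
    print("SP1:", SP1.validate(tok, now=1_000_100)[1])   # ok
    print("SP2:", SP2.validate(tok, now=1_000_100)[1])   # bad signature: SP2 does not trust SP1's token
    print("late:", SP1.validate(tok, now=1_000_400)[1])  # expired
```

Because each relying party holds its own key with the assertion provider, a token issued for SP1 is simply unverifiable at SP2; the separate audience check catches the case where two relying parties happen to share a trust key, which is why real protocols carry an audience restriction in the assertion.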