Human Information
Identity Management
Identity Solution Architects
Case Study: Utilizing OpenIDM with an External AJAX Interface
6/4/2014
Introduction
Nulli
• ForgeRock Strategic Partner
• Open Source Contributors
• IAM Specialists since 1997
• HQ in Calgary, AB, Canada
• Servicing North America
Whitepaper
• Consumer-facing trend
• Available for download from the nulli.com blog
• Authored by Hadi Ahmadi / Sandeep Chaturvedi
• Based on current customer requirements
  o IDP for public sector applications: registration/verification, self-service user functions
  o Detailed design was already complete
  o Interested in a lightweight AJAX UI with a REST API (Internet-facing)
CREST (Commons REST)
• Common REST API between products:
  o OpenIDM
  o OpenDJ
  o OpenAM
Implementing CREST
• Which API?
  o Overlap of functionality
  o Strong points
• Security?
  o Internet-facing?
• Middle Tier?
  o Required?
• Gotchas
Which API? - Overlap Example: Create User
• OpenAM: ../json/users/?_action=register
• OpenIDM: ../managed/user/
• OpenDJ: ../users/newuser
Which API? - CREST API feature matrix
Features compared: Registration; Provision LDAP; Provision (Multiple stores); Password; Password Reset; OTP; Auth'n & Auth'z; Customizable; Workflow; Policy/Validation; Configuration; Self Service; Data Replication; Federation
Coverage per product (the column alignment of the X marks did not survive extraction, so only the counts from the slide are recoverable):
• OpenAM: 9 of the 14 features
• OpenIDM: 11 of the 14 features
• OpenDJ: 4 of the 14 features
Which API? - Summary
• OpenIDM
  o Workflow
  o Multiple data stores
  o Most flexible
• OpenAM
  o Authentication/Authorization
• OpenDJ
  o More system-to-system
Security?
• Reverse proxy / secure gateway
  o Reduce the attack surface
  o Control generalized API patterns (e.g. POST ../?_action=something): expose only the specific endpoints and actions the UI needs, not the whole CREST surface
• API policies (OpenIDM)
• Authenticated vs anonymous
  o Token, or UID + password
  o OpenIDM protected by OpenAM
• XSS/CORS
• JSON sanitization (embedded scripts, etc.): treat every field the API returns as untrusted before rendering it in the UI
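As an added example (not code from the Nulli deck or from ForgeRock), the two gateway controls above expressed in JavaScript: an allow-list policy that a reverse proxy or middle tier applies before forwarding a request to a CREST endpoint, refusing generalized `?_action=...`/`?_query...` patterns and unauthenticated calls, plus HTML escaping of JSON fields before the AJAX UI inserts them into the DOM. The `/openam` and `/openidm` prefixes, the rule set, the token value and the sample requests are assumptions for illustration; the endpoint shapes follow the "Overlap Example" slide.

```javascript
// Added example, not Nulli's or ForgeRock's code. Upstream prefixes,
// rule set and sample traffic are assumptions; endpoint shapes follow the deck.

const GATEWAY_ORIGIN = 'http://gateway.example'; // only used to parse relative URLs

// One rule per method + path. `action` is the single `_action` value permitted
// on that path (any other CREST `_` parameter is refused); `anonymous` says
// whether the call may arrive without a session token.
const RULES = [
  // Public self-registration through OpenAM (Internet-facing, anonymous).
  { method: 'POST',  path: /^\/openam\/json\/users\/?$/, action: 'register', anonymous: true },
  // Authenticated read and patch of the caller's own OpenIDM managed user.
  { method: 'GET',   path: /^\/openidm\/managed\/user\/[A-Za-z0-9._-]+$/, anonymous: false },
  { method: 'PATCH', path: /^\/openidm\/managed\/user\/[A-Za-z0-9._-]+$/, anonymous: false },
];

// Decide whether the gateway forwards `req` ({method, url, token}); the token
// stands for whatever session credential the front end carries (an OpenAM SSO
// token in this hypothetical deployment).
function authorize(req) {
  const url = new URL(req.url, GATEWAY_ORIGIN);
  const method = req.method.toUpperCase();
  const rule = RULES.find(r => r.method === method && r.path.test(url.pathname));
  if (!rule) return { allow: false, reason: 'no rule for ' + method + ' ' + url.pathname };

  // Generalized CREST patterns (?_action=..., ?_queryFilter=..., ?_queryId=...)
  // are refused unless the rule explicitly permits that exact action.
  for (const [name, value] of url.searchParams) {
    if (name === '_action' && value === rule.action) continue;
    if (name.startsWith('_')) {
      return { allow: false, reason: 'CREST parameter not allowed: ' + name + '=' + value };
    }
  }
  if (rule.action && url.searchParams.get('_action') !== rule.action) {
    return { allow: false, reason: 'missing _action=' + rule.action };
  }
  if (!rule.anonymous && !req.token) return { allow: false, reason: 'authentication required' };
  return { allow: true, reason: 'matched ' + method + ' ' + rule.path.source };
}

// Every string in a JSON response is untrusted: a display name stored through
// the API can carry markup or script. Escape before building HTML and never
// concatenate raw JSON fields into innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render the subset of a managed user the UI shows; returns the HTML string
// so the caller can check (or test) the result before touching the DOM.
function renderUser(user) {
  return '<div class="user">' +
    '<span class="name">' + escapeHtml(user.displayName) + '</span> ' +
    '<span class="mail">' + escapeHtml(user.mail) + '</span>' +
    '</div>';
}

// Constructed sample traffic, not captured from a real deployment.
const SAMPLE_REQUESTS = [
  { method: 'POST',   url: '/openam/json/users?_action=register' },
  { method: 'POST',   url: '/openam/json/users?_action=create' },
  { method: 'GET',    url: '/openidm/managed/user/bjensen' },
  { method: 'GET',    url: '/openidm/managed/user/bjensen', token: 'sample-sso-token' },
  { method: 'DELETE', url: '/openidm/managed/user/bjensen', token: 'sample-sso-token' },
  { method: 'GET',    url: '/openidm/managed/user/bjensen?_action=anything', token: 'sample-sso-token' },
];

// Run the policy over the samples and return one decision per request.
function decisions() {
  return SAMPLE_REQUESTS.map(r => Object.assign({ method: r.method, url: r.url }, authorize(r)));
}

for (const d of decisions()) {
  console.log((d.allow ? 'ALLOW ' : 'DENY  ') + d.method + ' ' + d.url + '  (' + d.reason + ')');
}
console.log(renderUser({ displayName: '<img src=x onerror=alert(1)>', mail: 'bjensen@example.com' }));
```

Only the first and fourth sample requests are forwarded: registration is allowed anonymously but `_action=create` on the same path is refused, the managed-user read needs a token, `DELETE` has no rule at all, and an arbitrary `_action` on an allowed path is refused even with a token. The rendered user shows the stored display name as literal text rather than as an `<img>` element.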
Middle Tier?
• Business logic
  o Multiple calls behind one
• Token authentication
• DMZ presence
• Anonymous links from emails
• Host non-identity content
  o Country/city lists, etc.
  o Landing pages / UI host
• CAPTCHA
Gotchas
• OpenIDM (Jetty) protected by OpenAM
  o Can't use the OOTB anonymous user
• Returning detailed user status (Active/Inactive) from the OpenAM authentication REST API
  o Multiple calls
  o Authentication plugin?
• Functionality in OpenAM not as flexible
  o OpenIDM custom endpoints
Architecture