OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Transcription

1 OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM, the only all-in-one open source access management solution, provides the most innovative and comprehensive set of services required for consumer facing identity relationship management as well as traditional access management capabilities. Designed from inception to provide services for the web, cloud, mobile devices and things, OpenAM has a highly scalable, modular, easy to deploy architecture that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security - in a single, unified product. Modern customer facing identity solutions need to employ a light touch when dealing with users, all while providing the highest possible security. They need to deliver a great, easy to use service, empowering the user wherever possible, such as through easy self-registration or password reset. Otherwise they are very quick to go somewhere else. Administrators need to be able to provide the delivery of a rich and personalized experience, and need to provide modern contextual authentication as well as fine grained authorization. Developers expect to be able to produce services based on latest open standards, and need to be able to build and provide those from any device. The latest OpenAM release delivers on all of these requirements making it great for users, administrators and developers alike. Unique Only all-in-one access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security, in a single, unified product. New and improved user self-service capabilities cater to potentially very large user communities, assuring ease of use for demanding users all while maintaining highest security levels. Easy configuration of contextual and adaptive authentication through extensible scripts, and fine grained authorization with a new policy editor and policy REST APIs. Improved session handling through streamlined management of session tokens and session failover across sites. Many more REST APIs are exposed (e.g. user self-service, policy, security token service), open standards such as OAuth 2.0 and OpenID Connect are enforced more strictly, token transformations are possible (e.g. OpenID Connect to SAML 2.0), and versioning of REST APIs are possible. OpenAM is based on the Sun OpenSSO codebase offering a simple upgrade for former Sun customers to continue with their current access management investment.

2 Delivering on Identity Relationship Management Kabel Deutschland, a Vodafone Company, achieved stable and high-performance access with ForgeRock OpenAM, providing this both externally to its end customers as well as internally to sales support portals. ForgeRock OpenAM provides secure, personal access to the Toyota Touch 2 with Go device. Built into the vehicle s dashboard, the device provides information, entertainment, enhanced navigation, and connected services. We needed to go beyond an employee-centric solution and grant our customers secure access to the relevant parts of our internal systems. We had to find a flexible platform that could handle identities for our internal and external users, ensure that each person only gained access to the relevant parts of the systems, and scale to support millions of users. We chose ForgeRock to provide a state of the art, customer IAM solution with a highly reliable support structure. ForgeRock OpenAM enables us to deliver a real-world Internet of Things experience allowing us to use the car itself as an identity to provide authentication to the services platform. KOSTAS GKIRKiZAS, Senior Project Manager, Car IT Information Systems, Toyota Motor Europe MATTHIAS RÜBEL-OTTERBACH, Head of Web Application Development, Kabel Deutschland, A Vodafone Company

3 Modular Architecture 100% Java-based architecture allows deployment across many platforms. Developer and admin friendly, with task based GUI, REST, C and Java developer tools, and comprehensive documentation. Service provider interfaces (SPI s) provide a framework to extend all service modules such as adding custom authentication modules, federation plug-ins, policy conditions. Performance, Scalability, High Availability Supports large-scale implementations with millions of users and thousands of authentications per second. Requires less hardware at scale, decreasing datacenter cost and complexity. High availability with out-of-the-box persistent session failover enables support of complex, multi- site environments. OpenDJ comes embedded as a configuration store and a highly scalable and high-performance sessionpersistent store. User Self-Service Zero administration cycles needed to onboard and maintain user accounts. Users are empowered to work to their own schedule. Service is automatic and immediate. Service is exposed over REST enabling custom or mobile front-ends to utilize it. Social Authentication Makes it as easy as possible for new users to be able to access protected resources. Draws new customers in by removing the need to complete lengthy registration forms. Administrators can integrate with Social IDPs in less than 1 minute. Contextual Authentication (using new Scripting Engine) Easy to write scripts, which can call external identity proofing services, ensure a greater knowledge about who the user is and what their context is. Scripts can be used to assess risk, calling up stronger authentication mechanisms only when necessary, which makes life easier for users whilst maintaining the security of the system. These custom scripts increase the level of assurance and intelligence that the service provider has, enabling a more informed interaction with the user. Scripted Device Identification Modules A device identification script can be used to make a risk-based assessment of authenticity. Users logging in from unknown devices are more risky than those from previously identified ones. Additional factors can be employed to mitigate risk in these cases, whilst a streamlined process can be used to make life easier for transactions from trusted devices. Fine-grained policy APIs The APIs exposed in OpenAM 12 enable sophisticated policies to be authored. These policies can ensure the right information goes to the right people under the right conditions. Externalizing policies with OpenAM simplifies applications, and provides post-application deployment flexibility. Extended Authorization Subjects OpenAM can control who can do what, to which resources, under certain specific conditions. OpenAM 12 extends how we specify the who to allow the use of an OpenID Connect token. This can be used for authorization in scenarios where there is no current user session, for example, when an offline batch processing routine acts on behalf of a user.

4 New Policy Editor This delivers greater control over who can do what, when, and under which conditions. Using point and click, drag and drop operations, sophisticated policies can be built to deliver controlled access to resources. Policy Export and Import By allowing policies to be externalised to rich XACML-format files, policies can be held in version control repositories. Policies can then be restored or pushed into production by importing them back into OpenAM. It can also be used to track who has made changes to a given policy over time, and what those changes were. Mobile Support Widely used in mobile and web applications, OAuth 2.0 and OpenID Connect standards are rigorously enforced ensuring greater interoperability and consistent behaviour for developers. The Mobile Profile is an emerging standard which extends OpenID Connect to deliver attributes which are important in the mobile world. By including Level of Assurance and other information as part of the token, OpenID Connect can be used in deployments requiring high security, whilst delivering a convenient experience for the end user. Adaptive Authentication including device fingerprinting ensures mobile devices are trusted. REST APIs allow developers to create device agnostic applications. The same API can be used to access OpenAM from a Web or a native mobile application. OATH/Soft Token Generator, MSISDN and HOTP (One Time Password) capabilities enable multifactor and mobile authentication. Cloud Support Easily create federated SSO connections with SaaS apps via a GUI-based wizard or can use out-of- the-box Salesforce.com, Google Apps connectors among others. Easily setup social authentication with Google, Facebook, MSN, or any OAuth 2.0 provider. Simple click through setup of Federation IDP and SPs using SAML, OpenID Connect and OAuth 2.0. Developer Support Exposes functions as simple identity web services, so developers can easily invoke them during the app development process. Provides client application programming interfaces with REST, Java and C APIs. RESTful APIs enable JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using simple REST clients.

5 REST STS for Token Transformation A token transformation service which makes life easier for developers to convert between many identity token types, such as SAML assertions, OpenID Connect tokens, X.509 certificates and Single-Signon tokens. For example, a mobile app developer which has possession of an OpenID Connect Token can easily generate a SAML assertion to access resources held by a federated service provider. REST API Versioning Developers calling OpenAM REST APIs can be insulated from interface changes by using a specific version of an API. Server upgrades will not break existing clients. Extensive Standards Support All major federation protocols: SAML 1.x, SAML 2.0 (SP, IdP, ECP, and IdP Proxy), WS-Federation (asserting, relying party). Next gen-federation standards for cloud and mobile include full implementation of OpenID Connect and OAuth 2.0 (consumer, provider, authorization server). All Web Services security standards- Liberty ID-WSF, WS-I Basic Security Profile, WS-Trust (STS), and WS-Policy. FICAM (Federal Identity, Credential, and Access Management) compliant - initiative defined by the U.S. Federal Government to simplify identity and access management across government systems. OATH and HOTP standards that allow a mobile phone to be used as a second factor authentication. XACML for fine-grained authorization policy definition, import, export. Support included for IPv6, Java 6, 7, and 8. SAN FRANCISCO VANCOUVER OSLO BRISTOL GRENOBLE LONDON About ForgeRock ForgeRock, the fastest growing identity relationship management vendor in the world, is building secure customer relationships across the modern Web. Focused on using digital identities to grow revenue, extend reach, and launch new business models, ForgeRock s Open Identity Stack powers solutions for many of the world s largest companies and government organizations. Founded in 2010, ForgeRock s leadership team brings 80 combined years of experience in the software industry and includes open source icons and innovators, with investors from three of the leading global venture capital firms Accel Partners, Foundation Capital and Meritech Capital. For more information and free downloads, visit or follow ForgeRock on Twitter at ForgeRock is the trademark of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries. FORGEROCK.COM