White Paper

Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack

1. Overview
2. OpenAM
3. OpenIDM
4. OpenDJ
5. Getting Started
1. Overview

The following paper has been prepared to help Sun IAM customers understand the technical benefits of upgrading from the Sun IAM products to the ForgeRock Open Identity Stack, an open source IAM platform based on the original Sun IAM products. Since the inception of ForgeRock over 4 years ago, the company has been committed to evolving the original open source Sun IAM products and providing an upgrade path to modern IAM.

Sun Identity and Access Management (Sun IAM) Replacement Options:

Option 1, Stuck in Time: Oracle Sustaining Support
This option allows customers to continue running their existing Sun IAM deployment at an exorbitant cost. There are no innovations or new product releases. The offering grows stagnant and dated over time, eventually driving organizations to Option 2 or 3.

Option 2, Rip and Replace: Oracle Fusion Replacement
This option requires customers to invest in completely new IAM infrastructure. This requires a rip and replace of existing Sun IAM infrastructure and expensive system integration costs to deploy a new platform.

Option 3, A New Sun IAM Future: The ForgeRock Open Identity Stack
Building on the Sun IAM source code, ForgeRock's Open Identity Stack allows for a hybrid model where organizations can directly upgrade portions of their portfolio to ForgeRock products, minimize service costs by avoiding rip and replace, and continue to build out their Sun IAM platform backed by a best-in-class identity and access management product development company.

2 FORGEROCK.COM
Product comparison of ForgeRock Open Identity Stack to Oracle Fusion products

2. OpenAM

Overview

There are several key reasons OpenAM provides the best possible upgrade solution from Sun OpenSSO or Sun Access Manager. The OpenAM code source foundation comes from Sun and has continued to evolve and improve over time. ForgeRock has audited and cleaned the entire Sun code base, and since the initial release of OpenAM has written 100,000 lines of code, committed 10,000 code check-ins, and released 10 new versions of the product. The code source lineage, in the case of OpenSSO for example, is detailed in the following chart.

[Chart: OpenAM Code Source Lineage, 2008 to 2012]
Open source (one single product for AAA + federation): OpenSSO Build 6, OpenSSO Build 7, OpenSSO Build 8; OpenAM 9.0, OpenAM 9.5, OpenAM 10.0, OpenAM 10.1
Closed source (broken into several non-compatible products): OpenSSO Enterprise 8.0 U1, U1 P1, U1 P2, U1 P3, U2; Oracle Access Manager*, Oracle Identity Federation*, Oracle Entitlements Server*, Oracle Adaptive AM*, Oracle Fedlet*
* Must purchase all products above to replicate OpenAM functionality

OpenAM Product Description

OpenAM has a unique architecture to support use cases from complex enterprise access control, to multi-protocol federation, to SSO enablement for cloud systems. At the highest level, OpenAM consists of a single, self-contained Java application; service components such as session management; client-side APIs in C, Java, and REST; service provider interfaces to enable custom plugins; and policy agents for web and app server containers to enforce access policies on protected web sites and web applications. Organizations with existing internal access management solutions can easily integrate OpenAM into their environment through API services. Maintaining all installation and configuration capabilities within one application vastly simplifies deployment.
In addition, agent configuration, server configuration, and other tasks are simplified to be repeatable and scalable, so multiple instances of the solution can be deployed without additional effort. The embedded OpenDJ directory server eliminates the need to configure a separate directory to support the configuration and user stores; or, if desired, users can utilize other LDAP directories such as Sun DSEE or databases as user stores instead.
[Diagram: OpenAM Functional Diagram]
UI Layer: Management; End User
Protected Resources Layer: Web Agents; JavaEE Agents; WS Agents
Access Layer: Common REST; OpenID Connect; OAuth2; SAML; WS
Services Layer: AuthN; Federation; Adaptive Risk; AuthZ; Session Management; SSO; Entitlements; Password Management; Logging
Data Persistence Layer
External Layer: Authentication Systems; User Directory Stores; Reporting Tools; SIEM, Analytics Tools

OpenAM Advantages (ForgeRock vs. Legacy Vendors)

Cost-Effective Upgrade Path
ForgeRock: ForgeRock offers the most cost-effective path for existing Sun customers. Because it is based on the same code base, upgrading to OpenAM is just moving to the latest version of Sun OpenSSO. OpenAM is also designed as a single solution, meaning there are no additional license fees to get all the features: one price gives you everything today and what's delivered in the future.
Legacy Vendors: Oracle recommends that you rip and replace Sun OpenSSO or Sun AM as the upgrade path to OAM. If you are an existing OAM customer then you probably already know the pain of moving from just OAM 10g to 11g. Unless there are significant business reasons to move to OAM, OpenAM is technically a better product, a more cost-effective solution, and an easier upgrade path.

Comprehensive
ForgeRock: It is the only all-in-one Access Management solution that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product.
Legacy Vendors: Comparing OAM to OpenAM is not 1:1. OAM has 8+ individual products vs. 1 integrated OpenAM solution. You end up paying more for an accidental architecture through added deployment complexity and a steep learning curve.
Developer-Friendly
ForgeRock: Designed for the developer using a single, common programming interface (REST), or if preferred, Java and C. Our key objective is to make it easier, faster, and less complex to implement IT and business requirements.
Legacy Vendors: Oracle products were designed to support Fusion App platform products first, your application environment second. Providing simple API access to developers to enable easy integration is not part of their DNA.

Performance, Scalability, High Availability
ForgeRock: Supports large-scale implementations with thousands of logins and registrations per second. Requires fewer machines at scale, decreasing footprint. Load balancing and high availability with session failover across sites support complex, multi-site environments.
Legacy Vendors: Oracle designed OAM for the enterprise and Oracle Fusion apps, and now is saddled with an architecture that cannot effectively support large-scale deployments for ISPs, SaaS providers, and customer-facing services. Systems designed for a single purpose are not cost-effective or practical for alternative uses.

Built-in Data Store
ForgeRock: OpenDJ comes embedded as a session-persistent store and a highly scalable and high-performance configuration store. There is no additional cost to use it straight out of the box with OpenAM. This saves you time and money with license and configuration issues. Or use your choice of datastore if desired.
Legacy Vendors: OAM does support almost any LDAP datastore, but it's at your own cost: separate install, config, license, and support contract. With a 100+ step checklist to install an OAM-supported directory, it's anything but simple. OpenDJ is part of the OpenAM install process and is up and running in a few clicks.

3. OpenIDM

Overview

To understand why we designed OpenIDM the way we did, it's important to know a bit about the history of user provisioning.
Legacy user provisioning products were designed 10-15 years ago, when IT used a three-tier web architecture for application development and attempted to consolidate all identities into a centralized directory service. These first-generation provisioning systems helped automate the administration of users to reduce cost and resource overhead. By building a system that connected to the mainframe, HR system, and email systems, departments and lines of business could manage their own policies for granting system access.

Fast-forward to today, and the entire IT landscape has radically changed. It's now more complex than ever due to the explosion of devices, users, roles, and regulations, among many other requirements. While the original provisioning systems worked as point solutions, they had limited ability to fully integrate into the enterprise, limited flexibility to adapt to new business requirements, and were inherently complex to implement.

For these reasons, OpenIDM was developed as a clean-sheet design using a modern, lightweight, modular architecture that supports business use cases for identity administration and provisioning not only within the enterprise, but for cloud-based services delivered to the user across a wide variety of devices including mobile and desktop. Moving to OpenIDM from Sun Identity Manager provides a lightweight, developer-friendly solution. It will provide a flexible system that is easy to adapt to the many different use cases that the business requires, not just today, but in 3 to 5 years, as the IT landscape continues to evolve.
Product Overview

OpenIDM is a User Administration and Provisioning solution purpose-built to manage user access and accounts across enterprise, cloud, social, and mobile environments. OpenIDM is 100% open source, offering a very different approach to application development, with a more reasonable cost model and improved flexibility to support the innovation required to stay competitive.

Because the Java-based architecture is built on the OSGi framework, OpenIDM is able to provide lightweight, modular services such as automated workflow, user self-service, registration, password sync, data reconciliation, and audit logging, all accessible through the RESTful API using standard Java development tools. The OSGi framework enables modular, plug-and-play identity services: if you want to use an alternative component, such as a workflow engine, with OpenIDM, you can easily do so. In addition, OpenIDM leverages OpenICF (Open Source Identity Connector Framework) to vastly simplify resource connector development and sharing through the open source community.

With complete flexibility in data and object schema, the OpenIDM architecture enables support for traditional on-premise applications as well as cloud service providers such as Workday, Google Apps, and Salesforce.com. Using SCIM (System for Cross-Domain Identity Management), open standards, and the REST API, OpenIDM is easy to configure straight out of the box, enabling user provisioning and administration services for cloud providers without complex customization. This simplifies account creation, updates, deletions, and auditing without the cost and overhead of deploying multiple systems.

[Diagram: OpenIDM Functional Diagram]
UI Layer: ForgeRock UI Framework
Access Layer: Common REST
Business Logic Layer: JavaScript; Groovy; Java
Services Layer: Provisioning Services; Password Management; Report & Audit Service; Directory Service; OpenIDM Repository; Task Scanner; Workflow Engine; Policy Service
External Resources Layer
OpenIDM Advantages (ForgeRock vs. Sun Identity Manager)

Internet Scale Architecture
ForgeRock: With a next-gen architecture, OpenIDM is unique in its support for large-scale, high-transaction-rate operations for customer-facing systems that deliver user self-service, password management, and account creation. With a high-speed reconciliation and sync engine, data is managed efficiently between multiple backend datastores to ensure data is clean and consistent.
Sun Identity Manager: Sun Identity Manager was purpose-built for enterprise provisioning between HR, AD, and other back-office systems. Because of the complex configuration, usually no more than 25 systems were connected. The Service Provider edition was an attempt to provide the scale needed for new externally facing applications.

Open Standards-based Connector Framework
ForgeRock: OpenIDM provides standard, out-of-the-box ICF connectors (based on OpenICF, the Open Source Identity Connector Framework) to the most widely used backend systems. Connector code is open, reusable, and can be shared through the OpenICF community.
Sun Identity Manager: The original Sun Identity Manager connector code was proprietary and as such is not reusable when migrating. Oracle recognized this and moved new connector tools to support the OpenICF framework, which will help simplify some of the migration to OpenIDM.

Developer-Friendly
ForgeRock: Simple RESTful interfaces provide APIs for managing all core operations of user administration, sync, and reconciliation. A server-side scripting engine is provided, with JavaScript and Groovy supported out of the box.
Sun Identity Manager: Sun Identity Manager provided limited API access for developers, and the XPRESS scripting language was proprietary. XPRESS correlation rules can be migrated from XPRESS to JavaScript.

Embeddable for SaaS/Custom App
ForgeRock: OpenIDM has a modular architecture with a small footprint, and it's open source and developer-friendly. This makes OpenIDM an ideal solution to embed in a SaaS, IaaS, PaaS, or hosted service provider offering.
Sun Identity Manager: Sun Identity Manager was purpose-built for enterprise workflow processes only. Any SaaS or service provider system requiring a lightweight, embeddable, developer-friendly solution will have to use another option such as OpenIDM.

Independent UI Framework
ForgeRock: OpenIDM is the first provisioning solution designed with a UI that is decoupled from the core services. Through support of jQuery and REST APIs, it allows complete customization of the presentation layer.
Sun Identity Manager: Sun Identity Manager does not offer developer access to the admin UI. This is a traditional software app that has an admin console UI or CLI that can be used for managing configuration. Forms are used for the end user UI and can be modified as needed.
Industry Standard Workflow Modeling
ForgeRock: OpenIDM supports a plug-and-play design that allows choice of either the embedded Activiti engine or another of the customer's choice. Activiti supports industry-standard BPMN 2.0 process definition models, which can not only be exchanged between different graphical editors, but can also execute as is on any BPMN 2.0-compliant engine.
Sun Identity Manager: Sun Identity Manager has a flexible yet proprietary workflow design that was custom-built and therefore cannot be changed. OpenIDM exposes the same capability, but instead of using a proprietary workflow definition language, we leverage the industry standard BPMN 2.0 to specify workflows. ForgeRock is able to help customers migrate the proprietary notation to industry standard BPMN 2.0 notation.

Flexible Data Model
ForgeRock: The object model is designed to support whatever the organization requires. The options are to configure OpenIDM to create a virtual identity with links to external systems (data sparse model), or to create a metadirectory that centrally stores a copy of identity attributes (data full model).
Sun Identity Manager: Sun Identity Manager uses a data sparse data model, which is good if the organization doesn't have a lot of data to manage, sync, or reconcile between backend systems. OpenIDM provides the advantage of either data model, which is critical to the current needs of many businesses.

4. OpenDJ

Overview

OpenDJ, initiated as the Sun Microsystems OpenDS project, was designed as a replacement for Sun Directory Server Enterprise Edition, and therefore provides the easiest migration path. ForgeRock is changing the decades-old approach to LDAP directory services by simplifying the way developers gain access to the underlying directory service. OpenDJ is the first commercial open source solution that provides both an LDAP and REST-compliant directory service.
With a design specifically developed for the Java platform, it can provide high-throughput performance for both reads and writes, configurable with replication for highly available service, and secure protection of data with multiple levels of authentication and authorization. OpenDJ is also the easiest directory to deploy and manage for many different use cases, whether for a large-scale cloud service directory, a consumer-facing directory, or an enterprise or network operating system (NOS) directory.

With its 100% Java code base, OpenDJ runs on many platforms, including virtualized environments. All software and data are architecture-independent, so migration to a different OS or a different server is as simple as copying an instance to the new server. This increases the deployment flexibility, as well as the portability between different operating systems and system architectures.
[Diagram: OpenDJ Functional Diagram]
UI Layer: Management; End User
Access Layer: Common REST; LDAP SDK; LDAPv3
Services Layer: REST2LDAP; Access Control; Password Policy; Groups; Schema Management; Caching; LDAPv3 Replication; Monitoring; Auditing
External Layer: Active Directory; Samba; User Directory Stores; Reporting Tools; SIEM, Analytics Tools

OpenDJ Advantages (ForgeRock vs. Oracle)

Internet Scale Architecture
ForgeRock: OpenDJ provides industry-leading performance with sub-millisecond read/write response times and low-latency throughput, up to hundreds of thousands of operations per second. HA deployments are supported with N-way multi-master replication, including data centers with geographic separation for managing failover and disaster recovery. Meets the most rigorous SLA requirements, from telco subscriber systems to mission-critical enterprise environments.
Oracle: Oracle has 3 different directory products to choose from. The Sun OpenDS code base provides the foundation for both Oracle Unified Directory and OpenDJ, which means all the advantages of the Oracle product can be found in OpenDJ as well: Internet scalability, HA, and support for use cases for the enterprise and cloud, except that OpenDJ is 100% open source with an actively and rapidly contributing community and the flexibility to customize code.

Developer-Friendly
ForgeRock: OpenDJ is the first LDAP directory to support a range of developer options including a REST API, SCIM, LDAP, and DSML-based Web Services. And for the traditionalists, the OpenDJ SDK provides a library of Java classes and interfaces for accessing and implementing LDAP directory services.
Oracle: Oracle only provides access through traditional APIs like DSML and the Identity Governance Framework (IGF) ArisID Java Interfaces.
Pass-Through Authentication
ForgeRock: OpenDJ enables simple-to-configure delegated authentication to another LDAP directory service, such as Active Directory, without the need to install other components or products. Delegated authentication removes security risks associated with synchronizing passwords (e.g. transfer of cleartext passwords).
Oracle: Oracle requires installation of other Oracle products such as the Directory Integration Platform for synchronization between other directory services, adding complexity and cost to every deployment. OpenDJ provides this feature standard out of the box, as it is one of the baseline use cases for almost every enterprise.

5. Getting Started: Sun Upgrade Offering

The ForgeRock Sun Upgrade offering has been designed to help organizations strategically plan for upgrading all or parts of their Sun IAM deployment. For many customers, this will be a very straightforward process, depending on the Sun products and versions deployed. The first step is the Sun Upgrade Assessment offering, which is designed to help organizations map out their current IAM architecture and business processes. The assessment also includes an evaluation of technical and business needs against short- and long-term strategies. The Assessment will produce a multi-point plan with recommendations that can be used for internal planning and budgeting.

It is our goal at ForgeRock to help organizations with their decision-making process as they work through use-case scenarios for existing and future requirements. The ForgeRock Sun Upgrade offering is designed to help organizations strategically plan an upgrade of all or part of their Sun IAM deployment. With a variety of resources available to our customers to help with this process, ForgeRock will be your trusted partner in mapping your current IAM architecture and business processes, and in evaluating your current needs against your short- and long-term strategies. Let's get started.
Contact us at http://forgerock.com/products/sun-replacement/

About ForgeRock

ForgeRock is redefining identity and access management for the modern web, including public cloud, private cloud, hybrid cloud, and enterprise and mobile environments. ForgeRock products support mission-critical operations with a fully open source platform. ForgeRock's Open Identity Stack powers solutions for many of the world's largest companies and government organizations. For more information and free downloads, visit www.forgerock.com or follow ForgeRock on Twitter at www.twitter.com/forgerock.

ForgeRock is the trademark of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries.