DANIEL STROUD, CISSP-ISSAP, MCSE, Identity and Access Management Capabilities Lead, G2, Inc., at the European IRM Summit 2014.
November 2014
Enabling the eCitizen in a Distributed Environment
Daniel Stroud, IAM Capabilities, [email protected]
Primary Goals
• Reusability
• Simplified Public Key Infrastructure (PKI) Authentication in a Distributed Lightweight Directory Access Protocol (LDAP) Environment
• Distributed Attribute Repository Support
• Simplified Transition to Attribute Based Access Control (ABAC)
• Disconnected Operations Support
• Reusability
  • Choose a robust open source solution
  • Distill complex configurations
  • Provide automation and standard packaging
• Simplified PKI Authentication
  • Allow end user PKI certificate linkage and entrenchment
  • Allow multiple Certificate Revocation List (CRL) definitions via HTTP
• Distributed Attribute Repository Support
  • Implement a pluggable interface with Virtual Directory Service (VDS) capability
• Simplified ABAC Transition
  • Package default rules for protected resources
• Disconnected Operations Support
  • Implement in-memory and local LDAP caching
Technical Approach
REUSABILITY: An Introduction to the KickStart Console…
SIMPLIFIED PKI AUTHENTICATION
The Ideal Situation
[Diagram: three Web Applications, each behind a Policy Agent in a J2EE Servlet Container, an OpenAM Server, a single PKI Authority and its CRL]
Distributed PKI Environment
[Diagram: three Web Applications, each behind a Policy Agent in a J2EE Servlet Container, an OpenAM Server backed by LDAP, a PKI Authority, a Web Server, and two separate CRLs]
DISTRIBUTED ATTRIBUTE REPOSITORY SUPPORT
Distributed Attributes
[Diagram: three Web Applications, each behind a Policy Agent in a J2EE Servlet Container, an OpenAM Server backed by LDAP, and an Authoritative Attribute Repo]
SIMPLIFIED ABAC TRANSITION: Another Look at the KickStart Console…
DISCONNECTED OPERATIONS SUPPORT
Disconnected
[Diagram: three Web Applications, each behind a Policy Agent in a J2EE Servlet Container, an OpenAM Server backed by LDAP, and an Authoritative Attribute Repo]