Dr. Matthias Tristl, Senior Instructor at ForgeRock, presents a General Session providing a high-level overview of Bridge SPE at the 2014 IRM Summit in Phoenix, Arizona.
IRM Summit 2014
Bridge SPE
Matthias Tristl
The Challenge
■ User has a local account
■ User needs access to a Cloud Service
(Diagram labels: Local AD or LDAP; SaaS; Governments)
Solution
Automatic Provisioning into SaaS platforms
What customers expect:
■ Local Action:
– Create user locally
– Give user a role / group membership
■ Results in the Cloud:
– Automatic provisioning
– Giving users the exact entitlement they need
User Life Cycle
What customers expect:
■ Local changes of users are reflected:
– Change attributes, entitlements or profiles
– Deactivate user
– Reactivate user
■ Process Requirements
– One "catch all" process (e.g. for the initial load) for a full sync
– Changes are synchronized in "near real time" by an incremental sync
Delegated Admin
What customers expect:
■ Give a subset of administrators admin rights on CC (Cloud Connect) for:
– Configuration
– Maintenance
– Monitoring
■ Privileges are granted by local group membership
SSO: Local and Cloud
■ Authentication strategies:
– SSO vs. Password Sync
■ SSO Challenge:
– Multi domain SSO
■ Even more convenient:
– Integrated Windows Authentication (IWA)
CC Components
■ CC Server
■ CC Configuration UI
■ AD/LDAP connector
■ Cloud connector
■ Configuration DB: in process or remote
■ Scheduler
Cloud Connect Architecture
(Architecture diagram; recoverable component labels:)
■ OSGi Configuration Wizard
■ OpenIDM
■ Business Logic (JavaScript, Groovy, Java)
■ Authentication: JASPI (AD and IWA)
■ Jetty Web Server
■ Salesforce and LDAP Connector
■ OAuth
■ Federation
■ ForgeRock UI Framework
■ Reporting and Recon
User Synchronization
■ A new user is created locally
■ CC checks it against the "ignored users rule"
■ CC checks for an existing association
■ If there is none, CC tries to find a target account by an Association Rule
■ If none is found, the user is created in the target
■ After the create, the accounts are associated
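The per-user decision flow described on this slide, written out as an added example (this is not Cloud Connect's or OpenIDM's own code). It also carries an analyze-only switch that behaves like the "Analyze Associations Now" run on the later "Full vs. Incremental Sync" slide: statistics and the list of actions that would run, with nothing written. The data shapes, the ignore rule, the association rule, the attribute mapping and the generated target ids are all assumptions; the sample users and accounts are constructed.

```javascript
// Added example, not Cloud Connect's code: the "User Synchronization" flow
// (ignored-users rule -> existing association -> association rule -> create ->
// associate) with an apply/analyze switch. Data shapes and rules are assumed.

function sampleData() {
  return {
    // Constructed local (AD/LDAP) users; objectGUID is the stable source key.
    users: [
      { uid: "alice", mail: "alice@example.com", objectGUID: "g-1" },
      { uid: "svc-backup", mail: "svc-backup@example.com", objectGUID: "g-2" },
      { uid: "bob", mail: "Bob@Example.com", objectGUID: "g-3" },
      { uid: "carol", mail: "carol@example.com", objectGUID: "g-4" },
    ],
    // Constructed cloud accounts; "id" is the SaaS platform's own key.
    targets: [
      { id: "005A", Username: "alice@example.com" },
      { id: "005B", Username: "bob@example.com" },
    ],
    // Existing associations: source key -> target id. alice is already linked.
    links: new Map([["g-1", "005A"]]),
  };
}

// "Ignored users rule" (assumed): service accounts are never provisioned.
const isIgnored = (user) => user.uid.startsWith("svc-");

// "Association rule" (assumed): match an unlinked source user to an existing
// target account by e-mail, case-insensitively.
function findByAssociationRule(user, targets) {
  const mail = user.mail.toLowerCase();
  return targets.find((t) => t.Username.toLowerCase() === mail);
}

// Attribute mapping used on create (assumed; real mappings are set in the UI).
const mapToTarget = (user) => ({ Username: user.mail.toLowerCase() });

// Run the flow over all users. With apply=false nothing is changed; only the
// statistics and the actions that *would* run are returned ("analyze" mode).
function synchronize({ users, targets, links }, apply) {
  const stats = { ignored: 0, alreadyLinked: 0, linkedByRule: 0, created: 0 };
  const actions = [];
  let nextId = 1;
  for (const user of users) {
    if (isIgnored(user)) { stats.ignored++; continue; }                   // step 1
    if (links.has(user.objectGUID)) { stats.alreadyLinked++; continue; } // step 2
    const existing = findByAssociationRule(user, targets);               // step 3
    if (existing) {
      stats.linkedByRule++;
      actions.push({ op: "link", source: user.objectGUID, target: existing.id });
      if (apply) links.set(user.objectGUID, existing.id);
      continue;
    }
    stats.created++;                                                     // step 4
    const account = { id: `new-${nextId++}`, ...mapToTarget(user) };
    actions.push({ op: "create", source: user.objectGUID, target: account.id });
    if (apply) {
      targets.push(account);
      links.set(user.objectGUID, account.id);                            // step 5
    }
  }
  return { stats, actions };
}

// Stand-alone demo: analyze first (state untouched), then apply.
const data = sampleData();
console.log("analyze:", synchronize(data, false).stats, "links:", data.links.size);
console.log("apply:  ", synchronize(data, true).stats, "links:", data.links.size);
```

The analyze run and the apply run report the same counts on the first pass; the difference is that only the apply run leaves new links and accounts behind, so a second apply pass reports every remaining user as already linked.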
The CC Configuration UI
■ Rich client
■ Runs in browser
■ Connects over REST to CC
■ Is JavaScript based (plus jQuery…)
UI: Top Screen

UI: Local connection I
UI: Local Connection II
■ Base Context
■ User Filter
– LDAP filter
– user objectclasses
■ Group Filter
– LDAP filter
– group objectclasses
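How the three settings on this screen (Base Context, an admin-written LDAP filter, a list of objectclasses) combine into the search a connector issues, as an added example that is not Cloud Connect's own code. It also shows the check a practitioner wants around any filter built at run time: a value that did not come from configuration (a login name, an e-mail) is escaped per RFC 4515 before it is spliced in, so it cannot widen or close the filter. Function names and all sample values are assumptions.

```javascript
// Added example, not Cloud Connect's code: compose the "Local Connection II"
// settings into one LDAP search and escape run-time values (RFC 4515).

// RFC 4515 escaping for a value placed inside an LDAP filter: the four filter
// metacharacters and NUL become \XX hex escapes, so "*)(cn=*" can no longer
// turn an equality match into a wildcard or close the surrounding term.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Combine the configured filter (trusted admin input, used verbatim) with one
// (objectClass=...) term per configured class into a single AND filter.
function buildSearch(baseContext, { filter, objectClasses }) {
  const terms = objectClasses.map((oc) => `(objectClass=${escapeFilterValue(oc)})`);
  if (filter) terms.unshift(filter);
  return {
    base: baseContext,
    scope: "sub",
    filter: terms.length === 1 ? terms[0] : `(&${terms.join("")})`,
  };
}

// Narrow the user search to one account by an attribute value that did not
// come from configuration (e.g. a login name typed into a form).
function userLookup(baseContext, userConfig, attr, value) {
  const search = buildSearch(baseContext, userConfig);
  return { ...search, filter: `(&${search.filter}(${attr}=${escapeFilterValue(value)}))` };
}

// Constructed configuration in the shape of the "Local Connection II" screen.
const baseContext = "DC=example,DC=com";
const userConfig = {
  filter: "(memberOf=CN=CloudUsers,OU=Groups,DC=example,DC=com)",
  objectClasses: ["user", "person"],
};
const groupConfig = { filter: "", objectClasses: ["group"] };

console.log(buildSearch(baseContext, userConfig).filter);
console.log(buildSearch(baseContext, groupConfig).filter);
// A hostile login name is neutralised instead of matching every user:
console.log(userLookup(baseContext, userConfig, "sAMAccountName", "*)(objectClass=*").filter);
```

The configured filter is deliberately not escaped: it is a complete filter expression written by the administrator, and escaping it would break it. Only values that belong inside an attribute comparison go through `escapeFilterValue`.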
UI: Cloud Connection
■ Protocol
– Uses REST
– OAuth 2 where the SaaS platform requires it (Salesforce does)
■ Requirements (for Salesforce)
– Connected App on SF with the following authorizations (OAuth scopes):
■ Access your basic information (the "id" scope)
■ Access and manage your data (the "api" scope)
■ Perform requests on your behalf at any time (the "refresh_token" scope: a long-lived refresh token is issued and must be protected like a credential)
– SF Domain (for SSO)
– Enable Multiple SAML configurations (for automatic SSO setup)
UI: Mapping Attributes I

UI: Mapping Attributes II
UI: Mapping Groups
■ Situation: the sync engine gets the list of the user's AD group memberships in memberOf
■ AD groups map to SF Profiles
■ If the AD group memberships would result in more than one SF Profile, the one with the highest precedence is used
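The precedence rule from this slide, as an added example that is not Cloud Connect's own code: a user's memberOf list is resolved to exactly one Salesforce profile, and a mapping table in which two groups share a precedence is rejected up front, because that is the one configuration under which the result would depend on the order AD happened to return the groups in. The mapping table, group DNs, precedence numbers and the memberOf value are constructed; "higher number wins" is an assumption about how precedence is expressed.

```javascript
// Added example, not Cloud Connect's code: AD memberOf -> one SF profile by
// precedence ("Mapping Groups" slide). Mapping table and DNs are constructed.

// One row per configured AD group -> SF profile mapping. Higher precedence wins.
const groupMappings = [
  { group: "CN=SF-Admins,OU=Groups,DC=example,DC=com",   profile: "System Administrator", precedence: 30 },
  { group: "CN=SF-Sales,OU=Groups,DC=example,DC=com",    profile: "Standard User",        precedence: 20 },
  { group: "CN=SF-ReadOnly,OU=Groups,DC=example,DC=com", profile: "Read Only",            precedence: 10 },
];

// Reject a table in which two groups share a precedence: with a tie the
// engine would pick a profile depending on the order memberOf arrived in,
// which is exactly the ambiguity the precedence rule exists to remove.
function validateMappings(mappings) {
  const seen = new Map();
  for (const m of mappings) {
    if (seen.has(m.precedence)) {
      throw new Error(`precedence ${m.precedence} used by both "${seen.get(m.precedence)}" and "${m.group}"`);
    }
    seen.set(m.precedence, m.group);
  }
  return mappings;
}

// AD distinguished names compare case-insensitively and tolerate whitespace
// around commas, so normalise both sides before comparing.
const normalizeDn = (dn) => dn.replace(/\s*,\s*/g, ",").toLowerCase();

// Returns the winning profile plus every candidate (useful in sync reports),
// or profile null when no mapped group is present. What to do in that case
// (default profile, deactivate, skip) is a deployment decision, not decided here.
function resolveProfile(memberOf, mappings) {
  const have = new Set(memberOf.map(normalizeDn));
  const candidates = mappings.filter((m) => have.has(normalizeDn(m.group)));
  if (candidates.length === 0) return { profile: null, candidates: [] };
  const winner = candidates.reduce((best, m) => (m.precedence > best.precedence ? m : best));
  return { profile: winner.profile, candidates: candidates.map((m) => m.profile) };
}

validateMappings(groupMappings);

// Constructed memberOf value as the sync engine would receive it from AD;
// unmapped groups (Domain Users) are ignored, and case differences do not matter.
const memberOf = [
  "CN=SF-ReadOnly,OU=Groups,DC=example,DC=com",
  "CN=Domain Users,CN=Users,DC=example,DC=com",
  "cn=sf-sales, ou=groups, dc=example, dc=com",
];
console.log(resolveProfile(memberOf, groupMappings));
```

Keeping the full candidate list in the result makes a later sync report able to show why a user ended up with a given profile, which is the question an administrator asks when a user unexpectedly gains or loses rights in the cloud.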
User Association Rules
Change Default Association Rules in the UI:
Full vs. Incremental Sync
■ Analyze Associations Now: a full sync but without actions; creates statistics only
■ Sync Now: full updates; usually run on a daily basis or even less frequently
■ Schedule Updates (configure the update interval): same action as "Sync Now"
■ Live Updates (scheduled every 5 sec.)
– Like an incremental sync
– Only changed accounts are synced
– Close to a real-time schedule
Sync Reports
The CC SSO Mechanism
■ Based on SAML
■ Requires a Domain on Salesforce
■ If the automatic setup is available, it is a one-click configuration in Identity Connect!
■ Needs some configuration in the SF Domain
IWA Authentication Architecture
Assumption: Client and KDC are in the same domain
IC Cluster architecture
(Cluster diagram; recoverable labels: Browser; two IC nodes, each with a File system; Repository)
Cloud Connect SPE vs. EE
(Feature comparison table; the per-edition columns are not recoverable. Rows compared:)
■ Packaged as software appliance with Admin UI
■ Synchronization from Enterprise to multiple SaaS
■ Reconciliation and reporting
■ SAML2 and OAuth2
■ SSO / IWA
■ End User Dashboard
■ Runs With Any SSO Product
■ ICF