Sunday, October 18, 2015

OpenAM (strikes back): The Rationale

This post is (I hope) the first in a series describing the almost (!) successful journey of using OpenAM to simulate SSO for a bunch of legacy applications (among them an in-house implementation of OTRS).
To begin with the conclusion (so you might abandon reading the series): after successfully implementing the solution, I decided not to go further with releasing it into production, for two main reasons:
  • While the sources are released under the CDDL 1.0 license, binary deployment is restricted to a paid subscription, so you would have to compile the binaries yourself; looking at the way the source control is organised (part SVN, looking erratic, part GitHub), this does not look very promising.
  • Comments on the way OpenAM is built, from an architectural point of view (for example https://evolveum.com/blog/hacking-openam-level-nightmare/ ).

The problem

As mentioned, the main goal was to implement an SSO-type solution for legacy web applications, the main target being an in-house implementation of OTRS.
Another tough restriction is to use Active Directory as the identity repository but not as the main (configuration) data store, since our IT people will not allow OpenAM to extend the default AD schema.

The sketched solution

  • Use OpenAM as the identity provider
  • Use OpenIG to implement custom rules at the reverse proxy level; this is required for two main purposes:
    • acting as a backend for the JEE agent
    • implementing a two-step scenario for applications that require a session cookie to be acquired (!) before the password-replay POST can be executed
  • Use a JEE agent to implement password replay
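The two-step scenario above is the part that trips up a plain password-replay agent, so here is an added illustration of it in Python. This is not code from the original post, nor OpenAM/OpenIG code: the legacy application is a constructed stand-in for the kind of app the post describes (its login handler refuses any POST that does not carry a session cookie issued earlier by a GET on the login page, and the cookie name `LEGACYSESSID`, the users and the paths are assumptions), and `two_step_replay` stands in for the rule the post would place in OpenIG, fed with credentials that in a real deployment would come from the agent's replay headers.

```python
"""Two-step password replay against a legacy login form.

Added illustration; the app, cookie name, users and paths are constructed
stand-ins, not the post's own code or any OpenAM/OpenIG API.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_cookie(header):
    """Turn a Cookie request header into a dict (ignores malformed parts)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def cookie_from_set_cookie(value):
    """Keep only the name=value pair of a Set-Cookie header, drop attributes."""
    return value.split(";", 1)[0]


class LegacyApp:
    """Constructed stand-in for a legacy web app such as the in-house OTRS."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed sample data)
        self.sessions = {}      # session id -> authenticated username, or None

    def handle(self, method, path, headers=None, form=None):
        headers = headers or {}
        form = form or {}
        sid = parse_cookie(headers.get("Cookie", "")).get("LEGACYSESSID")
        if path == "/login" and method == "GET":
            # Step 1: the app hands out an anonymous session cookie with the form.
            sid = secrets.token_hex(16)
            self.sessions[sid] = None
            set_cookie = f"LEGACYSESSID={sid}; HttpOnly; Path=/"
            return Response(200, {"Set-Cookie": set_cookie}, "<form>...</form>")
        if path == "/login" and method == "POST":
            if sid not in self.sessions:
                # Step 2 without step 1: the POST is refused outright.
                return Response(403, {}, "no session")
            user = form.get("user")
            if user in self.users and self.users[user] == form.get("password"):
                self.sessions[sid] = user
                return Response(302, {"Location": "/home"})
            return Response(401, {}, "bad credentials")
        if path == "/home":
            user = self.sessions.get(sid)
            if user is None:
                return Response(302, {"Location": "/login"})
            return Response(200, {}, f"hello {user}")
        return Response(404)


def single_step_replay(app, user, password):
    """Naive replay: POST the credentials straight away."""
    return app.handle("POST", "/login", {}, {"user": user, "password": password})


def two_step_replay(app, user, password):
    """Replay as sketched for the OpenIG rule: GET to acquire the session
    cookie, then POST the credentials with that cookie attached.
    Returns the POST response and the cookie the browser must keep."""
    first = app.handle("GET", "/login")
    session_cookie = cookie_from_set_cookie(first.headers["Set-Cookie"])
    second = app.handle("POST", "/login", {"Cookie": session_cookie},
                        {"user": user, "password": password})
    return second, session_cookie


if __name__ == "__main__":
    app = LegacyApp({"alice": "s3cret"})
    print("single step:", single_step_replay(app, "alice", "s3cret").status)
    resp, cookie = two_step_replay(app, "alice", "s3cret")
    print("two step:", resp.status,
          app.handle("GET", "/home", {"Cookie": cookie}).body)
```

The practical consequence for the proxy is visible in `two_step_replay`: whoever performs the replay must also hand the session cookie from step 1 back to the browser, otherwise the user's next request reaches the legacy app without the session that was just authenticated.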
