[DevoxxFR2013] Security for Enterprises in a Cloudy and Mobile World
Lecturer
Ludovic Poitou serves as Product Manager at ForgeRock, overseeing directory products, and holds the position of General Manager for ForgeRock France. With a background in open-source Java and LDAP, he previously worked at Sun Microsystems as a developer and architect for directory solutions, later engaging in community management.
Abstract
Ludovic Poitou examines evolving enterprise security demands amid mobile proliferation, social networks, and cloud computing. Centering on identity management, he analyzes ForgeRock’s Open Identity Stack—an open-source Java solution—detailing standards like OAuth, OpenID Connect, and SCIM. The discussion evaluates impacts on information systems infrastructure and application architecture, advocating adaptive strategies for secure access in hybrid environments.
Shifting Paradigms: Mobile, Cloud, and Social Influences on Security
Poitou identifies three transformative trends reshaping information security: ubiquitous mobile devices, pervasive social platforms, and cloud services adoption. These necessitate reevaluating traditional perimeters, as data flows beyond firewalls to diverse endpoints.
Mobile introduces BYOD challenges—personal devices accessing corporate resources—demanding granular controls. Cloud shifts storage and processing externally, requiring federated trust. Social networks amplify identity federation needs for seamless yet secure interactions.
At the core lies identity management: provisioning, authentication, authorization, and storage across lifecycles. ForgeRock, emerging post-Sun acquisition, builds on open-source projects like OpenDJ (LDAP server) to deliver comprehensive solutions.
Core Components of Open Identity Stack: Directory, Access, and Federation
ForgeRock’s stack comprises OpenDJ for LDAP-based storage, OpenAM for access management, and OpenIDM for identity administration. OpenDJ handles scalable directories; OpenAM manages SSO and federation; OpenIDM orchestrates provisioning.
Poitou highlights Java foundations enabling portability. Development centers in Grenoble support global operations.
This modular approach allows tailored deployments, integrating with existing systems while supporting modern protocols.
Emerging Standards: OAuth, OpenID Connect, and SCIM for Interoperability
Addressing federation, Poitou details OAuth 2.0 for delegated authorization—clients obtain access tokens without ever handling the user’s credentials. Grant types include the authorization code flow for web applications and the implicit flow for browser-based clients.
OpenID Connect layers identity atop OAuth, providing ID tokens (JWT) that carry user claims. This enables authenticated API calls and profile sharing.
SCIM standardizes user and group provisioning via REST, simplifying cloud integrations. Poitou contrasts it with LDAP’s generality, noting SCIM’s user-centric focus.
Code illustration (conceptual OAuth flow; `client`, `userId` and `rsaPrivateKey` are assumed to be in scope):
```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.*;
import java.util.Date;
// Client requests a token from the authorization server's token endpoint (Apache HttpClient)
HttpResponse response = client.execute(new HttpPost("token_endpoint"));
// Server validates the request, then issues a signed JWT (Nimbus JOSE+JWT)
JWTClaimsSet claims = new JWTClaimsSet.Builder()
        .subject(userId)
        .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000)) // short-lived token
        .build();
SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
signedJWT.sign(new RSASSASigner(rsaPrivateKey)); // server's private signing key
String token = signedJWT.serialize(); // compact serialization returned to the client
```
These standards facilitate secure, standardized exchanges.
Architectural Implications: Token-Based Authorization and Device Management
Traditional session cookies fall short in mobile and cloud settings; tokens take their place. Applications validate JWTs statelessly, reducing server load.
Poitou discusses administrative token generation—pre-authorizing applications and devices without an interactive login. OpenAM supports this for seamless access.
Infrastructure evolves: authentication is decoupled from applications via gateways. Hybrid models blend on-premise directories with cloud federation.
Challenges include token revocation and scope management; solutions involve introspection endpoints and short-lived tokens.
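As an added example (not code from the talk or from ForgeRock), here is the stateless validation a resource server performs on a JWT as described above: algorithm allow-list, signature check, expiry with clock skew, and issuer/audience checks, with no session store and no call back to the authorization server. It uses HS256 with a shared secret so it runs on the Python standard library alone (an RS256 deployment swaps the HMAC check for an RSA signature check); `mint_jwt` and `validate_jwt` are this example’s own names.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"HS256"}   # never trust the alg the token itself announces; "none" is rejected
CLOCK_SKEW = 60            # seconds of tolerance when comparing exp/nbf to the local clock

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    """Authorization-server side: sign the claims (HS256) into compact serialization."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Resource-server side: verify the token without any server-side session state.
    Raises ValueError on any failure; returns the verified claims on success."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
    except Exception as e:
        raise ValueError(f"malformed token: {e}")
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg")
    # Recompute the MAC over the exact bytes received and compare in constant time
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    # Short-lived tokens: a missing or past exp is a hard failure
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("expired or missing exp")
    if now < claims.get("nbf", 0) - CLOCK_SKEW:
        raise ValueError("not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims
```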
Practical Deployment and Future Considerations
ForgeRock’s stack deploys flexibly—on-premise, cloud, hybrid. OpenDJ scales horizontally; OpenAM clusters for high availability.
Poitou stresses user-centric policies: dynamic authorizations based on context (location, device).
Emerging: UMA (User-Managed Access) for resource-owner control. Standards mature via the IETF and the OpenID Foundation.
Enterprises must adapt architectures for agility, ensuring compliance amid fluidity.