August 23, 2020 at 6:14 pm #28201
I am looking for a self-service integration of applications to OpenAM. The applications currently are web based, mainframe, thick client and vendor products outside the organization network. The applications are lined up for SAML and OpenID integration with OpenAM. The current process takes time for an application to do feasibility work and be onboarded to the central OpenAM. Considering the high volume of apps in the estate, any suggestions on how to improve the quality of service and speed up onboarding, either by self-service by the application teams or by centrally creating a service at OpenAM which can be called by the different application teams?

August 24, 2020 at 5:42 pm #28202
For OAuth2 + OpenID, I would suggest looking into Dynamic Client Registration, which is defined as part of the OpenID spec and supported out of the box. For SAML2, to my knowledge the spec does not define such registration/integration. That said, AM does provide a REST API, /realm-config/federation, that one can use to query and maybe set up the COT.

August 24, 2020 at 7:27 pm #28205
I am looking to operationalize smarter and quicker onboarding of applications with a scalable model for integrating with OpenAM. Any pointers on how to strategize onboarding would help. At the moment apps are evaluating a POC to confirm the approach (SAML or OpenID), followed by development of the use cases related to the single sign-on journey, followed by integration and user testing before they cut over to production. Considering each app will have multiple URLs covering multiple countries, it takes a long time to complete the application rollout. Hence the need arises to strengthen and strategize a model which gives the app team a self-service model to build, test and run in production seamlessly, faster and quicker.

August 25, 2020 at 4:44 pm #28208
IMHO it's a loaded question with a lot of unknowns. If you have a lot of apps, IMHO it would be nice to publish some sort of onboarding Registration and Discovery Service through which clients can fulfill registration requirements without requiring an AM administrator, and learn the supported features. For example, a mobile app would follow the OpenID Connect workflow for registration, whereas a legacy web-based app may decide to follow the SAML2 workflow. Since each app is responsible for registering itself, the onus is on them to provide the correct set of URLs, e.g. redirect_uri or ACS URLs, etc. This is essentially automating the registration process and a super high-level design. Some questions you will need to address: how do you trust a client/app, internal app/client vs. external, firewalls, proxies, internal vs. external users, etc.
IMO such a solution design is doable using IG but will need to be discussed in-depth to ensure all scenarios are covered.
I hope this provides you with some ideas and opens the floor for further discussion. Thanks.

August 25, 2020 at 8:38 pm #28211
Thanks. Are there any references or documents on such a design for registration using IG? Are there any case studies on large-scale onboarding of applications which relatively ease and speed up the onboarding time?

August 25, 2020 at 10:06 pm #28215
I am not aware of any direct documentation for this solution. The reason I brought up Identity Gateway (IG) is because the component in discussion, which does the registration and provides the discovery service, will need to communicate with AM over REST. As part of this solution one may need to perform tasks like encryption/decryption, usage of the Keystore API, transforming requests/responses, reading/writing JWTs, creating HTML, authenticating with AM, proxying AM discovery documents like the OpenID configuration or JWK_URI, etc. And IG being built on the RP model and with many out-of-the-box filters, IMHO it's a good fit for such tasks.
And please note this is one suggestion that comes to mind and I would love to hear from the community for any other possible solutions/or ideas around this problem.
Jatinder

September 12, 2020 at 7:46 pm #28266
suresh_a5 (Participant)
Jatinder, thanks for your input.
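As an added example (not code from the thread, from ForgeRock AM, or from IG): a policy pre-check that the self-service Registration Service Jatinder describes above could run on a client's self-submitted OpenID Connect Dynamic Client Registration request (RFC 7591 fields) before forwarding it to AM, so that the trust and redirect_uri questions raised in the thread are enforced rather than left to each app team. The trust tiers, host allow-lists and sample requests are constructed assumptions.

```python
# Policy pre-check for a self-service OIDC Dynamic Client Registration (RFC 7591)
# request before the onboarding service forwards it to AM (example, not AM code).
import json
from urllib.parse import urlsplit

# Constructed policy: which redirect hosts each trust tier may register.
ALLOWED_HOSTS = {
    "internal": {"app.corp.example", "portal.corp.example"},
    "external": {"vendor.example.com"},
}
ALLOWED_GRANTS = {"authorization_code", "refresh_token"}
# Clients outside the network must authenticate with a key, not a shared secret or nothing.
ALLOWED_AUTH = {
    "internal": {"client_secret_basic", "private_key_jwt"},
    "external": {"private_key_jwt"},
}

def check_redirect_uri(uri, tier):
    """Return a list of policy violations for one redirect_uri."""
    errs = []
    p = urlsplit(uri)
    if p.scheme != "https":
        errs.append(f"{uri}: scheme must be https")
    if p.fragment:
        errs.append(f"{uri}: fragment not allowed")
    if "*" in uri:
        errs.append(f"{uri}: wildcards not allowed")
    if p.hostname not in ALLOWED_HOSTS[tier]:
        errs.append(f"{uri}: host not approved for {tier} clients")
    return errs

def vet_registration(req, tier):
    """Validate a registration request dict; return (errors, JSON body to forward or None)."""
    errs = []
    uris = req.get("redirect_uris") or []
    if not uris:
        errs.append("redirect_uris is required")
    for u in uris:
        errs.extend(check_redirect_uri(u, tier))
    bad_grants = set(req.get("grant_types", ["authorization_code"])) - ALLOWED_GRANTS
    if bad_grants:
        errs.append(f"grant_types not allowed: {sorted(bad_grants)}")
    auth = req.get("token_endpoint_auth_method", "client_secret_basic")
    if auth not in ALLOWED_AUTH[tier]:
        errs.append(f"token_endpoint_auth_method {auth!r} not allowed for {tier} clients")
    if errs:
        return errs, None
    keep = ("client_name", "redirect_uris", "grant_types", "token_endpoint_auth_method")
    body = {k: req[k] for k in keep if k in req}
    body["response_types"] = ["code"]  # the service fixes this; the caller cannot widen it
    return [], json.dumps(body)
```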