[OpenAM] Integration of CA Identity Manager with OpenAM
Jari Ahonen
jah at progress.com
Tue May 1 08:46:00 EDT 2012
Hi Nick,
We have implemented SSO between OpenAM and CA SiteMinder, and that took some custom development to get working the way we wanted. The SiteMinder integration code that ships with OpenAM had some notable shortcomings in our deployment scenario (in other words, it didn't work), so we decided to make some significant changes to the code.
To me it seems Identity Manager is quite a different thing from SiteMinder, so I'm not sure how relevant the SiteMinder integration code might be to Identity Manager. From a quick glance at the document you linked to, it would seem that the role of SiteMinder when used together with Identity Manager is somewhat analogous to having an OpenAM agent on the servlet container that runs Identity Manager. This is not really the same thing as integrating SiteMinder and OpenAM as a cross-platform SSO system.
- Jari
-----Original Message-----
From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org] On Behalf Of Nick Belaevski
Sent: Sunday, April 29, 2012 1:09 AM
To: openam at forgerock.org
Subject: [OpenAM] Integration of CA Identity Manager with OpenAM
Hello all,
Does anybody have experience integrating CA Identity Manager with OpenAM? To be clear about the context, below is a concrete explanation of what I am looking for. CA IdM has some advanced features that are available only when CA IdM is integrated with CA SiteMinder. The goal is to provide a level of integration between IdM and OpenAM such that those features are supported, but without SiteMinder being used.
The list of advanced features:
- Advanced Authentication
- Access Roles and Tasks
- Directory Mapping
- Advanced Password Policies
- Skins for Different Sets of Users
- Locale Preferences for a Localized Environment
Detailed information is available at CA IdM implementation guide:
https://support.ca.com/cadocs/0/CA%20Identity%20Manager%20r12%205%20SP9-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?463353.html
The most important features that we need are: Advanced Authentication and Advanced Password Policies in the first place; Access Roles and Tasks in the second.
Talking about integration efforts, here is my vision:
1) The Advanced Authentication feature is pretty basic and involves enabling SSO by developing an authentication module for IdM that will translate an OpenAM token into something that IdM understands. There is an example of such a module for SiteMinder in the OpenAM distribution. Hopefully, the IdM module won't be much more complicated.
2) The Advanced Password Policies feature can be tricky. IdM uses a proprietary (AFAIK undocumented) format for the password field that includes not only the password information but additional data, such as previously used passwords and password expiration criteria. As the type of the password field is specified as binary in the CA documentation, I see this as an additional risk.
For this feature, it would be good to have the capability to manage those policies via the existing IdM UI.
3) The Access Roles and Tasks feature. After discussion with local CA gurus, it appears that developing an IdM authorization policy store based on OpenAM entitlements would be the most straightforward way. But right now, this area is complete terra incognita for me.
Thanks for reading this letter! Looking forward to any advice, thoughts, and experience (even negative experience) you could share on the topic of CA IdM + OpenAM.
P.S. More information about CA IdM (both user guides and API docs) is available at https://support.ca.com/cadocs/0/CA%20Identity%20Manager%20r12%205%20SP9-ENU/Bookshelf.html
--
Best regards,
Nick Belaevski
_______________________________________________
OpenAM mailing list
OpenAM at forgerock.org
https://lists.forgerock.org/mailman/listinfo/openam
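Point 1 of Nick's message describes an IdM authentication module that "translates an OpenAM token into something that IdM understands". The OpenAM-facing half of that translation is sketched below as an added example; it is not code from the thread, from OpenAM, or from CA. It assumes the legacy OpenAM identity REST endpoints of that era (`/identity/isTokenValid` and `/identity/attributes`) and their `key=value` line response format; the IdM-facing result is a plain hypothetical dict, since the post does not describe IdM's module API. The point the example makes is that the module must validate the session server-side against OpenAM on every call rather than trusting the presence of a cookie, and must fail closed when the token is invalid or carries no usable principal. The sample responses are constructed so the block runs offline.

```python
"""Added example: validate an OpenAM SSO token and fetch the principal's
attributes, the way a CA IdM authentication module would before mapping the
user into IdM.  Assumes the legacy OpenAM identity REST API; the returned
dict is a hypothetical stand-in for whatever IdM's module SPI expects."""
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Injected HTTP transport: (url, form fields) -> response body as text.
# Injecting it lets the same logic run against a real server or a fake.
Transport = Callable[[str, Dict[str, str]], str]


def urllib_transport(url: str, form: Dict[str, str]) -> str:
    """Real transport: POST the form to OpenAM and return the body."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_kv(body: str) -> Dict[str, List[str]]:
    """Parse legacy 'key=value' lines into key -> [values] (keys may repeat)."""
    out: Dict[str, List[str]] = {}
    for line in body.splitlines():
        if "=" not in line:
            continue  # ignore blank or malformed lines rather than crash
        key, value = line.split("=", 1)
        out.setdefault(key.strip(), []).append(value.strip())
    return out


def parse_attributes(body: str) -> Dict[str, List[str]]:
    """Fold the legacy attribute listing into {attribute: [values]}.

    The endpoint emits repeated userdetails.attribute.name / .value lines;
    each .name starts a new attribute and the .value lines that follow belong
    to it.  Other userdetails.* lines (token id, roles) are skipped here."""
    attrs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in body.splitlines():
        if line.startswith("userdetails.attribute.name="):
            current = line.split("=", 1)[1].strip()
            attrs.setdefault(current, [])
        elif line.startswith("userdetails.attribute.value=") and current:
            attrs[current].append(line.split("=", 1)[1].strip())
    return attrs


def validate_openam_token(base_url: str, token: str,
                          transport: Transport = urllib_transport
                          ) -> Optional[Dict[str, object]]:
    """Return a principal dict for a live OpenAM session, or None.

    Step 1: ask OpenAM whether the session behind the token is still valid.
            The cookie being present in the request proves nothing by itself.
    Step 2: fetch the attributes and require a uid to map into IdM."""
    body = transport(f"{base_url}/identity/isTokenValid", {"tokenid": token})
    if parse_kv(body).get("boolean") != ["true"]:
        return None  # expired, forged, or logged-out token: fail closed
    body = transport(f"{base_url}/identity/attributes", {"subjectid": token})
    attrs = parse_attributes(body)
    uid = attrs.get("uid")
    if not uid:
        return None  # valid session but no principal we can map: refuse
    return {"uid": uid[0], "attributes": attrs}


# Constructed sample responses (not captured from a real server) so the
# example can be exercised offline.  The token value is deliberately fake.
FAKE_TOKEN = "AQIC5wM2LY4SfczEXAMPLEonlyNotARealToken"
CONSTRUCTED_RESPONSES = {
    "/identity/isTokenValid": "boolean=true\n",
    "/identity/attributes": (
        f"userdetails.token.id={FAKE_TOKEN}\n"
        "userdetails.role=id=employee,ou=group,dc=example,dc=com\n"
        "userdetails.attribute.name=uid\n"
        "userdetails.attribute.value=demo\n"
        "userdetails.attribute.name=mail\n"
        "userdetails.attribute.value=demo@example.com\n"
    ),
}


def constructed_transport(url: str, form: Dict[str, str]) -> str:
    """Fake transport answering from CONSTRUCTED_RESPONSES by URL path."""
    path = urllib.parse.urlparse(url).path
    for suffix, body in CONSTRUCTED_RESPONSES.items():
        if path.endswith(suffix):
            return body
    return ""  # unknown endpoint: empty body, which the parsers treat as invalid


def rejecting_transport(url: str, form: Dict[str, str]) -> str:
    """Fake transport for a logged-out or forged token."""
    return "boolean=false\n"
```

To point it at a real deployment, call `validate_openam_token("https://sso.example.com/openam", token)` with the default transport; the `transport` argument exists so the decision logic can be unit-tested without a server. An IdM module built this way should also pin the OpenAM base URL in configuration rather than deriving it from the request, so a client cannot redirect the validation call to a server it controls.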