identity summit uk: keep talking: lessons learned during our migration from legacy iam to forgerock
TRANSCRIPT
Keep Talking
Migrating from Legacy IAM to ForgeRock: What We Learned
ForgeRock Identity Summit 2015 - London
EUROPE’S LEADING ONLINE FASHION PLATFORM
15 countries
3 fulfillment centers
16+ million active customers
2.2+ billion € revenue 2014
130+ million visits per month
9.000+ employees
Visit us: tech.zalando.com
Our (legacy) infrastructure
OUR INFRASTRUCTURE
OUR INFRASTRUCTURE
[Diagram: Global Traffic Management in front of three data centers, each behind a firewall (FW): DataCenter I (Gütersloh, Germany) hosting APP 1 to APP 6, DataCenter II (Berlin, Germany) hosting APP 1 to APP 6, and DataCenter III (Berlin, Germany) hosting APP 1 to APP 4.]
Problem: it won’t scale!
● Adding new instances is not straightforward
● Inefficient resource management
● Dependency hell
Let’s move to the cloud!
MOVING TO THE CLOUD
[Timeline diagram over two slides; labels: zCloud, Noah’s Ark, Pequod; years shown: 2013, 2013/14, 2014, and 2015 on the follow-up slide.]
Welcome AWS + ForgeRock stack
THE PATH TO AWS
One AWS account per team, secured via SSL and OAuth 2.0
Deployment based on Docker
Usage of REST + OAuth is mandatory
Bye Monolith, hello Microservices
THE PATH TO AWS
[Diagram: Public Internet reaching Team “Foo” (*.foo.zalan.do) and Team “Bar” (*.bar.zalan.do), each with an ELB in front of its EC2 instances; in the data center, a Datacenter LB in front of the Legacy instances.]
All good on paper, but:
How can we protect communications between the new AWS instances and our legacy services?
(We’re talking about 200+ projects and 1600+ instances!)
THE PATH TO AWS
[Same diagram as before, with a question mark marking the open question of how to protect the communication between the AWS EC2 instances and the legacy instances behind the Datacenter LB.]
“We build too many walls and not enough bridges.”
Isaac Newton
Our challenges
● AWS needs to contact our DCs
● Legacy services have no OAuth support
● Modifying them is too cumbersome (and nobody wants to do it)
OpenIG
A bit about OpenIG:
● ForgeRock’s reverse proxy server
● Provides OAuth 2.0 authentication
● No need to modify code on legacy services
THE PATH TO AWS (improved)
[Same diagram, with OpenIG instances placed in the data center between the Datacenter LB and the legacy instances, so that calls from the AWS EC2 instances pass through OpenIG.]
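The gateway pattern the slides describe, as an added illustration that is not OpenIG's or Zalando's code: a reverse proxy that checks an OAuth 2.0 bearer token (via a token-info lookup, here a constructed stub) before a request may reach a legacy service that has no OAuth support of its own. The heartbeat route, the token field names and the scope names are assumptions for the example.

```python
# Added illustration of the gateway pattern on the slides (not OpenIG's code):
# a reverse proxy that enforces OAuth 2.0 bearer tokens before a request may
# reach a legacy service that has no OAuth support of its own.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

@dataclass
class Decision:
    status: int    # HTTP status the gateway answers with
    reason: str
    forward: bool  # True only when the request may reach the legacy service

# Constructed stand-in for the OAuth 2.0 token-info lookup the gateway performs;
# the token values, scopes and "uid"/"scope"/"expires_in" fields are assumptions.
_TOKENS = {
    "tok-ok":      {"uid": "team-foo-app", "scope": ["uid", "legacy.read"], "expires_in": 3000},
    "tok-noscope": {"uid": "team-bar-app", "scope": ["uid"], "expires_in": 3000},
    "tok-expired": {"uid": "team-foo-app", "scope": ["uid", "legacy.read"], "expires_in": 0},
}

def fake_tokeninfo(token: str) -> Optional[dict]:
    return _TOKENS.get(token)

def gateway_decide(req: Request, required_scopes: list,
                   tokeninfo: Callable[[str], Optional[dict]]) -> Decision:
    # Routes apply in file-name order, as the numbered route files on the slides
    # suggest: the heartbeat route answers first, the default route guards the rest.
    # (Assumed: the heartbeat is answered by the gateway itself for the load balancer.)
    if req.path == "/heartbeat":
        return Decision(200, "heartbeat route, answered without a token", False)
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return Decision(401, "no bearer token presented", False)
    info = tokeninfo(token.strip())
    if info is None or info.get("expires_in", 0) <= 0:
        return Decision(401, "token unknown or expired", False)
    missing = sorted(set(required_scopes) - set(info.get("scope", [])))
    if missing:
        return Decision(403, f"token lacks scope(s) {missing}", False)
    return Decision(200, f"forwarded to legacy service as uid={info['uid']}", True)

if __name__ == "__main__":
    for hdr in ({}, {"Authorization": "Bearer tok-ok"}, {"Authorization": "Bearer tok-noscope"}):
        d = gateway_decide(Request("/legacy/orders", hdr), ["legacy.read"], fake_tokeninfo)
        print(d.status, d.forward, d.reason)
```

The check only protects the legacy instance if that instance accepts traffic from its OpenIG alone; a legacy port reachable directly from the network would let callers bypass the gateway entirely.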
So… how to deploy it?
EASY!
Step One: 05-heartbeat.json
Step Two: 06-wsdl.json
[Screenshot of the route file; only the placeholder name my_example is legible.]
Step C: 99-default.json
[Screenshot of the route file; only the placeholder name my_example is legible.]
Step Δ: config.json
[Screenshot of the configuration file; the only legible value is the port, 80.]
Step 5(bIV-Δ): server.xml
[Screenshot of the server configuration; legible values: /usr/share/logs/123, openig_123, 80, /usr/share/local/123.]
Final Step!
Or...
Automation to the rescue!
DeployCtl
● Our good old deployment tool
● Poor… but sexy!
● Exclusively for DC deployments
● Most teams know how to use it
DeployCtl + OpenIG
● Minor modifications to accept OpenIG deployments
● Simplified configuration steps
● Specific developments in OpenIG, to handle SOAP WS calls
Usage of DeployCtl
● OpenIG is deployed just like any other instance
● A single OpenIG deployment for each service instance - one-to-one mapping
● Teams can deploy OpenIG for their services on demand with minimal effort
DeployCtl - Project Scan
DeployCtl - OpenIG Configuration
DeployCtl - Select Service I
DeployCtl - Select Service II
DeployCtl - Build & Distribute
DeployCtl - Switch
DeployCtl - Deployed Instances
[Screenshots of the DeployCtl workflow, one per step above.]
Wrapping it up
● Some automation and scripting helped speed up deployment
● By using familiar processes and tools we minimized the deployment learning curve
● OpenIG made it possible to make most of our legacy services readily available for AWS instances
Where to Find Us:
Tech Blog: tech.zalando.com
GitHub: github.com/zalando
Twitter: @ZalandoTech
Instagram: zalandotech
Jobs: http://tech.zalando.com/jobs
THANK YOU!
Do we still have time for questions?