Progress Software
Identity Management 101
Sarah Marshall, OpenEdge QA Architect
May 2012
© 2011 Progress Software Corporation. All rights reserved.
What is Identity Management?
About protecting your data
About verifying and controlling who is accessing your data
About minimizing where and when you verify who is accessing your data
And what happens if you're not authorized!
Edna Mode
Building blocks to IdM
• Authentication systems: systems you will use (or are using) to maintain your list of users
• Domain configuration: categories of users that have in common the data they can access
• Authorization configuration: configurations for individual users defining their access privileges
• Architecture to support IdM: single point of identity management for all systems
The CLIENT-PRINCIPAL
• Built-in ABL security token
• Sets the current identity in any session DB connection
• Created by the AVM if not created explicitly
• Manages a user's login session
CREATE CLIENT-PRINCIPAL hCP
hCP:INITIALIZE(…)
SECURITY-POLICY:SET-CLIENT(hCP)
SET-DB-CLIENT(<dbname>, hCP)
SETUSERID(<userid>, <psswd>, <dbname>)
cmd> $PROEXE -U <userid> -P <psswd>
rCP = hCP:EXPORT-PRINCIPAL
hCP:LOGOUT()
The Game Board
(Diagram; labels only: START, Login, Create C-P, Authentication, User Account System (LDAP, OEDB), Client, AS DB, ASC DB, Logged in, Expired!, Logout, Game over, FINISH.)
Authentication systems
(Game Board diagram repeated; the User Account System node is expanded with the supported authentication systems.)
Authentication systems: LDAP, Kerberos, OpenID
_Domain-type: _oeusertable, _oslocal, _extsso, User Defined
Table: _sec-authentication-system
What are domains? (Domain configuration)
Defining domains (Domain configuration)
• Have roles and responsibilities in common
• Have level of security in common
• Have data access privileges in common
Fields of _sec-authentication-domain: _Domain-name, _Domain-type, _Domain-description, _Domain-access-code, _Domain-runtime-options, _Tenant-name
Using domains (Domain configuration)
(Diagram: Client connected to OEDB1, OEDB2, OEDB3, OEDB4.)
The client uses the domains defined in a database:
SECURITY-POLICY:LOAD-DOMAINS(DB1)
1. Each database can use its own domain registry
2. Each database can share the session's registry
User permissions (Authorization configuration)
• Authorization for individuals
• Table and field level permissions: CAN-* fields
• Runtime permission: CAN-DO() function
CAN-DO("*.Admin")
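The slides list the CLIENT-PRINCIPAL calls, the domain registry fields and the CAN-DO() runtime check without showing how they fit together. The Python below is an added conceptual model of that flow (the Game Board: create the token, authenticate, seal it, set it as the session identity, then log out or expire), not OpenEdge ABL and not Progress code. The class and function names, the HMAC seal standing in for the real sealing mechanism, the expiration field, the sample users and the domain access codes are all constructed for illustration; the CAN-DO-style matcher is simplified to comma-separated entries, `*` wildcards and a leading `!` for exclusion.

```python
"""Conceptual model (added example, not ABL) of the CLIENT-PRINCIPAL lifecycle,
the domain registry and a CAN-DO-style permission check."""
import fnmatch
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed registry standing in for _sec-authentication-domain:
# domain name -> (domain type, domain access code).  The access code is the
# shared secret that seals tokens issued for that domain.
DOMAIN_REGISTRY = {
    "Admin": ("_oeusertable", b"constructed-admin-access-code"),
    "Sales": ("_extsso", b"constructed-sales-access-code"),
}


@dataclass
class ClientPrincipal:
    """Model of a CLIENT-PRINCIPAL: who the user is, which domain authenticated
    them, when the login expires, and a seal proving the token was not altered."""
    user_id: str
    domain_name: str
    session_id: str
    expires_at: float            # epoch seconds (hypothetical expiration field)
    login_state: str = "LOGIN"   # LOGIN -> LOGGED IN -> EXPIRED / LOGGED OUT
    seal: Optional[bytes] = None

    def _payload(self) -> bytes:
        # Everything the seal covers; changing any field invalidates the seal.
        return f"{self.user_id}@{self.domain_name}|{self.session_id}|{self.expires_at:.0f}".encode()

    def seal_token(self, registry: dict) -> None:
        """The 'Create C-P -> Authentication' step: once the user account system
        has verified the credentials, the token is sealed with the domain's code."""
        if self.domain_name not in registry:
            raise ValueError(f"unknown domain {self.domain_name!r}")
        _, access_code = registry[self.domain_name]
        self.seal = hmac.new(access_code, self._payload(), hashlib.sha256).digest()
        self.login_state = "LOGGED IN"

    def logout(self) -> None:
        """Model of hCP:LOGOUT()."""
        self.login_state = "LOGGED OUT"

    def validate(self, registry: dict, now: Optional[float] = None) -> str:
        """Effective state: LOGGED IN, EXPIRED, LOGGED OUT, INVALID (seal does
        not verify against the registry) or LOGIN (never sealed)."""
        now = time.time() if now is None else now
        if self.seal is None:
            return "LOGIN"
        if self.login_state == "LOGGED OUT":
            return "LOGGED OUT"
        if self.domain_name not in registry:
            return "INVALID"
        _, access_code = registry[self.domain_name]
        expected = hmac.new(access_code, self._payload(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.seal):
            return "INVALID"
        if now >= self.expires_at:
            return "EXPIRED"
        return "LOGGED IN"


def set_client(session: dict, cp: ClientPrincipal, registry: dict, now=None) -> bool:
    """Model of SECURITY-POLICY:SET-CLIENT(hCP): the session adopts an identity
    only if its token validates; anything else is refused ('Game over')."""
    if cp.validate(registry, now) != "LOGGED IN":
        session["user"] = None
        return False
    session["user"] = f"{cp.user_id}@{cp.domain_name}"
    return True


def can_do(id_list: str, user_id: str) -> bool:
    """Simplified CAN-DO-style check: comma-separated patterns, '*' matches any
    string, a leading '!' excludes; entries are tested in order, first match wins."""
    for raw in id_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        if fnmatch.fnmatchcase(user_id, pattern):
            return not negate
    return False


if __name__ == "__main__":
    now = 1_700_000_000.0                      # fixed clock for a repeatable run
    cp = ClientPrincipal("sarah", "Admin", "sess-1", expires_at=now + 3600)
    cp.seal_token(DOMAIN_REGISTRY)
    session = {}
    print(set_client(session, cp, DOMAIN_REGISTRY, now), session)
    print(cp.validate(DOMAIN_REGISTRY, now + 4000))   # the 'Expired!' branch
```

The point to take from the model is the order of checks in `validate`: the seal is verified before the expiration, so a token whose user or domain was altered is rejected as INVALID rather than silently treated as a valid but expired login, and `set_client` never adopts an identity from anything other than a LOGGED IN token.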
Security Token Service (Architecture to support IdM)
The Security Token Service receives the user credentials and:
• takes the login information
• runs the authentication plug-in
• seals the CLIENT-PRINCIPAL
• makes it available to the application
(Diagram labels: Create C-P, User Account System, Authentication, LDAP, AS, CDB.)
Security Token Service (Architecture to support IdM)
(Game Board diagram revisited with the Security Token Service added; labels: START, Login, Client, OEDB, AS DB, ASC DB, Logged in, Expired!, Logout, Game over, FINISH.)
Anatomy of an STS (Architecture to support IdM)
(Diagram, built up over several slides; labels only.)
Clients: ABL Clients, Open Clients, Adapter Clients
Authentication systems: LDAP, _User, OpenID, OEDB, TBD…
ABL STS AppServer; OpenEdge Session; Domains; Audit Trail
Login; Credentials; CCID (CCID = Client Context Identifier)
AS; DB