Learn how HP overcame challenges in its IT identity management system by adopting a robust SOA architecture, yielding significant benefits and lessons learned. Explore best practices, benefits, and key components of the SOA-based solution.
SOA Implementation: HP IDM Case Study May 24th, 2005 Ranil Dassanayaka, Client/Solutions Principal, HP Anjali Anagol-Subbarao, Chief Architect, IDM, ebusiness, HP
Agenda • Challenges for HP IT’s Identity Management System • Solution/Benefits through SOA • SOA Architecture • Lessons Learned
Challenges for HP’s IT IDM system • HP-IT's identity management system hosts 21 million users and is growing at a rate of 700K users a month • Many ways to do registration, which increased the cost of implementation • Non-standard protocols • Tight coupling between client and server • Only web access management • Access through different web sites, which caused security issues
[Diagram: pre-SOA architecture. End-user web browser -> external firewall -> DMZ (web sites, each with its own HP Passport auth plugin; Web Registration API; DMZ services) -> internal firewall -> registration server (HP Passport components, web services validator, app server cluster, database). Custom pipes provide the IDM functionality.]
How did we resolve the challenges • To address the HP identity and access management challenges • HP-IT is implementing identity services through an SOA model. • Implemented registration, authentication, authorization and federation services • The identity services were hosted centrally and all external facing web sites could consume these common services • Loosely coupled • Interoperable across many OS/app/web servers • Uses standard protocols
[Diagram: SOA-based architecture. Consumers (end user web browser, enterprise customers, devices, rich clients, web service clients) -> external firewall -> DMZ hosting the Registration, Authentication/Federation and Authorization web services (Services-1, Services-2) -> internal firewall -> registration server (HP Passport components, web services validator, app server cluster, database).]
Benefits • Enabled new business opportunities • Cross selling, up selling between SMB and enterprise storefronts • Enabled the extended enterprise • Identity services gave partners/outsourcers more seamless access to HP • Extended functionality beyond web access management • Achieved a cost reduction of 50% • Leverage IDM to reduce business costs through identity services • Used standard protocols and loose coupling • Risk mitigation • Security breaches avoided, as one registration and authentication service is used throughout the company • Federation helped in maintaining regulatory compliance
Identity Access Layer provides abstraction in SOA – Burton Group [Diagram: consumers of identity operations (federated domains, applications, identity and policy administration) on top; identity services layer in the middle: federation, authentication & authorization, query & update, personalization & visualization, security; underlying identity components at the bottom.]
HP-IT Identity Services Overlaid [Diagram: the same Burton Group layers (consumers of identity operations: federated domains, applications, identity and policy administration; services: federation, authentication & authorization, query & update, personalization & visualization, security; underlying identity components) with the HP-IT web services mapped onto the service layer: Login, Validate, Federation, EditProfile, UpdateCredentials, getUser, Password Management.]
HP Best Practices Established for SOA • Designing for interoperability • Follow standards – SOAP, WSDL • Follow the WS-I Basic Profile to ensure interoperability between J2EE and .NET • Avoid <wsdl:arrayType> in WSDL • Map one message to one operation • Use one part per message
HP Best Practices Established for SOA • Publishing enduring Web services contracts • Design the contract or WSDL first as it is the contract between you and the customer- like all other contracts • Version your contracts – once you have a contract, to add functionality or conformance to new specification – you need to have the ability to version these contracts • Loosely couple the web services producer to the web service consumer
HP Best Practices Established for SOA • Establish the infrastructure to support the SOA ecosystem and provide scalability, security and manageability [Diagram layers: web services lifecycle management, security management, dynamic rerouting and transformations, business process management, business logic, enterprise systems.]
Use Frameworks to support SOA • Dealing with complexity • Standards do not specify how to deal with the complexities of designing and implementing modular, reliable, scalable and high performance services • Frameworks • “Productize” best practices and provide a foundation to developers for creating services • Repeatability and consistency • E-Biz SSA framework for designing and implementing services • E-Biz WPA framework for UIs that consume services
Call to action • Look at http://openview.hp.com for the OpenView Products • Access DRC portal at http://devresource.hp.com for Web services, SOA, life cycle development tips • Look at http://www.oasis-open.org/home/index.php for OASIS sp • Refer to J2EE Web Services on BEA Web Logic by Anjali Anagol-Subbarao at http://www.amazon.com
For More Info… J2EE Web Services on BEA WebLogic, by Anjali Anagol-Subbarao
Problem Statement for Interoperability • Needs to be integrated with applications accessible to customers • Integrate with disparate applications based on J2EE,.NET and Visual Basic, Siebel, BEA WebLogic, Axis SOAP Engine, etc. • Issues with interoperability • Using <wsdl:arrayType> in WSDL • Using many messages mapped to one operation • Using many parts in a message
WS-I Basic Profile considerations • Avoid <wsdl:arrayType> in WSDL • Instead use minOccurs and maxOccurs • Need to specify the order of parts • When a message has many parts, the optional parameterOrder value cannot be null – otherwise the WS-I tool reports a warning
  <complexType name="eProfileHeader">
    <sequence>
      <element maxOccurs="1" minOccurs="1" name="ApplicationID" type="xsd:string"/>
      <element maxOccurs="1" minOccurs="0" name="LanguageCode" type="xsd:string"/>
      <element maxOccurs="1" minOccurs="0" name="HPPID" type="xsd:string"/>
      <element maxOccurs="1" minOccurs="0" name="SiteMinderSID" type="xsd:string"/>
      <element maxOccurs="1" minOccurs="1" name="TemplateID" type="xsd:string"/>
    </sequence>
  </complexType>
WS-I Basic Profile considerations (2) • Keep a one-to-one relation between messages and operations • Many messages going to one operation results in a warning from the WS-I Basic Profile tool • Avoid xsd:anyType as it causes interoperability issues
  <operation name="createProfile">
    <documentation>
      Creates the user profile based on the user profile attributes
      received in the request.
    </documentation>
    <input message="eprofile:createProfileRequestMessage" name="createProfileRequestMessage"/>
    <output message="eprofile:createProfileResponseMessage" name="createProfileResponseMessage"/>
  </operation>
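An added example, not from the HP deck: a small Python lint that reads a WSDL and reports the patterns the slides say to avoid (wsdl:arrayType, xsd:anyType, messages with more than one part, and one input message behind several operations). The sample WSDL is constructed for this example and borrows only the eProfileHeader/createProfile names from the slides; the real WS-I tool checks far more than these four rules.

```python
import xml.etree.ElementTree as ET
WSDL = "http://schemas.xmlsoap.org/wsdl/"
XSD = "http://www.w3.org/2001/XMLSchema"
# Constructed sample WSDL, not HP's: a WS-I-friendly eProfileHeader (minOccurs/
# maxOccurs instead of arrayType) next to the patterns the slides say to avoid.
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL}" xmlns:wsdl="{WSDL}" xmlns:xsd="{XSD}"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:eprofile="urn:example:eprofile" targetNamespace="urn:example:eprofile">
 <types><xsd:schema targetNamespace="urn:example:eprofile">
  <xsd:complexType name="eProfileHeader"><xsd:sequence>
   <xsd:element maxOccurs="1" minOccurs="1" name="ApplicationID" type="xsd:string"/>
   <xsd:element maxOccurs="unbounded" minOccurs="0" name="Role" type="xsd:string"/>
  </xsd:sequence></xsd:complexType>
  <xsd:complexType name="RoleArray"><xsd:complexContent><xsd:restriction base="soapenc:Array">
   <xsd:attribute ref="soapenc:arrayType" wsdl:arrayType="xsd:string[]"/>
  </xsd:restriction></xsd:complexContent></xsd:complexType>
  <xsd:element name="Extra" type="xsd:anyType"/>
 </xsd:schema></types>
 <message name="createProfileRequestMessage"><part name="body" type="eprofile:eProfileHeader"/></message>
 <message name="createProfileResponseMessage"><part name="body" type="xsd:string"/></message>
 <message name="legacyRequest"><part name="hdr" type="eprofile:eProfileHeader"/><part name="extra" type="xsd:anyType"/></message>
 <portType name="ProfilePort">
  <operation name="createProfile"><input message="eprofile:createProfileRequestMessage"/>
   <output message="eprofile:createProfileResponseMessage"/></operation>
  <operation name="createProfileLegacy"><input message="eprofile:createProfileRequestMessage"/>
   <output message="eprofile:createProfileResponseMessage"/></operation>
 </portType>
</definitions>"""
def wsi_findings(wsdl_text):
    """Sorted (rule, where) pairs for the patterns the slides flag; [] if clean."""
    root = ET.fromstring(wsdl_text)
    found = set()
    for el in root.iter():
        if f"{{{WSDL}}}arrayType" in el.attrib:              # SOAP-encoded array
            found.add(("arrayType", el.attrib[f"{{{WSDL}}}arrayType"]))
        if el.get("type", "").split(":")[-1] == "anyType":   # xsd:anyType
            found.add(("anyType", el.get("name")))
    for msg in root.iterfind(f"{{{WSDL}}}message"):
        if len(msg.findall(f"{{{WSDL}}}part")) > 1:          # more than one part
            found.add(("multi-part message", msg.get("name")))
    inputs_by_msg = {}                 # one-to-one check: input message -> operations
    for op in root.iterfind(f"{{{WSDL}}}portType/{{{WSDL}}}operation"):
        for inp in op.findall(f"{{{WSDL}}}input"):
            msg = inp.get("message", "").split(":")[-1]
            inputs_by_msg.setdefault(msg, []).append(op.get("name"))
    for msg, ops in inputs_by_msg.items():
        if len(ops) > 1:               # same input message behind several operations
            found.add(("message shared by operations", msg))
    return sorted(found)
```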
Easier and quicker integration with applications • Interoperable with Siebel PRM with no run-time issues after certifying the Web service with the WS-I tool • Testing with new applications decreased because troubleshooting issues was easier • Decreased time to integrate and improved confidence in the applications being integrated • Configuration testing was eliminated: because the WSDL was WS-I compliant, we did not have to test with clients such as .NET, VB, J2EE (BEA WebLogic), Siebel and Axis • Eliminated the development time for creating these clients
First design the interface • Use WSDL editors (XMLSpy) to create WSDL (for the validateConfig service) • Three abstract definitions - types, messages and port type • Two concrete definitions - binding and service
Design considerations for Versioning • Leverage XML Schemas • Patterns to facilitate Versioning • Naming Convention • Deployment Strategy
Details of versioning • Use a date stamp as part of the target namespace of your XML Schema:
  <SOAP-ENV:Body>
    <m:inValidateConfigv1_2 xmlns:m="http://production.psg.hp.com/types/2004/02/04">
      …..
  </SOAP-ENV:Body>
• Use different end points in WSDL • Use different operations
Versioning Lifecycle • Build transition plan • Make Changes to Service. • Test new Service version • Implement new Service version. • Add/publish new Service version to WSDL descriptions, UDDI registries, etc. • Notify known Consumers of new Service version and transition plan • Run Service versions in Parallel • Set Date for Retirement of older Service version • Notify known Consumers of retirement • Remove old Service version from descriptions, registries etc. to stop new consumers discovering and using. • Remove functional behavior of old Service. Only return appropriate error message • Retire old Service. Physically remove old Service version.
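An added example, not HP's code: a Python router that reads the date stamp out of the body element's namespace, as in the two slides above, and applies the lifecycle states from the versioning slide. The namespace base, the version registry and the request are constructed placeholders; the point is that a retired version answers only with a fault, and a request for an unknown or removed version is refused rather than falling through to some default handler.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
NS_BASE = "http://example.com/types/"   # placeholder base namespace, not HP's
# Constructed lifecycle registry keyed by the date stamp in the namespace.
# A version absent from the registry has been physically removed (last step of
# the lifecycle); a "retired" one still answers, but only with a fault.
VERSIONS = {date(2004, 2, 4): "active", date(2003, 9, 1): "retired"}

def envelope(stamp):
    """Constructed client request in the date-stamped-namespace style of the slides."""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Body>'
            f'<m:inValidateConfig xmlns:m="{NS_BASE}{stamp}"><m:siteId>42</m:siteId>'
            f'</m:inValidateConfig></SOAP-ENV:Body></SOAP-ENV:Envelope>')

def version_of(envelope_xml):
    """Date stamp of the body element's namespace, or None if missing or foreign."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag                                # '{namespace}localName'
    ns = tag[1:].split("}")[0] if tag.startswith("{") else ""
    m = re.fullmatch(re.escape(NS_BASE) + r"(\d{4})/(\d{2})/(\d{2})", ns)
    try:
        return date(*map(int, m.groups())) if m else None
    except ValueError:                               # e.g. month 13 in the stamp
        return None

def latest_active():
    return max(d for d, s in VERSIONS.items() if s == "active")

def route(envelope_xml):
    """('ok', version) for an active version; ('fault', reason) for anything else."""
    v = version_of(envelope_xml)
    if v is None:
        return ("fault", "missing or unrecognised version namespace")
    state = VERSIONS.get(v)
    if state == "active":
        return ("ok", v.isoformat())
    if state == "retired":   # still deployed, but functional behaviour removed
        return ("fault", f"version {v.isoformat()} retired; use {latest_active().isoformat()}")
    return ("fault", f"version {v.isoformat()} no longer exists")
```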
Key Security Elements • Secured the Web services using Transport Level Security – 2 way SSL • Creates performance issues • Now Web services can be secured using message level security - WS-Security
Performance/Security and Web services • Performance numbers without SSL • Performance numbers with SSL – degradation of approximately 30%
Enhancing the performance • Making XML more efficient • Use a StAX parser • XMLBeans for XML-to-Java binding (now part of Apache open source) • XML accelerators from HP • Making SOAP more efficient • SOAP parsers • BEA SOAP engine measurements showed it 72% faster than Apache Axis • SOAP with attachments