OpenAM Agentless Architecture options

Question

Most of the documentation around designing an Authentication solution using OpenAM recommends the usage of either Web Server Policy Agent or Java EE Policy Agent.

I am looking for alternatives where I don’t need to use a policy agent. This would help me to avoid the maintenance e.g. upgrades etc related to policy agents that would be installed in hundreds of my web servers in the farm.

One obvious solution is to implement similar functionality of ‘session evaluation’ as part of my application code.

Are there any other alternatives available where in OpenAM can be used in agentless mode.

PS: By Session Evaluation I mean the feature that validates if a session is in progress and accordingly allows the access to protected resource or initiates the authentication process by redirecting to OpenAM.

Thanks and Regards

Answer 1

You are effectively proposing writing your own agent, and embedding it into your project. There is nothing wrong with this, just be aware of what you are doing.

I would start by taking apart one of the other OpenAM agents and decide how much you can leverage. If you can't leverage what's there, take a look at the REST API, where they have some decent examples.

Answer 2

You can use JWT tokens (configure OpenAM as an OpenID Connect provider). Your applications will need to use a library to introspect the JWT tokens

You could use something like a Spring Security SAML filter.

Both of the above do not provide policy enforcement - they are AuthN only. If your apps want policy enforcement with this approach they would have to call the REST APIs.

You could install agents on smaller web tier (Apache, or something like OpenIG), and reverse proxy those requests to your applications. Maintaining a smaller web tier will make upgrades easier.