
WHAT IS FORGEROCK?

Paul Dunham
TriNet March 2014

FORGEROCK PROJECT GOALS

Passport users will see nothing different. This change is 100% transparent to our users.

Replace current HRPassport security with a more secure, industry-standard technology.

Pave the way for easy:
Identity management integration of TriNet Brands
Single Sign-on (SSO)
Integration with other systems

WHAT IS FORGEROCK?

ForgeRock is a company that provides service and support for the Open Identity Stack: http://forgerock.com
The Open Identity Stack is open source identity management software supported by a large community of software and security companies.
The Open Identity Stack is lightweight, scalable and secure.

WHAT IS IDENTITY MANAGEMENT?

Identity Management (IDM) is a set of tools used to manage all the users and passwords in our system.
Provides us with tools to manage:
Authentication (login)
Password (change, expire, disable, reset)
User identity data encryption
Single Sign On (to other TriNet Brands and to other companies)
(We are not using IDM for Authorization at this time.)

WHY DO WE NEED IT?

TriNet is growing. As we grow we need the ability to integrate new companies and new products quickly and securely using industry standards.
IDM gives us a mechanism for managing all user identities:
One tool for all brands and products
Easy to implement
Secure
Scalable
Standards based
Cross platform

WHERE ARE WE STARTING?

The first phase of the ForgeRock implementation in TriNet is to replace the login mechanism in HR Passport.
HR Passport uses Seeker to log in and to validate users and passwords. All user and password information is stored in the HP Oracle database.
With the new IDM, all login credential information will be stored on the IDM LDAP servers.
No other systems, brands or data are being changed for phase one.

[Diagram: Before ForgeRock IDM Integration. Seeker/ASP Apps, Sencha Apps (via TriNet Gateway) and the Mobile App (via Mobile Gateway) all go through the Seeker Login Page to Seeker/ASP and Seeker Session Management, backed by the Oracle HR Database.]
Seeker performs all login and session management.

[Diagram: After ForgeRock IDM Integration. Seeker/ASP Apps, Sencha Apps (via TriNet Gateway) and the Mobile App (via Mobile Gateway) pass through the ForgeRock Policy Agent, which fronts the ForgeRock HR Passport Login Page, Seeker/ASP with a Seeker Session Management Compatibility Layer, and TriNet Auth; TriNet Auth is backed by the ForgeRock IDM db and Seeker by the Oracle HR Database.]
Policy Agent intercepts all requests, redirecting to login page as needed and
WHAT IS TRINET AUTH

TriNet Auth is a web service, developed by the TriNet Web Services Team, that provides access to authentication, session management and identity management:
Sign on
Sign off
Change password
Enable / Disable account
Validate Auth Token
Get user identity from Auth Token

E.g. mobilegateway now calls TriNet Auth to sign on users instead of calling Seeker.
E.g. Seeker calls TriNet Auth to change passwords and to enable / disable accounts.

[Diagram: login flow for Seeker/ASP Apps. Components: browser, ForgeRock Policy Agent, ForgeRock HR Passport Login Page, Seeker/ASP, TriNet Auth, ForgeRock IDM db. The TriNetAuthCookie is carried on steps 3 and 4; the diagram labels step 6 as "EMPLID" (returned by TriNet Auth) and shows a step 7 that the slide does not spell out.]

1. User navigates to https://www.hrpassport.com
2. Policy agent 302s to ForgeRock login page
3. Login page creates TriNetAuthCookie and 302s browser to HRPassport page
4. Seeker uses TriNetAuthCookie to query TriNetAuth.war for the EMPLID
5. TriNetAuth.war sends query to OpenAM

Key Concept: User Identity (EMPLID) is derived from the TriNetAuthCookie, not passed by the Web Browser.
[Diagram: login flow for Sencha & Mobile Apps. Components: browser, ForgeRock Policy Agent, ForgeRock HR Passport Login Page, WebLogic Application, TriNet Auth, ForgeRock IDM db. The TriNetAuthCookie is carried on steps 3 and 4; the diagram labels step 6 as "EMPLID" (returned by TriNet Auth) and shows a step 7 that the slide does not spell out.]

1. User navigates to https://www.hrpassport.com
2. Policy agent 302s to ForgeRock login page
3. Login page creates TriNetAuthCookie and 302s browser to HRPassport page
4. WebLogic uses TriNetAuthCookie to query TriNetAuth.war for the EMPLID
5. TriNetAuth.war sends query to OpenAM

Key Concept: User Identity (EMPLID) is derived from the TriNetAuthCookie, not passed by the Web Browser.
WILL THE ROLLOUT IMPACT MY PROJECT?

Rolling out the code for ForgeRock is no different than that of any other project we move through the SDLC process.
There is only impact if both projects are modifying the same code at the same time.
Conflicts are resolved using the normal priority and git merge mechanisms.

WHERE IS FORGEROCK

ForgeRock is currently installed on:
Dev - Complete
StageS - Complete
CAB (QE) - Complete
StageR (UAT) - Complete
May 17th - Production
May 18th - LiteR, Demo, CAA, UTA, TLDev
May 19th - QEB, QEC, BIA, BIB, LiteS
May 20th - ITDev, ITQA

WHAT IS NEXT?

Subsequent phases will involve:
Eliminating the TSESSIONID concept from our applications
Converting other brands to use TriNet Auth and ForgeRock IDM
Switching SSO from Ping Federated SSO to ForgeRock SSO
Enabling deep linking into HRPassport

Dates and phases are not yet defined.

HOW DO I INTEGRATE WITH FORGEROCK

Think of ForgeRock as a firewall. No HTTP(s) requests get by ForgeRock without a TriNetAuthCookie. If there is no cookie, ForgeRock will display the login page, verify the user's credentials, create the TriNetAuthCookie and resubmit the original HTTP(s) request with the cookie attached.
Once the request reaches your application you use the TriNet Auth web services to get information about the logged-in user from the TriNetAuthCookie. E.g.

GET https://gateway.hrpassport.com/trinetAuth/services/v1.0/authentication/guid?token=<TriNetAuthCookie Value>
Returns the GUID for the logged-in user.

GET https://gateway.hrpassport.com/trinetAuth/services/v1.0/authentication/user/<GUID>
Returns the information about the user: Emplid, customid, first, middle and last names.

There is no need to validate the TriNetAuthCookie because the HTTP request will not reach your application without a valid TriNetAuthCookie.

THERE ARE DIFFERENT TRINETAUTHCOOKIES

Each environment has its own TriNetAuthCookie name:
Dev - TriNetAuthCookieDEV
StageS - TriNetAuthCookieSS
CAB - TriNetAuthCookieCAB
StageR - TriNetAuthCookieSR
CAA - TriNetAuthCookieCAA
Prod - TriNetAuthCookie

Be sure to make your use of the TriNetAuthCookie name a configurable property in your application. The name is different in different environments and the name may change in the future as we integrate with other systems.
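The two-step lookup from the integration slide (cookie value to GUID, GUID to identity), with the per-environment cookie name read from configuration as the previous slide asks, written as an added example rather than TriNet's own code. The JSON shape of the responses ("guid" key, "emplid" key) is an assumption; the slides give only the two GET URLs and the fields they return.

```python
"""Resolve the logged-in user from the TriNetAuthCookie via TriNet Auth.
Added example, not TriNet code; response JSON field names are assumed."""
import json
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

BASE = "https://gateway.hrpassport.com/trinetAuth/services/v1.0/authentication"

# Cookie name per environment, as listed on the slide. Keep this in
# configuration rather than application logic: the name differs per
# environment and may change again as other systems are integrated.
COOKIE_NAMES = {
    "dev": "TriNetAuthCookieDEV", "stages": "TriNetAuthCookieSS",
    "cab": "TriNetAuthCookieCAB", "stager": "TriNetAuthCookieSR",
    "caa": "TriNetAuthCookieCAA", "prod": "TriNetAuthCookie",
}


def extract_token(cookie_header, cookie_name):
    """Return the value of cookie_name from a raw Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(cookie_name)
    return morsel.value if morsel and morsel.value else None


def http_get_json(url):
    """Default transport: GET the URL and parse the body as JSON (assumed)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def resolve_user(cookie_header, env, get_json=http_get_json):
    """token -> GUID -> identity (Emplid, customid, names).

    Raises ValueError if the cookie is absent or TriNet Auth returns no GUID,
    so the caller never continues with an unidentified user. The EMPLID comes
    from TriNet Auth, never from anything the browser sent."""
    name = COOKIE_NAMES[env]
    token = extract_token(cookie_header, name)
    if token is None:
        raise ValueError(f"missing {name}; the policy agent should have set it")
    guid_url = f"{BASE}/guid?token={urllib.parse.quote(token, safe='')}"
    guid = (get_json(guid_url) or {}).get("guid")
    if not guid:
        raise ValueError("TriNet Auth returned no GUID for the supplied token")
    return get_json(f"{BASE}/user/{urllib.parse.quote(guid, safe='')}")
```

`get_json` is injectable so the lookup can be exercised against a stub in tests without reaching the gateway.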

DOCUMENT REFERENCES

Turn Over documents

ForgeRock Page on Confluence
https://confluence.trinet-devops.com/display/FR/ForgeRock

This presentation
https://confluence.trinet-devops.com/display/security/What+is+ForgeRock+-+Presentation

TriNet Auth API documentation
https://confluence.trinetdevops.com/display/FR/trinetAuth+API+Documentation

QUESTIONS?
