IRM Summit 2014
OpenIDM
Matthias Tristl
Objectives
Upon completion of this presentation, you should be able to:
■ Describe where OpenIDM fits into the OIS
■ Describe the Business Needs for OpenIDM
■ Describe IDM Use Cases Addressed by OpenIDM
■ Describe OpenIDM Features
Pillars of IAM
Classic scenario I
User wants to use an application... which does not require any of ForgeRock's products, but ...
(Diagram: User → Application)
Classic scenario II
Centralization of Authentication
… and ...
(Diagram: User → Application)
Classic scenario III
Central Authorization
(Diagram: User → Application)
Classic scenario V
Identity Management
(Diagram: User, Application, HR DB)
Common Use Cases
• Provisioning
• De-Provisioning
• Compliance and auditing
• Password management
Provisioning
• Depending on a user's business role and predefined rules, a new user will:
  • Get accounts on backend systems on create
  • Get default group/role membership
• Therefore a central instance is needed which
  • Connects to all relevant systems
  • Is able to sync user attributes and memberships
  • Can automatically apply rules
• Manager, approving persons and end-user need well defined access to the user's data
(Diagram: HR DB, User, Central Provisioning, ICF)
Passwords
• Passwords can be changed at a central place and distributed to external systems based on flexible rules and password policies
• The provisioning engine needs to detect password changes from an external resource
• User administrators and end users need well defined access to the user's passwords
• A password reset mechanism is in place
• Passwords which have been reset can be sent to the end user in a secure way
Password Distribution
(Diagram: User → Changes Password)
OpenIDM Components
• Java → min 1.6 update 24; on Windows: Java 7
• OSGi → implementation: Felix
• Servlet container → implementation: Jetty
• Repository → OrientDB, MySQL and others
• JSON → structure for configurations
• OpenICF → local or remote connector server
• Connectors to external systems → e.g. AD, LDAP, file...
• Activiti → workflow engine
OpenIDM Architecture
(Diagram: External Resources; OSGi; Persistence (OrientDB); ForgeRock UI Framework; ForgeRock REST Router; Business Logic (Javascript, Groovy, Java); Authentication Filter (JASPI); Jetty Web Server; modules: Configuration, Managed Users, Sync/Recon, System (Connectors), Scheduler, Workflow, Audit/Logs, Policy, Audit)
The REST Interface
• Representational State Transfer (REST)
• Conforming to the REST constraints is generally referred to as being "RESTful"
• REST utilizes HTTP methods: GET, PUT, POST, DELETE, HEAD, PATCH
Native Protocols
(Diagram: Repo DB, DB, JDBC, JNDI, SSH, ADSI, ICF)
Connector Architecture
Activiti Introduction
• A light-weight workflow and Business Process Management software
• BPMN 2 compliant
• A process engine for Java applications
• It's open-source and distributed under the Apache license
• Workflows are deployed as business archives (.bar)
• Workflow definitions are in XML format
Apply for Contractor I
Workflow outline
Apply for Contractor II
Startup Form: (Screen shot)
Activiti Modeler
Connector Configuration
    "principal" : "cn=Directory Manager",
    "ssl" : false,
    "baseContexts" : ["ou=People,dc=example,dc=com"],
    "groupMemberAttribute" : "uniqueMember",
    "passwordAttribute" : "userPassword",
    "accountSearchFilter" : null,
    "accountObjectClasses" : ["top", ...],
    "maintainLdapGroupMembership" : false,
    "blockSize" : 100,
    "baseContextsToSynchronize" : ["ou=People,dc=example,dc=com"],
    "attributesToSynchronize" : ["uid", ...],
    ...
    {"account" : {
        "nativeType" : "__ACCOUNT__",
        "properties" : {
            "uid" : {
                "type" : "string",
                "nativeName" : "userName",
                "nativeType" : "STRING",
                "flags" : ["NOT_CREATABLE", …
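A review pass over a provisioner file like the fragment above, added here as an example and not part of the slides or of OpenIDM itself; the sample config is constructed to mirror the slide (the host and credentials values are invented), and the check that a clear-text `credentials` string should instead be an encrypted `$crypto` object is an assumption about the deployment's policy.

```python
"""Flag security-relevant settings in an OpenIDM LDAP provisioner config."""
import json

# Constructed sample modelled on the slide's fragment (host/credentials invented).
SAMPLE_PROVISIONER = json.dumps({
    "configurationProperties": {
        "host": "ldap.example.com",
        "port": 389,
        "principal": "cn=Directory Manager",
        "credentials": "password",
        "ssl": False,
        "baseContexts": ["ou=People,dc=example,dc=com"],
        "groupMemberAttribute": "uniqueMember",
        "passwordAttribute": "userPassword",
        "accountSearchFilter": None,
        "accountObjectClasses": ["top", "person", "inetOrgPerson"],
        "maintainLdapGroupMembership": False,
        "blockSize": 100,
        "baseContextsToSynchronize": ["ou=People,dc=example,dc=com"],
        "attributesToSynchronize": ["uid", "sn", "cn", "mail", "userPassword"],
    },
})


def review_provisioner(raw):
    """Return (severity, message) findings, most severe first, for a provisioner JSON."""
    props = json.loads(raw)["configurationProperties"]
    findings = []
    if not props.get("ssl", False):
        findings.append(("high", "ssl is false: the bind password and every synced "
                                 "userPassword cross the network in clear text"))
    if props.get("principal", "").lower().startswith("cn=directory manager"):
        findings.append(("medium", "connector binds as the directory superuser; a "
                                   "dedicated service account with least privilege is safer"))
    # Assumption: a plain string here means the secret was never encrypted to $crypto.
    if isinstance(props.get("credentials"), str):
        findings.append(("medium", "credentials is a clear-text string in the provisioner file"))
    if props.get("passwordAttribute") in props.get("attributesToSynchronize", []):
        findings.append(("info", "passwordAttribute is synchronised: password changes made "
                                 "in LDAP will be picked up by livesync/recon"))
    if props.get("accountSearchFilter") is None:
        findings.append(("info", "accountSearchFilter is null: every object under the "
                                 "base contexts is treated as an account"))
    return findings


if __name__ == "__main__":
    for severity, message in review_provisioner(SAMPLE_PROVISIONER):
        print(f"[{severity}] {message}")
```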
OpenIDM roles
■ OpenIDM 3.0 will have
  – predefined role objects
  – effective role assignments
    ■ static role assignment
    ■ dynamic role assignment, i.e. based on a rule, attribute …
  – static entitlement assignment
  – dynamic entitlement assignment
OpenIDM role structure
■ Role attributes
  – abstract System Association A (1-to-1 role/system, but changeable)
    ■ entitlementA1
    ■ entitlementA2
    ■ …
  – abstract System Association B (1-to-1 role/system, but changeable)
    ■ entitlementB1
    ■ entitlementB1
    ■ …
  – …
Role Challenges
■ A) when the user is created?
■ B) when the user is updated?
■ C) when the user is de-provisioned?
■ D) when the ROLE is created?
■ E) when the ROLE is updated?
■ F) …
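The role model of the three slides above (static plus dynamic role assignment, roles holding per-system entitlements, and re-evaluation on each of the listed user and role events), worked as an added example that is not OpenIDM's own implementation; the role names, system associations, attribute rules and the `active` flag are constructed for illustration.

```python
"""Effective roles and entitlements, and the grant/revoke delta on any change."""

# Constructed role definitions: role -> {system association -> entitlements}
ROLES = {
    "employee":   {"ad": {"domain-users"}, "ldap": {"cn=staff"}},
    "contractor": {"ad": {"domain-users"}},
    "finance":    {"sap": {"FI_VIEW", "FI_POST"}, "ad": {"finance-share"}},
}

# Constructed dynamic rules: (role, attribute, value) grants the role when it matches
DYNAMIC_RULES = [
    ("employee", "employeeType", "permanent"),
    ("contractor", "employeeType", "contractor"),
    ("finance", "department", "finance"),
]


def effective_roles(user, roles=ROLES, rules=DYNAMIC_RULES):
    """Static roles (user['roles']) plus rule-derived roles; unknown roles are ignored."""
    if not user.get("active", True):      # a de-provisioned user holds no roles at all
        return set()
    static = set(user.get("roles", []))
    dynamic = {role for role, attr, value in rules if user.get(attr) == value}
    return {role for role in static | dynamic if role in roles}


def effective_entitlements(user, roles=ROLES, rules=DYNAMIC_RULES):
    """system -> entitlements, merged across every effective role of the user."""
    result = {}
    for role in effective_roles(user, roles, rules):
        for system, entitlements in roles[role].items():
            result.setdefault(system, set()).update(entitlements)
    return result


def entitlement_delta(before, after):
    """(grant, revoke) per system: what the provisioner must push after a
    user create/update/de-provision or a role create/update (slide events A-E)."""
    systems = set(before) | set(after)
    grant = {s: after.get(s, set()) - before.get(s, set()) for s in systems}
    revoke = {s: before.get(s, set()) - after.get(s, set()) for s in systems}
    return ({s: e for s, e in grant.items() if e}, {s: e for s, e in revoke.items() if e})


if __name__ == "__main__":
    alice = {"userName": "alice", "employeeType": "permanent", "department": "finance"}
    print(effective_entitlements(alice))
    print(entitlement_delta(effective_entitlements(alice),
                            effective_entitlements(dict(alice, department="it"))))
```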
Other Features
• Task Scheduling
• Cluster OpenIDM for High availability / Horizontal scalability
• OpenIDM command line
• Data validation through policies
• Managing Passwords
• Send emails
OpenIDM by Example
■ openidm/samples/sample1…
■ openidm/samples/provisioners/…
■ openidm/samples/workflow
■ openidm/samples/usecases/…
Forgerock University