OpenIDM: An Introduction

Post on 27-Jan-2015


IRM Summit 2014

OpenIDM

Matthias Tristl


Objectives

Upon completion of this presentation, you should be able to:

■ Describe where OpenIDM fits into the OIS (Open Identity Stack)
■ Describe the business needs for OpenIDM
■ Describe the IDM use cases addressed by OpenIDM
■ Describe OpenIDM features

Pillars of IAM


Classic scenario I: User wants to use an application...

[Diagram: User → Application]

... which does not require any of ForgeRock's products, but ...

Classic scenario II: Centralization of Authentication

[Diagram: User → Application]

… and ...

Classic scenario III: Central Authorization

[Diagram: User → Application]

Classic scenario V: Identity Management

[Diagram: User, Application, HR DB]

Common Use Cases

• Provisioning
• De-provisioning
• Compliance and auditing
• Password management

Provisioning

• Depending on a user's business role and predefined rules, a new user will:
  • get accounts on backend systems on create
  • get default group/role membership
• Therefore a central instance is needed which:
  • connects to all relevant systems
  • is able to sync user attributes and memberships
  • can automatically apply rules
• Managers, approvers and the end user need well-defined access to the user's data
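The decision logic such a central instance applies per record, as an added example in JavaScript (the language of OpenIDM's scripted business logic) that is not code from the slides or from OpenIDM itself. It runs one reconciliation pass from a constructed HR feed to a constructed LDAP target: the situation and action names follow OpenIDM's recon vocabulary, while the records, the mapping, the link table and the DN naming rule for new entries are assumptions made for this example.

```javascript
// Added example, not OpenIDM's own code. Situation/action names follow
// OpenIDM's recon vocabulary; all data below is constructed.

// Constructed sample data: an HR feed (source) and an LDAP directory (target).
const hrUsers = [
  { _id: "1001", employeeId: "e1001", givenName: "Alice", sn: "Adams", dept: "eng", status: "active" },
  { _id: "1002", employeeId: "e1002", givenName: "Bob", sn: "Brown", dept: "sales", status: "active" },
  { _id: "1003", employeeId: "e1003", givenName: "Carol", sn: "Cole", dept: "eng", status: "terminated" },
];
const ldapAccounts = [
  { _id: "uid=aadams,ou=People,dc=example,dc=com", uid: "aadams", cn: "Alice Adams", employeeNumber: "e1001" },
  { _id: "uid=ccole,ou=People,dc=example,dc=com", uid: "ccole", cn: "Carol Cole", employeeNumber: "e1003" },
  { _id: "uid=dduke,ou=People,dc=example,dc=com", uid: "dduke", cn: "Dan Duke", employeeNumber: "e1004" },
];
// Links remembered from an earlier run (source _id -> target _id); Bob has none yet.
const existingLinks = new Map([
  ["1001", "uid=aadams,ou=People,dc=example,dc=com"],
  ["1003", "uid=ccole,ou=People,dc=example,dc=com"],
]);

// The mapping: which source records qualify, how an unlinked record is correlated
// with an existing account, which attributes are pushed, and the action per situation.
const mapping = {
  validSource: (u) => u.status === "active",
  correlate: (u, target) => target.filter((a) => a.employeeNumber === u.employeeId),
  properties: (u) => ({
    uid: (u.givenName[0] + u.sn).toLowerCase(),
    cn: `${u.givenName} ${u.sn}`,
    employeeNumber: u.employeeId,
  }),
  policies: {
    CONFIRMED: "UPDATE",    // linked, account present: push current attributes
    FOUND: "LINK",          // unlinked, exactly one correlated account: remember it
    ABSENT: "CREATE",       // unlinked, nothing correlates: create the account
    AMBIGUOUS: "EXCEPTION", // several candidates: never guess, report instead
    MISSING: "EXCEPTION",   // link exists but the account is gone: investigate
    UNQUALIFIED: "DELETE",  // source no longer valid (terminated): deprovision
    UNASSIGNED: "REPORT",   // account on the target that no source record owns
  },
};

// Classify one source record against the target and the link table.
function classify(user, target, links, mapping) {
  const valid = mapping.validSource(user);
  const linkedId = links.get(user._id);
  if (linkedId !== undefined) {
    if (!valid) return { situation: "UNQUALIFIED", targetId: linkedId };
    const exists = target.some((a) => a._id === linkedId);
    return { situation: exists ? "CONFIRMED" : "MISSING", targetId: linkedId };
  }
  const matches = mapping.correlate(user, target);
  if (!valid) {
    return matches.length
      ? { situation: "UNQUALIFIED", targetId: matches[0]._id }
      : { situation: "SOURCE_IGNORED" };
  }
  if (matches.length === 0) return { situation: "ABSENT" };
  if (matches.length === 1) return { situation: "FOUND", targetId: matches[0]._id };
  return { situation: "AMBIGUOUS" };
}

// Source phase, then target phase (orphan detection). Works on copies so the
// caller's data is untouched; returns the report and the resulting state.
function reconcile(source, targetIn, linksIn, mapping) {
  const target = targetIn.map((a) => ({ ...a }));
  const links = new Map(linksIn);
  const report = [];
  for (const user of source) {
    const { situation, targetId } = classify(user, target, links, mapping);
    const action = mapping.policies[situation] || "IGNORE";
    const entry = { sourceId: user._id, situation, action, targetId };
    if (action === "CREATE") {
      const attrs = mapping.properties(user);
      entry.targetId = `uid=${attrs.uid},ou=People,dc=example,dc=com`; // constructed DN rule
      target.push({ _id: entry.targetId, ...attrs });
      links.set(user._id, entry.targetId);
    } else if (action === "UPDATE") {
      Object.assign(target.find((a) => a._id === targetId), mapping.properties(user));
    } else if (action === "LINK") {
      links.set(user._id, targetId);
    } else if (action === "DELETE") {
      const idx = target.findIndex((a) => a._id === targetId);
      if (idx >= 0) target.splice(idx, 1);
      links.delete(user._id);
    }
    report.push(entry);
  }
  const owned = new Set(links.values());
  for (const acct of target) {
    if (!owned.has(acct._id)) {
      report.push({ targetId: acct._id, situation: "UNASSIGNED", action: mapping.policies.UNASSIGNED });
    }
  }
  return { report, target, links };
}
```

The policies table is where the security decisions live: AMBIGUOUS and MISSING map to EXCEPTION on purpose, because guessing which of several accounts belongs to a source record, or silently recreating an account that disappeared, are the mistakes that hand a user someone else's access. The target phase lists accounts no source record owns, which is the orphan report compliance reviews ask for.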


[Diagram: Central Provisioning between the HR DB / User and the ICF connectors to the backend systems]

Passwords

• Passwords can be changed in a central place and distributed to external systems based on flexible rules and password policies
• The provisioning engine needs to detect password changes made on an external resource
• User administrators and the end user need well-defined access to the user's passwords
• A password reset mechanism is in place
• Passwords which have been reset can be sent to the end user in a secure way


Password Distribution

[Diagram: User changes password; the change is distributed to the external systems]

OpenIDM Components

• Java → minimum 1.6 update 24 (on Windows: Java 7)
• OSGi → implementation: Felix
• Servlet container → implementation: Jetty
• Repository → OrientDB, MySQL and others
• JSON → structure for configurations
• OpenICF → local or remote connector server
• Connectors to external systems → e.g. AD, LDAP, file...
• Activiti → workflow engine

OpenIDM Architecture

[Diagram: layered view of OpenIDM; the components shown on the slide are listed here]

• Jetty Web Server
• Authentication Filter (JASPI)
• ForgeRock REST Router
• ForgeRock UI Framework
• Business Logic (JavaScript, Groovy, Java)
• Modules: Configuration, Managed Users, Sync/Recon, System (Connectors), Scheduler, Workflow, Audit/Logs, Policy
• Persistence (OrientDB)
• OSGi container
• External Resources (reached through the connectors)

The REST Interface

Representational State Transfer (REST)

Conforming to the REST constraints is generally referred to as being "RESTful"

REST utilizes HTTP methods: GET, PUT, POST, DELETE, HEAD, PATCH
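How those methods combine with OpenIDM's revision handling, as an added example that is not ForgeRock's code: an in-memory store that answers requests the way a client sees the REST router behave, so the checks can be exercised offline. The _id and _rev fields, the If-Match and If-None-Match headers, POST with ?_action=create and the operation/field/value patch shape are OpenIDM's documented conventions; the request and response objects, the path layout and the error bodies are assumptions made for this example.

```javascript
// Added example, not ForgeRock's code. Paths look like /managed/user/<id>;
// request and response objects are constructed for this example.
class ResourceStore {
  constructor() {
    this.objects = new Map(); // "managed/user/<id>" -> object
    this.seq = 0;             // server-generated ids for POST ?_action=create
  }

  handle(req) {
    const headers = req.headers || {};
    const parts = req.path.split("/").filter(Boolean);
    const collection = parts.slice(0, 2).join("/");
    const id = parts[2];
    const found = id === undefined ? undefined : this.objects.get(`${collection}/${id}`);
    // Optimistic concurrency: an If-Match revision must equal the stored _rev.
    // "*" (or no header) means the client accepts overwriting whatever is there.
    const ifMatch = headers["If-Match"];
    const revMatches = (obj) => ifMatch === undefined || ifMatch === "*" || ifMatch === obj._rev;

    switch (req.method) {
      case "GET":
      case "HEAD":
        if (!found) return error(404, "Object not found");
        return { status: 200, body: req.method === "HEAD" ? null : { ...found } };
      case "POST":
        if (!req.params || req.params._action !== "create") return error(400, "Unsupported action");
        return this.store(collection, String(++this.seq), req.body, 201);
      case "PUT":
        if (id === undefined) return error(400, "PUT needs an object id");
        if (headers["If-None-Match"] === "*") { // create with a client-chosen id
          return found ? error(412, "Object already exists") : this.store(collection, id, req.body, 201);
        }
        if (!found) return error(404, "Object not found");
        if (!revMatches(found)) return error(412, "Revision mismatch");
        return this.store(collection, id, req.body, 200, found._rev);
      case "PATCH": {
        if (!found) return error(404, "Object not found");
        if (!revMatches(found)) return error(412, "Revision mismatch");
        if (!Array.isArray(req.body)) return error(400, "PATCH body must be an array of operations");
        const patched = { ...found };
        for (const op of req.body) {
          const field = op.field.replace(/^\//, "");
          if (field === "_id" || field === "_rev") return error(400, `Cannot patch ${field}`);
          if (op.operation === "remove") delete patched[field];
          else if (op.operation === "add" || op.operation === "replace") patched[field] = op.value;
          else return error(400, `Unsupported patch operation ${op.operation}`);
        }
        return this.store(collection, id, patched, 200, found._rev);
      }
      case "DELETE":
        if (!found) return error(404, "Object not found");
        if (!revMatches(found)) return error(412, "Revision mismatch");
        this.objects.delete(`${collection}/${id}`);
        return { status: 200, body: { ...found } };
      default:
        return error(405, `Method ${req.method} not allowed`);
    }
  }

  // Every successful write bumps _rev; _id/_rev supplied in the body are ignored.
  store(collection, id, body, status, prevRev = "0") {
    const obj = { ...body, _id: id, _rev: String(Number(prevRev) + 1) };
    this.objects.set(`${collection}/${id}`, obj);
    return { status, body: { ...obj } };
  }
}

function error(code, message) {
  return { status: code, body: { code, message } };
}
```

The status to watch is 412. A client that updates without sending the _rev it last read can silently overwrite a concurrent change (an administrator's password reset or role removal, for instance), so clients of the REST interface should always send If-Match with the revision their change was based on, and never "*".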


Native Protocols

[Diagram: the repository DB and the external systems are reached over their native protocols (JDBC, JNDI, SSH, ADSI) through ICF]

Connector Architecture

[Diagram]

Activiti Introduction

• A light-weight workflow and Business Process Management software
• BPMN 2 compliant
• A process engine for Java applications
• Open source, distributed under the Apache License
• Workflows are deployed as business archives (.bar)
• Workflow definitions are in XML format

Apply for Contractor I: Workflow outline

[Diagram]

Apply for Contractor II: Startup form

[Screen shot]

Activiti Modeler

[Screen shot]

Connector Configuration

Excerpt from an LDAP connector configuration, as shown on the slide (elisions are the slide's own):

```json
"principal" : "cn=Directory Manager",
"ssl" : false,
"baseContexts" : ["ou=People,dc=example,dc=com"],
"groupMemberAttribute" : "uniqueMember",
"passwordAttribute" : "userPassword",
"accountSearchFilter" : null,
"accountObjectClasses" : ["top", ...],
"maintainLdapGroupMembership" : false,
"blockSize" : 100,
"baseContextsToSynchronize" : ["ou=People,dc=example,dc=com"],
"attributesToSynchronize" : ["uid", ...],
...
{
  "account" : {
    "nativeType" : "__ACCOUNT__",
    "properties" : {
      "uid" : {
        "type" : "string",
        "nativeName" : "userName",
        "nativeType" : "STRING",
        "flags" : ["NOT_CREATABLE", ...
```

Two settings in this excerpt deserve attention outside a lab: with `"ssl" : false` the bind and every write to `userPassword` cross the network in clear text, and `cn=Directory Manager` is the directory superuser. Enable SSL and bind as a dedicated service account that holds only the rights the connector needs on the synchronized base contexts.

OpenIDM roles

■ OpenIDM 3.0 will have
  – predefined role objects
  – effective role assignments
    ■ static role assignment
    ■ dynamic role assignment, e.g. based on a rule, an attribute, …
  – static entitlement assignment
  – dynamic entitlement assignment

OpenIDM role structure

■ Role attributes
  – abstract System Association A (1-to-1 role/system, but changeable)
    ■ entitlementA1
    ■ entitlementA2
    ■ …
  – abstract System Association B (1-to-1 role/system, but changeable)
    ■ entitlementB1
    ■ entitlementB2
    ■ …
  – …

Role Challenges

What happens to effective role and entitlement assignments:

■ A) when the user is created?
■ B) when the user is updated?
■ C) when the user is de-provisioned?
■ D) when the ROLE is created?
■ E) when the ROLE is updated?
■ F) …
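Working through challenges B, C and E, as an added example that is not OpenIDM's code: a user's effective roles (static ones named on the user plus rule-based ones), the per-system entitlements behind them following the role → system association → entitlements structure above, the grant/revoke diff when the user changes or leaves, and the users affected when a role definition changes. Role names, systems, entitlement strings, the rule shape and the users are assumptions made for this example.

```javascript
// Added example, not OpenIDM's code. Structure follows the slides
// (role -> system association -> entitlements); all data is constructed.

const roleDefinitions = {
  employee: {
    condition: (u) => u.status === "active", // dynamic: every active user
    systems: { ldap: ["cn=staff,ou=Groups,dc=example,dc=com"], ad: ["Domain Users"] },
  },
  engineer: {
    condition: (u) => u.status === "active" && u.dept === "eng",
    systems: { ldap: ["cn=eng,ou=Groups,dc=example,dc=com"], git: ["developer"] },
  },
  auditor: { // static only: assigned by hand, no rule
    systems: { ldap: ["cn=audit,ou=Groups,dc=example,dc=com"] },
  },
};

// Effective roles = static roles named on the user (which must exist) plus roles
// whose rule matches. An unknown static role is a data error, not something to skip.
function effectiveRoles(user, roles = roleDefinitions) {
  const unknown = (user.roles || []).filter((r) => !(r in roles));
  if (unknown.length) throw new Error(`unknown roles on ${user.userName}: ${unknown.join(", ")}`);
  const result = new Set(user.roles || []);
  for (const [name, def] of Object.entries(roles)) {
    if (def.condition && def.condition(user)) result.add(name);
  }
  return [...result].sort();
}

// Flatten the roles into { system: [entitlement, ...] }, sorted and de-duplicated.
function effectiveEntitlements(user, roles = roleDefinitions) {
  const out = {};
  for (const name of effectiveRoles(user, roles)) {
    for (const [system, ents] of Object.entries(roles[name].systems)) {
      out[system] = out[system] || new Set();
      ents.forEach((e) => out[system].add(e));
    }
  }
  return Object.fromEntries(Object.entries(out).map(([s, set]) => [s, [...set].sort()]));
}

// What must be granted and revoked to move from one entitlement state to another.
// De-provisioning is the special case after = {} (revoke everything).
function entitlementDiff(before, after) {
  const grant = {};
  const revoke = {};
  for (const system of new Set([...Object.keys(before), ...Object.keys(after)])) {
    const b = new Set(before[system] || []);
    const a = new Set(after[system] || []);
    const g = [...a].filter((e) => !b.has(e)).sort();
    const r = [...b].filter((e) => !a.has(e)).sort();
    if (g.length) grant[system] = g;
    if (r.length) revoke[system] = r;
  }
  return { grant, revoke };
}

// A role definition changed: every user who holds it before or after the change
// gets a diff, so the change is pushed to the target systems for each of them.
function applyRoleChange(users, roleName, newDefinition, roles = roleDefinitions) {
  const updated = { ...roles, [roleName]: newDefinition };
  const changes = [];
  for (const user of users) {
    const held = effectiveRoles(user, roles).includes(roleName) || effectiveRoles(user, updated).includes(roleName);
    if (!held) continue;
    changes.push({
      userName: user.userName,
      ...entitlementDiff(effectiveEntitlements(user, roles), effectiveEntitlements(user, updated)),
    });
  }
  return changes;
}
```

Computing the diff rather than re-applying the full set is what keeps the target systems consistent: on a department change only the engineer entitlements are revoked while staff membership is left alone, and on de-provisioning every system the user was ever granted access to appears in the revoke list.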


Other Features

• Task scheduling
• Clustering OpenIDM for high availability and horizontal scalability
• OpenIDM command line
• Data validation through policies
• Managing passwords
• Sending emails

OpenIDM by Example

■ openidm/samples/sample1…
■ openidm/samples/provisioners/…
■ openidm/samples/workflow
■ openidm/samples/usecases/…

ForgeRock University