midpoint Overview Radovan Semančík December 2015

Transcription

1 midpoint Overview Radovan Semančík December 2015

2 Agenda Identity Management Introduction midpoint Introduction midpoint Architecture Conclusion

3 Identity Management Introduction

4 Identity Management System Admin Requester Approver Users Application Application Provisioning System Identity Repository Application HR Application CRM Application A M

5 Identity Management: Provisioning Making sure that users have the correct access rights Automating the processes of access right management Hiring new employee: creating accounts Reorg: modifications of access privileges Layoffs: deleting/disabling accounts Visibility and security Audits, attestations, reporting

6 User Provisioning System HR Workflow Engine LDAP Domain SOAP Agent SQL ERP Legacy System Database Applications

7 About Evolveum

8 Evolveum Team History since approx various LDAP and IDM projects, various companies since 2004: nlight IDM Professional Services Sun Microsystems, Novell : Cooperation with ForgeRock Contributing to OpenIDM v1 2011: Evolveum Independent development of midpoint Cooperative business model

9 Evolveum Focused open source development company Almost all employees are engineers Development and research Minimalistic sales and marketing All team members have academic degree (including 2 PhDs) Indirect partner-based business Customer Partner Evolveum Cooperation is the key

10 Ecosystem Pure open source model No open-core or dual licencing Contributions are welcome Distributed development Code created by several development teams Coordinated and integrated by Evolveum Evolveum is a maintainer, not owner of the code Cooperation instead of domination Evolveum partners add value Cloud, integrated solutions, managed services, extensions, plugins, connectors,... Trade influence for control to get mutual benefits

11 Open Source Identity Ecosystem OSIAM (Access Management) Shibboleth (Federation) (GRC) Syncope (Identity Provisioning) (Access Management) midpoint (Identity Provisioning) ConnId (Identity Connectors) (Identity Repository) 389 Directory Server (Identity Repository) CAS (Single Sign-On) Fortress (IAM SDK) OpenLDAP (Directory Server)

12 midpoint Introduction

13 MidPoint at a Glance Open-source User Provisioning system 100% open-source, no licence cost, no usage restrictions Next-generation system Open architecture, extensible, standard-based, Java/XML/REST Deployment and maintenance efficiency 20% of effort to get 80% of result Based on a decade of IDM experience

14 MidPoint Big Picture Target Systems midpoint Source Systems Identity Connectors

15 midpoint Features Overview Identity Lifecycle Management Hiring people, firing people, changing assignments RBAC, workflows, processes, rules, policies Identity Integration Connectors for source and target systems ( resources ) Customizable and Extensible Extensible using expressions and plug-ins (open-closed principle) High-level standard languages (Groovy, JavaScript, XPath2, BPMN) 100% open source, maven, git

16 Inside midpoint Modern lightweight Java architecture Spring, Spring Security, Prism Objects, Wicket Extensible by scripting expressions Groovy, Python, JavaScript, XPath v2,... Connectors Polygon, ConnId, OpenICF External services REST, SOAP/WSDL Workflow Activiti BPM engine integration

17 Unique Features Completely open Open source, open development process, customize anything Works out-of-the-box Many IDM configurations already pre-implemented Advanced RBAC/ABAC Conditional roles, parametric roles, Relative Changes, Synchronization and Consistency Easy to maintain consistency, lock-free, self-healing system PrismObjects Dynamic schemas, customization, unifying XML and JSON

18 MidPoint in numbers At least 13 years of IDM experience At least 11 years of research (12 publications) More than 5 years of active development (13 releases) More than lines of code Estimated project cost: $ (COCOMO, openhub.net) Average 100 commits per month (total 9007 commits) More than 3300 automated tests More than 500 wiki pages containing documentation

19 The past, the present and the future

20 midpoint History 2004: nlight IDM specialist company Mostly Sun IDM (but also other technologies) 2009: Sun acquired by Oracle Death of Sun IDM.. end of business? Spring 2010: OpenIDMv1 nlight cooperating with ForgeRock on OpenIDM development Spring 2011: ForgeRock is changing course OpenIDMv2 plan: drop everything, reinvent everything May 2011: midpoint project start Evolveum established by nlight and others 2012 and on: independent development Technolgical leadership Cooperation with other open source companies: Identity Ecosystem

21 Current State (version 3.2) Rich provisioning functionality (mappings, scripting,...) Live synchronization, reconciliation, import Advanced RBAC, organizational structure Administration GUI Generic synchronization, entitlements Fine-grained authorizations, delegated administration Advanced features Time constraints, higher-order dependencies, consistency, Governance (technology preview)

22 Where is midpoint used

23 Roadmap MidPoint 3.0 (Newton) RELEASED New look and feel, usability improvements MidPoint 3.4 RELEASED Access certification (preview), MidPoint 3.3 (Lincoln) RELEASED Improved GUI, wizards, MidPoint 3.2 (Tycho) Delegated administration, generic sync, REST, MidPoint 3.1, (Sinan) RELEASED Access certification, synchronization GUI, Spring 2015

24 MidPoint 3.x Is Revolutionary It goes beyond Identity Management Generic Synchronization Synchronize everything with everything Entitlements Support for groups and privileges (PIM) REST (and JSON and YAML later) Delegated Administration Fine-grained authorizations + organizational structure New GUI Look and Feel - Customizable

25 Open and Dynamic Development Completely open development Public distributed source code management (git, planned soon) Public task tracking (Jira) Public communication and documentation (mailing lists, wiki) Public planning (roadmap, Jira) User (customer) participation (Paying) customers influence roadmap and take precedence MidPoint users can influence the development plan Contributions

26 midpoint Architecture

27 MidPoint Big Picture Target Systems midpoint Source Systems Identity Connectors

28 Internal Architecture midpoint Administrators Users User Interface User Interface Business Logic Resources IDM Model Provisioning Repository

29 Internal Architecture Custom User Interface Administrators Users Admin User Interface Business Logic (workflow) Processing the policies IDM Model RBAC, mappings, conditions,... Relational Database Provisioning Repository ConnId Identity Connector Framework Resources

30 Internal Architecture Administrators Users User Interface User Interface Customized Fixed ( off the shelf ) Business Logic IDM Model Resources Provisioning Repository

31 Internal Architecture User Interface Part Extensible User Interface Deployer/Customer may provide his own code, Administrators extend the interfaces, even replace some Users Business Logic components Customized Fixed ( off the shelf ) IDM Model Configurable Part Provisioning Deployer/Customer should only configure the components here. The structure and code Repository should not be changed. Resources

32 Technologies Platform: Lightweight Java Java, Spring, Spring Security, Backlog (SLF4J) Data Model: Prism Objects (generated from XML Schemas) Web GUI (AJAX): Wicket Business logic and customization Groovy, JavaScript or XPath v2 for mappings and expressions Activiti BPM Workflow Interfaces: Java API, SOAP and REST Java APIs most efficient (parts of midpoint are embeddable) Web services (SOAP/WSDL, full schema support) REST interface

33 Identity Connectors Common Identity Connector Framework Sun Identity Connector Framework ConnId Compatible connectors AD, DB Table, DB2, MySQL, Oracle, RACF, Solaris, SPML, VMS, FlatFile, XML, Solaris, SAP,... LDAP: OpenLDAP, 389ds, OpenDJ, edirectory, Active Directory CSV file, Office365, SAS, GitLab, Lotus, LifeRay

34 Concrete Architecture - Web Container (Application Server) J2EE Web Container midpoint GUI Web Service Provisioning Model Repository RDB

35 Architecture Documentation UML Model (astah*)

36 midpoint Deployment Example

37 Example midpoint Deployment Architecture Microsoft Applications Administrator AD Connector (remote) midpoint User Self-Service (Web GUI) Identity Management Policies (rules, processes) Web GUI Scheduled Exports ADSI Active Directory CSV File SQL IDM Logic FlatFile Connector Custom HR System midpoint Identity Repository (Relational DB) DB Table Connector Oracle Database Database Applications

38 User Details

39 Approval Work Items (Workflow)

40 Approval (Workflow)

41 Resource and System Diagnostics

42 Built-it XML Editor

43 Live Demo Documentation: search for Live demo in wiki.evolveum.com

44 Conclusion

45 (Much) More Information midpoint Wiki Architecture and Design (in Wiki) Wiki pages under [Architecture and Design] page Live architecture documentation Includes UML diagrams We try to keep it (reasonably) up to date midpoint Mailing List

46 Conclusion Identity Management Goal: Operational efficiency & security (audit) Easy to start, complex to maintain midpoint Commercial open source provisioning system Next generation system: new technologies and unique features Customer influence and participation

47 Questions and Answers

48 Thank You Radovan Semančík