midpoint Overview Radovan Semančík December 2015
Agenda: Identity Management Introduction; midpoint Introduction; midpoint Architecture; Conclusion
Identity Management Introduction
Identity Management System (diagram): Admin, Requester and Approver roles and ordinary Users interact with a Provisioning System backed by an Identity Repository, which in turn manages accounts in the connected applications (HR, CRM and further applications).
Identity Management: Provisioning
- Making sure that users have the correct access rights
- Automating the processes of access right management: hiring a new employee creates accounts; a reorganization modifies access privileges; layoffs delete or disable accounts
- Visibility and security: audits, attestations, reporting
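The lifecycle events on this slide (hiring creates accounts, a reorganization changes privileges, a layoff disables accounts) are what a provisioning system computes from a source system and a role model, and reconciliation is how it catches the cases nobody sent an event for. The following Python block is an added illustration, not midpoint code and not part of the original deck: it derives roles from HR attributes, computes the accounts and entitlements each person should hold, and reconciles that against the actual state of the target systems to produce create/modify/disable actions, flagging accounts that no HR record owns. The role catalogue, HR records, resource names (ldap, gitlab, erp) and target-system state are constructed sample data.

```python
"""Joiner/mover/leaver provisioning plus reconciliation.

Added illustration of what a provisioning system does; it is not midPoint
code. The role catalogue, HR records and target-system state below are
constructed sample data, and the resource names are assumptions."""

# Role catalogue: role -> {resource: entitlements the role grants there}
ROLES = {
    "employee":  {"ldap": {"all-staff"}},
    "developer": {"ldap": {"dev"}, "gitlab": {"developers"}},
    "finance":   {"ldap": {"finance"}, "erp": {"gl-read"}},
}

# Constructed HR feed: a joiner, a mover (engineering -> finance), a leaver.
HR_RECORDS = [
    {"uid": "alice", "dept": "engineering", "status": "active"},
    {"uid": "bob",   "dept": "finance",     "status": "active"},
    {"uid": "carol", "dept": "finance",     "status": "terminated"},
]

# Constructed state of the target systems: resource -> uid -> entitlements.
# bob still carries his old engineering access, carol is still enabled and
# "svc-old" exists in LDAP without any owner in HR.
TARGET_STATE = {
    "ldap":   {"bob": {"all-staff", "dev"},
               "carol": {"all-staff", "finance"},
               "svc-old": {"dev"}},
    "gitlab": {"bob": {"developers"}},
    "erp":    {"carol": {"gl-read"}},
}


def roles_for(hr):
    """Conditional RBAC: roles follow from HR attributes. Only active people
    get roles; 'employee' is unconditional for them, the rest depends on
    the department."""
    if hr["status"] != "active":
        return set()
    roles = {"employee"}
    if hr["dept"] == "engineering":
        roles.add("developer")
    elif hr["dept"] == "finance":
        roles.add("finance")
    return roles


def desired_state(hr):
    """Accounts and entitlements one person should have: resource -> set."""
    desired = {}
    for role in roles_for(hr):
        for resource, ents in ROLES[role].items():
            desired.setdefault(resource, set()).update(ents)
    return desired


def reconcile(hr_records, target_state):
    """Compare desired state with actual target state and return provisioning
    actions as (action, resource, uid, payload) tuples.

    create  -> account missing on a resource the person should have
    modify  -> account exists but entitlements differ; payload (add, remove)
    disable -> account exists on a resource the person should not have
               (covers leavers as well as movers losing a system)
    orphan  -> account with no owner in HR at all: an audit finding
    """
    actions = []
    seen = set()
    for hr in hr_records:
        uid = hr["uid"]
        desired = desired_state(hr)
        for resource in sorted(set(target_state) | set(desired)):
            seen.add((resource, uid))
            actual = target_state.get(resource, {}).get(uid)
            want = desired.get(resource)
            if want is None:
                if actual is not None:
                    actions.append(("disable", resource, uid, frozenset()))
            elif actual is None:
                actions.append(("create", resource, uid, frozenset(want)))
            else:
                add, remove = want - actual, actual - want
                if add or remove:
                    actions.append(("modify", resource, uid,
                                    (frozenset(add), frozenset(remove))))
    # Anything on a target that no HR record touched has no known owner.
    for resource, accounts in target_state.items():
        for uid in accounts:
            if (resource, uid) not in seen:
                actions.append(("orphan", resource, uid, frozenset()))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_RECORDS, TARGET_STATE):
        print(*action)
```

Two things in the output are worth noticing. The mover bob loses his old dev group and GitLab account without anyone having filed a "remove engineering access" request, because the comparison is against the desired state rather than against a stream of events. And the orphan svc-old is exactly the kind of finding that the audits and attestations on this slide exist to surface: an account that reconciliation can see but no policy can explain.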
User Provisioning System (diagram): the HR system feeds a provisioning system with a workflow engine; through connectors and agents the provisioning system manages LDAP, a domain, SOAP services, SQL databases, an ERP, legacy systems, databases and applications.
About Evolveum
Evolveum Team History
- since approx. 2000: various LDAP and IDM projects at various companies
- since 2004: nlight, IDM professional services (Sun Microsystems, Novell)
- 2010-2011: cooperation with ForgeRock, contributing to OpenIDM v1
- 2011: Evolveum, independent development of midpoint, cooperative business model
Evolveum
- Focused open source development company: almost all employees are engineers (development and research); minimalistic sales and marketing
- All team members have an academic degree (including 2 PhDs)
- Indirect, partner-based business: Customer - Partner - Evolveum; cooperation is the key
Ecosystem
- Pure open source model: no open-core or dual licensing; contributions are welcome
- Distributed development: code created by several development teams, coordinated and integrated by Evolveum; Evolveum is the maintainer, not the owner, of the code; cooperation instead of domination
- Evolveum partners add value: cloud, integrated solutions, managed services, extensions, plugins, connectors, ...
- Trade influence for control to get mutual benefits
Open Source Identity Ecosystem (diagram): OSIAM (Access Management); Shibboleth (Federation); Syncope (Identity Provisioning); midpoint (Identity Provisioning); ConnId (Identity Connectors); 389 Directory Server (Identity Repository); CAS (Single Sign-On); Fortress (IAM SDK); OpenLDAP (Directory Server); plus unnamed entries for GRC, Access Management and Identity Repository.
midpoint Introduction
MidPoint at a Glance
- Open-source user provisioning system: 100% open source, no licence cost, no usage restrictions
- Next-generation system: open architecture, extensible, standards-based, Java/XML/REST
- Deployment and maintenance efficiency: 20% of the effort to get 80% of the result
- Based on a decade of IDM experience
MidPoint Big Picture (diagram): Source Systems -> Identity Connectors -> midpoint -> Identity Connectors -> Target Systems
midpoint Features Overview
- Identity Lifecycle Management: hiring people, firing people, changing assignments; RBAC, workflows, processes, rules, policies
- Identity Integration: connectors for source and target systems (resources)
- Customizable and Extensible: extensible using expressions and plug-ins (open-closed principle); high-level standard languages (Groovy, JavaScript, XPath 2, BPMN)
- 100% open source, Maven, Git
Inside midpoint
- Modern lightweight Java architecture: Spring, Spring Security, Prism Objects, Wicket
- Extensible by scripting expressions: Groovy, Python, JavaScript, XPath v2, ...
- Connectors: Polygon, ConnId, OpenICF
- External services: REST, SOAP/WSDL
- Workflow: Activiti BPM engine integration
Unique Features
- Completely open: open source, open development process, customize anything
- Works out-of-the-box: many IDM configurations already pre-implemented
- Advanced RBAC/ABAC: conditional roles, parametric roles, ...
- Relative changes, synchronization and consistency: easy to maintain consistency, lock-free, self-healing system
- PrismObjects: dynamic schemas, customization, unifying XML and JSON
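The "relative changes" item deserves a concrete picture, because it is the mechanism behind the lock-free consistency claim. The Python block below is an added illustration, not midpoint code: it contrasts absolute replacement of a multi-valued attribute with relative add/delete deltas, on a constructed scenario in which a revocation and an unrelated grant race each other. The Delta class, the group names and the scenario itself are assumptions made for this example.

```python
"""Relative changes (deltas) versus absolute replacement of a multi-valued
attribute.

Added illustration, not midPoint code. Two actors change the same user's
group list at about the same time; the constructed scenario shows why
carrying relative add/delete deltas avoids the lost update that absolute
replacement produces, and why that matters when the lost update is a
revocation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delta:
    """A relative change to a set-valued attribute (assumed shape)."""
    add: frozenset = frozenset()
    delete: frozenset = frozenset()


def apply_delta(current, delta):
    """Apply a relative change to the current value."""
    return (frozenset(current) | delta.add) - delta.delete


def conflicts(a, b):
    """Two deltas genuinely conflict only if one adds what the other deletes;
    anything else can be merged without taking a lock."""
    return bool(a.add & b.delete) or bool(b.add & a.delete)


def replace_race(stored, first, second):
    """Absolute-replace semantics: each actor reads the stored value, computes
    the complete new value it wants and writes that back. Both read the same
    stale value, so the second write overwrites the first and whatever the
    first actor removed silently comes back."""
    value_first = apply_delta(stored, first)    # first actor's full new value
    value_second = apply_delta(stored, second)  # second actor's, from the same read
    state = value_first                         # write 1: REPLACE groups := value_first
    state = value_second                        # write 2: REPLACE groups := value_second
    return state


def delta_merge(stored, first, second):
    """Relative-change semantics: each write carries only its own add and
    delete sets, so the later write cannot undo the earlier one. For
    non-conflicting deltas the outcome is the same in either order."""
    if conflicts(first, second):
        raise ValueError("conflicting deltas need a policy decision")
    return apply_delta(apply_delta(stored, first), second)


# Constructed scenario: security revokes a privileged group while a manager
# grants a harmless one; both start from the same stored value.
STORED = frozenset({"all-staff", "dev", "finance-admin"})
REVOKE = Delta(delete=frozenset({"finance-admin"}))
GRANT = Delta(add=frozenset({"qa"}))

if __name__ == "__main__":
    print("replace:", sorted(replace_race(STORED, REVOKE, GRANT)))
    print("deltas: ", sorted(delta_merge(STORED, REVOKE, GRANT)))
```

With replacement the privileged group is back after the manager's write, and nothing in the audit trail looks wrong: both actors made a legitimate change. With deltas the two changes commute, so no lock is needed to keep them consistent, and the one case that cannot commute (one side adds what the other deletes) is detected instead of being resolved by whoever wrote last.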
MidPoint in numbers
- At least 13 years of IDM experience
- At least 11 years of research (12 publications)
- More than 5 years of active development (13 releases)
- More than 460 000 lines of code
- Estimated project cost: $10 315 309 (COCOMO, openhub.net)
- Average 100 commits per month (total 9007 commits)
- More than 3300 automated tests
- More than 500 wiki pages containing documentation
The past, the present and the future
midpoint History
- 2004: nlight, IDM specialist company; mostly Sun IDM (but also other technologies)
- 2009: Sun acquired by Oracle; death of Sun IDM... end of business?
- Spring 2010: OpenIDM v1; nlight cooperating with ForgeRock on OpenIDM development
- Spring 2011: ForgeRock is changing course; OpenIDM v2 plan: drop everything, reinvent everything
- May 2011: midpoint project start; Evolveum established by nlight and others
- 2012 and on: independent development, technological leadership, cooperation with other open source companies (Identity Ecosystem)
Current State (version 3.2)
- Rich provisioning functionality (mappings, scripting, ...)
- Live synchronization, reconciliation, import
- Advanced RBAC, organizational structure
- Administration GUI
- Generic synchronization, entitlements
- Fine-grained authorizations, delegated administration
- Advanced features: time constraints, higher-order dependencies, consistency, ...
- Governance (technology preview)
Where is midpoint used
Roadmap
- MidPoint 3.0 (Newton), RELEASED: new look and feel, usability improvements
- MidPoint 3.1 and 3.1.1 (Sinan), RELEASED, spring 2015: access certification, synchronization GUI
- MidPoint 3.2 (Tycho), RELEASED: delegated administration, generic sync, REST
- MidPoint 3.3 (Lincoln), RELEASED: improved GUI, wizards
- MidPoint 3.4: access certification (preview), ...
MidPoint 3.x Is Revolutionary: it goes beyond identity management
- Generic Synchronization: synchronize everything with everything
- Entitlements: support for groups and privileges (PIM)
- REST (and JSON and YAML later)
- Delegated Administration: fine-grained authorizations + organizational structure
- New GUI look and feel, customizable
Open and Dynamic Development
- Completely open development: public distributed source code management (git, planned soon); public task tracking (Jira); public communication and documentation (mailing lists, wiki); public planning (roadmap, Jira)
- User (customer) participation: (paying) customers influence the roadmap and take precedence; midPoint users can influence the development plan; contributions
midpoint Architecture
Internal Architecture (layered diagram, built up over several slides). Layers from top to bottom:
- User Interface: the admin user interface used by administrators and users, plus optional custom user interfaces
- Business Logic (workflow): processing of the policies
- IDM Model: RBAC, mappings, conditions, ...
- Provisioning: based on the ConnId Identity Connector Framework, which talks to the Resources
- Repository: a relational database
Components are either customized or fixed (off the shelf). The user interface and business logic form the extensible part: the deployer or customer may provide their own code, extend the interfaces, or even replace some components. The IDM model, provisioning and repository form the configurable part: the deployer or customer should only configure the components here; their structure and code should not be changed.
Technologies
- Platform: lightweight Java; Java, Spring, Spring Security, Logback (SLF4J)
- Data model: Prism Objects (generated from XML Schemas)
- Web GUI (AJAX): Wicket
- Business logic and customization: Groovy, JavaScript or XPath v2 for mappings and expressions; Activiti BPM workflow
- Interfaces: Java API, SOAP and REST; the Java APIs are the most efficient (parts of midpoint are embeddable); web services (SOAP/WSDL, full schema support); REST interface
Identity Connectors
- ConnId (Common Identity Connector Framework, derived from the Sun Identity Connector Framework)
- Compatible connectors: AD, DB Table, DB2, MySQL, Oracle, RACF, Solaris, SPML, VMS, FlatFile, XML, SAP, ...
- LDAP: OpenLDAP, 389ds, OpenDJ, eDirectory, Active Directory
- CSV file, Office 365, SAS, GitLab, Lotus, Liferay
Concrete Architecture - Web Container (Application Server) (diagram): a J2EE web container hosts midpoint with its GUI, web service, provisioning, model and repository components; the repository is stored in a relational database (RDB).
Architecture Documentation UML Model (astah*) https://svn.evolveum.com/midpoint/design
midpoint Deployment Example
Example midpoint Deployment Architecture (diagram): midpoint (web GUI for the administrator and user self-service; identity management policies, i.e. rules and processes; IDM logic; identity repository in a relational DB) is connected via a remote AD connector using ADSI to Active Directory and the Microsoft applications behind it, via a FlatFile connector to a CSV file produced by scheduled exports from a custom HR system, and via a DB Table connector over SQL to an Oracle database used by database applications.
User Details
Approval Work Items (Workflow)
Approval (Workflow)
Resource and System Diagnostics
Built-in XML Editor
Live Demo: http://demo.evolveum.com/ (documentation: search for "Live demo" on wiki.evolveum.com)
Conclusion
(Much) More Information
- midpoint Wiki: https://wiki.evolveum.com/display/midpoint/home
- Architecture and Design (in the Wiki): wiki pages under the [Architecture and Design] page; live architecture documentation, includes UML diagrams; we try to keep it (reasonably) up to date
- midpoint Mailing List
Conclusion
- Identity Management: the goal is operational efficiency and security (audit); easy to start, complex to maintain
- midpoint: commercial open source provisioning system; next-generation system with new technologies and unique features; customer influence and participation
Questions and Answers
Thank You Radovan Semančík www.evolveum.com