Open Source Identity Management

Similar documents
Identity Management with midpoint. Radovan Semančík FOSDEM, January 2016

Introduction to Identity and Access Management for the engineers. Radovan Semančík April 2014

midpoint Overview Radovan Semančík December 2015

Securing your business

Apache Syncope OpenSource IdM

Single Sign On. SSO & ID Management for Web and Mobile Applications

G Cloud 6 CDG Service Definition for Forgerock Software Services

Access Management Analysis of some available solutions

Centralized Oracle Database Authentication and Authorization in a Directory

SAP Identity Management Overview

IDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach

First-hand Information about the Enhanced Functionality and Integration Options Within SAP NetWeaver Identity Management 7.2

LDAPCON Sébastien Bahloul

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Product overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities

IETF 84 SCIM System for Cross-domain Identity Management. Kelly Grizzle

Password Management Guide

Configuring idrac6 for Directory Services

To integrate Oracle Application Server with Active Directory follow these steps.

Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack

UNIL Administration. > Many databases and applications:

Gabriel Magariño. Software Engineer. Overview Revisited

Government of Canada Directory Services Architecture. Presentation to the Architecture Framework Advisory Committee November 4, 2013

Authentication: Password Madness

The Unique Alternative to the Big Four. Identity and Access Management

Security As A Service Leveraged by Apache Projects. Oliver Wulff, Talend

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

The School Board of Palm Beach

Open Data Center Alliance Usage: Identity Management Interoperability Guide rev. 1.0

Securing SAS Web Applications with SiteMinder

Authentication Integration

OracleAS Identity Management Solving Real World Problems

Oracle Identity Manager, Oracle Internet Directory

User Management Resource Administrator. Managing LDAP directory services with UMRA

CA SiteMinder. Implementation Guide. r12.0 SP2

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Server-based Password Synchronization: Managing Multiple Passwords

Identity Management Basics. OWASP May 9, The OWASP Foundation. Derek Browne, CISSP, ISSAP

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

BOF2337 Open Source Identity and Access Management Expert Panel, Part II. 23 September :30p Hilton - Golden Gate 6/7/8 San Francisco CA

Novell Identity Manager

Oracle Identity Manager (OIM) as Enterprise Security Platform - A Real World Implementation Approach for Success

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

Microsoft Active Directory Authentication with SonicOS 3.0 Enhanced and SonicOS SC 1.0 (CSM 2100CF)

Course 50382A: Implementing Forefront Identity Manager 2010 OVERVIEW

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory. Overview August 2008

Egnyte Single Sign-On (SSO) Installation for OneLogin

SAM Enterprise Identity Manager

Identity Governance Evolution

Configuration Guide. BES12 Cloud

Identity and Access Management

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Bala Vellaiappan Shan Balasubramanian Suchitra Subbakrishna DTS-ESOD

Identity Management in Quercus. CampusIT_QUERCUS

Building an identity repository is at the heart of identity and access management.

Integrated Identity and Access Management Architectural Patterns

ActiveRoles Server v 6.7

From centralized to single sign on

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER

LDAP and Active Directory Guide

Manage Your Shop with Policy Based Management & Central Management Server

Enabling Single Sign-On for Oracle Applications Oracle Applications Users Group PAGE 1

Trust but Verify: Best Practices for Monitoring Privileged Users

How To Get A Single Sign On (Sso)

Working with Structured Data in Microsoft Office SharePoint Server 2007 (Part1): Configuring Single Sign On Service and Database

Interoperable Provisioning in a Distributed World

Migrating application users and passwords with Password Manager

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

CA Performance Center

Oracle Platform Security Services & Authorization Policy Manager. Vinay Shukla July 2010

: IBM Tivoli Identity Manager V4.5 Implenentation

WHITEPAPER OpenIDM. Identity lifecycle management for users, devices, & things

Provisioning and Deprovisioning 1 Provisioning/De-provisiong replacement 1

Profile synchronization guide for Microsoft SharePoint Server 2010

SAP Identity Management Overview

Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

Populating Your Domino Directory (Or ANY Domino Database) With Tivoli Directory Integrator. Marie Scott Thomas Duffbert Duff

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Cloudwork Dashboard User Manual

EXECUTIVE VIEW. EmpowerID KuppingerCole Report. By Peter Cummings October By Peter Cummings

NCSU SSO. Case Study

Contextual Authentication: A Multi-factor Approach

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Oracle Identity Analytics Architecture. An Oracle White Paper July 2010

Integrating OID/SSO with E- Business Suite and Third-Party SSO Solutions. Presented by Paul Jackson (Norman Leach)

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Biometric SSO Authentication Using Java Enterprise System

RSA Authentication Manager 7.1 Administrator s Guide

IBM Tivoli Identity Manager

ESET Secure Authentication Java SDK

NetIQ Identity Manager Setup Guide

Identity and Access Management (IAM) Roadmap DRAFT v2. North Carolina State University

Transcription:

Open Source Management OpenAlt 2015 Radovan Semančík November 2015

Ing. Radovan Semančík, PhD. Software architect Co-owner of Evolveum (open source company) Architect of midpoint project Apache committer (Directory API)

What is this Management?

Let's start with a story... Pirate Brethren, Inc. Fictional company Starts small Lean, efficient Grows quickly Focus on profit

Simple and easy start Keeping access rights matrix in spreadsheet Some manual work but still quite OK

It gets quite complex very soon...

Login Nightmares Shippin' DeLuxe v99.02 Login: mjones Password: NaviGATE+ Username: p0054358 Password: Forgot password? Login: marry Password: CrashSoft Woknous Realm: PIRACY Login: jones3 Password:

Policy manual synchronization (unreliable, slow, costly) # # # # # no feedback Reality untracked changes LDAPv3 base <dc=example,dc=com> with scope subtree filter: (entryuuid=48b2295e-c131-4300-835a-fa85c863233e) requesting: ALL # jack, people, example.com dn: uid=jack,ou=people,dc=example,dc=com mail: jack2@blackpearl.com givenname: Jack objectclass: person objectclass: inetorgperson objectclass: organizationalperson objectclass: top uid: jack cn: cpt. Jack Sparrow sn: Sparrow

$ $ AUDIT VERY COSTLY $ and it has to be repeated... $ # # # # # LDAPv3 base <dc=example,dc=com> with scope subtree filter: (entryuuid=48b2295e-c131-4300-835a-fa85c863233e) requesting: ALL # jack, people, example.com dn: uid=jack,ou=people,dc=example,dc=com mail: jack2@blackpearl.com givenname: Jack objectclass: person objectclass: inetorgperson objectclass: organizationalperson objectclass: top uid: jack cn: cpt. Jack Sparrow sn: Sparrow

Call Center Goes Crazy Access request Password reset Password reset Password reset Password reset Password reset Access request Password reset Password reset

* Let's do this IAM thing. Everybody is doing that. *) and Access Management

Manager's View Users S S O Implementation Details

High Level Architect's View HR Users Implementation Details Implementation Details S S O LDAP Implementation Details Implementation Details

Reality Relational database Unsupported Users HR Unsupported Incompatible identifiers Local copy No standard LDAP (ugly script needed)! Custom schema Incompatible schema! Expensive Home directory Extremely expensive S S O

Single directory approach is not going to work and this has been known since 2006 (at least)

What are we going to do now?

DO NOT PANIC! SSO is what you think you want IDM is what you really need

What is this Management (IDM) thing, again?

and Access Management System Admin Requester Approver Users Management Repository HR CRM A M

How IDM works? Management A M Repository HR

Automatic user provisioning Policies RBAC Rules Management A M Repository HR

Business As Usual Management A M Repository HR

Password reset (self-service) Management A M Repository HR

Employee Leaves Company Management A M Repository HR

Automatic user deprovisioning Policies RBAC Rules Management A M Repository HR

Business As Usual Management A M Repository HR

Bidirectional Synchronization Management A M Repository HR

Policy enforcement Policies RBAC Rules Management A M Repository HR

What Management does? Provisioning Identifier management Synchronization Data mapping Self-service Segregation of duties Password management Workflow Credentials distribution Notifications Auditing (SSH, X.509) RBAC Reporting Organizational structure Governance Entitlement management...

Who needs Management? IDM Rule of the Thumb: < 100 identities: you are fine with manual work 100 1K identities: you might need it 1K - 10K identities: you need it > 10K identities: you desperately need it!

This IDM looks like the best thing since the sliced bread. What's the catch?

This IDM looks like the best thing since the sliced bread. What's the catch? The commercial IDM products are expensive.

This IDM looks like the best thing since the sliced bread. What's the catch? The commercial IDM products are expensive. Very, very expensive.

Open Source to the Rescue There was no practical FOSS solution until 2010 (Sun Manager was the king) 2010-2011: Syncope, OpenIDM, midpoint,... (that was the time when Oracle acquired Sun) * Now there are two leading open source IDMs: Apache Syncope Evolveum midpoint *) by open source I mean both license and practice

Evolveum midpoint?

midpoint Users Management Repository HR CRM A M

The midpoint Story Started 2010-2011 (5 years, 14 releases) Github, Apache 2.0 License ~500K lines of code (Java) State-of-the-art IDM features Conditions Expressions Provisioning Management Schema Scripting Password reset Organizational structure Segregation of duties Synchronization Policy Consistency Workflow Entitlements Connectors HA Governance Authorization Localization Notifications RBAC Web UI Extensibility Self-service Audit Parametric roles Delegated Bulk actions Data mapping REST administration Identifiers

MidPoint Big Picture Target Systems midpoint Source Systems Connectors

Complete Open Source Solution midpoint Users CAS Management HR CRM Repository OpenLDAP A M

Conclusion

and Access Management System Admin Requester Approver Users Management Repository HR CRM A M

IAM Letter Soup System Admin Requester Approver Connector Administration Provisioning Workflow System Policy RBAC IDM HR Provisioning Sync LDAP Integration Two-factor AM OAuth LDAP AD Authentication SSO Repository CRM Users A M OpenID Connect Federation SAML UMA

Access Management Management Authentication Provisioning Single Sign-On (SSO) RBAC Synchronization Password management Self-service and much more Cost reduction Quite expensive What people want What people need

Access Management Management Authentication Provisioning Single Sign-On (SSO) RBAC Synchronization Password management Self-service and much more Cost reduction Quite expensive What people want START HERE What people need

Questions and Answers Conditions Expressions Provisioning Management Schema Scripting Password reset Organizational structure Segregation of duties Synchronization Policy Consistency Workflow Entitlements Connectors HA Governance Authorization Localization Notifications RBAC Web UI Extensibility Self-service Audit Parametric roles Delegated Bulk actions Data mapping REST administration Identifiers

Thank You Radovan Semančík www.evolveum.com

Extra Slides

(Much) More Information midpoint Wiki https://wiki.evolveum.com/display/midpoint/home Architecture and Design (in Wiki) Wiki pages under [Architecture and Design] page Live architecture documentation Includes UML diagrams We try to keep it (reasonably) up to date midpoint Mailing List

Example midpoint Deployment Architecture Microsoft s Administrator AD Connector (remote) midpoint User Self-Service (Web GUI) Management Policies (rules, processes) Web GUI Scheduled Exports ADSI Active Directory CSV File SQL IDM Logic FlatFile Connector Custom HR System midpoint Repository (Relational DB) DB Table Connector Oracle Database Database s

Connectors Common Connector Framework Sun Connector Framework ConnId Compatible connectors AD, DB Table, DB2, MySQL, Oracle, RACF, Solaris, SPML, VMS, FlatFile, XML, Solaris, SAP,... LDAP: OpenLDAP, 389ds, OpenDJ, edirectory, Active Directory CSV file, Office365, SAS, GitLab, Lotus, LifeRay

Live Demo http://demo.evolveum.com/ Documentation: search for Live demo in wiki.evolveum.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information