Applying Novell Identity Manager to Your Everyday Problems

Identity Web Services: Applying Novell® Identity Manager to Everyday Problems. Jerry Combs, Principal Architect, Novell Inc.

Description

In this session, you will hear from experts on the best way to approach password management/self-service and web services, two of the most common use cases for Novell Identity Manager. This session will remove the mystery from installing the UserApp and configuring password self-service, including a number of procedures that exist only in scattered technical information documents (TIDs). You will take away a set of proven procedures that will help you prepare password self-service for your end users, and learn how to provide a simple URL for password self-service that is easy for end users to remember.

Transcript of Applying Novell Identity Manager to Your Everyday Problems

Page 1: Applying Novell Identity Manager to Your Everyday Problems


Page 2: Applying Novell Identity Manager to Your Everyday Problems

© Novell, Inc. All rights reserved.

Agenda

• Introduction to Novell® Identity Manager web services
– Identity Manager core architecture
– Available identity web services
– Enabling the test page functionality

• Implementing custom identity services with workflows
– Provisioning identities from a custom interface

• Demonstration
– Provisioning Service
– Password Management Service

Page 3: Applying Novell Identity Manager to Your Everyday Problems


Novell® Identity Manager Core Architecture

Page 4: Applying Novell Identity Manager to Your Everyday Problems


Novell® Identity Manager is an event-based system!

Nothing happens without an event.

Page 5: Applying Novell Identity Manager to Your Everyday Problems


Event Sources

• Connected Systems

• Direct changes to the Identity Directory

– Identity and Provisioning Application Server

– LDAP/LDIF/NDAP

• Job Service

– A “cron”-like function that periodically generates events based on query parameters

– Jobs are defined and processed on a per-connector basis

Page 6: Applying Novell Identity Manager to Your Everyday Problems


Two Active Processing Components

• Identity Event Rule Engine
– Processes data events based on rules (policies)
– No user interface
– “System”-level integration

• Application Server (User Application)
– Workflow engine
– User interface
– Web services
– “Service”-level integration

All processing by the App Server results in a data event that is processed by the Rule Engine.

Page 7: Applying Novell Identity Manager to Your Everyday Problems


Rule Engine Connectors

• Historically called “Drivers”

• All processing is XML based

• A connector is a collection of rules, communication APIs, and any API/code required to translate events to XML

• All rule processing is done by connectors!

• Special connectors
– A “Loop Back” connector is used to implement processes that need to act on identity data events within the Rule Engine
– User Application connector
– Role and Resource connector

Page 8: Applying Novell Identity Manager to Your Everyday Problems


Identity Directory

• Pure object database
– Highly scalable
– Very extensible

• Multi-master replication
– High availability and horizontal scalability
– Patented replication process provides an event system

• The event system is used by connectors to subscribe to data events

• This event mechanism is NOT available in any other directory or database

Page 9: Applying Novell Identity Manager to Your Everyday Problems


Identity Web Services

• Provisioning management

• Role management

• Resource management

• Password management
– Password change, challenge/response reset

• Virtual Directory / Data Abstraction
– Access to identity data

• Metrics
– Data on system usage and performance

• Notification
– Enables the sending of emails based on stored templates

Page 10: Applying Novell Identity Manager to Your Everyday Problems


Provisioning Service

• Functions to initiate, monitor, and interact with workflows
– Start a workflow (provisioning request)
– Get workflow status
– Approve/deny a request
– Get requests for a user
– Get requests by a user
– Get available requests

• URL

http://<server>:<port>/IDM/provisioning/service/

Page 11: Applying Novell Identity Manager to Your Everyday Problems


Role Management Service

• Complete role API

– Request a role assignment

– Check SOD policy

– Get role catalog

– Remove a role assignment

• URL

http://<server>:<port>/IDM/role/service/

Page 12: Applying Novell Identity Manager to Your Everyday Problems


Password Management Service

• Get password policy for a user
– Complexity requirements

• Check password synchronization status

• Change password

• Reset password using challenge/response
– Available only as a SOAP endpoint

• URL

http://<server>:<port>/IDM/pwdmgt/service/

Page 13: Applying Novell Identity Manager to Your Everyday Problems


Virtual Directory / Data Abstraction Service

• Access to identity data through the Directory Abstraction Layer

– Ad-hoc queries

– Get Attribute(s)

– Pre-defined queries (Global Queries)

– Update Attribute

• URL

http://<server>:<port>/IDM/vdx/service/

Page 14: Applying Novell Identity Manager to Your Everyday Problems


Resource Management Service

• Key services
– requestResourceGrant
– requestResourceRevoke
– getResourceAssignmentsForUser

• New end points in RBPM 3.7 patch B
– Create, update, and delete resources

• URL

http://<server>:<port>/IDM/resource/service/

Page 15: Applying Novell Identity Manager to Your Everyday Problems


Metrics Service

• Provisioning usage and processing statistics

• Used for reporting

• Not exposed in the RBPM 3.7 Interface

• URL

http://<server>:<port>/IDM/metrics/service/

Page 16: Applying Novell Identity Manager to Your Everyday Problems


Notification Service

• Used to send email notifications

– sendNotification is the only end point

• Utilizes templates stored in the Identity Vault

– Supplied parameters used to populate template

• URL

http://<server>:<port>/IDM/notification/service/

Page 17: Applying Novell Identity Manager to Your Everyday Problems


Enabling the Test Services

• Extract the WAR file using the jar utility from the proper JDK

• Modify web.xml: in the Provisioning servlet definition, set the com.novell.soa.ws.test.disable init-param to false

    <servlet>
      <servlet-name>Provisioning</servlet-name>
      <servlet-class>com.novell.soa.af.impl.soap.ProvisioningImpl</servlet-class>
      <init-param>
        <param-name>com.novell.soa.ws.test.disable</param-name>
        <param-value>false</param-value>
      </init-param>
    </servlet>

• Rebuild the WAR file using the jar utility
– Do NOT use any other zip application

• Deploy the new WAR file

• Access the test pages

http://<server>:<port>/IDM/provisioning/service?test

• Caveat: the test page is a browser front end to every operation of the service. Enable it only on a test system, and set the parameter back to true (or remove the change) before the WAR is deployed to production.

Page 18: Applying Novell Identity Manager to Your Everyday Problems


Custom Identity Services

• Three simple steps
– Build a workflow that implements the function you need
– Deploy the workflow
– Use the provisioning web service to start the workflow

• Benefits
– Allows external applications and systems to perform identity functions in a standardized, controlled, and secure way
– No need for direct access to the Identity Vault

• Limitations
– Asynchronous only: you must check the process status if you need to know that the request succeeded.
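The asynchronous limitation above is the part callers get wrong: a successful start call only means the workflow was accepted. The following is an added example, not Novell code, of a SOAP client that starts a PRD through the Provisioning Service and then polls its status until a terminal state. The SOAP operation and element names (startWorkflow, getWorkflowStatus, requestId, status), the state names in TERMINAL and the namespace PROV_NS are placeholders to be taken from the service's WSDL; the URL, DNs and credentials are constructed.

```python
"""Start a provisioning request through the Provisioning web service and
poll for its outcome.  Added example, not Novell code.  Assumptions, all
labelled: SOAP 1.1 over HTTPS with HTTP Basic authentication; the
operation names startWorkflow/getWorkflowStatus, the element names, the
state names in TERMINAL and the namespace PROV_NS are placeholders."""
import base64
import time
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PROV_NS = "urn:example:idm-provisioning"                    # placeholder
TERMINAL = {"Completed", "Denied", "Error", "Terminated"}  # placeholder states


class SoapFault(Exception):
    """A SOAP Fault, or a response without the data the caller needs."""


def build_envelope(operation: str, params: dict) -> bytes:
    """Wrap *operation* and its child elements in a SOAP 1.1 envelope.
    Every value is XML-escaped, so a recipient DN or comment containing
    '<' or '&' cannot inject extra elements into the request."""
    children = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:p="{PROV_NS}">'
        f"<soapenv:Body><p:{operation}>{children}</p:{operation}></soapenv:Body>"
        "</soapenv:Envelope>"
    ).encode("utf-8")


def sample_response(inner_xml: str) -> bytes:
    """Constructed response (not captured from a real server) for offline use."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f"{inner_xml}</soapenv:Body></soapenv:Envelope>").encode("utf-8")


def call_service(url: str, user: str, password: str, envelope: bytes) -> bytes:
    """POST the envelope with Basic auth.  urllib validates the server
    certificate against the system trust store; leave that on."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send Basic credentials over plaintext HTTP")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=envelope, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def parse_response(xml_bytes: bytes) -> dict:
    """Map the leaf elements of the SOAP Body to {local-name: text}.  A
    Fault is raised, never mistaken for success.  stdlib ElementTree does
    not fetch external entities; use defusedxml for less trusted peers."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise SoapFault("response has no SOAP Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise SoapFault(fault.findtext("faultstring") or "unspecified fault")
    return {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip()
            for e in body.iter() if e is not body and len(e) == 0}


def start_workflow(fetch, prd_dn: str, recipient_dn: str, comment: str) -> str:
    """Start PRD *prd_dn* for *recipient_dn* and return the request id.
    *fetch* is callable(envelope) -> response bytes, so the transport can
    be swapped for a recorded response.  The id is all a start call proves."""
    result = parse_response(fetch(build_envelope("startWorkflow", {
        "processId": prd_dn, "recipient": recipient_dn, "comment": comment})))
    if not result.get("requestId"):
        raise SoapFault(f"start returned no request id: {result!r}")
    return result["requestId"]


def wait_for_request(fetch, request_id: str, attempts: int = 30,
                     delay: float = 2.0) -> str:
    """Poll getWorkflowStatus until a terminal state.  The API is
    asynchronous, so a caller that must know the account exists before it
    continues polls here instead of trusting the start call."""
    for _ in range(attempts):
        state = parse_response(fetch(build_envelope(
            "getWorkflowStatus", {"requestId": request_id}))).get("status", "")
        if state in TERMINAL:
            return state
        time.sleep(delay)
    raise TimeoutError(f"request {request_id} unfinished after {attempts} polls")


if __name__ == "__main__":
    # All names are constructed.  Grant the service account only the PRDs
    # it needs (the per-PRD access control the deck describes), not IDM
    # administrator rights.
    url = "https://idm.example.com:8443/IDM/provisioning/service"
    fetch = lambda env: call_service(url, "cn=svc-portal,ou=sa,o=vault", "s3cret", env)
    rid = start_workflow(fetch, "cn=CreateStdExternalUser,cn=RequestDefs,o=vault",
                         "cn=jdoe,ou=external,o=vault", "helpdesk ticket 4711")
    print(rid, wait_for_request(fetch, rid))
```

Two design points: the caller never sees a Fault as a success (parse_response raises), and the transport is injected, so the start-then-poll logic can be exercised offline against constructed responses before it is pointed at a real User Application.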

Page 19: Applying Novell Identity Manager to Your Everyday Problems


A Real World Example

Diagram: a Web Service Interface calls the Provisioning Workflow Engine, which holds a set of PRDs (Disable external user, Create “special” external user, Create std external user, Modify role assignment, and others). The engine writes to the Identity Database, whose Event System feeds the Identity Rule Engine. There, the SAP Connector (“Create user in SAP” rule) and the LDAP Connector (“Create user in LDAP” rule), sharing a common External Account interface, create the accounts in SAP and LDAP.

A. A Provisioning Request Definition (PRD) defines the workflow for a provisioning action. There may be many PRDs, and they can define any required process.

B. The provisioning request workflows can be initiated via web services.

C. Access to a specific PRD can be controlled at a very granular level. Two applications/users can have different flows for the same end function.

D. Once the flow is complete and all requirements have been met, the flow creates the new user account and adds the appropriate entitlements.

E. The eDirectory event system sends the event to each subscribing driver.

F. The rules are evaluated and the account is created in the appropriate systems.

Page 20: Applying Novell Identity Manager to Your Everyday Problems

Demonstration

Page 21: Applying Novell Identity Manager to Your Everyday Problems

Questions?

Page 22: Applying Novell Identity Manager to Your Everyday Problems
Page 23: Applying Novell Identity Manager to Your Everyday Problems

Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.