Complete open source IAM solution
![Page 1: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/1.jpg)
Complete open source IAM solution
Radovan Semančík, LDAPcon, November 2015
![Page 2: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/2.jpg)
Radovan Semančík
Current:
Software Architect at Evolveum
Architect of Evolveum midPoint
Contributor to ConnId and Apache Directory API
Past:
Sun LDAP and IDM deployments (early 2000s)
OpenIDM v1, OpenICF
Many software architecture and security projects
![Page 3: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/3.jpg)
Complete solution? Why?
Is LDAP not enough?
![Page 4: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/4.jpg)
Yes, theoretically ...
LDAP
Application
Application
Application
Application
Users
Good architecture: Don't repeat yourself (DRY)
![Page 5: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/5.jpg)
Practice: Application-Local DB
LDAP
Application
Application
Application
Application
Users
join?
uid: js123
cn: Jack Sparrow

uid: js123
loot: 20000

Name         | loot
-------------+-------
Jack Sparrow | 20000
![Page 6: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/6.jpg)
Practice: Data Sources
LDAP
Application
Application
Application
Application
Users
HR
CRM
Custom scripts?
Data conflicts?
Reliability?
Maintenance?
![Page 7: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/7.jpg)
Practice: Legacy
LDAP
Application
Application
Application
Application
Users
uid: js123
uid: jack3
uid: jsparrow
uid: x665342
uid: jsp007
![Page 8: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/8.jpg)
Practice: Authentication
LDAP
Application
Application
Application
Application
Users
Password
SAML+X.509
2-factor
OAuth
SASL will get you only so far ...
![Page 9: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/9.jpg)
But … these are application problems!
Let's fix the applications and standardize. We'll be fine.
![Page 10: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/10.jpg)
Standardization? Really?

dn: cn=foo,ou=groups,o=example
objectclass: groupOfNames
member: uid=bar1,ou=people,o=example
member: uid=bar2,ou=people,o=example

dn: cn=foo,ou=groups,o=example
objectclass: groupOfUniqueNames
uniqueMember: uid=bar1,ou=people,o=example
uniqueMember: uid=bar2,ou=people,o=example

RFC2256 (1997)
mandatory (!!!)
(Examples are simplified)
![Page 11: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/11.jpg)
Standardization? Really?

dn: cn=foo,ou=groups,o=example
objectclass: groupOfNames
member: uid=bar1,ou=people,o=example
member: uid=bar2,ou=people,o=example

dn: cn=foo,ou=groups,o=example
objectclass: groupOfUniqueNames
uniqueMember: uid=bar1,ou=people,o=example
uniqueMember: uid=bar2,ou=people,o=example

RFC2256 (1997)

dn: cn=foo,ou=groups,o=example
objectclass: posixGroup
memberUid: bar1
memberUid: bar2

RFC2307 (1998)
(Examples are simplified)
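The three group schemas above carry membership in three different attributes, two DN-valued and one uid-valued, which is exactly what a provisioning component has to paper over. The following normaliser is an added example, not code from the slides or from any of the products named on them; the LDIF sample is constructed, and the parser is deliberately minimal (no line folding, no base64 values), so it also shows the DN case and whitespace problem from the "more problems" slide being handled:

```python
# Constructed sample (not from the slides): one group in each of the three schemas.
SAMPLE_LDIF = """\
dn: cn=foo,ou=groups,o=example
objectclass: groupOfNames
member: uid=bar1,ou=people,o=example
member: UID=Bar2, OU=People, O=Example

dn: cn=foo2,ou=groups,o=example
objectclass: groupOfUniqueNames
uniqueMember: uid=bar1,ou=people,o=example
uniqueMember: uid=bar3,ou=people,o=example

dn: cn=foo3,ou=groups,o=example
objectclass: posixGroup
memberUid: bar1
memberUid: bar2
"""

# Membership attribute per group object class (RFC 2256 / RFC 2307), lower-cased.
MEMBER_ATTRS = {"groupofnames": "member", "groupofuniquenames": "uniquemember",
                "posixgroup": "memberuid"}

def parse_ldif(text):
    """Minimal LDIF reader (no folding/base64); attribute names are lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if line.strip():
            name, _, value = line.partition(":")
            cur.setdefault(name.strip().lower(), []).append(value.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def uid_from_dn(dn):
    """uid from the leading RDN, ignoring case and whitespace ('DN case sensitivity')."""
    key, _, val = dn.split(",", 1)[0].partition("=")
    if key.strip().lower() != "uid":
        raise ValueError("expected a uid RDN: %r" % dn)
    return val.strip().lower()

def members_of(entry):
    """Member uids of one group entry, whichever of the three schemas it uses."""
    classes = [oc.lower() for oc in entry.get("objectclass", [])]
    attr = next((MEMBER_ATTRS[oc] for oc in classes if oc in MEMBER_ATTRS), None)
    if attr is None:
        raise ValueError("not a known group object class: %s" % classes)
    if attr == "memberuid":                     # posixGroup: bare uid values
        return {v.lower() for v in entry.get(attr, [])}
    return {uid_from_dn(dn) for dn in entry.get(attr, [])}   # DN-valued members
```

Running `members_of` over `parse_ldif(SAMPLE_LDIF)` yields the same kind of uid set for all three groups, which is the comparison a synchronization engine needs before it can tell a real membership difference from a schema difference.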
![Page 12: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/12.jpg)
Practice: more problems
● Password reset
● Adaptive authentication
● SSO
● Session management
● ACLs
● Account activation
(enabled/disabled status)
● “memberOf”
● Roles / RBAC
● Password policies
● Access policies (autz)
● Paging (SPR vs VLV)
● Audit
● Reporting
● Data consistency
● Management tools
● User experience
● Schema consistency issues
● Standard violations
● Common sense violations
● Too many data types
● … most of them unsupported
● DN case sensitivity
● Synchronization
![Page 13: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/13.jpg)
Practice: really messy
LDAP 1
Application
Application
Application
Application
Users
copy
LDAP 2
Manual sync
HR
CRM
export
transform script
ESB
SSO
LDAP 3
*)
*) nobody really knows how this part works because the guy that did it left 3 years ago
script
Pull on demand
Home-brew LDAP editor
![Page 14: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/14.jpg)
LDAP-only solutions work only in simple cases.
![Page 15: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/15.jpg)
IAM needs more components
Identity Repository
HR
Application
Application
Application
Application
AM
Identity Provisioning
Users
CRM
System Admin
Requester / Approver
Application
![Page 16: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/16.jpg)
Basic IAM Components
● Access Management
• Authentication, single sign-on
• Basic authorization
● Identity Repository
• Storage of identity data
● Identity Provisioning
• Management (data, policies, workflows)
• Synchronization
Access Management
Identity Repository
Identity Provisioning
End Users
Admins
![Page 17: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/17.jpg)
Interoperability
● The components should work together as one system
● Easy product integration
● Smooth user experience
• The user should not see component boundaries
![Page 18: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/18.jpg)
Technology stacks
“Stack” is the obvious answer to interoperability problem.
… or … is it?
Access Management
Identity Provisioning
Identity Repository
![Page 19: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/19.jpg)
What's wrong with stacks?
● Usually single-vendor stacks
● Still quite heterogeneous due to acquisitions
● Vendor lock-in
• You can check out any time you like, but you can never leave
● Limited integration options
• Just one option for each component
• Proprietary interfaces
![Page 20: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/20.jpg)
Is there any better way?
The Ecosystem
![Page 21: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/21.jpg)
Open Source Identity Ecosystem
midPoint (Identity Provisioning)
OpenLDAP (Directory Server)
Fortress (IAM SDK)
OSIAM (Access Management)
(Identity Repository)
CAS (Single Sign-On)
(GRC) (Access Management)
Syncope (Identity Provisioning)
Shibboleth (Federation)
ConnId (Identity Connectors)
389 Directory Server (Identity Repository)
![Page 22: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/22.jpg)
Open Source Identity Ecosystem
● Pure open source model
• Any engineer can have complete understanding of the technology
• Technological excellence and efficiency
● Standardized or open source interfaces
• Unlimited integration options
• Replaceable components → no vendor lock-in
● Cooperation instead of domination
• Trade influence for control to get substantial benefits
![Page 23: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/23.jpg)
Ecosystem Deployment Examples
OpenLDAP (Directory Server)
midPoint (Identity Provisioning)
CAS (Single Sign-On)
389ds (Directory Server)
Apache Syncope (Identity Provisioning)
Shibboleth (Federation)
OpenLDAP (Directory Server)
Fortress (IAM SDK)
Custom application
![Page 24: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/24.jpg)
Ecosystem Deployment Examples
midPoint (Identity Provisioning)
ConnId (Identity Connector Framework)
ConnId Unix Connector
Custom SAP Connector
Apache Syncope (Identity Provisioning)
ConnId (Identity Connector Framework)
midPoint LDAP Connector
ConnId Unix Connector
Custom SAP Connector
OpenLDAP (Directory Server)
midPoint LDAP Connector
389ds (Directory Server)
![Page 25: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/25.jpg)
We know that it works, because ...
● we have tested the technology
• test suites, pilots, real projects
● we share the same goal
● there are business agreements in place
![Page 26: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/26.jpg)
Join the Ecosystem now!
![Page 27: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/27.jpg)
Questions and Answers
![Page 28: Complete open source IAM solution](https://reader031.fdocuments.us/reader031/viewer/2022021922/5880ad011a28abf32c8b5973/html5/thumbnails/28.jpg)
Radovan Semančík
www.evolveum.com
Thank You