Integrating Apache Camel with Apache Syncope

Dr. Colm Ó hÉigeartaigh, Talend.

Speaker Introduction

Introducing Apache Syncope

● Apache Syncope is an Open Source system for managing digital identities in enterprise environments.

● Top Level Project @ Apache since 11/2012.

● Currently 20 committers and 11 PMC members.

● Latest release: 2.0.1 “Jazz”.

Apache Syncope basics

Architecture

Deployment Options

Persistence

Connectors

● Maven archetype

● Standalone● .deb files ● UI installer

Installation Options

● Apache Syncope features a rich REST API based on Apache CXF, e.g– List users (JSON):

/syncope/rest/users– Get authenticated user:

/syncope/rest/users/self– List groups (JSON):

/syncope/rest/groups

REST API

● The REST API supports search via FIQL, e.g.– Get the user called “verdi”:

syncope/rest/users?fiql=username==verdi

– See which users were created since January 01 2016: syncope/rest/users?fiql=creationDate=ge=2016-01-01

REST API search

● A powerful Java client library is also available.

Java Client Library

● Apache Syncope leverages Apache CXF to generate both WADL and SWAGGER documents

● WADL is accessible via the URI "/syncope/rest/?_wadl".

● Swagger documentation is also available via Swagger UI: “/syncope/swagger/”

REST API documentation

● Multi-tenancy support via “Domains”.

● New Console Layout● Support for “Internet of Things”● Support for “Realms”.● End-user UI.● Improved documentation.● Apache Camel provisioning engine

New Features in Syncope 2.0.0

The new Apache Camel Provisioning Engine

● What if you want to perform some action when something changes in Apache Syncope?

● One option is to poll the REST API of Apache Syncope.

● Let’s look at an example using the Java DSL of Apache Camel to get the “total count” of users in Syncope.

Polling the REST API

Polling the REST API

● However, there are obvious disadvantages to this approach.– Excessive resource consumption

– Impossible to perform an action immediately on a change in Syncope

– Impossible to make a provisioning change in Syncope dependent on the action that you are performing.

● We need a better approach!

Polling the REST API

● A new provisioning manager is available in Apache Syncope 2.0.0 based on Apache Camel.

● Contributed by Giacomo Lamonaco from Tirasa.

● USP of Apache Syncope: We can easily integrate routing rules to any kind of endpoint with identity management!

Camel Provisioning Manager

● Natural fit: Open-source integration framework at Apache

● XML (Spring) DSL available● Flexible and easy to use

routing/mediation rules● Supports a huge range of messaging

components● Easy to create custom Camel

components.

Why Apache Camel?

● A set of Camel routes are available by default which are invoked when the User, Groups and Any Objects in question are changed in some way.

● This allows the administrator to plug in custom logic on any of these state changes.

● The routes can be viewed and edited in the Admin Console.

Camel Provisioning Manager

Create User Route

Camel Provisioning Manager

● A new "propagate" Camel component is available in Syncope 2.0.0.

● Example: <to uri="propagate:<propagateType>?anyTypeKind=<anyTypeKind>&options"/>

● PropagateType: create, update, delete, provision, deprovision, status, suspend, confirmPasswordReset.

● AnyTypeKind: USER, GROUP, ANY.

Examples

Example 1

● Use Case: Send an email to an administrator when a User is created, with some details about the created User in the email.

● We’ll use mailtrap.io as a test email server.

● Extra Jars needed in Syncope: javax.mail, camel-mail

New “createUser” route

Example 2

● Use Case: Audit when a user changes a password.

● Apache Syncope stores users in internal storage in a table called "SyncopeUser".

● Previous passwords associated with the User are stored in another table (note no Timestamp):

Example 2

● The administrator wants a stronger audit trail…

● We’ll edit the Camel route to store the password + Timestamp to a file associated with that user.

● For simplicity we won’t salt + hash the password :-)

● No additional jars required

New “updateUser” route

Example 3

● Use Case: Gather information about new users and process it dynamically

● Example: Age + location of new users.● Decouple applications from Syncope by

using a message solution (Apache ActiveMQ).

● When new users are created, we will modify the default Camel route to send a message to two queues corresponding to the age and location of the user.

Example 3

● We need to copy some jars from Apache ActiveMQ into Syncope.

● Also, add the following to the Tomcat lib directory (called "camelRoutesContext.xml"):

New “createUser” route

Thank you!

Questions?