Managing OpenAFS users with OpenIDM
Published in: Technology

1 Comment
0 Likes
Statistics
Notes
  • Be the first to like this

No Downloads
Views
Total Views
1,099
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
40
Comments
1
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Identity Management, October 2011
  • 2. Agenda
      • Problem
      • Identity Management
      • OpenIDM
      • AFS Integration
  • 3. Identities
    Many accounts and identities:
      afs: manfred.admin@zeropiu.com
      Krb5: manfred/admin@zeropiu.com
      Krb5: manfred@freemail.ch
      AD: fabriziom
      Unix: manfred
      …
  • 4. System Identities (diagram only)
  • 5. Identities
      • User: remember password and account
      • System administration: account distribution, permission, audit
  • 6. Identity Management
    Wikipedia: "Identity management (or ID management, or simply IdM) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an organization) and controlling access to the resources in that system by placing restrictions on the established identities of the individuals…"
  • 7. IDM
    IdM covers many areas:
      • Identity management system (identification, permission, ...)
      • Legal: deals with legislation on data protection
      • Police: deals with identity theft
      • Social and humanity: deals with issues such as privacy
      • Security: manages elements such as access control
      • Organizations: hierarchies and divisions of access
  • 8. IDM
    IdM is not a software product, it is a project.
  • 9. Overview (diagram only)
  • 10. OpenIDM
    OpenIDM is an identity management solution based on open standards.
    "In addition to being open source, OpenIDM offers high flexibility in business process handling and compliance. A flexible user interface combined with a robust workflow engine make OpenIDM ready for any identity management project…"
  • 11. Architecture (diagram only)
  • 12. Architecture: Core Services
    Object Model
      Artifacts handled by OpenIDM are Java object representations of the JavaScript object model as defined by JSON.
    Managed Objects
      A managed object is an object that represents the identity-related data managed by OpenIDM.
    System Objects
      System objects are a pluggable representation of objects on external systems. There is a default implementation for the OpenICF framework which allows any connector object to be represented as a system object.
    Mappings
      The mappings define the policies between source and target objects and their attributes during synchronization and reconciliation. Mappings may also define triggers for validation, customization, filtering, and transformation of the source and target objects.
    Synchronization and Reconciliation
      Reconciliation provides for on-demand or scheduled comparison of resources between the OpenIDM managed object repository and source or target systems.
  • 13. Architecture: Infrastructure Modules
    Scheduler
      The scheduler is a cron-like scheduling component used to schedule regular synchronizations and reconciliations.
    Script Engine
      The script engine is a pluggable module that provides the triggers and plugin points for OpenIDM.
    Audit Logging
      Auditing logs all relevant system activity to the configured log stores. This includes the data from reconciliation as a basis for reporting, as well as detailed activity logs to capture operations on the internal (managed) and external (system) objects.
    Repository
      The repository provides a common abstraction for a pluggable persistence layer. Plugged-in repositories could be NoSQL, relational databases, LDAP, or even flat files. The repository API operates with a JSON-based object model with RESTful principles consistent with the other OpenIDM services.
  • 14. Architecture (diagram only)
  • 15. OpenIDM
    (diagram: trigger and scheduler drive the mapper, which maps a system source object to a system target object; state is kept in the internal db)
  • 16. OpenIDM: Mapper Object and REST
    Mapper object:
      {
        "name": string,
        "source": string,
        "target": string,
        "validSource": script object,
        "validTarget": script object,
        "correlationQuery": script object,
        "properties": [ property object, … ],
        "policies": [ policy object, … ],
        "onCreate": script object,
        "onUpdate": script object
      }
    REST:
      POST /openidm/system/xml/account/jsmith?action=sync
  • 17. OpenIDM: two mappings (AD accounts to managed users, managed users to PTS accounts)
      {
        "name" : "systemADAccounts_managedUser",
        "source" : "system/ad/account",
        "target" : "managed/user",
        "properties" : [
          { "source" : "sAMAccountName", "target" : "name" },
          { "source" : "sn", "target" : "lastname" },
          { "source" : "givenName", "target" : "firstname" }
        ]
      },
      {
        "name" : "managedUser_systemPtsAccounts",
        "source" : "managed/user",
        "target" : "system/pts/account",
        "properties" : [
          { "source" : "name", "target" : "name" },
          { "source" : "_id", "target" : "aid" }
        ],
        "policies" : [
          { "situation" : "CONFIRMED", "action" : "UPDATE" },
          { "situation" : "FOUND", "action" : "UPDATE" },
          { "situation" : "ABSENT", "action" : "CREATE" },
          { "situation" : "AMBIGUOUS", "action" : "EXCEPTION" },
          { "situation" : "MISSING", "action" : "UNLINK" },
          { "situation" : "UNQUALIFIED", "action" : "DELETE" },
          { "situation" : "UNASSIGNED", "action" : "DELETE" }
        ]
      }
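As an added example (not code from the slides or from OpenIDM itself), the following Python models how a mapping like managedUser_systemPtsAccounts turns each managed user into a reconciliation situation and then into the action its policies configure. The situation names are OpenIDM's reconciliation vocabulary; the decision rules, the stand-ins for the validSource and correlationQuery scripts, and the sample managed users, PTS entries and link table are assumptions constructed for this example.

```python
"""Simplified model of situation -> action evaluation for an OpenIDM-style
sync mapping. Illustrative only; not OpenIDM's implementation."""
from typing import Callable, Dict, List, Optional, Tuple

# Mapping as shown on the slide: managed/user -> system/pts/account.
MAPPING = {
    "name": "managedUser_systemPtsAccounts",
    "source": "managed/user",
    "target": "system/pts/account",
    "properties": [
        {"source": "name", "target": "name"},
        {"source": "_id", "target": "aid"},
    ],
    "policies": [
        {"situation": "CONFIRMED", "action": "UPDATE"},
        {"situation": "FOUND", "action": "UPDATE"},
        {"situation": "ABSENT", "action": "CREATE"},
        {"situation": "AMBIGUOUS", "action": "EXCEPTION"},
        {"situation": "MISSING", "action": "UNLINK"},
        {"situation": "UNQUALIFIED", "action": "DELETE"},
        {"situation": "UNASSIGNED", "action": "DELETE"},
    ],
}

# Constructed sample data (not from the page): managed users, a snapshot of the
# PTS database keyed by aid, and the link table the engine keeps between them.
SOURCES = [
    {"_id": "u1", "name": "joe", "enabled": True},
    {"_id": "u2", "name": "ann", "enabled": True},
    {"_id": "u3", "name": "bob", "enabled": False},
    {"_id": "u4", "name": "eve", "enabled": True},
    {"_id": "u5", "name": "dup", "enabled": True},
]
TARGETS = {
    "1001": {"aid": "1001", "name": "joe"},
    "1002": {"aid": "1002", "name": "ann"},
    "1003": {"aid": "1003", "name": "dup"},
    "1004": {"aid": "1004", "name": "dup"},
    "1005": {"aid": "1005", "name": "orphan"},
}
LINKS = {"u1": "1001", "u4": "9999"}  # u4 is linked to a PTS entry that is gone


def valid_source(src: dict) -> bool:
    """Stand-in for the mapping's validSource script: only enabled users qualify."""
    return bool(src.get("enabled"))


def correlate_by_name(src: dict, targets: Dict[str, dict]) -> List[str]:
    """Stand-in for correlationQuery: target ids whose name equals the source name."""
    return [tid for tid, tgt in targets.items() if tgt.get("name") == src.get("name")]


def classify_source(src: dict, links: Dict[str, str], targets: Dict[str, dict],
                    valid: Callable[[dict], bool],
                    correlate: Callable[[dict, Dict[str, dict]], List[str]]
                    ) -> Tuple[str, Optional[str]]:
    """Situation for one source object plus the target id it links/correlates to.
    The rules are a simplification of OpenIDM's (assumption)."""
    if not valid(src):
        return "UNQUALIFIED", None           # exists, but fails validSource
    linked = links.get(src["_id"])
    if linked is not None:                   # a link exists: is the target still there?
        return ("CONFIRMED", linked) if linked in targets else ("MISSING", linked)
    matches = correlate(src, targets)        # no link: try to correlate
    if len(matches) == 1:
        return "FOUND", matches[0]
    if not matches:
        return "ABSENT", None
    return "AMBIGUOUS", None


def action_for(mapping: dict, situation: str) -> str:
    """Look the situation up in the mapping's policy list."""
    for policy in mapping["policies"]:
        if policy["situation"] == situation:
            return policy["action"]
    return "IGNORE"  # assumption: a situation without a policy is left alone


def project(mapping: dict, src: dict) -> dict:
    """Apply the property mappings to build the target attribute set."""
    return {p["target"]: src[p["source"]] for p in mapping["properties"] if p["source"] in src}


def reconcile(mapping, sources, links, targets, valid, correlate):
    """Plan one run: source phase, then the target phase for targets left
    without a link. Returns (object id, situation, action, payload) tuples."""
    links = dict(links)  # work on a copy; the caller's link table is not mutated
    plan = []
    for src in sources:
        situation, tid = classify_source(src, links, targets, valid, correlate)
        action = action_for(mapping, situation)
        if situation == "FOUND":
            links[src["_id"]] = tid          # FOUND + UPDATE establishes the link
        elif action == "UNLINK":
            links.pop(src["_id"], None)
        payload = project(mapping, src) if action in ("CREATE", "UPDATE") else None
        plan.append((src["_id"], situation, action, payload))
    for tid in targets:                      # target phase: anything still unlinked
        if tid not in links.values():
            plan.append((tid, "UNASSIGNED", action_for(mapping, "UNASSIGNED"), None))
    return plan


if __name__ == "__main__":
    for entry in reconcile(MAPPING, SOURCES, LINKS, TARGETS, valid_source, correlate_by_name):
        print(entry)
```

Reading the plan this produces is the check worth doing before a mapping with these policies is put on the scheduler: UNASSIGNED maps to DELETE, so every PTS entry that no managed user links to (including the hand-created "orphan" above) is scheduled for removal, while AMBIGUOUS maps to EXCEPTION, so two PTS entries with the same name stop the run for that user instead of being guessed at.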
  • 18. OpenIDM: connector schema (excerpt)
      {
        "account" : {
          "$schema" : "http://json-schema.org/draft-03/schema",
          "id" : "__ACCOUNT__",
          "type" : "object",
          "nativeType" : "__ACCOUNT__",
          "properties" : {
            "name" : {
              "type" : "string",
              "nativeName" : "__NAME__",
              "nativeType" : "JAVA_TYPE_PRIMITIVE_LONG",
              "flags" : [ "NOT_CREATABLE", "NOT_UPDATEABLE", "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ]
            },
            ...
  • 19. Integration
    PTS integration
    Operation:
      • User operation
      • Group operation
    Connection:
      • OpenICF custom connector
      • Command line
      • Sync/reconciliation from file
  • 20. Integration 1
    (diagram: APPS, OpenAM, AD, LDAP and PTS connected to OpenIDM over internal/application protocols and the REST interface; internal db)
    REST interface:
      $ curl -X PUT -d '{"name":"joe","firstname":"joe","lastname":"smith","email":"joe@abc.com"}' http://localhost:8080/openidm/managed/user/joe
  • 21. Integration 2
    (diagram: APPS, LDAP and PTS reached over internal/application protocols; OpenIDM REST interface; internal db; AD over internal/application protocol)
  • 22. Integration
    IDM is not IAM !!!
    IAM main components:
      • Authentication
      • Authorization
      • User Management
      • Central User Repository
  • 23. IDM
      • Know who everyone is in the organisation
      • Accurate and consistent people data in all systems
      • Single source of data input/storage
      • Lower maintenance costs in each application
      • Consistency of data across many applications
      • People only get access to those systems they need
      • Audit
  • 24. Conclusion
    Advantages:
      • Open
      • Flexible
      • Support/Community
    Disadvantages:
      • Still beta
      • Documentation
  • 25. Integration
    OpenIDM Summit, November 8th 2011, Darmstadt, Germany
  • 26. Zeropiu
      • www.zeropiu.com
      • manfred@zeropiu.com