Download as PDF, PPTX
![(Much) More Information
● midPoint Wiki
• https://wiki.evolveum.com/display/midPoint/Home
● Architecture and Design (in Wiki)
• Wiki pages under [Architecture and Design] page
• “Live” architecture documentation
• Includes UML diagrams
• We try to keep it (reasonably) up to date
● midPoint Mailing List](https://image.slidesharecdn.com/openalt-semancik-open-source-idm-151108195559-lva1-app6892/75/Open-Source-Identity-Management-48-2048.jpg)
Uploaded byRadovan Semancik
Open Source Identity Management
The document discusses the complexities and challenges of identity management (IDM) particularly in the context of growing organizations, using a fictional company as an example. It highlights the importance of transitioning from simple solutions to comprehensive IDM systems, emphasizing the necessity for effective management of identities and access controls. It also compares commercial IDM solutions with open-source alternatives, particularly focusing on Evolveum's Midpoint project and its features.
More Related Content
Similar to Open Source Identity Management
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
Open Source Identity Management
- 1. Open Source Identity Management OpenAlt2015 Radovan Semančík November 2015
- 2. Ing. Radovan Semančík,PhD. Software architect Co-owner of Evolveum (open source company) Architect of midPoint project Apache committer (Directory API)
- 3. What is thisIdentity Management?
- 4. Let's start witha story ... ● Pirate Brethren, Inc. ● Fictional company ● Starts small ● Lean, efficient ● Grows quickly ● Focus on profit
- 5. Simple and easystart Keeping access rights matrix in spreadsheet Some manual work but still quite OK
- 6. It gets quitecomplex very soon ...
- 7. Login Nightmares Shippin' DeLuxev99.02 Login: mjones Password: NaviGATE+ Username: p0054358 Password: Forgot password? CrashSoft Woknous Login: jones3 Password: Realm: PIRACY Login: marry Password:
- 8. # LDAPv3 # base<dc=example,dc=com> with scope subtree # filter: (entryUUID=48b2295e-c131-4300-835a-fa85c863233e) # requesting: ALL # # jack, people, example.com dn: uid=jack,ou=people,dc=example,dc=com mail: jack2@blackpearl.com givenName: Jack objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: top uid: jack cn: cpt. Jack Sparrow sn: Sparrow no feedback manual synchronization (unreliable, slow, costly) untracked changes Policy Reality
- 9. # LDAPv3 # base<dc=example,dc=com> with scope subtree # filter: (entryUUID=48b2295e-c131-4300-835a-fa85c863233e) # requesting: ALL # # jack, people, example.com dn: uid=jack,ou=people,dc=example,dc=com mail: jack2@blackpearl.com givenName: Jack objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: top uid: jack cn: cpt. Jack Sparrow sn: Sparrow AUDIT $ $ $ $ VERY COSTLY … and it has to be repeated ...
- 10. Call Center GoesCrazy Password reset Password reset Password resetPassword reset Password reset Password reset Password reset Access request Access request
- 11. Let's do thisIAM* thing. Everybody is doing that. *) Identity and Access Management
- 12.
- 13. High Level Architect'sView Application Application Application Application S S O Users Application LDAP Implementation Details HR Implementation Details Implementation Details Implementation Details
- 14. Reality Application Application Application Application S S O Users Application LDAP HR Unsupported No standard (ugly scriptneeded) Unsupported !Custom schema Incompatible schema Relational database Extremely expensive !Expensive Home directory Local copy Incompatible identifiers
- 15. “Single directory” approach isnot going to work … and this has been known since 2006 (at least)
- 16. What are wegoing to do now?
- 17. DO NOT PANIC! SSOis what you think you want IDM is what you really need
- 18. What is this IdentityManagement (IDM) thing, again?
- 19. Identity and AccessManagement Identity Repository HR Application Application Application Application A M Identity Management Users CRM System Admin Requester Approver Application
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29. What Identity Managementdoes? ● Provisioning ● Synchronization ● Self-service ● Password management ● Credentials distribution (SSH, X.509) ● RBAC ● Organizational structure ● Entitlement management ● Identifier management ● Data mapping ● Segregation of duties ● Workflow ● Notifications ● Auditing ● Reporting ● Governance ● ...
- 30. Who needs IdentityManagement? ● < 100 identities: you are fine with manual work ● 100 – 1K identities: you might need it ● 1K - 10K identities: you need it ● > 10K identities: you desperately need it! IDM Rule of the Thumb:
- 31. This IDM lookslike the best thing since the sliced bread. What's the catch?
- 32. This IDM lookslike the best thing since the sliced bread. What's the catch? The commercial IDM products are expensive.
- 33. This IDM lookslike the best thing since the sliced bread. What's the catch? The commercial IDM products are expensive. Very, very expensive.
- 34. Open Source tothe Rescue There was no practical FOSS solution until 2010 (Sun Identity Manager was the king) 2010-2011: Syncope, OpenIDM, midPoint, ... (that was the time when Oracle acquired Sun) Now there are two leading open source* IDMs: ● Apache Syncope ● Evolveum midPoint *) by “open source” I mean both license and practice
- 35.
- 36.
- 37. The midPoint Story ●Started 2010-2011 (5 years, 14 releases) ● Github, Apache 2.0 License ● ~500K lines of code (Java) ● State-of-the-art IDM features Provisioning Synchronization RBAC Governance Consistency Workflow Audit Authorization Management Self-service Delegated administration Data mapping REST Policy Entitlements Segregation of duties HA Identifiers Notifications Connectors Localization Parametric roles Password reset Organizational structure Web UI Expressions SchemaConditions Extensibility Scripting Bulk actions
- 38.
- 39.
- 40.
- 41. Identity and AccessManagement Identity Repository HR Application Application Application Application A M Identity Management Users CRM System Admin Requester Approver Application
- 42. IAM Letter Soup Identity Repository HR Application Application Application Application A M Provisioning System Users CRM System Admin Requester Approver Application IDMAM LDAP AD Provisioning RBAC Administration Sync Workflow Connector LDAP SSO Federation SAML OAuth Authentication Two-factor OpenID Connect UMA Integration Policy
- 43. Access Management ● Authentication ● SingleSign-On (SSO) ● Quite expensive ● Provisioning ● RBAC ● Synchronization ● Password management ● Self-service ● … and much more ● Cost reduction Identity Management What people want What people need
- 44. Access Management ● Authentication ● SingleSign-On (SSO) ● Quite expensive ● Provisioning ● RBAC ● Synchronization ● Password management ● Self-service ● … and much more ● Cost reduction Identity Management What people want What people need START HERE
- 45. Questions and Answers Provisioning Synchronization RBAC Governance ConsistencyWorkflow Audit Authorization Management Self-service Delegated administration Data mapping REST Policy Entitlements Segregation of duties HA Identifiers Notifications Connectors Localization Parametric roles Password reset Organizational structure Web UI Expressions SchemaConditions Extensibility Scripting Bulk actions
- 46.
- 47.
- 48. (Much) More Information ●midPoint Wiki • https://wiki.evolveum.com/display/midPoint/Home ● Architecture and Design (in Wiki) • Wiki pages under [Architecture and Design] page • “Live” architecture documentation • Includes UML diagrams • We try to keep it (reasonably) up to date ● midPoint Mailing List
- 49. Example midPoint DeploymentArchitecture midPoint midPoint Identity Repository (Relational DB) Custom HR System CSV File Scheduled Exports FlatFile Connector Active Directory ADSI AD Connector (remote) SQL DB Table Connector Oracle Database Database Applications Microsoft Applications Administrator User Self-Service (Web GUI) Identity Management Policies (rules, processes) Web GUI IDM Logic
- 50. Identity Connectors ● CommonIdentity Connector Framework • Sun Identity Connector Framework → ConnId ● Compatible connectors • AD, DB Table, DB2, MySQL, Oracle, RACF, Solaris, SPML, VMS, FlatFile, XML, Solaris, SAP, ... • LDAP: OpenLDAP, 389ds, OpenDJ, eDirectory, Active Directory • CSV file, Office365, SAS, GitLab, Lotus, LifeRay
- 51. Live Demo http://demo.evolveum.com/ Documentation: searchfor “Live demo” in wiki.evolveum.com