Open source identity management 20121106 - apache con eu
  • I am 35, Italian, married, one child (3 years old) and another on the way. I have a tricky surname. My nickname at ASF is ilgrosso, meaning "the big one" because, yeah, I haven't worn a size S since I was 10 ;-) At ASF: Member; PMC member at Apache Cocoon; PPMC member at Apache Syncope
  • Provisioning systems integrate many different identity stores and communicate with each application in one of two ways. Connectors are pieces of code running on the side of the provisioning system; they are non-intrusive and do not require any installation on the application side. Agents run on the application side; they are intrusive and require installation (and integration) on the application side, but are often more efficient.
  • A provisioning system makes an identity out of a sparse set of accounts, so what a provisioning system does is known as Identity Lifecycle Management. Provisioning systems accompany every relevant change in an identity's life (inner circle of the diagram) and provide specific features (outer circle).

Presentation Transcript

  • Open Source Identity Management Francesco Chicchiriccò <>
  • Agenda
    ● Identity and Access Management
    ● Vendor vs. Open Source solutions
    ● Apache Syncope
  • What's IdM about?
    ● Data records that contain a collection of data about a person
      – "Data record" → Account
      – "A person" → Identity
    ● The joint effort of business process and IT to manage user data on systems and applications.
  • IdM technologies
    ● Identity Stores – storage of user information
    ● Provisioning – synchronize account data across identity stores and a broad range of data formats, models, meanings and purposes
    ● Access Management – security mechanisms that take place when a user is accessing a specific system or functionality
  • Identity Stores
    ● Examples
      – LDAP / Active Directory
      – RDBMS
      – Meta and Virtual Directories
    ● Accounts can be created and managed in one place only
    ● Each application manages authentication separately
      – The user may use the same password for all the connected applications
  • Provisioning
    ● Keeping the identity stores as synchronized as possible (and practical)
    ● Needs to be customizable and flexible
    ● Priority: non-intrusive
    ● Focused on the application back-end
    ● Communication:
      – Connectors
      – Agents
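The provisioning slide and the speaker note about making "an identity out of a sparse set of accounts" describe the core job of a provisioning engine: correlate accounts from several stores under one identity, then work out which stores need a create, update or delete. The following is an added example written for this transcript, not code from the slides or from Apache Syncope; the HR, LDAP and database records, the store names and the use of employeeNumber as correlation key are all constructed for the illustration.

```python
"""Account correlation and reconciliation across identity stores.

Added example (not from the slides or from Apache Syncope): builds one identity
out of the accounts found in several stores and derives the changes needed to
keep those stores synchronized with the authoritative source. Every record
below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    employee_number: str
    accounts: dict = field(default_factory=dict)  # store name -> account record


# Constructed sample stores. HR is the authoritative source for corporate ids;
# LDAP and the application DB are target identity stores that must follow it.
HR = [
    {"employeeNumber": "1432", "firstname": "John", "surname": "Black", "active": True},
    {"employeeNumber": "1501", "firstname": "Anna", "surname": "Rossi", "active": True},
    {"employeeNumber": "1377", "firstname": "Mark", "surname": "Green", "active": False},
]
LDAP = [
    {"uid": "jblack", "employeeNumber": "1432", "givenName": "John", "sn": "Blak"},
    {"uid": "mgreen", "employeeNumber": "1377", "givenName": "Mark", "sn": "Green"},
    {"uid": "oldsvc", "employeeNumber": "9999", "givenName": "Legacy", "sn": "Service"},
]
DB = [
    {"accountId": "jblack", "employeeNumber": "1432", "firstname": "John", "surname": "Black"},
]

# How each target store spells the attributes the HR source owns.
MAPPING = {
    "ldap": {"firstname": "givenName", "surname": "sn"},
    "db": {"firstname": "firstname", "surname": "surname"},
}


def correlate(hr, stores):
    """Group the accounts of every store under the identity they belong to,
    using employeeNumber as the correlation key. Accounts whose key matches
    no HR record are returned separately as orphans."""
    identities = {r["employeeNumber"]: Identity(r["employeeNumber"]) for r in hr}
    orphans = []
    for store, accounts in stores.items():
        for acct in accounts:
            ident = identities.get(acct["employeeNumber"])
            if ident is None:
                orphans.append((store, acct))
            else:
                ident.accounts[store] = acct
    return identities, orphans


def reconcile(hr, stores):
    """Return the (action, store, employeeNumber) list a provisioning engine
    would apply so that every active person has a consistent account in every
    store, inactive people have none, and orphan accounts are removed."""
    identities, orphans = correlate(hr, stores)
    actions = []
    for rec in hr:
        ident = identities[rec["employeeNumber"]]
        for store, mapping in MAPPING.items():
            acct = ident.accounts.get(store)
            if not rec["active"]:
                # Leaver: any account still present is a deprovisioning gap.
                if acct is not None:
                    actions.append(("DELETE", store, rec["employeeNumber"]))
                continue
            if acct is None:
                actions.append(("CREATE", store, rec["employeeNumber"]))
                continue
            # Attribute drift: the store disagrees with the authoritative value.
            drift = {t: rec[s] for s, t in mapping.items() if acct.get(t) != rec[s]}
            if drift:
                actions.append(("UPDATE", store, rec["employeeNumber"]))
    for store, acct in orphans:
        # No identity claims this account: it should not exist.
        actions.append(("DELETE", store, acct["employeeNumber"]))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR, {"ldap": LDAP, "db": DB}):
        print(action)
```

Run as a script it prints the five actions for the sample data: an LDAP update for the misspelled surname, two creates for the new hire, a delete for the leaver's lingering LDAP account and a delete for the orphan service account. The orphan and leaver cases are the ones worth watching in a real deployment, since accounts that outlive their identity are exactly what the "Aren't Identity Stores enough?" slide calls hidden infrastructure cost.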
  • Identity Lifecycle
  • Access Management
    ● Mediator for all access to all applications
    ● Focused on the application front-end
    ● Aspects
      – Authentication
        ● Single Sign-On
      – Authorization
      – Federation (SAML, Liberty, ...)
    ● Mainly applicable to web applications
    ● Difficult integration with pre-existing apps
  • Aren't Identity Stores enough?
    ● Heterogeneity of systems
    ● Lack of a single source of information
      – HR for corporate id, groupware for mail address, ...
    ● Need for a local user database
    ● Inconsistent policies
    ● Lack of workflow management
    ● Hidden infrastructure management cost, growing with organization size
  • IdM in practice: before...
  • IdM in practice: ...after!
  • Vendor products
    ● Oracle – with the addition of the ex-Sun suite
    ● Novell
    ● IBM (Tivoli)
    ● Microsoft (Forefront)
    ● Niche players
      – Ping
      – NetIQ
      – SailPoint
      – Quest (now Dell)
  • Open Source non-ASF products (slide shows product logos in three columns: Identity Stores, Provisioning, Access Management)
  • Open Source ASF projects
    ● Identity Stores – Apache Directory
    ● Provisioning – Apache Syncope
    ● Access Management – Apache Shiro
  • Apache Syncope (incubating)
    ● Inception by Tirasa in 2010
    ● Entered the ASF Incubator in February 2012
    ● 6 ASF releases made
    ● Graduation as TLP currently under [VOTE]
    ● Rising in popularity
      – New PPMC members joined
      – ~80 mailing list subscribers, noticeable traffic
      – Our mentor Colm Ó hÉigeartaigh is these days introducing Syncope at JAXCON 2012
  • Syncope: features
    ● Workflow-based provisioning engine
    ● Account / password policies
    ● Agentless connection with identity stores
    ● Auditing & reporting
    ● Shining admin console
    ● Customizable and extensible by design
  • Syncope: building blocks
  • Syncope: architecture (diagram; components shown: third-party applications and the administration console calling RESTful controllers, which sit over Users, Roles, Policies, Workflow Engine, Scheduler, Business Intelligence and Connectors, all on top of Persistence (JPA))
  • Syncope: attribute mapping (diagram; the example user jblack as mapped to an LDAP entry and a database row)
    ● User attributes: Username: jblack – Nickname: jontheblack – Firstname: John – Surname: Black – Email: – Password: ********** – Badge: 1432
    ● User derived attributes: Fullname: John Black
    ● User virtual attributes: HomeDirectory: /home/jblack (stored only on external resource)
    ● LDAP: uid: jblack – givenName: John – sn: jblack – mail: – userpassword: ********** – employeeNumber: 1432 – cn: John Black – homeDirectory: /home/jblack
    ● Database: accountId: jblack – surname: jblack – firstname: John – password: ********* – employeeNumber: 1432 – fullname: Jock Black
  • Syncope: connectors (diagram titled "Using Connectors": Provisioning Engine → API → Common Code (Objects & Utils) → SPI → connector bundles)
    ● Based on ConnId, hosted at Google Code, new home of Sun's Identity Connectors
      – Ready-to-use bundles:
        ● LDAP
        ● Active Directory
        ● DB Table
        ● CSV Directory
        ● SOAP
        ● Google Apps
        ● UNIX
      – Write your own bundle
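The attribute mapping slide distinguishes three kinds of user attribute: plain ones held in the internal store, derived ones computed from other attributes, and virtual ones that exist only on the external resource. The block below is an added example written for this transcript, not code from the slides or from Apache Syncope's own mapping implementation; the template syntax, the two resource mappings and the sample user (modelled on the slide's jblack, with a constructed e-mail address and a placeholder password) are assumptions made for the illustration.

```python
"""Attribute mapping from an internal user to external resources.

Added example, not code from the slides or from Apache Syncope: it acts out the
three attribute kinds on the mapping slide. Plain attributes are stored
internally and copied out; derived attributes are computed from other
attributes; virtual attributes are never persisted internally and exist only on
the external resource. Template syntax, resource mappings and the sample user
are constructed for this illustration.
"""
import string

# Constructed sample user, modelled on the jblack example in the slides.
USER = {
    "username": "jblack",
    "nickname": "jontheblack",
    "firstname": "John",
    "surname": "Black",
    "email": "jblack@example.org",  # constructed value
    "password": "********",         # placeholder; a real engine would not hold it in clear
    "badge": "1432",
}

# Derived attributes: computed from plain attributes whenever they are read.
DERIVED = {"fullname": "$firstname $surname"}

# Virtual attributes: computed at propagation time, never persisted internally
# (the slide's "stored only on external resource").
VIRTUAL = {"homeDirectory": "/home/$username"}

# One mapping per external resource: external attribute -> internal attribute.
RESOURCES = {
    "ldap": {
        "uid": "username", "givenName": "firstname", "sn": "surname",
        "mail": "email", "userPassword": "password", "employeeNumber": "badge",
        "cn": "fullname", "homeDirectory": "homeDirectory",
    },
    "db": {
        "accountId": "username", "firstname": "firstname", "surname": "surname",
        "password": "password", "employeeNumber": "badge", "fullname": "fullname",
    },
}


def resolve(user):
    """Plain, derived and virtual attributes as one read-only view.
    Derived and virtual templates may only reference plain attributes."""
    view = dict(user)
    for name, template in {**DERIVED, **VIRTUAL}.items():
        view[name] = string.Template(template).substitute(user)
    return view


def propagate(user, mapping):
    """Build the record sent to an external resource. Every external attribute
    must resolve to an internal one; an unmapped reference is a configuration
    error, so it fails before anything is pushed to the resource."""
    view = resolve(user)
    missing = [ext for ext, internal in mapping.items() if internal not in view]
    if missing:
        raise KeyError(f"mapping refers to unknown internal attributes: {missing}")
    return {ext: view[internal] for ext, internal in mapping.items()}


def unmapped(user, mapping):
    """Internal attributes that never leave the system for this resource."""
    return set(resolve(user)) - set(mapping.values())


if __name__ == "__main__":
    for name, mapping in RESOURCES.items():
        print(name, propagate(USER, mapping))
        print(name, "keeps private:", sorted(unmapped(USER, mapping)))
```

Two points the script makes visible: homeDirectory is never a key of the internal USER record and reaches only the LDAP mapping that asks for it, and a mapping that names an attribute the user does not have is rejected up front rather than silently producing a half-filled entry on the resource.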
  • Syncope and the external world
  • Syncope: JEE deployment
  • Syncope: internal storage
  • Syncope: roadmap
    ● Role provisioning
    ● SOAP / SCIM interface via CXF
    ● Access Management features via Shiro
    ● Concurrent / asynchronous communication with external resources
    ● OpenICF support
  • Syncope: (some) success stories
    ● iWelcome
    ● SURFnet
    ● Ospedali Riuniti di Ancona
    ● ARAG
  • Syncope: trying it out
    ● Online
    ● Virtual Machine image
    ● Quickstart projects on GitHub
    ● New project from Maven archetype
    ● Standalone distribution (soon available)
  • Questions?

All text and image content in this document is licensed under the Creative Commons Attribution-Share Alike 3.0 License (unless otherwise specified). Apache, Syncope, Apache Syncope, the Apache feather logo, the Apache Syncope project logo and the Apache Syncope logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.