Fortress Open Source IAM on LDAPv3
  • 1. Fortress Open Source IAM on LDAPv3. Shawn McKinney, November 18, 2013
  • 2. Agenda
      - Product Overview
      - Technical Introduction
      - RBAC SoD Demo
      - Commander
      - En Masse
      - Multitenancy
      - Next Steps
      - Wrap-up
  • 3. Product Overview (roadmap)
      1. Fortress Core, ANSI RBAC SDK (October 2011)
      2. Sentry, RBAC Policy Enforcer (October 2011)
      3. En Masse, RBAC Policy Server (October 2012)
      4. Commander, Web Administration (October 2013)
      5. Perimeter, Web Access Management (April 2014)
      6. Patroller, Audit Monitoring (October 2014)
  • 4. Fortress Introduction
      - ANSI INCITS 359-2004 compliant IAM system
      - Policy Decision Points: Java APIs (Fortress Core); REST services (En Masse)
      - Policy Administration Points: Java APIs (Fortress Core); REST services (En Masse); RBAC Web Management (Commander)
      - Privileged Identity Management
  • 5. Fortress Introduction (continued)
      - Policy Enforcement Points: Sentry for Java EE platform security; Sentry for other platforms (in development)
      - Audit Trail:
          Authentication: tracks who is accessing the system
          Authorization: tracks who did what, when and where
          Administration: tracks historical changes to the data
  • 6. Fortress System Architecture (diagram)
      - The Fortress Core APIs run inside the application's Java VM and speak LDAPv3 to the directory; either Apache DS or OpenLDAP works.
      - The RBAC Accelerator lives in the LDAP server and is reached through LDAPv3 extended operations; the Fortress RBAC enforcement APIs also call the accelerator.
      - Applications: Java App #2 connects over HTTP/S; Other App (any platform) connects over LDAPv3.
      - RBAC policy enforcement on any platform uses the accelerator; RBAC policy administration and interrogation use standard LDAPv3 protocols.
      - Legend: Fortress, LDAP, HTTP, Applications.
  • 7. ANSI RBAC INCITS 359
      1. RBAC0: Users, Roles, Perms, Sessions
      2. RBAC1: Hierarchical Roles
      3. RBAC2: Static Separation of Duties
      4. RBAC3: Dynamic Separation of Duties (demoed next)
      (The standard itself names these components Core RBAC, Hierarchical RBAC, SSD and DSD.)
  • 8. Dynamic Separation of Duties Demo (diagram): Role 1, Role 2 and Role 3 assignments; one and only one may be active.
  • 9. Dynamic Separation of Duties Demo: fine authorization granularity
      Users:
          - User1 is assigned to ROLE_TEST1, ROLE_TEST2, and ROLE_TEST3
          - User2 is assigned to ROLE_TEST2
          - User3 is assigned to ROLE_TEST3
      Permissions:
          - Page1.Button1, Page1.Button2 and Page1.Button3 are granted to ROLE_TEST1
          - Page2.Button1, Page2.Button2 and Page2.Button3 are granted to ROLE_TEST2
          - Page3.Button1, Page3.Button2 and Page3.Button3 are granted to ROLE_TEST3
      Dynamic Separation of Duties:
          - Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3]
          - DSD set cardinality is 1
          - Only one role can be active in a session
      Demo stack (diagram): Apache Wicket buttons and links guarded by the Fortress RBAC PEP (fine-grained), Wicket pages guarded by Spring page-level security, Java EE coarse-grained security through the Fortress RBAC proxy, all on Tomcat in the Java Virtual Machine, calling the Fortress RBAC PDP.
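The slide's DSD policy exercised through the Fortress Core AccessMgr, as an added example that is not code from the slides or from the fortressdemo1 project. It assumes the demo's users, roles, permissions and DSD set are already loaded, that fortress.properties points at the directory, that the default single-tenant context id is "HOME", and that user1's password is the placeholder shown; it is written against the Apache Fortress package names, whereas the 2013 build the slides refer to shipped under the us.jts.fortress prefix, so adjust the imports for that version.

```java
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Walks the slide-9 DSD policy through the Fortress PDP: ROLE_TEST1..3 form a DSD set of
 * cardinality 1, so a session may hold at most one of them at any time.
 */
public class DsdDemoCheck {

    // Tenant (contextId) the demo data lives in. "HOME" is assumed to be the default context.
    private static final String CONTEXT_ID = "HOME";

    // Placeholder credential; use whatever the demo load script set for user1.
    private static final char[] USER1_PASSWORD = "password".toCharArray();

    public static void main(String[] args) throws SecurityException {
        AccessMgr accessMgr = AccessMgrFactory.createInstance(CONTEXT_ID);

        // Authenticate user1 (isTrusted=false, so the password is checked) and ask for exactly
        // one role, ROLE_TEST1, to be activated. An empty role list would ask Fortress to
        // activate everything user1 is assigned, which this DSD set cannot allow in full.
        User user1 = new User("user1", USER1_PASSWORD);
        user1.setRole(new UserRole("ROLE_TEST1"));
        Session session = accessMgr.createSession(user1, false);

        // Fine-grained check: object "Page1", operation "Button1" is granted to ROLE_TEST1 ...
        report("Page1.Button1 with ROLE_TEST1 active",
               accessMgr.checkAccess(session, new Permission("Page1", "Button1")), true);
        // ... while Page2.* belongs to ROLE_TEST2, which is not active in this session.
        report("Page2.Button1 with ROLE_TEST1 active",
               accessMgr.checkAccess(session, new Permission("Page2", "Button1")), false);

        // DSD enforcement: activating a second member of the set must be refused even though
        // user1 is assigned to ROLE_TEST2. Fortress signals the refusal with a SecurityException.
        boolean refused;
        try {
            accessMgr.addActiveRole(session, new UserRole(session.getUserId(), "ROLE_TEST2"));
            refused = false;
        } catch (SecurityException dsdViolation) {
            refused = true;
            System.out.println("  DSD refusal: " + dsdViolation.getMessage());
        }
        report("ROLE_TEST2 activation refused while ROLE_TEST1 is active", refused, true);

        // Switching is allowed: deactivate the current member first, then activate another.
        accessMgr.dropActiveRole(session, new UserRole(session.getUserId(), "ROLE_TEST1"));
        accessMgr.addActiveRole(session, new UserRole(session.getUserId(), "ROLE_TEST2"));
        report("Page2.Button1 after switching to ROLE_TEST2",
               accessMgr.checkAccess(session, new Permission("Page2", "Button1")), true);
        report("Page1.Button1 after switching to ROLE_TEST2",
               accessMgr.checkAccess(session, new Permission("Page1", "Button1")), false);
    }

    // Prints OK/FAIL so a mismatch between the policy on the slide and the PDP's answer is visible.
    private static void report(String what, boolean actual, boolean expected) {
        System.out.println((actual == expected ? "OK   " : "FAIL ") + what + " => " + actual);
    }
}
```

The same DSD check also runs inside createSession: requesting ROLE_TEST1 and ROLE_TEST2 together up front is refused for the same reason as the addActiveRole call above, so an application that lets users pick a role at login should request one member of the set at a time and catch SecurityException rather than assume the requested role list was honoured.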
  • 10. Where to get RBAC Demo
      - Source: https://github.com/shawnmckinney/fortressdemo1
      - Tutorial & other ANSI RBAC write-ups:
          http://symas.com/ansi-rbac-intro/
          http://symas.com/rbac-security-enforcement-inside-wicket/
          https://github.com/shawnmckinney/fortressdemo1/blob/master/README.txt
  • 11. Commander Introduction
      - RBAC Web Administration
      - Uses the Fortress Core APIs
      - Communicates via HTTP or LDAPv3 protocols
      - Secured by Fortress, Java EE and Spring
      - Full audit trail
      - Extensible: add new pages quickly
      - Uses the Apache Wicket UI framework
  • 12. Commander System Architecture (diagram): Commander runs in a Java VM on the Fortress Core APIs and can use either the LDAPv3 protocol straight to the directory (Apache DS or OpenLDAP, either works) or HTTP/S to En Masse, which in turn uses the Fortress Core APIs over LDAPv3; the HTTP protocol aids in firewall traversals. Legend: Fortress, LDAP, HTTP.
  • 13. Commander Demo
      - View RBAC demo audit trail
      - View RBAC management capabilities
      - Enable REST communication with En Masse
      - Run Commander Selenium automated test
      - View Wireshark trace
  • 14. Where to get Commander
      - Source: http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-commander.git;a=summary
      - Quickstart: http://iamfortress.org/download
      - Maven: http://search.maven.org/#search%7Cga%7C1%7Ccommander
  • 15. En Masse Introduction
      - RBAC Policy Server
      - Firewall friendly
      - 120+ RESTful services
      - Multitenant process and services
      - Secured using Fortress RBAC enforcement
      - Binds directly to the Fortress entity model
      - Uses Fortress Core to communicate over LDAPv3
      - Uses Apache CXF for RESTful processing
  • 16. En Masse System Architecture (diagram): En Masse runs in its own Java VM on the Fortress Core APIs and speaks LDAPv3 to Apache DS or OpenLDAP (either works). Applications (a Java app using the Fortress Core APIs, or any REST library on any platform) connect to En Masse over HTTP/S; HTTP is less efficient than LDAP but aids in firewall traversals. Legend: Fortress, LDAP, HTTP, Applications.
  • 17. Where to get En Masse
      - Source: http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-enmasse.git;a=summary
      - Quickstart: http://iamfortress.org/download
      - Maven: http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22enmasse%22
  • 18. Introduction
  • 19. Multitenant LDAP Data Structure
      - Leverages LDAP's natural affinity to partition data by client organization
      - Each tenant has its own complete copy of the DIT, segregated by organizational unit
      - Reduced cost due to fewer servers to maintain
  • 20. Multitenant Programming Model
      - The client's id is passed to Fortress in factory initialization
      - For its lifecycle, the 'Manager' object processes data on behalf of the client id passed during initialization
      - AnyMgr: createInstance(tenantId);

          // Instantiate the AccessMgr implementation.
          AccessMgr accessMgr = AccessMgrFactory.createInstance("Client123");
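The tenant binding described on slides 19 and 20 made visible, as an added example that is not code from the slides or from the Fortress project: a Manager created with one tenant id resolves entries only under that tenant's subtree. It assumes the Apache Fortress package names (the 2013 build used the us.jts.fortress prefix), tenant ids "Client1", "Client2" and "Client3" as on the demo slide, a user id "demoUser1" as a placeholder for whatever the demo load created, and that a tenant's copy of the DIT sits under ou=<tenantId> beneath the suffix.

```java
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.ReviewMgr;
import org.apache.directory.fortress.core.ReviewMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.User;

/**
 * Shows that a Manager is bound to the tenant passed at factory time: the same user id is
 * looked up inside each tenant's own subtree, and a tenant that was never loaded has no entry.
 */
public class TenantIsolationCheck {

    // Returns the DN of userId inside the given tenant, or null when that tenant has no such
    // entry. Any other failure (bad config, directory unreachable, no rights) propagates.
    static String dnIn(String tenantId, String userId) throws SecurityException {
        // Every call through this ReviewMgr is scoped to the tenant's subtree
        // (assumed layout: ou=<tenantId>,<suffix> holding its own People/Roles/Perms).
        ReviewMgr reviewMgr = ReviewMgrFactory.createInstance(tenantId);
        try {
            User found = reviewMgr.readUser(new User(userId));
            return found.getDn();
        } catch (SecurityException e) {
            // Fortress reports an unknown user as a finder error rather than returning null;
            // only that case means "not in this tenant".
            if (e.getErrorId() == GlobalErrIds.USER_NOT_FOUND) {
                return null;
            }
            throw e;
        }
    }

    public static void main(String[] args) throws SecurityException {
        String userId = "demoUser1";                       // placeholder, see lead-in
        String[] tenants = {"Client1", "Client2", "Client3", "ClientNeverLoaded"};

        for (String tenant : tenants) {
            String dn = dnIn(tenant, userId);
            // Loaded tenants each answer with a DN under their own ou; the unloaded one answers null.
            System.out.printf("%-18s %s%n", tenant, dn == null ? "(no such user in this tenant)" : dn);
        }
    }
}
```

Because the tenant id is fixed when the Manager is built, a service that handles several clients must keep one Manager per tenant (or build one per request from the caller's authenticated tenant) and never pick the tenant from an unauthenticated request parameter; the directory-side isolation only holds if the code path that chooses the contextId is itself trustworthy.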
  • 21. Multitenant Demo
      - Load demo users for Client 1, 2 & 3
      - Run test-full for Client 1, 2 & 3
  • 22. Where to get Fortress Multitenancy
      - Source: http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-core.git;a=summary
      - Binaries (Maven):

          <dependency>
            <groupId>us.joshuatreesoftware</groupId>
            <artifactId>fortress</artifactId>
            <version>RC-1.0-33</version>
          </dependency>
  • 23. Next Steps
      - RBAC Accelerator: OpenLDAP overlay; RBAC Policy Decision Point
      - Web Access Management/SSO
      - RBAC Policy-Enhanced Standard (RPE): INCITS 494-2011; support for dynamic attributes
      - Attribute-based Access Control (ABAC): maybe
  • 24. Thanks!