eSCIMo - User Provisioning over Web
Presentation Transcript

  • User Provisioning Over Web. Speaker: Kiran Ayyagari
  • Kiran Ayyagari
    PMC member, ApacheDS project
    Consulting & support on ApacheDS
    Started the eSCIMo project
    kayyagari@keydap.com, kayyagari@apache.org
  • What Is SCIM?
    System for Cross-domain Identity Management
    A standard for provisioning
  • SCIM Schema
    A collection of attribute definitions, e.g.
      {
        "id": "urn:scim:schemas:core:2.0:User",
        "name": "User",
        "description": "Core User",
        "attributes": [
          {
            "name": "id",
            "type": "string",
            "multiValued": false,
            "description": "Unique identifier for the SCIM resource. REQUIRED.",
            "readOnly": true,
            "required": true,
            "caseExact": false
          },
          ...
        ]
      }
  • SCIM Schema...  Simple Attribute e.g. userName – a user's name  Complex Attribute e.g. name – a collection of firstName, lastName etc.  Multi-valued Attribute e.g. emails – a collection of all emails  Sub-attribute e.g. familyName – a user's family name 5
  • SCIM Schema...  Platform neutral  JSON format  URN as a ID 6
  • SCIM Data Model
    User: Name: Naveen S, UID: naveens, Last Name: Sivashankar, First Name: Naveen
      {
        "schemas": ["urn:scim:schemas:core:2.0:User"],
        "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
        "userName": "naveens",
        "displayName": "Naveen S",
        "active": true,
        "name": {
          "familyName": "Sivashankar",
          "givenName": "Naveen Sivashankar"
        },
        "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}],
        …
      }
  • SCIM Data Model... e.g. extended user (User + Enterprise User)
    Name: Naveen S, UID: naveens, Employee No: 11011, Cost Center: 007
      {
        "schemas": ["urn:scim:schemas:core:2.0:User",
                    "urn:scim:schemas:extension:enterprise:2.0:User"],
        "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
        "userName": "naveens",
        ...
        "urn:scim:schemas:extension:enterprise:2.0:User": {
          "employeeNumber": "11011",
          "costCenter": "007"
          …
        }
      }
  • SCIM Data Model... Group
    Name: Administrators, Members: naveens
      {
        "schemas": ["urn:scim:schemas:core:2.0:Group"],
        "id": "484fbc39-ae09-427b-896f-d469d28895ad",
        "displayName": "Administrators",
        "members": [
          {
            "value": "45ceb739-1695-4c03-ab18-33ac71e91875",
            "$ref": "http://localhost:8080/v2/Users/45ceb739-1695-4c03-ab18-33ac71e91875",
            "display": "naveens"
          }
        ]
      }
  • SCIM API
    Uses REST
    Supports: CRUD operations, bulk modification, paged search
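Two of the API features listed above have client-side pitfalls the slide does not spell out: a paged search must advance by the itemsPerPage the server actually returned (providers clamp the requested count), and a bulk request must stay within the provider's advertised maxOperations. The following is an added example, not code from the presentation or from eSCIMo. Message URNs and field names follow RFC 7644, the final SCIM 2.0 protocol; the slides use the earlier draft URNs. FakeServer is a constructed in-memory stand-in for the HTTP endpoint so the example runs offline; against a real service the same loop would drive GET requests.

```python
"""Paged search and Bulk request on the SCIM 2.0 API (added example, not eSCIMo code)."""

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"


class FakeServer:
    """Constructed stand-in for a SCIM server holding n users.  Like a real
    provider it clamps 'count' to its own maximum page size, so a client that
    trusts the count it asked for rather than the itemsPerPage it got back
    would skip records."""
    MAX_PAGE_SIZE = 3

    def __init__(self, n=7):
        self.users = [{"id": f"u{i}", "userName": f"user{i}"} for i in range(1, n + 1)]

    def get(self, path, params):
        start = max(int(params.get("startIndex", 1)), 1)        # startIndex is 1-based
        count = min(int(params.get("count", self.MAX_PAGE_SIZE)), self.MAX_PAGE_SIZE)
        page = self.users[start - 1:start - 1 + count]
        return {"schemas": [LIST_RESPONSE], "totalResults": len(self.users),
                "startIndex": start, "itemsPerPage": len(page), "Resources": page}


def iter_resources(server, path="/v2/Users", page_size=100, flt=None):
    """Yield every resource of a paged search, advancing by the server's
    itemsPerPage and stopping on an empty page (guards against a provider
    whose totalResults is wrong)."""
    start = 1
    while True:
        params = {"startIndex": start, "count": page_size}
        if flt:
            params["filter"] = flt                   # SCIM filter expression, e.g. userName eq "naveens"
        resp = server.get(path, params)
        page = resp["Resources"]
        if not page:
            return
        yield from page
        start += resp["itemsPerPage"]
        if start > resp["totalResults"]:
            return


def build_bulk(operations, max_operations):
    """Build a BulkRequest from (method, path, data) tuples.  max_operations is
    the provider's ServiceProviderConfig bulk.maxOperations; exceeding it would
    earn a 413 from the server, so the batch is refused client-side instead."""
    if len(operations) > max_operations:
        raise ValueError(f"{len(operations)} operations exceed maxOperations={max_operations}")
    ops = []
    for i, (method, path, data) in enumerate(operations):
        op = {"method": method, "path": path}
        if method == "POST":
            op["bulkId"] = f"op{i}"   # required for POST so later operations can refer to the new resource
        if data is not None:          # DELETE carries no body
            op["data"] = data
        ops.append(op)
    return {"schemas": [BULK_REQUEST], "failOnErrors": 1, "Operations": ops}


if __name__ == "__main__":
    srv = FakeServer()
    print([u["userName"] for u in iter_resources(srv)])
    print(build_bulk([("POST", "/Users", {"userName": "alice"}),
                      ("DELETE", "/Users/u1", None)], max_operations=1000))
```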
  • What Is eSCIMo?
    An implementation of SCIM v2.0
    Supports LDAP as a backend by default
    Can work with any LDAP server
    Embeddable in ApacheDS
  • Running eSCIMo, Scenario 1 (diagram): eSCIMo deployed in an app server/container, talking to a separate LDAP server
  • Running eSCIMo, Scenario 2 (diagram): eSCIMo embedded in ApacheDS and served through its Jetty
  • Architecture of eSCIMo (diagram): Security Filter -> REST API -> Resource Provider Interface
    Resource providers: LDAP Resource Provider (implemented), RDBMS Resource Provider (not implemented), other providers (not implemented)
  • How Does It Work? Attribute mapping
    Mapping a simple attribute, e.g.
      "id": "45ceb739-1695-4c03-ab18-33ac71e91875"
      "userName": "naveens"
    maps to
      <attribute name="id" mappedTo="entryUUID" />
      <attribute name="userName" mappedTo="uid" />
  • How Does It Work... Attribute mapping, contd.
    Mapping a complex attribute, e.g.
      "name": {
        "familyName": "Sivashankar",
        "givenName": "Naveen Sivashankar"
      }
    maps to
      <complex-attribute name="name">
        <at-group>
          <attribute name="familyName" mappedTo="sn" />
          <attribute name="givenName" mappedTo="cn" />
        </at-group>
      </complex-attribute>
    Note that cn in an inetOrgPerson entry normally holds the full name, which is why givenName comes out as "Naveen Sivashankar" in the data model example above; mapping it to LDAP's givenName attribute instead yields the first name alone.
  • How Does It Work... Attribute mapping, contd.
    Mapping a multi-valued attribute, e.g.
      "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}]
    maps to
      <multival-attribute name="emails">
        <at-group>
          <attribute name="value" mappedTo="mail" />
        </at-group>
      </multival-attribute>
  • How Does It Work... Attribute mapping, contd.
    e.g.
      "groups": [{
        "id": "484fbc39-ae09-427b-896f-d469d28895ad",
        "$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896f-d469d28895ad",
        "display": "Administrators"
      }]
    "id": how can we fetch the ID of the member entry?
    "$ref": how do we build a URL dynamically?
  • How Does It Work... Attribute handlers
    Handler implementation (method bodies are not shown on the slide):
      public class GroupsAttributeHandler extends LdapAttributeHandler {
          public void read();
          public void write();
          public void patch();
      }
    Handler definition:
      <handler name="groupsHandler" class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />
    Handler mapping:
      <multival-attribute name="groups" baseDn="ou=system" filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
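The mapping slides show the XML vocabulary and the handler hook but leave the two questions open (where the member's id comes from, and how $ref is built). The following is an added example in Python, not eSCIMo's Java and not from the presentation: it applies the slides' mapping XML to an LDAP entry and renders the SCIM JSON, with a groups handler that takes each group's entryUUID as the id and derives $ref from the service base URL. Assumptions: the groups sub-attribute is emitted as "value", the name the members entry of the Group example uses; givenName is mapped to LDAP's givenName rather than cn; DIRECTORY is a constructed in-memory stand-in for the LDAP server (the Developers group's entryUUID is made up); and search() understands only the single equality filter the mapping needs. The entry DN is escaped per RFC 4515 before it is substituted into the filter, so a DN containing filter metacharacters cannot alter the query.

```python
"""Rendering a SCIM User from an LDAP entry via eSCIMo-style mappings (added example, not eSCIMo code)."""
import re
import xml.etree.ElementTree as ET
from string import Template

MAPPING_XML = """
<mappings>
  <attribute name="id" mappedTo="entryUUID" />
  <attribute name="userName" mappedTo="uid" />
  <complex-attribute name="name">
    <at-group>
      <attribute name="familyName" mappedTo="sn" />
      <attribute name="givenName" mappedTo="givenName" />
    </at-group>
  </complex-attribute>
  <multival-attribute name="emails">
    <at-group>
      <attribute name="value" mappedTo="mail" />
    </at-group>
  </multival-attribute>
  <multival-attribute name="groups" baseDn="ou=system" filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
</mappings>
"""

DIRECTORY = {  # constructed entries standing in for the LDAP server; values are lists as in LDAP
    "uid=naveens,ou=users,ou=system": {
        "entryUUID": ["45ceb739-1695-4c03-ab18-33ac71e91875"], "uid": ["naveens"],
        "sn": ["Sivashankar"], "givenName": ["Naveen"],
        "mail": ["naveens@example.com", "ns@mymail.com"],
    },
    "cn=Administrators,ou=groups,ou=system": {
        "entryUUID": ["484fbc39-ae09-427b-896f-d469d28895ad"], "cn": ["Administrators"],
        "uniqueMember": ["uid=naveens,ou=users,ou=system"],
    },
    "cn=Developers,ou=groups,ou=system": {   # made-up entryUUID
        "entryUUID": ["0f1e2d3c-4b5a-4978-8c6d-5e4f3a2b1c0d"], "cn": ["Developers"],
        "uniqueMember": ["uid=someone,ou=users,ou=system"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for anything interpolated into a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def search(base_dn, ldap_filter):
    """Single equality-filter search over DIRECTORY, subtree under base_dn."""
    attr, _, raw = ldap_filter.strip("()").partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.endswith("," + base_dn) and value in e.get(attr, [])]


def groups_handler(entry_dn, node, base_url):
    """The read() side of the slide's GroupsAttributeHandler: find the groups whose
    uniqueMember is this entry, use each group's entryUUID as the id and build
    $ref from the service base URL and the Groups resource type."""
    flt = Template(node.get("filter")).substitute(entryDn=escape_filter_value(entry_dn))
    return [{"value": g["entryUUID"][0],
             "$ref": f"{base_url}/Groups/{g['entryUUID'][0]}",
             "display": g["cn"][0]}
            for _, g in search(node.get("baseDn"), flt)]


HANDLERS = {"groupsHandler": groups_handler}


def to_scim_user(entry_dn, mapping_root, base_url):
    entry = DIRECTORY[entry_dn]

    def first(node):   # simple attribute: first LDAP value, if any
        vals = entry.get(node.get("mappedTo"), [])
        return vals[0] if vals else None

    out = {"schemas": ["urn:scim:schemas:core:2.0:User"]}
    for node in mapping_root:
        name = node.get("name")
        if node.tag == "attribute":
            out[name] = first(node)
        elif node.tag == "complex-attribute":
            out[name] = {a.get("name"): first(a) for a in node.iter("attribute")}
        elif node.get("handlerRef"):
            out[name] = HANDLERS[node.get("handlerRef")](entry_dn, node, base_url)
        else:  # plain multival-attribute: one JSON object per LDAP value
            subs = [(a.get("name"), a.get("mappedTo")) for a in node.iter("attribute")]
            n = max(len(entry.get(m, [])) for _, m in subs)
            out[name] = [{s: entry[m][i] for s, m in subs if i < len(entry.get(m, []))}
                         for i in range(n)]
    return out


def render_user(entry_dn, base_url, mapping_xml=MAPPING_XML):
    return to_scim_user(entry_dn, ET.fromstring(mapping_xml), base_url)


if __name__ == "__main__":
    import json
    print(json.dumps(render_user("uid=naveens,ou=users,ou=system", "http://localhost:8080/v2"), indent=2))
```

Running it produces the user's core attributes plus a groups list with the Administrators group's entryUUID as value and http://localhost:8080/v2/Groups/<that uuid> as $ref, i.e. the shape shown two slides up.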
  • eSCIMo Json2Java
    Is a Maven plugin
    Generates Java classes from SCIM schemas
  • eSCIMo Client
    Works with the generated model classes, e.g. adding a User resource:
      User user = new User();
      user.setUserName( "naveens" );
      user.setDisplayName( "Naveen Sivashankar" );
      user.setPassword( "secret" );
      Name name = new Name();
      name.setFamilyName( "Sivashankar" );
      name.setGivenName( "Naveen" );
      user.setName( name );
      EscimoResult result = client.addUser( user );
  • Demo
  • Questions?
  • Thank you!