Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Complete open
source IAM solution
Radovan Semančík
LDAPcon, November 2015
Radovan Semančík
Current:
Software Architect at Evolveum
Architect of Evolveum midPoint
Contributor to ConnId and Apache D...
Complete solution? Why?
Is LDAP not enough?
Yes, theoretically ...
LDAP
Application
Application
Application
Application
Users
Good architecture:
Don't repeat yourself...
Practice: Application-Local DB
LDAP
Application
Application
Application
Application
Users
join?
uid: js123
cn: Jack Sparro...
Practice: Data Sources
LDAP
Application
Application
Application
Application
Users
HR
CRM
Custom scripts?
Data conflicts?
R...
Practice: Legacy
LDAP
Application
Application
Application
Application
Users
uid: js123
uid: jack3
uid: jsparrow
uid: x6653...
Practice: Authentication
LDAP
Application
Application
Application
Application
Users
Password
SAML+X.509
2-factor
OAuth
SAS...
But … these are
application problems!
Let's fix the appliations and
standardize. We'll be fine.
Standardization? Really?
dn: cn=foo,ou=groups,o=example
objectclass: groupOfNames
member: uid=bar1,ou=people,o=example
mem...
Standardization? Really?
dn: cn=foo,ou=groups,o=example
objectclass: groupOfNames
member: uid=bar1,ou=people,o=example
mem...
Practice: more problems
● Password reset
● Adaptive authentication
● SSO
● Session management
● ACLs
● Account activation
...
Practice: really messy
LDAP 1
Application
Application
Application
Application
Users
copy
LDAP 2
Manual
sync
HR
CRM
export
...
LDAP-only solutions work
only in simple cases.
IAM needs more components
Identity
Repository
HR
Application
Application
Application
Application
A
M
Identity
Provisioning...
Basic IAM Components
● Access Management
• Authentication, single sign-on
• Basic authorization
● Identity Repository
• St...
Interoperability
● The components should work together
as one system
● Easy product integration
● Smooth user experience
•...
Technology stacks
“Stack” is the obvious answer to
interoperability problem.
… or … is it? Access
Management
Identity
Prov...
What's wrong with stacks?
● Usually single-vendor stacks
● Still quite heterogeneous due to acquisitions
● Vendor lock-in
...
Is there any better way?
The Ecosystem
Open Source Identity Ecosystem
midPoint
(Identity Provisioning)
OpenLDAP
(Directory Server)
Fortress
(IAM SDK)
OSIAM
(Acce...
Open Source Identity Ecosystem
● Pure open source model
• Any engineer can have complete understanding of the
technology
•...
Ecosystem Deployment Examples
OpenLDAP
(Directory Server)
midPoint
(Identity Provisioning)
CAS
(Single Sign-On)
389ds
(Dir...
Ecosystem Deployment Examples
midPoint
(Identity Provisioning)
ConnId
(Identity Connector Framework)
ConnId
Unix
Connector...
We know that it works, because ...
● we have tested the technology
• test suites, pilots, real projects
● we share the sam...
Join the Ecosystem now!
Questions and Answers
Radovan Semančík
www.evolveum.com
Thank You
Upcoming SlideShare
Loading in …5
×

Complete open source IAM solution

2,701 views

Published on

Talk about a complete open source IAM solution that includes LDAP directory server, Access Management and especially the enterprise-scale Identity Management system. The presentation also includes motivation why LDAP server alone is not enough.
Thanks to Katka Valalikova for delivering a OpenLDAP + Evolveum midPoint demo during the talk.
LDAPcon 2015, Edinburgh.

Published in: Technology

Complete open source IAM solution

  1. 1. Complete open source IAM solution Radovan Semančík LDAPcon, November 2015
  2. 2. Radovan Semančík Current: Software Architect at Evolveum Architect of Evolveum midPoint Contributor to ConnId and Apache Directory API Past: Sun LDAP and IDM deployments (early 2000s) OpenIDM v1, OpenICF Many software architecture and security projects
  3. 3. Complete solution? Why? Is LDAP not enough?
  4. 4. Yes, theoretically ... LDAP Application Application Application Application Users Good architecture: Don't repeat yourself (DRY)
  5. 5. Practice: Application-Local DB LDAP Application Application Application Application Users join? uid: js123 cn: Jack Sparrow uid: js123 loot: 20000 Name | loot -------------+------- Jack Sparrow | 20000
  6. 6. Practice: Data Sources LDAP Application Application Application Application Users HR CRM Custom scripts? Data conflicts? Reliability? Maintenance?
  7. 7. Practice: Legacy LDAP Application Application Application Application Users uid: js123 uid: jack3 uid: jsparrow uid: x665342 uid: jsp007
  8. 8. Practice: Authentication LDAP Application Application Application Application Users Password SAML+X.509 2-factor OAuth SASL will get you only so far ...
  9. 9. But … these are application problems! Let's fix the appliations and standardize. We'll be fine.
  10. 10. Standardization? Really? dn: cn=foo,ou=groups,o=example objectclass: groupOfNames member: uid=bar1,ou=people,o=example member: uid=bar2,ou=people,o=example dn: cn=foo,ou=groups,o=example objectclass: groupOfUniqueNames uniqueMember: uid=bar1,ou=people,o=example uniqueMember: uid=bar2,ou=people,o=example RFC2256 (1997) mandatory(!!!) (Examples are simplified)
  11. 11. Standardization? Really? dn: cn=foo,ou=groups,o=example objectclass: groupOfNames member: uid=bar1,ou=people,o=example member: uid=bar2,ou=people,o=example dn: cn=foo,ou=groups,o=example objectclass: groupOfUniqueNames uniqueMember: uid=bar1,ou=people,o=example uniqueMember: uid=bar2,ou=people,o=example RFC2256 (1997) dn: cn=foo,ou=groups,o=example objectclass: posixGroup memberUid: bar1 memberUid: bar2 RFC2307 (1998) (Examples are simplified)
  12. 12. Practice: more problems ● Password reset ● Adaptive authentication ● SSO ● Session management ● ACLs ● Account activation (enabled/disabled status) ● “memberOf” ● Roles / RBAC ● Password policies ● Access policies (autz) ● Paging (SPR vs VLV) ● Audit ● Reporting ● Data consistency ● Management tools ● User experience ● Schema consistency issues ● Standard violations ● Common sense violations ● Too many data types ● … most of them unsupported ● DN case sensitivity ● Synchronization
  13. 13. Practice: really messy LDAP 1 Application Application Application Application Users copy LDAP 2 Manual sync HR CRM export transform script ESB S S O LDAP 3 *) *) nobody really knows how this part works because the guy that did it left 3 years ago script Pull on demand Home-brew LDAP editor
  14. 14. LDAP-only solutions work only in simple cases.
  15. 15. IAM needs more components Identity Repository HR Application Application Application Application A M Identity Provisioning Users CRM System Admin Requester Approver Application
  16. 16. Basic IAM Components ● Access Management • Authentication, single sign-on • Basic authorization ● Identity Repository • Storage of identity data ● Identity Provisioning • Management (data, policies, workflows) • Synchronization Access Management Identity Repository Identity Provisioning End Users Admins
  17. 17. Interoperability ● The components should work together as one system ● Easy product integration ● Smooth user experience • The user should not see component boundaries
  18. 18. Technology stacks “Stack” is the obvious answer to interoperability problem. … or … is it? Access Management Identity Provisioning Identity Repository
  19. 19. What's wrong with stacks? ● Usually single-vendor stacks ● Still quite heterogeneous due to acquisitions ● Vendor lock-in • You can check out any time you like, but you can never leave ● Limited integration options • Just one option for each component • Proprietary interfaces
  20. 20. Is there any better way? The Ecosystem
  21. 21. Open Source Identity Ecosystem midPoint (Identity Provisioning) OpenLDAP (Directory Server) Fortress (IAM SDK) OSIAM (Access Management) (Identity Repository) CAS (Single Sign-On) (GRC) (Access Management) Syncope (Identity Provisioning) Shibboleth (Federation) ConnId (Identity Connectors) 389 Directory Server (Identity Repository)
  22. 22. Open Source Identity Ecosystem ● Pure open source model • Any engineer can have complete understanding of the technology • Technological excellence and efficiency ● Standardized or open source interfaces • Unlimited integration options • Replaceable components → no vendor lock-in ● Cooperation instead of domination • Trade influence for control to get substantial benefits
  23. 23. Ecosystem Deployment Examples OpenLDAP (Directory Server) midPoint (Identity Provisioning) CAS (Single Sign-On) 389ds (Directory Server) Apache Syncope (Identity Provisioning) Shibboleth (Federation) OpenLDAP (Directory Server) Fortress (IAM SDK) Custom application
  24. 24. Ecosystem Deployment Examples midPoint (Identity Provisioning) ConnId (Identity Connector Framework) ConnId Unix Connector Custom SAP Connector Apache Syncope (Identity Provisioning) ConnId (Identity Connector Framework) midPoint LDAP Connector ConnId Unix Connector Custom SAP Connector OpenLDAP (Directory Server) midPoint LDAP Connector 389ds (Directory Server)
  25. 25. We know that it works, because ... ● we have tested the technology • test suites, pilots, real projects ● we share the same goal ● there are business agreements in place
  26. 26. Join the Ecosystem now!
  27. 27. Questions and Answers
  28. 28. Radovan Semančík www.evolveum.com Thank You

×