Complete open source IAM solution


This talk presents a complete open source IAM solution that includes an LDAP directory server, access management and, above all, an enterprise-scale identity management system. The presentation also explains why an LDAP server alone is not enough.
Thanks to Katka Valalikova for delivering an OpenLDAP + Evolveum midPoint demo during the talk.
LDAPcon 2015, Edinburgh.

Complete open source IAM solution

  1. Complete open source IAM solution. Radovan Semančík, LDAPcon, November 2015.
  2. Radovan Semančík. Current: Software Architect at Evolveum; architect of Evolveum midPoint; contributor to ConnId and Apache Directory API. Past: Sun LDAP and IDM deployments (early 2000s); OpenIDM v1, OpenICF; many software architecture and security projects.
  3. Complete solution? Why? Is LDAP not enough?
  4. Yes, theoretically... (Diagram: users and several applications all use one LDAP server.) Good architecture: don't repeat yourself (DRY).
  5. Practice: application-local DB. (Diagram: the applications use LDAP, but each also keeps its own database.) How do you join them? LDAP holds "uid: js123, cn: Jack Sparrow", the application holds "uid: js123, loot: 20000", and the application wants to show a table:
      Name         | loot
      -------------+-------
      Jack Sparrow | 20000
  6. Practice: data sources. (Diagram: HR and CRM feed LDAP alongside the applications.) Custom scripts? Data conflicts? Reliability? Maintenance?
  7. Practice: legacy. (Diagram: the same person carries different identifiers across systems: uid: js123, uid: jack3, uid: jsparrow, uid: x665342, uid: jsp007.)
  8. Practice: authentication. Applications need password, SAML + X.509, 2-factor, OAuth... SASL will get you only so far.
  9. But... these are application problems! Let's fix the applications and standardize. We'll be fine.
  10. Standardization? Really? RFC 2256 (1997) already defines two group object classes, and in both the membership attribute is mandatory(!!!):
      dn: cn=foo,ou=groups,o=example
      objectclass: groupOfNames
      member: uid=bar1,ou=people,o=example
      member: uid=bar2,ou=people,o=example

      dn: cn=foo,ou=groups,o=example
      objectclass: groupOfUniqueNames
      uniqueMember: uid=bar1,ou=people,o=example
      uniqueMember: uid=bar2,ou=people,o=example
      (Examples are simplified.)
  11. Standardization? Really? RFC 2307 (1998) adds a third group schema to the two above, this one with bare uids instead of DNs:
      dn: cn=foo,ou=groups,o=example
      objectclass: posixGroup
      memberUid: bar1
      memberUid: bar2
      (Examples are simplified.)
  12. Practice: more problems.
      ● Password reset
      ● Adaptive authentication
      ● SSO
      ● Session management
      ● ACLs
      ● Account activation (enabled/disabled status)
      ● "memberOf"
      ● Roles / RBAC
      ● Password policies
      ● Access policies (authorization)
      ● Paging (SPR vs. VLV)
      ● Audit
      ● Reporting
      ● Data consistency
      ● Management tools
      ● User experience
      ● Schema consistency issues
      ● Standard violations
      ● Common sense violations
      ● Too many data types... most of them unsupported
      ● DN case sensitivity
      ● Synchronization
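What slides 10 to 12 mean for an application developer, as an added example (this is not code from the talk or from any Evolveum project): a client that wants to answer "is user X in group Y" has to recognise all three group schemas, convert DN-valued members to uids, compare DNs without regard to attribute-type case, and compute "memberOf" itself when the server does not provide it. The LDIF below is constructed sample data; the parser and the DN normalisation are deliberately minimal (no line continuation, no base64 values, no RFC 4514 escaping), which is stated in the comments.

```python
"""Resolve group membership across the three common LDAP group schemas.

Added example; not code from the talk or any Evolveum project. It takes
constructed LDIF for a groupOfNames, a groupOfUniqueNames and a posixGroup
and answers membership questions without the caller having to know which
schema the directory happens to use.
"""

# Constructed sample data: the same crew expressed in three schemas.
# The second member of cn=crew deliberately uses upper-case attribute types
# and spaces after the commas, which is a valid spelling of the same DN.
SAMPLE_LDIF = """\
dn: cn=crew,ou=groups,o=example
objectClass: groupOfNames
member: uid=js123,ou=people,o=example
member: UID=jack3, OU=people, O=example

dn: cn=crew-unique,ou=groups,o=example
objectClass: groupOfUniqueNames
uniqueMember: uid=js123,ou=people,o=example
uniqueMember: uid=jsparrow,ou=people,o=example

dn: cn=crew-posix,ou=groups,o=example
objectClass: posixGroup
gidNumber: 5000
memberUid: js123
memberUid: x665342
"""

# Membership attribute per group objectClass, and whether its values are
# DNs (True) or bare uids (False).
MEMBER_ATTR = {
    "groupofnames": ("member", True),
    "groupofuniquenames": ("uniquemember", True),
    "posixgroup": ("memberuid", False),
}


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Attribute types are lower-cased (they are case-insensitive in LDAP).
    Assumption: no continuation lines, no base64 ("::") values.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Canonical form for DN comparison: lower-case types, trimmed whitespace.

    Assumption: enough for simple printable DNs; a full RFC 4514 comparison
    would also handle escaped commas and per-attribute matching rules.
    """
    out = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        out.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(out)


def uid_from_dn(dn):
    """Extract the uid from a DN such as uid=js123,ou=people,o=example."""
    attr_type, _, value = normalize_dn(dn).split(",", 1)[0].partition("=")
    if attr_type != "uid":
        raise ValueError(f"first RDN is not uid: {dn}")
    return value


def group_members(entry):
    """Return the set of member uids of a group entry, whatever its schema."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    for cls in classes:
        if cls in MEMBER_ATTR:
            attr, is_dn = MEMBER_ATTR[cls]
            return {uid_from_dn(v) if is_dn else v for v in entry.get(attr, [])}
    raise ValueError(f"unknown group schema: {classes}")


def membership(ldif_text):
    """Map each normalized group DN to its member uids."""
    return {normalize_dn(e["dn"][0]): group_members(e) for e in parse_ldif(ldif_text)}


def is_member(ldif_text, group_dn, uid):
    """True if uid is in the group, comparing the group DN case-insensitively."""
    return uid in membership(ldif_text).get(normalize_dn(group_dn), set())


def member_of(ldif_text, uid):
    """Client-side 'memberOf': the groups (normalized DNs) containing uid."""
    return {g for g, members in membership(ldif_text).items() if uid in members}
```

The table MEMBER_ATTR is the whole point: three object classes, three attribute names, two value syntaxes, and a client has to carry that knowledge itself. Note that nothing here verifies that a memberUid or a member DN actually refers to an existing entry; dangling references are one of the data-consistency problems listed on slide 12.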
  13. Practice: really messy. (Diagram: three LDAP servers, a copy and a manual sync between them, an HR export through a transform script, CRM through an ESB, SSO, a pull-on-demand script, a home-brew LDAP editor, and one part marked *) "nobody really knows how this part works because the guy that did it left 3 years ago".)
  14. LDAP-only solutions work only in simple cases.
  15. IAM needs more components. (Diagram: Identity Repository, Access Management (AM) and Identity Provisioning, connected to HR, CRM, the applications, users, system admins, requesters and approvers.)
  16. Basic IAM components.
      ● Access Management: authentication, single sign-on; basic authorization
      ● Identity Repository: storage of identity data
      ● Identity Provisioning: management (data, policies, workflows); synchronization
      (Diagram: the three components, with end users and admins.)
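The synchronization job of the Identity Provisioning component, as an added example (not midPoint, Syncope or any other project's code). It shows the core of what slides 6, 7 and 13 are about: an authoritative HR feed on one side, accounts in several systems under unrelated uids on the other, and a correlation rule that links them and turns the difference into provisioning actions. All records are constructed sample data; the assumption that accounts can be correlated by an employee number, and that every active person must hold an account in the systems listed in REQUIRED_SYSTEMS, is this example's own.

```python
"""Minimal identity synchronization: correlate an HR feed with accounts.

Added example, not code from the talk or from any identity product. HR is
treated as the authoritative source; each target system reports its
accounts; accounts are correlated to persons by employee number (an
assumption about what the systems expose) and the difference between the
desired and the actual state becomes a list of provisioning actions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    employee_number: str
    full_name: str
    active: bool


@dataclass(frozen=True)
class Account:
    system: str
    uid: str
    employee_number: Optional[str]   # None when the system does not store it
    enabled: bool


# Constructed sample data: one person known under several legacy uids,
# one leaver whose account is still enabled, and accounts nobody owns.
HR = [
    Person("10042", "Jack Sparrow", True),
    Person("10043", "Will Turner", False),   # has left the company
]
ACCOUNTS = [
    Account("ldap", "js123", "10042", True),
    Account("crm", "jack3", "10042", True),
    Account("unix", "jsparrow", None, True),     # no correlation key at all
    Account("ldap", "wturner", "10043", True),   # leaver, must be disabled
    Account("crm", "x665342", "99999", True),    # employee number unknown to HR
]

# Assumption of this example: every active person gets an account here.
REQUIRED_SYSTEMS = ("ldap", "crm")


def correlate(people, accounts):
    """Link accounts to persons by employee number.

    Returns (links, uncorrelated): links maps employee_number to the list of
    accounts owned by that person; uncorrelated holds accounts that match
    nobody in HR and therefore need a human decision (orphan or bad data).
    """
    known = {p.employee_number for p in people}
    links = {empno: [] for empno in known}
    uncorrelated = []
    for acct in accounts:
        if acct.employee_number in known:
            links[acct.employee_number].append(acct)
        else:
            uncorrelated.append(acct)
    return links, uncorrelated


def plan(people, accounts):
    """Compute provisioning actions as (action, system, identifier) tuples.

    'create' carries the employee number (the uid is for the target system's
    naming policy to decide); 'enable', 'disable' and 'review' carry the
    existing account uid.
    """
    links, uncorrelated = correlate(people, accounts)
    actions = []
    for person in people:
        owned = {a.system: a for a in links[person.employee_number]}
        if person.active:
            for system in REQUIRED_SYSTEMS:
                acct = owned.get(system)
                if acct is None:
                    actions.append(("create", system, person.employee_number))
                elif not acct.enabled:
                    actions.append(("enable", system, acct.uid))
        else:
            # Leavers keep their linked accounts, but none may stay enabled.
            for acct in owned.values():
                if acct.enabled:
                    actions.append(("disable", acct.system, acct.uid))
    for acct in uncorrelated:
        actions.append(("review", acct.system, acct.uid))
    return actions


if __name__ == "__main__":
    for action in plan(HR, ACCOUNTS):
        print(*action)
```

Two design points worth noticing. First, correlation is a policy, not a lookup: the Unix account jsparrow belongs to Jack Sparrow, but nothing in the data proves it, so the example refuses to guess and reports it for review rather than silently linking by name similarity. Second, the leaver is disabled, not deleted, in every system he is linked to; the provisioning component is the only place that knows all of his accounts, which is exactly what the hand-written scripts of slide 13 cannot offer.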
  17. Interoperability.
      ● The components should work together as one system
      ● Easy product integration
      ● Smooth user experience: the user should not see component boundaries
  18. Technology stacks. "Stack" is the obvious answer to the interoperability problem... or is it? (Diagram: Access Management, Identity Provisioning and Identity Repository stacked on top of each other.)
  19. What's wrong with stacks?
      ● Usually single-vendor stacks
      ● Still quite heterogeneous due to acquisitions
      ● Vendor lock-in: you can check out any time you like, but you can never leave
      ● Limited integration options: just one option for each component; proprietary interfaces
  20. Is there any better way? The Ecosystem.
  21. Open Source Identity Ecosystem.
      ● midPoint (Identity Provisioning)
      ● OpenLDAP (Directory Server)
      ● Fortress (IAM SDK)
      ● OSIAM (Access Management) (Identity Repository)
      ● CAS (Single Sign-On)
      ● (GRC)
      ● (Access Management)
      ● Syncope (Identity Provisioning)
      ● Shibboleth (Federation)
      ● ConnId (Identity Connectors)
      ● 389 Directory Server (Identity Repository)
  22. Open Source Identity Ecosystem.
      ● Pure open source model: any engineer can have complete understanding of the technology; technological excellence and efficiency
      ● Standardized or open source interfaces: unlimited integration options; replaceable components → no vendor lock-in
      ● Cooperation instead of domination: trade influence for control to get substantial benefits
  23. Ecosystem deployment examples.
      ● OpenLDAP (Directory Server) + midPoint (Identity Provisioning) + CAS (Single Sign-On)
      ● 389ds (Directory Server) + Apache Syncope (Identity Provisioning) + Shibboleth (Federation)
      ● OpenLDAP (Directory Server) + Fortress (IAM SDK) + custom application
  24. Ecosystem deployment examples. (Diagram: two deployments; in both, the provisioning system, midPoint in one and Apache Syncope in the other, uses the ConnId Identity Connector Framework with a ConnId Unix Connector, a custom SAP Connector and the midPoint LDAP Connector, the LDAP connector talking to OpenLDAP in one deployment and to 389ds in the other.)
  25. We know that it works, because...
      ● we have tested the technology: test suites, pilots, real projects
      ● we share the same goal
      ● there are business agreements in place
  26. Join the Ecosystem now!
  27. Questions and Answers.
  28. Radovan Semančík, www.evolveum.com. Thank you.