Project midPoint or how a handful of fools fought the Giants
The story of project midPoint, how it was started, how it works now and how it competes with technology giants

1. Project midPoint or how a handful of fools fought the Giants
   Radovan Semančík, Open Source Weekend, April 2016

2. Radovan Semančík
   Current: Software Architect at Evolveum; Architect of Evolveum midPoint; Contributor to ConnId and Apache Directory API
   Past: Sun LDAP and IDM deployments (early 2000s); OpenIDM v1, OpenICF; Many software architecture and security projects

3. Project midPoint
   ● Advanced Identity Management Product
   ● Started 2010-2011 (5+ years, 16 releases)
   ● more than 500K lines of code (Java)
   ● World-wide recognition
   (feature cloud: Provisioning, Synchronization, RBAC, Governance, Consistency, Workflow, Audit, Authorization, Management, Self-service, Delegated administration, Data mapping, REST, Policy, Entitlements, Segregation of duties, HA, Identifiers, Notifications, Connectors, Localization, Parametric roles, Password reset, Organizational structure, Web UI, Expressions, Schema, Conditions, Extensibility, Scripting, Bulk actions)

4. midPoint is used all around the world

5. (diagram: midPoint as the Identity Management hub between the Identity Repository, HR, CRM, users and applications)

6. There is no security without identity management

7. If you have no IDM, how can you be sure that ...
   ● illegal accounts are disabled/deleted?
   ● temporary accounts are deleted?
   ● users have only the least privileges?
   ● the privileges are not accumulated?
   ● no secondary authentication is possible?
   ● the data are up to date? (title, affiliation, …)
   ● notifications and tasks are suspended?
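The checklist on slide 7 is, in practice, a reconciliation of application accounts against the HR source of truth. The Python below is an added example (not midPoint code): it compares constructed sample records and reports the drift each bullet asks about; the logins, statuses, expiry dates and the title-to-privilege policy are all assumptions.

```python
"""Reconcile application accounts against an HR source of truth.
Added example, not midPoint code; every record below is constructed."""
from datetime import date

# Constructed HR source of truth: login -> employment status, title, expiry
HR = {
    "alice": {"status": "active", "title": "Assistant", "expires": None},
    "bob":   {"status": "terminated", "title": "Engineer", "expires": None},
    "carol": {"status": "active", "title": "Contractor", "expires": date(2016, 3, 31)},
    "dave":  {"status": "active", "title": "Manager", "expires": None},
}
# Assumed policy: privileges a holder of each title is entitled to
POLICY = {"Assistant": {"read"}, "Engineer": {"read", "deploy"},
          "Contractor": {"read"}, "Manager": {"read", "approve"}}
# Constructed state observed in one application
ACCOUNTS = {
    "alice": {"enabled": True, "title": "Assistant", "privs": {"read"}},
    "bob":   {"enabled": True, "title": "Engineer", "privs": {"read", "deploy"}},
    "carol": {"enabled": True, "title": "Contractor", "privs": {"read"}},
    "dave":  {"enabled": True, "title": "Senior Manager",
              "privs": {"read", "approve", "deploy"}},
    "svc_old": {"enabled": True, "title": "", "privs": {"deploy"}},
}

def reconcile(hr, policy, accounts, today):
    """Return sorted (login, finding) pairs for every enabled account that
    disagrees with HR; a clean account produces no finding."""
    findings = []
    for login, acct in accounts.items():
        if not acct["enabled"]:
            continue                                     # disabled: nothing to enforce
        rec = hr.get(login)
        if rec is None:
            findings.append((login, "orphan"))           # illegal account: no owner in HR
            continue
        if rec["status"] != "active":
            findings.append((login, "terminated"))       # leaver still has a live account
        if rec["expires"] is not None and rec["expires"] < today:
            findings.append((login, "expired"))          # temporary account past its end date
        if acct["title"] != rec["title"]:
            findings.append((login, "stale-title"))      # data not up to date
        excess = acct["privs"] - policy.get(rec["title"], set())
        if excess:                                       # accumulated privileges beyond the role
            findings.append((login, "excess:" + ",".join(sorted(excess))))
    return sorted(findings)
```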
8. The solution is trivial: Let's put everything in LDAP!

9. Expectation
   (diagram: applications, users, SSO, LDAP and HR all wired to the single directory)

10. Reality
    (same diagram, annotated: Unsupported; No standard (ugly script needed); Custom schema; Incompatible schema; Relational database; Extremely expensive / Expensive; Home directory; Local copy; Incompatible identifiers)

11. "Single directory" approach is not going to work
    … and this has been known for 10 years (at least)
    *) yet, it might work well for simple and quite homogeneous environments

12. Identity and Access Management
    (diagram: Identity Management between the Identity Repository, HR, CRM and applications, with Users, System Admin, Requester and Approver)

13. How does IDM work?
    (diagram: Identity Management between the Identity Repository, HR and applications)

14. Automatic user provisioning (driven by policies, RBAC and rules)
15. Business As Usual
16. Password reset (self-service)
17. Employee Leaves Company
18. Automatic user deprovisioning (driven by policies, RBAC and rules)
19. Business As Usual
20. Bidirectional Synchronization
21. Policy enforcement (policies, RBAC and rules)
    (slides 13-21 repeat the same diagram for each step of the identity lifecycle)

22. What does Identity Management do?
    ● Provisioning ● Synchronization ● Self-service ● Password management ● Credentials distribution (SSH, X.509) ● RBAC ● Organizational structure ● Entitlement management ● Identifier management ● Data mapping ● Segregation of duties ● Workflow ● Notifications ● Auditing ● Reporting ● Governance ● ...

23. This IDM looks like the best thing since sliced bread. What's the catch?
24. (same slide, continued) The commercial IDM products are expensive.
25. (same slide, continued) Very, very expensive.

26. Open Source to the Rescue
    But … there was no practical FOSS solution. The market was taken by Sun, Oracle, IBM, CA, Microsoft, SAP, ... (money, money, money)

27. Open Source to the Rescue: 2010-2011, we have started
    one developer, two developers, three developers, … bumpy start (details in the blog); by mid-2011 fully operational

28. 2011: foolishly naïve lunacy
    Good architecture, code base, skills. No real business plan. No customers. Big, rich, established competitors.

29. 2011-2014: hard work, no money

30. 2015-2016: success, and beyond

31. Money
    No big investor, only FFF (Friends, Family, Fools). Key employees receive shares from profit. Early income: anything (really). Current income: subscriptions and professional services. 2015: (small) profit.

32. Technology
    Small team (5 developers + 2 engineers). Efficiency: Java, formal data model, generated code. Cooperation: ConnId, Apache Directory API. Developer freedom: no bosses, pet projects, ... Experiments: LDAP, GUI, OpenStack, ...

33. Great Technology in MidPoint
    ● Java, Spring, Apache Wicket (nothing special here)
    ● Good architecture from day one
    ● Internal scripting: Groovy, JavaScript, Python
    ● Self-healing system
    ● Prism Objects
    ● Advanced Hybrid RBAC
    ● ...

34. Prism Objects
    Schema:
      complexType: UserType
        element: givenName
        element: fullName
        …
    Code:
      class UserType {
        String givenName;
        String fullName;
        …
      }
    (diagram also shows SOAP (<wsdl>...</wsdl>), REST (XML, JSON, YAML) and a GUI form "User details" with Given name, Full name, Save and Cancel)

35. Classic RBAC → Role explosion
    (diagram: roles Assistant London, Assistant Bratislava, Location Bratislava, Location London, Assistant, Employee, Assistant Section X, Assistant Section Y, Assistant Section Z, Section X, Section Y, Section Z, Section of Division A, plus the combined roles "Assistant, Section X/Y/Z, London" and "Assistant, Section X/Y/Z, Bratislava")

36. Classic RBAC → Role explosion (same diagram)
    More roles than employees. The hard problem of identity management is transformed into the much harder problem of role management.

37. MidPoint Advanced Hybrid RBAC
    (diagram: the roles Assistant and Employee take parameters; Locations (Bratislava, London) and the Org. struct (Division A with Section X, Section Y, Section Z) supply the parameter values)
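To make the contrast between slides 35-37 concrete, this added Python example (not midPoint code) expands the slide's jobs, sections and locations into a classic role catalog, then resolves the same entitlements from a single parametric job role. The entitlement templates are invented for illustration.

```python
"""Role explosion in classic RBAC versus parametric (hybrid) roles.
Added example, not midPoint code; the entitlement templates are assumptions."""
from itertools import product

# Dimensions taken from the slide: job roles, org. structure sections, locations
JOBS = ["Assistant", "Employee"]
SECTIONS = ["Section X", "Section Y", "Section Z"]
LOCATIONS = ["Bratislava", "London"]

# Hypothetical entitlement templates: one set per job role, parametrised by
# section and location (assumed here, not midPoint's actual data model)
TEMPLATES = {
    "Assistant": ["calendar-{section}", "printer-{location}", "mail-{location}-assistants"],
    "Employee": ["fileshare-{section}", "mail-{location}-staff"],
}

def expand(job, section, location):
    """Entitlements a person with this job, section and location should hold."""
    return {t.format(section=section, location=location) for t in TEMPLATES[job]}

def classic_catalog(jobs, sections, locations):
    """Classic RBAC: every combination becomes its own pre-built concrete role,
    so the catalog grows as jobs x sections x locations."""
    return {f"{job}, {section}, {location}": expand(job, section, location)
            for job, section, location in product(jobs, sections, locations)}

def hybrid_assign(job, section, location):
    """Hybrid RBAC: assign the single job role; section and location are
    parameters bound at assignment time, so no combined role has to exist."""
    return {"role": job,
            "parameters": {"section": section, "location": location},
            "entitlements": expand(job, section, location)}

def role_counts(jobs, sections, locations):
    """Role objects an administrator must maintain in each model; sections and
    locations live in the org. tree, so they are not roles in the hybrid model."""
    return {"classic": len(classic_catalog(jobs, sections, locations)),
            "hybrid": len(jobs)}
```

Adding one more location to the classic catalog adds a role for every job and section; in the hybrid model it adds one org. node and no roles.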
38. Success
    Most comprehensive open source IDM system. Great engineering team, great technology. Recognized by analysts (Gartner, KuppingerCole). World-wide adoption. Successfully competing with Oracle, IBM, Microsoft, …

39. Lessons learned
    ● Forget about Slovakia. World is your market!
    ● Efficiency: Small team, big impact
    ● Burn money slowly. Wait for the right moment.
    ● Do not look for customers, let customers look for you.
    ● Technology matters. A lot. Really.
    ● Good platform and architecture are crucial
    ● Newest technology is not always the coolest

40. Questions and Answers
    (feature cloud repeated from slide 3)

41. Radovan Semančík, www.evolveum.com. Thank You.
    This presentation is (c) 2016 Evolveum. It may be distributed under the terms of Creative Commons CC-BY-ND.
