Magnolia Conference 2009         © deron GmbH   September 200




Identity Management and Magnolia

                       Ralf Hirning




Introduction

IDM User Study 2009

IDM – an Overview

IDM Magnolia Integration

Integration Module






Company
 Spin Off from Fraunhofer Gesellschaft
 Foundation in 2001
 25 employees
 Locations
    Headoffice Stuttgart
    Köln / Burscheid
    Hamburg
    Zürich


Ralf Hirning
 15 years IT consulting and project management
 10 years CMS projects
 Magnolia projects
 Magnolia training
 Now: Identity Management consulting






IDM: IT Business Process Management


Identity Management Usage

[Pie chart: "Identity Management Einsatz" (identity management in use), source: deron]
    yes: 23%
    introducing: 7%
    planned: 36%
    no: 34%


Definition of Processes ...

[Bar chart: "Definition der IT-Geschäftsprozesse" (definition of the IT business processes), source: deron]
    Series: internal employee [with IdM], internal employee [without IdM],
            external employee [with IdM], external employee [without IdM]
    X axis: IT business process: create, activate, deactivate, delete
    Y axis: frequency (in percent), 0% to 100%


but ...

[Bar chart: "Definition der Änderungsprozesse" (definition of the change processes), source: deron]
    Series: internal employee [with IdM], internal employee [without IdM],
            external employee [with IdM], external employee [without IdM]
    X axis: IT business process of the change: name change, password change,
            organization change (department change), function change,
            project membership, responsibility for technical / functional accounts
    Y axis: frequency (in percent), 0% to 100%






IDM functional layers

 Business-Layer (HR, Orga):
  Personal information
  Business role model
  IT business process
  (entry of new user information, approval process for new accounts)

 IDM-Layer:
  Central identity store
  Middleware

 Infrastructure (Microsoft Active Directory, Help Desk, SAP, VPN, further applications):
  Provisioning
  Authorization management
  synchronization


Business Processes & IDM Components

 Components of Identity & Access Management:
  Meta-store for accounts
  Provisioning
  Workflow-Management
  User Self Service
  Role Based Access Control
  Single Sign On
  Federation
  Audit
  Public Key Infrastructure


IDM: The classical approach

[Diagram: HR -> IDM -> ADS; rule-based processing of the information from HR,
 rule-based further processing of the data (provisioning)]

pros:
    data synchronization
    simple initial user setup
    fast implementation

cons:
    a complete base installation is necessary
    no workflow integration
    overall benefits are low


IDM: workflows and authorization management

pros:
    workflow integration
    extended user administration

cons:
    No auditing and reporting tools
    No role management


IDM: business roles & compliance

[Diagram: HR / ORGA supply personal data and organizational membership; the user
 self-service offers access-right requests and password self-service; RBAC with a
 multi-level approval procedure (Manager A, B, C) and escalation scenarios (deputy
 rules, etc.); a web front end for IDM administration, audit and reporting; rule-based
 further processing of the data; in ADS: creation of a home directory, creation of the
 user and placement within the structure, automated assignment of group membership]

pros:
    audit and reporting in place
    extended user administration

cons:
    Additional expenses
    Long term strategy necessary


Real Challenge: multiple different Life-Cycles

[Diagram of four life cycles, German labels translated]
  Employee life cycle: create, activate / reactivate, change, deactivate, delete
  Mail distribution list life cycle: create, change, delete
  Project life cycle: create, change, check
  Collective user (Sammeluser) life cycle: create, change, check, delete


Real Challenge: multiple different change types

[Diagram: employee life cycle (create, activate / reactivate, change, deactivate, delete)
 with the "change" step broken down into change types]
    name
    function
    organization
    project member
    deprovisioning
    ...


Real Challenge: organizational change

[Diagram: over time t a user moves from OU 'old' to OU 'new'; old permissions belong
 to OU 'old', new permissions to OU 'new']

    OU = organizational unit






Email Integration

[Diagram: IDM -> send email -> Admin -> Magnolia (JCR); the IDM notifies a Magnolia
 admin by email, who applies the change in the Magnolia JCR]


LDAP Integration

[Diagram: IDM -> sync -> LDAP -> Magnolia LDAP Connector -> Magnolia (JCR); the IDM
 synchronizes users into LDAP, from where Magnolia's LDAP Connector reads them]


Direct Integration

[Diagram: IDM -> Query / Create / Modify / Delete -> Remote Module -> Magnolia (JCR);
 the IDM sends commands directly to a Remote Module in Magnolia, which applies them
 to the JCR]






Remote Module - Filter
 Create filter to handle remote requests
 Define a URL pattern for the filter to handle
    /.remote/…


Remote Module – XML Query
<?xml version="1.0" encoding="UTF-8"?>
<mgnl-command>
  <query repository="users"
    language="xpath"
    statement="//*"
    event-id="0815"/>
</mgnl-command>


Remote Module – XML Create


Remote Module – Config tag handler

 Create tag handler for
    delete
    move
    rename
    …
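An added example, not code from the deron remote module or from Magnolia: a dispatcher for the mgnl-command documents of the XML Query slide that routes each element to a registered tag handler, as the Config tag handler slide suggests. The /.remote/ path check, the query tag and its attributes come from the slides; the repository allowlist, the delete tag's path attribute and the use of event-id to skip a retransmitted command are assumptions.

```python
"""Dispatcher for mgnl-command XML documents sent to the /.remote/ filter.

Added example, not the deron module's code. Assumptions: each child element
of <mgnl-command> is one operation, carries an event-id that the caller
remembers, and the IDM may only touch the workspaces in ALLOWED_REPOS."""
import re
import xml.etree.ElementTree as ET

REMOTE_PATH = re.compile(r"^/\.remote/")              # URL pattern from the slide
ALLOWED_REPOS = {"users", "usergroups", "userroles"}  # assumed allowlist of workspaces
ALLOWED_QUERY_LANGUAGES = {"xpath"}                   # the slide's query language


class CommandError(Exception):
    """Raised for any command the dispatcher refuses to execute."""


def handle_query(el):
    """Tag handler for <query>: allowlisted repository and language only."""
    repo = el.get("repository")
    if repo not in ALLOWED_REPOS:
        raise CommandError(f"repository not permitted: {repo!r}")
    if el.get("language") not in ALLOWED_QUERY_LANGUAGES:
        raise CommandError(f"query language not permitted: {el.get('language')!r}")
    if not el.get("statement"):
        raise CommandError("query without statement")
    return {"op": "query", "repository": repo, "statement": el.get("statement")}


def handle_delete(el):
    """Tag handler for <delete> (path attribute assumed): absolute JCR path, no '..'."""
    path = el.get("path", "")
    if not path.startswith("/") or ".." in path.split("/"):
        raise CommandError(f"bad path: {path!r}")
    return {"op": "delete", "path": path}


# One handler per tag; a tag without a registered handler is rejected,
# not silently ignored, so an unexpected operation never reaches the JCR.
HANDLERS = {"query": handle_query, "delete": handle_delete}


def dispatch(request_uri, body, seen_events):
    """Validate one remote request and run each command through its tag handler.

    seen_events: set of event-ids already processed; a repeated event-id is
    reported as replayed and not applied a second time.
    """
    if not REMOTE_PATH.match(request_uri):
        raise CommandError(f"not a remote request: {request_uri!r}")
    if "<!DOCTYPE" in body:
        raise CommandError("DTDs are not accepted")  # no entity definitions from the client
    root = ET.fromstring(body.encode("utf-8"))
    if root.tag != "mgnl-command":
        raise CommandError(f"unexpected root element <{root.tag}>")
    results = []
    for el in root:
        event_id = el.get("event-id")
        if not event_id:
            raise CommandError(f"<{el.tag}> without event-id")
        handler = HANDLERS.get(el.tag)
        if handler is None:
            raise CommandError(f"no tag handler for <{el.tag}>")
        if event_id in seen_events:
            results.append({"op": el.tag, "event-id": event_id, "replayed": True})
            continue
        result = handler(el)
        result["event-id"] = event_id
        seen_events.add(event_id)
        results.append(result)
    return results


# Constructed sample input: the query document from the slide.
QUERY_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<mgnl-command>
  <query repository="users"
    language="xpath"
    statement="//*"
    event-id="0815"/>
</mgnl-command>
"""

if __name__ == "__main__":
    print(dispatch("/.remote/command", QUERY_DOC, set()))
```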




Ralf Hirning
deron GmbH
Schelmenwasenstr. 32
70567 Stuttgart
Germany
