OpenIDM: An Introduction
IRM Summit 2014
Matthias Tristl
Objectives
Upon completion of this presentation, you should be able to:
■ Describe where OpenIDM fits into the OIS
■ Describe the Business Needs for OpenIDM
■ Describe IDM Use Cases Addressed by OpenIDM
■ Describe OpenIDM Features
Pillars of IAM
Classic scenario I
User wants to use an application... which does not require any of ForgeRock's products, but ...
(Diagram: User, Application)
Classic scenario II
Centralization of Authentication
(Diagram: User, Application)
... and ...
Classic scenario III
Central Authorization
(Diagram: User, Application)
Classic scenario V
Identity Management
(Diagram: User, Application, HR DB)
Common Use Cases
• Provisioning
• De-Provisioning
• Compliance and auditing
• Password management
Provisioning
• Depending on a user's business role and predefined rules, a new user will:
  • Get accounts on backend systems on create
  • Get default group/role membership
• Therefore a central instance is needed which
  • Connects to all relevant systems
  • Is able to sync user attributes and memberships
  • Can automatically apply rules
• Manager, approving persons and end-user need well defined access to the user's data
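The rule-driven provisioning described on this slide, together with the de-provisioning use case listed earlier, is modelled below as an added example. It is not OpenIDM code: OpenIDM implements the same idea in its Sync/Recon service with JavaScript or Groovy mappings and OpenICF connectors. The HR records, the business-role rules, the target-system snapshot and the function names (`desired_accounts`, `reconcile`) are all constructed for the illustration.

```python
"""Rule-driven provisioning and reconciliation, modelled in Python (added example)."""

# Constructed sample source data, standing in for the HR DB.
HR_RECORDS = [
    {"employeeId": "1001", "uid": "alice", "mail": "alice@example.com",
     "businessRole": "finance", "active": True},
    {"employeeId": "1002", "uid": "bob", "mail": "bob@example.com",
     "businessRole": "engineering", "active": True},
    {"employeeId": "1003", "uid": "carol", "mail": "carol@example.com",
     "businessRole": "finance", "active": False},   # left the company
]

# Predefined rules (constructed): business role -> backend systems and default groups.
BUSINESS_ROLE_RULES = {
    "finance": {"systems": ["ldap", "erp"],
                "groups": ["cn=finance,ou=Groups,dc=example,dc=com"]},
    "engineering": {"systems": ["ldap", "git"],
                    "groups": ["cn=dev,ou=Groups,dc=example,dc=com"]},
}

# Constructed snapshot of what the target systems currently hold.
TARGET_STATE = {
    "ldap": {
        "bob": {"uid": "bob", "mail": "bob@old.example.com", "groups": []},
        "dave": {"uid": "dave", "mail": "dave@example.com", "groups": []},  # orphan: no HR record
    },
    "erp": {},
    "git": {},
}


def desired_accounts(record):
    """Apply the rules to one HR record: {system: account}, or {} for inactive users."""
    if not record["active"]:
        return {}
    rule = BUSINESS_ROLE_RULES.get(record["businessRole"])
    if rule is None:
        return {}   # unknown business role: provision nothing rather than guess
    account = {"uid": record["uid"], "mail": record["mail"], "groups": list(rule["groups"])}
    return {system: account for system in rule["systems"]}


def reconcile(source, target):
    """Compare desired state with target state.

    Returns a list of (action, system, uid) tuples. DELETE covers both
    de-provisioning of inactive users and orphan accounts with no source record.
    """
    desired = {}
    for record in source:
        for system, account in desired_accounts(record).items():
            desired.setdefault(system, {})[account["uid"]] = account

    actions = []
    for system in sorted(set(desired) | set(target)):
        want = desired.get(system, {})
        have = target.get(system, {})
        for uid in sorted(set(want) | set(have)):
            if uid in want and uid not in have:
                actions.append(("CREATE", system, uid))
            elif uid in want and want[uid] != have[uid]:
                actions.append(("UPDATE", system, uid))   # attribute or membership drift
            elif uid not in want:
                actions.append(("DELETE", system, uid))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_RECORDS, TARGET_STATE):
        print(action)
```

Running it against the constructed data yields creates for alice (ldap, erp) and bob (git), an update for bob's drifted LDAP entry, and a delete for the orphan dave; carol is inactive and gets nothing. In a real deployment the DELETE branch for orphans is usually configured as report-only or quarantine first, because an orphan may be a legitimate account that the HR feed simply does not know about.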
(Diagram: HR DB, User, Central Provisioning, ICF)
Passwords
• Passwords can be changed at a central place and distributed to external systems based on flexible rules and password policies
• The provisioning engine needs to detect password changes from an external resource
• User administrators and end users need well defined access to the user's passwords
• A password reset mechanism is in place
• Passwords which have been reset can be sent to the end user in a secure way
Password Distribution
(Diagram: User changes password)
OpenIDM Components
• Java → min 1.6 update 24 (on Win: Java 7)
• OSGi → implementation: Felix
• Servlet container → implementation: Jetty
• Repository → OrientDB, MySQL and others
• JSON → structure for configurations
• OpenICF → local or remote connector server
• Connectors to external systems → e.g. AD, LDAP, file...
• Activiti → workflow engine
OpenIDM Architecture
(Diagram: Jetty Web Server; Authentication Filter (JASPI); ForgeRock REST Router; ForgeRock UI Framework; Business Logic (Javascript, Groovy, Java); Configuration; Managed Users; Sync/Recon; System (Connectors); Scheduler; Workflow; Audit/Logs; Policy; Audit; Persistence (OrientDB); OSGI; External Resources)
The REST Interface
• Representational State Transfer (REST)
• Conforming to the REST constraints is generally referred to as being "RESTful"
• REST utilizes HTTP methods:
  • GET
  • PUT
  • POST
  • DELETE
  • HEAD
  • PATCH
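To make the six HTTP methods concrete, here is an added example (not OpenIDM code) of a minimal managed-object store that gives each method the meaning it has on an identity object. It follows the optimistic-concurrency pattern OpenIDM's REST interface uses, where every object carries `_id` and `_rev` and a client sends the revision it last read in an `If-Match` header, and it accepts PATCH operations in the `{"operation": ..., "field": ..., "value": ...}` form OpenIDM uses. The `ManagedStore` class, the exception names and the numeric revision scheme are constructed for the illustration; URL routing is not modelled.

```python
"""RESTful managed-object store with revision checks (added example, not OpenIDM code)."""
import copy
import uuid


class ConflictError(Exception):
    """If-Match did not match the stored _rev: a stale write was rejected."""


class NotFoundError(Exception):
    """No object with that _id."""


class ManagedStore:
    def __init__(self):
        self._objects = {}

    def post(self, obj):
        """POST (create): the server assigns _id and the initial _rev."""
        new = copy.deepcopy(obj)
        new["_id"] = str(uuid.uuid4())
        new["_rev"] = "1"
        self._objects[new["_id"]] = new
        return copy.deepcopy(new)

    def get(self, obj_id):
        """GET: read one object by _id."""
        if obj_id not in self._objects:
            raise NotFoundError(obj_id)
        return copy.deepcopy(self._objects[obj_id])

    def head(self, obj_id):
        """HEAD: existence check without transferring the body."""
        return obj_id in self._objects

    def put(self, obj_id, obj, if_match="*"):
        """PUT: full replace; creates with a client-chosen _id when absent and If-Match is *."""
        current = self._objects.get(obj_id)
        if current is None:
            if if_match != "*":
                raise NotFoundError(obj_id)
            new_rev = "1"
        else:
            self._check_rev(current, if_match)
            new_rev = str(int(current["_rev"]) + 1)
        new = copy.deepcopy(obj)
        new["_id"], new["_rev"] = obj_id, new_rev
        self._objects[obj_id] = new
        return copy.deepcopy(new)

    def patch(self, obj_id, operations, if_match="*"):
        """PATCH: add/replace/remove on top-level fields, applied as one revision."""
        current = self.get(obj_id)
        self._check_rev(self._objects[obj_id], if_match)
        for op in operations:
            field = op["field"].lstrip("/")
            if op["operation"] in ("add", "replace"):
                current[field] = op["value"]
            elif op["operation"] == "remove":
                current.pop(field, None)
            else:
                raise ValueError("unsupported operation %r" % op["operation"])
        return self.put(obj_id, current, if_match=self._objects[obj_id]["_rev"])

    def delete(self, obj_id, if_match="*"):
        """DELETE: remove the object, returning its last state."""
        current = self.get(obj_id)
        self._check_rev(self._objects[obj_id], if_match)
        del self._objects[obj_id]
        return current

    @staticmethod
    def _check_rev(current, if_match):
        if if_match not in ("*", current["_rev"]):
            raise ConflictError("expected _rev %s, got If-Match %s" % (current["_rev"], if_match))


def lost_update_demo():
    """Two administrators edit the same user; the second, stale write is rejected."""
    store = ManagedStore()
    user = store.post({"userName": "alice", "mail": "alice@example.com"})   # constructed user
    a = store.get(user["_id"])
    b = store.get(user["_id"])
    a["mail"] = "alice@finance.example.com"
    store.put(a["_id"], a, if_match=a["_rev"])          # succeeds, _rev becomes "2"
    b["mail"] = "alice@sales.example.com"
    try:
        store.put(b["_id"], b, if_match=b["_rev"])      # still "1": rejected, no silent overwrite
        return False
    except ConflictError:
        return store.get(user["_id"])["mail"] == "alice@finance.example.com"


if __name__ == "__main__":
    print("stale write rejected:", lost_update_demo())
```

The point of the `If-Match` check is that identity data is edited by several actors at once (self-service UI, administrators, reconciliation); without it the last writer silently wins, which can undo a de-provisioning or reintroduce a removed entitlement.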
Native Protocols
(Diagram: Repo DB, DB, JDBC, JNDI, SSH, ADSI, ICF)
Connector Architecture
Activiti Introduction
• A light-weight workflow and Business Process Management software
• BPMN 2 compliant
• A process engine for Java applications
• It's open-source and distributed under the Apache license
• Workflows are deployed as business archives (.bar)
• Workflow definitions are in XML format
Apply for Contractor I
(Diagram: Workflow outline)
Apply for Contractor II
Startup Form: (Screen shot)
Activiti Modeler
Connector Configuration
    "principal" : "cn=Directory Manager",
    "ssl" : false,
    "baseContexts" : ["ou=People,dc=example,dc=com"],
    "groupMemberAttribute" : "uniqueMember",
    "passwordAttribute" : "userPassword",
    "accountSearchFilter" : null,
    "accountObjectClasses" : ["top", ...],
    "maintainLdapGroupMembership" : false,
    "blockSize" : 100,
    "baseContextsToSynchronize" : ["ou=People,dc=example,dc=com"],
    "attributesToSynchronize" : ["uid", ...],
    ...
    {"account" :
        {"nativeType" : "__ACCOUNT__",
         "properties" :
            {"uid" :
                {"type" : "string",
                 "nativeName" : "userName",
                 "nativeType" : "STRING",
                 "flags" : ["NOT_CREATABLE", ...
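Two settings in the fragment above deserve a second look before such a configuration goes live: `"ssl" : false` means the connector binds to the directory and synchronises attributes (including password writes through `passwordAttribute`) without TLS, and `"principal" : "cn=Directory Manager"` binds as the directory's root user rather than a service account scoped to the base contexts. The following added example (not OpenIDM's own tooling) parses a configuration fragment of this shape and reports those findings, alongside a hardened counterpart. Only the property names come from the slide; the sample values, the service-account DN and the `lint_connector_config` function are constructed.

```python
"""Review checks over an LDAP connector configuration fragment (added example)."""
import json

# Constructed fragment with the same property names as the slide.
WEAK_CONFIG = json.loads("""
{
  "principal": "cn=Directory Manager",
  "ssl": false,
  "baseContexts": ["ou=People,dc=example,dc=com"],
  "groupMemberAttribute": "uniqueMember",
  "passwordAttribute": "userPassword",
  "accountSearchFilter": null,
  "maintainLdapGroupMembership": false,
  "blockSize": 100,
  "baseContextsToSynchronize": ["ou=People,dc=example,dc=com"],
  "attributesToSynchronize": ["uid", "mail"]
}
""")

# The same fragment with the findings addressed; the service-account DN is an assumption.
HARDENED_CONFIG = dict(
    WEAK_CONFIG,
    principal="cn=openidm-sync,ou=ServiceAccounts,dc=example,dc=com",
    ssl=True,
)


def lint_connector_config(cfg):
    """Return a list of (property, reason) findings; an empty list means no concerns."""
    findings = []
    if cfg.get("ssl") is not True:
        findings.append(("ssl",
                         "bind and synchronisation run without TLS; the bind password and "
                         "every synchronised attribute, including password writes, cross the "
                         "network in clear text"))
    if cfg.get("principal", "").lower().startswith("cn=directory manager"):
        findings.append(("principal",
                         "binds as the directory root user; use a dedicated service account "
                         "with rights limited to the base contexts"))
    if not isinstance(cfg.get("blockSize"), int) or cfg["blockSize"] <= 0:
        findings.append(("blockSize",
                         "paging size is missing or invalid; large directories would be read "
                         "in a single result set"))
    return findings


if __name__ == "__main__":
    for prop, reason in lint_connector_config(WEAK_CONFIG):
        print("%s: %s" % (prop, reason))
    print("hardened:", lint_connector_config(HARDENED_CONFIG))
```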
OpenIDM roles
■ OpenIDM 3.0 will have
  – predefined role objects
  – effective role assignments
    ■ static role assignment
    ■ dynamic role assignment, i.e. based on a rule, attribute …
  – static entitlement assignment
  – dynamic entitlement assignment
OpenIDM role structure
■ Role attributes
  – abstract System Association A (1-to-1 role/system, but changeable)
    ■ entitlementA1
    ■ entitlementA2
    ■ …
  – abstract System Association B (1-to-1 role/system, but changeable)
    ■ entitlementB1
    ■ entitlementB2
    ■ …
  – …
Role Challenges
■ A) when the user is created?
■ B) when the user is updated?
■ C) when the user is de-provisioned?
■ D) when the ROLE is created?
■ E) when the ROLE is updated?
■ F) …
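The three role slides above describe a structure (role → per-system association → entitlements, with static and rule-based dynamic assignment) and then ask what must happen on each lifecycle event. The added example below (not OpenIDM's role implementation) models that structure in Python and shows the recomputation each event requires: a user event re-evaluates one user, while a role event re-evaluates every user holding or matching the role. The role names, systems, entitlement values and condition rules are constructed.

```python
"""Effective roles and entitlements with static and dynamic assignment (added example)."""

# Constructed role definitions. "condition" is None for a static role (granted only when
# listed on the user) or a rule over user attributes for a dynamic role.
ROLES = {
    "finance-analyst": {
        "systems": {"erp": ["GL_READ", "GL_POST"],
                    "ldap": ["cn=finance,ou=Groups,dc=example,dc=com"]},
        "condition": None,
    },
    "all-staff": {
        "systems": {"ldap": ["cn=staff,ou=Groups,dc=example,dc=com"], "mail": ["MAILBOX"]},
        "condition": lambda u: u.get("active", False),
    },
    "contractor-vpn": {
        "systems": {"vpn": ["VPN_ACCESS"]},
        "condition": lambda u: u.get("active", False) and u.get("employmentType") == "contractor",
    },
}


def effective_roles(user, roles=ROLES):
    """Static roles named on the user plus every dynamic role whose condition holds."""
    if not user.get("active", False):
        return set()   # a de-provisioned user keeps nothing, whatever is listed on the record
    static = {r for r in user.get("roles", []) if r in roles and roles[r]["condition"] is None}
    dynamic = {name for name, role in roles.items()
               if role["condition"] is not None and role["condition"](user)}
    return static | dynamic


def effective_entitlements(user, roles=ROLES):
    """{system: set(entitlements)} aggregated over the user's effective roles."""
    entitlements = {}
    for name in effective_roles(user, roles):
        for system, values in roles[name]["systems"].items():
            entitlements.setdefault(system, set()).update(values)
    return entitlements


def diff_entitlements(before, after):
    """Per-system grants to add and to revoke when moving from one state to another."""
    changes = {}
    for system in set(before) | set(after):
        add = after.get(system, set()) - before.get(system, set())
        revoke = before.get(system, set()) - after.get(system, set())
        if add or revoke:
            changes[system] = {"add": add, "revoke": revoke}
    return changes


def on_user_event(user_before, user_after, roles=ROLES):
    """Events A-C: user created (before=None), updated, or de-provisioned (after=None)."""
    before = effective_entitlements(user_before, roles) if user_before else {}
    after = effective_entitlements(user_after, roles) if user_after else {}
    return diff_entitlements(before, after)


def on_role_event(users, roles_before, roles_after):
    """Events D-E: a role was created or updated, so every user must be re-evaluated."""
    changes = {}
    for user in users:
        delta = diff_entitlements(effective_entitlements(user, roles_before),
                                  effective_entitlements(user, roles_after))
        if delta:
            changes[user["uid"]] = delta
    return changes


if __name__ == "__main__":
    alice = {"uid": "alice", "active": True, "employmentType": "employee",
             "roles": ["finance-analyst"]}   # constructed user
    print(effective_entitlements(alice))
    print(on_user_event(alice, dict(alice, active=False)))
```

Event F on the slide is the open-ended one; two cases that usually belong there are a change to the rule behind a dynamic role (handled here like a role update, since the condition lives on the role) and a change to the system association itself, which must revoke on the old system and grant on the new one rather than leave both.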
Other Features
• Task Scheduling
• Cluster OpenIDM for
  • High availability
  • Horizontal scalability
• OpenIDM command line
• Data validation through policies
• Managing Passwords
• Send emails
OpenIDM by Example
■ openidm/samples/sample1…
■ openidm/samples/provisioners/…
■ openidm/samples/workflow
■ openidm/samples/usecases/…
ForgeRock University