Identity Management requires powerful extensibility for handling lifecycle management use cases specific to each business. Legacy identity management solutions handled this poorly, using proprietary scripting languages that were painful and required specialized knowledge. ForgeRock designed OpenIDM with rapid extensibility in mind.
In this webinar, we will provide an overview of OpenIDM, explain the power of OpenIDM's JavaScript / Groovy scripting mechanism and demonstrate how it can be used to build a privileged user management script in fewer than 60 lines of JavaScript code. The sample code will also be made available after the webinar for developers who want to play.
2. Your Guides
■ Tim Sedlack, Product Manager for OpenIDM
■ Anders Askåsen, Senior Technical Product Manager
■ Rob MacDonald, Director of Product Marketing
3. A Quick Agenda
■ Overview of OpenIDM
■ Demo on the power of OpenIDM's extensibility
– Sample code will be made available
■ Q&A
4. Housekeeping
■ This webcast will be on the technical side (after the marketing guy talks)
– We promise he will be short
■ Previous knowledge helpful
– JavaScript, JSON, Groovy, HTML/CSS
5. The Evolution of Identity Management
(figure: timeline of identity populations and the architectures that served them)
– Populations: Employees; Consumers; Employees & Partners; Things
– Architectures: Perimeter; Perimeter + Federation; Perimeter-less + Federation + Cloud / SaaS; Perimeter-less + Federation + Cloud + SaaS + Mobility
6. ForgeRock
Fastest-growing Identity Security Software company in the world
■ Founded 2010 with high double digit growth every year since inception
■ HQ in United States; Offices in United Kingdom, France, Germany, Norway, and Singapore
■ 50% of customers in North America and 50% International
■ Collaborative commercial open source model
■ Single identity platform for agile development & rapid time-to-value
■ Significantly lower cost alternative to legacy vendors
Award winning platform driving innovation worldwide
■ Gold winner of the CEO World awards 2014
■ Silver Winner in the 6th Annual Golden Bridge Award 2014
■ Silver winner for the Fastest-Growing Company of the Year in Best in Biz Awards 2014
7. ForgeRock Identity Platform (diagram: Common Services)
The platform is what makes us unique!
Benefits:
■ Common repeatable platform for rolling out identity services quickly
■ Unified platform optimized for massive scale
■ Strategic approach for long-term identity needs rather than one-off projects
8. Flexible Provisioning Platform
(diagram: OpenIDM in the middle of Directories, Databases and Applications, with AD, Sun, Oracle; SQL, SAP; Cloud, OnPrem as connected systems, plus User self service, Dashboard/Reports and Workflow)
9. Competitive Differentiator by Accelerating time to deployment
• Identity done your way - faster than you ever thought possible
• Connect Users, Devices and Things with an infinitely scalable architecture
• A highly scalable and responsive web based UI
• Footprint
• Open-Source, Java-based architecture built on the OSGi framework.
(diagram: Old World vs New World)
11. OpenIDM Architecture
Getting Started
■ UI
■ Data
■ Extension
■ Export/Reporting
■ Workflow
Two Scripting Languages
■ JavaScript and Groovy
JSON based configuration files
■ Services to consume these files (and configure OpenIDM on the fly)
12. Flexible UI
■ Customizing and Extending
– Branding/Skinning
■ Logos, color schemes, etc
– Adding/removing/adjusting fields
■ Base UI is intended to be extended
■ Match your use cases
– Develop from scratch
■ Rest based API for CREST and IDM
REST
13. How?
■ Customizing the existing UI – theming
– Simple approach: Edit ../openidm/conf/ui-themeconfig.json
– Colors, background images and other common styling options are all under your control
■ Creating your own theme:
– 2 approaches
■ Per project based theme – on-the-fly UI reconfig/skinning
■ All encompassing
■ ../openidm/ui/extension – but be careful!
14. Custom End Points
• The power of a fully operational provisioning system…PLUS!
• Extend OpenIDM to do just about anything…securely and with the benefit of a complete IDM system
• JavaScript or Groovy
15. DEMO
■ Password Check Out
– Allows you to restrict access to privileged account passwords by limiting the users of the service and allowing them to check out a generated (policy-compliant) password for a specific length of time
– Exemplifies OpenIDM extensibility
■ Custom endpoint (Password Checkout)
■ New Role: passwordCheckOutService – limits access to authorized accounts only
■ Background scheduler – for password expiration
■ Follows Password Policy you set in OpenIDM
16. Building a Custom Endpoint
■ Configured and established in conf/endpoint-name.json
– Endpoint-pcs.json
■ Script in /script directory (.js for JavaScript, .groovy for Groovy)
– Added to access.js to restrict access
– PCS directory with 4 scripts:
■ Passwordcheckoutservice.js
■ Passwordcheckoutservicebackgroundscanner.js
■ Passwordcheckoutservicelogmanager.js
■ passwordcheckoutserviceUtils.js
(access.js entry, cut off at the slide edge)
{
    "pattern" : "endpoint/passwordCheckoutServ
    "roles" : "managed/role/passwordCheckout
    "methods" : "read",
    "actions" : "*"
},
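To make the least-privilege effect of an access.js entry like the one above concrete, here is an added example (not OpenIDM's own access.js engine, and not code from the webinar): a simplified evaluator for rules shaped like that snippet. It treats "*" in a pattern as one path segment, which is an assumption made for this example; the rule set and the callers are constructed, the endpoint path "endpoint/passwordCheckout" is assumed, and the role name is taken from the "New Role" bullet on the demo slide.

```javascript
// Added example (not OpenIDM's access.js engine): a simplified evaluator for
// rules shaped like the slide's snippet, so the effect of the
// passwordCheckOutService role can be checked offline. Rule and request
// values below are constructed; the endpoint path is an assumption.

// Turn a rule pattern into a RegExp. Here "*" stands for one path segment
// (a simplification of OpenIDM's wildcard handling, assumed for this example).
function patternToRegExp(pattern) {
  var escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '[^/]+') + '$');
}

// "read,query" -> ["read", "query"]
function toList(value) {
  return String(value).split(',').map(function (s) { return s.trim(); }).filter(Boolean);
}

// Does a single rule permit the request? Every clause must pass.
function ruleAllows(rule, req) {
  if (!patternToRegExp(rule.pattern).test(req.path)) { return false; }
  var roles = toList(rule.roles);
  var hasRole = roles.indexOf('*') !== -1 || roles.some(function (r) {
    return req.roles.indexOf(r) !== -1;
  });
  if (!hasRole) { return false; }
  var methods = toList(rule.methods);
  if (methods.indexOf('*') === -1 && methods.indexOf(req.method) === -1) { return false; }
  if (req.method === 'action') {
    var actions = toList(rule.actions);
    if (actions.indexOf('*') === -1 && actions.indexOf(req.action) === -1) { return false; }
  }
  return true;
}

// Default deny: the request goes through only if some rule allows it.
function isAllowed(rules, req) {
  return rules.some(function (rule) { return ruleAllows(rule, req); });
}

// Constructed rule set. The first entry follows the slide's snippet; the
// endpoint path "endpoint/passwordCheckout" is assumed, the role name comes
// from the slide's "New Role" bullet.
var RULES = [
  { pattern: 'endpoint/passwordCheckout', roles: 'managed/role/passwordCheckOutService',
    methods: 'read', actions: '*' },
  { pattern: 'managed/user/*', roles: 'openidm-admin', methods: '*', actions: '*' }
];

// Constructed callers: Alice holds the checkout role, Bob does not.
function demo() {
  var alice = ['openidm-authorized', 'managed/role/passwordCheckOutService'];
  var bob = ['openidm-authorized'];
  var ep = 'endpoint/passwordCheckout';
  return {
    aliceRead: isAllowed(RULES, { path: ep, method: 'read', roles: alice }),      // true
    aliceUpdate: isAllowed(RULES, { path: ep, method: 'update', roles: alice }),  // false: only "read"
    bobRead: isAllowed(RULES, { path: ep, method: 'read', roles: bob }),          // false: no role
    bobUserList: isAllowed(RULES, { path: 'managed/user/1234', method: 'read', roles: bob }),
    adminUser: isAllowed(RULES, { path: 'managed/user/1234', method: 'read', roles: ['openidm-admin'] })
  };
}
```

The point to check in a real deployment is the same one the test makes: the entry grants "read" on the endpoint path only, so a caller without the role is denied even on the right path, and a caller with the role is denied on any other method.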
17. The Password Checkout Service
Alice and Bob BOTH want to use the Administrator account
(diagram: Alice and Bob -> PasswordCheckout Service -> CSV/SQL downstream system)
1. Alice performs a GET on PCS to check out the password for the admin account
2. PCS checks to see that Alice is a member of the PasswordCheckout Role
3. PCS checks PCS_ValidAccounts to see if Administrator is on the whitelist
4. PCS checks PCS_Requests to see if Administrator is already checked out to another user
5. PCS creates a new complex password that passes policy validation for a set period of time
6. The complex password for Administrator is passed to the downstream system
7. The PCS background scanner runs to see when to reset the password issued to Alice
8. Bob's attempts to check out the password fail until Alice's has expired
9. When Alice's time has reached its limit, the password is reset to an unknown, complex password and marked as ready for checkout (for Bob)
10. All requests are stored in the PCS Request Store for analysis
18. Where could this go?
■ Add request system in the UI
– Workflow for approval
– Extend to limit access times and dates
– Notification on access
– Possibilities are endless
– All with modification to a simple set of JS
– http://identityrelationshipmanagement.blogspot.co.uk/2015/03/building-password-checkout-service-in.html
19. Normalizing Data
■ Customizing Data
– Why would you customize data?
■ Policy compliance
■ Format matching
■ Simplification
– How is this accomplished?
■ Transformation scripts
■ Correlation scripts
■ Situational scripts
20. Transforming Data Examples
■ CamelCase a user name
– Source: tim sedlack
– Target: Tim Sedlack
– source.userName.replace(/\s+(\w)/g, function (v) { return v.toUpperCase().replace(' ', ''); })
■ Transform an email by removing the period from a name
– Source: tim.sedlack@forgerock.com
– Target: timsedlack@forgerock.com
– source.email.replace(".", "")
– (or) source.email.split("@").map(function (val, idx) { return idx === 0 ? val.replace(/\./g, '') : val; }).join("@")
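The two transformations above, as an added example (not code from the webinar): standalone functions with the regular expressions written out in full, plus the pitfall that a regex "." matches any character, so an unescaped dot empties the local part instead of stripping its periods. The `source` object is constructed; the `transformUser` wrapper is an assumption about how such a script would be wired into a property mapping.

```javascript
// Added example (not from the webinar): the slide's two transforms as functions.

// "tim sedlack" -> "Tim Sedlack". The slide's one-liner only matches a letter
// that follows whitespace; anchoring on the start of the string as well gives
// the target shown on the slide, and the whitespace itself is kept.
function camelCaseName(name) {
  return name.replace(/(^|\s+)(\w)/g, function (m, ws, ch) { return ws + ch.toUpperCase(); });
}

// "tim.sedlack@forgerock.com" -> "timsedlack@forgerock.com": dots are removed
// from the local part only; the domain is left alone. /\./g is the escaped dot.
function stripLocalPartDots(email) {
  return email.split('@').map(function (val, idx) {
    return idx === 0 ? val.replace(/\./g, '') : val;
  }).join('@');
}

// The pitfall: /./g (unescaped) matches every character, so the local part
// disappears. Kept here only so the difference is visible in a test.
function stripLocalPartWrong(email) {
  return email.split('@').map(function (val, idx) {
    return idx === 0 ? val.replace(/./g, '') : val;
  }).join('@');
}

// Assumed wiring: a mapping transform receives `source` and returns target values.
function transformUser(source) {
  return { userName: camelCaseName(source.userName), mail: stripLocalPartDots(source.email) };
}

// Constructed source record, as a sync mapping would hand it to the script.
var SAMPLE_SOURCE = { userName: 'tim sedlack', email: 'tim.sedlack@forgerock.com' };
```

Note also that the slide's first email variant, `source.email.replace(".", "")` with a plain string argument, replaces only the first period; the regex form with the `g` flag removes all of them.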
21. Reporting
■ Consuming log data
– Access Log, Activity Log, Reconciliation Log
■ Configuration of logs
– Exposed over REST @ ../openidm/config/audit
– Logtype: csv, repository or router (send to remote systems)
■ Data your way
– Scriptable event types – only log what you want/need!
22. Demo - Workflow
■ OpenIDM provides a workflow engine that is based on Activiti
– An open source project initiated by Alfresco
– ForgeRock is an active community member of Activiti
– Workflow engine uses the industry standard BPMN v2.0
– Easy to leverage third party modelling tools and IDEs
■ Demonstration Workflow - Alter newUserCreate to tweet a welcome message to the new User
23. Preparations
■ Download and install Eclipse (Eclipse for Java developers - Download)
■ Start Eclipse and install the Activiti Designer plugin - Help -> Install new software
– Name: Activiti BPMN 2.0 designer
– Location: http://activiti.org/designer/update/
■ Set up and follow the $OPENIDM/sample/usecase storyline to usecase 2.
■ Add Task to samples/usecases/usecase2/newUserCreate.bar to tweet!
26. Further Reading
■ Using external (REST based) resources
– Using openidm.action("external/rest", "call", params)
■ Policy – scriptable & configurable
– Manageable over REST
– Set up a password policy
– Require area codes or country codes in telephone numbers
– Simple to turn on and off (for OpenIDM Administrators)
■ Logging (Audit and Configuration)