Download as PDF, PPTX
Uploaded byRadovan Semancik
Project midPoint or how a handful of fools fought the Giants
The document discusses the development and features of Midpoint, an open-source identity management product created over five years, which has gained global recognition for its capabilities in provisioning, synchronization, and governance. It highlights the challenges faced by the team in competing against established commercial IDM products and emphasizes the importance of technology, efficiency, and a good architectural foundation for success. Key lessons learned include focusing on a global market and allowing customers to find the product rather than actively seeking them out.
More Related Content
Similar to Project midPoint or how a handful of fools fought the Giants
Project midPoint or how a handful of fools fought the Giants
- 1. Project midPoint or how ahandful of fools fought the Giants Radovan Semančík Open Source Weekend, April 2016
- 2. Radovan Semančík Current: Software Architectat Evolveum Architect of Evolveum midPoint Contributor to ConnId and Apache Directory API Past: Sun LDAP and IDM deployments (early 2000s) OpenIDM v1, OpenICF Many software architecture and security projects
- 3. Project midPoint ● AdvancedIdentity Management Product ● Started 2010-2011 (5+ years, 16 releases) ● more than 500K lines of code (Java) ● World-wide recognition Provisioning Synchronization RBAC Governance Consistency Workflow Audit Authorization Management Self-service Delegated administration Data mapping REST Policy Entitlements Segregation of duties HA Identifiers Notifications Connectors Localization Parametric roles Password reset Organizational structure Web UI Expressions SchemaConditions Extensibility Scripting Bulk actions
- 4. midPoint is usedall around the world
- 5.
- 6. There is nosecurity without identity management
- 7. If you haveno IDM, how can you be sure that ... ● illegal accounts are disabled/deleted? ● temporary accounts are deleted? ● users have only the least privileges? ● the privileges are not accumulated? ● no secondary authentication is possible? ● the data are up to date? (title, affiliation, …) ● notifications and tasks are suspended?
- 8. The solution istrivial Let's put everything in LDAP!
- 9.
- 10. Reality Application Application Application Application S S O Users Application LDAP HR Unsupported No standard (ugly scriptneeded) Unsupported !Custom schema Incompatible schema Relational database Extremely expensive !Expensive Home directory Local copy Incompatible identifiers
- 11. “Single directory” approach isnot going to work … and this has been known for 10 years (at least) *) yet, it might work well for simple and quite homogeneous environments
- 12. Identity and AccessManagement Identity Repository HR Application Application Application Application A M Identity Management Users CRM System Admin Requester Approver Application
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22. What Identity Managementdoes? ● Provisioning ● Synchronization ● Self-service ● Password management ● Credentials distribution (SSH, X.509) ● RBAC ● Organizational structure ● Entitlement management ● Identifier management ● Data mapping ● Segregation of duties ● Workflow ● Notifications ● Auditing ● Reporting ● Governance ● ...
- 25. This IDM lookslike the best thing since the sliced bread. What's the catch?
- 26. This IDM lookslike the best thing since the sliced bread. What's the catch? The commercial IDM products are expensive.
- 27. This IDM lookslike the best thing since the sliced bread. What's the catch? The commercial IDM products are expensive. Very, very expensive.
- 28. Open Source tothe Rescue But … there was no practical FOSS solution The market was taken by Sun, Oracle, IBM, CA, Microsoft, SAP, ... (money, money, money)
- 29. Open Source tothe Rescue one developer, two developers, three developers, … bumpy start (details in the blog) by mid-2011 fully operational 2010-2011 We have started
- 30. Good architecture, codebase, skills No real business plan No customers Big, rich, established competitors 2011 foolishly naïve lunacy
- 31.
- 32.
- 33. No big investor,only FFF (Friends, Family, Fools) Key employees receive shares from profit Early income: anything (really) Current income: subscriptions and professional services 2015: (small) profit money
- 34. Small team (5developers + 2 engineers) Efficiency: Java, formal data model, generated code Cooperation: ConnId, Apache Directory API Developer freedom: no bosses, pet projects, ... Experiments: LDAP, GUI, OpenStack, ... technology
- 35. Great Technology inMidPoint ● Java, Spring, Apache Wicket (nothing special here) ● Good architecture from day one ● Internal scripting: Groovy, JavaScript, Python ● Self-healing system ● Prism Objects ● Advanced Hybrid RBAC ● ...
- 36.
- 38. Classic RBAC →Role explosion Assistant LondonAssistant Bratislava Location Bratislava Location LondonAssistant Employee Assistant Section X Assistant Section Y Assistant Section Z Section X Section Y Section Z Section of Division A Assistant, Section Z, London Assistant, Section Y, London Assistant, Section X, London Assistant, Section Z, Bratislava Assistant, Section Y, Bratislava Assistant, Section X, Bratislava
- 39. Assistant LondonAssistant Bratislava LocationBratislava Location LondonAssistant Employee Assistant Section X Assistant Section Y Assistant Section Z Section X Section Y Section Z Section of Division A Assistant, Section Z, London Assistant, Section Y, London Assistant, Section X, London Assistant, Section Z, Bratislava Assistant, Section Y, Bratislava Assistant, Section X, Bratislava More roles than employees Hard problem of identity management is transformed to much harder problem of role management Classic RBAC → Role explosion
- 40. MidPoint Advanced HybridRBAC Location Bratislava Location London Assistant Employee Section X Section Y Section Z Division A parameter parameter Org. struct Locations
- 41. Most comprehensive opensource IDM system Great engineering team, great technology Recognized by analysts (Gartner, KuppingerCole) World-wide adoption Successfully competing with Oracle, IBM, Microsoft, … success
- 42. Lessons learned ● Forgetabout Slovakia. World is your market! ● Efficiency: Small team, big impact ● Burn money slowly. Wait for the right moment. ● Do no look for customers, let customers look for you. ● Technology matters. A lot. Really. ● Good platform and architecture is crucial ● Newest technology is not always coolest
- 43. Questions and Answers Provisioning Synchronization RBAC Governance ConsistencyWorkflow Audit Authorization Management Self-service Delegated administration Data mapping REST Policy Entitlements Segregation of duties HA Identifiers Notifications Connectors Localization Parametric roles Password reset Organizational structure Web UI Expressions SchemaConditions Extensibility Scripting Bulk actions
- 44. Radovan Semančík www.evolveum.com Thank You Thispresentation is (c) 2016 Evolveum It may be distributed under the terms of Creative Commons CC-BY-ND