Univention IAM and Portal for
Kubernetes
Ingo Steuwer, Univention GmbH
Why containers?
» Kubernetes is becoming the de-facto standard in larger datacenters
» Deutsche Verwaltungscloud-Strategie (DVS)
» Includes: Kubernetes is a must
» Includes: BSI „base security“ („BSI IT Grundschutz“) – containers will allow a higher degree of fulfillment / higher security levels than UCS
» Good technical reasons: automation, scalability, separation of concerns, ...
Image sources:
https://en.m.wikipedia.org/wiki/File:Kubernetes_logo_without_workmark.svg
https://www.it-planungsrat.de/
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2023.html
Univention objectives
» Bring „core Univention functionality“ to Kubernetes
» Identity and Access Management
» Manage identities, rights and related information (UDM, LDAP)
» Single Sign-On (Keycloak)
» Integrations: Provisioning-Backend, Connectors, Integrations
» Portal & Self Service
» Easy access to IT Services and own data for end users
» Share as much as possible with Univention Corporate Server (UCS)
» One codebase, two alternative deployments
» Allow migrations from UCS and combinations with UCS instances
» OSI compliant Open Source Software
Approach: „separation of concerns“ - „divide and conquer“
1) Identify the needed functionality
2) Separation of concerns: group functionality in „blocks“
3) Divide and conquer: individual development of each functional block
midterm objective:
each functional block becomes a dedicated software project: own lifecycle, fixed APIs, ...
Functional blocks
» Identity Store and Directory Service (OpenLDAP)
» Identity Provider (Keycloak)
» Directory Manager (UDM)
» Management UI (UMC)
» Interconnect Service (Authentication Reverse Proxy)
» Provisioning Service (Event Queue)
» Authorization Service (Open Policy Agent)
» End User Self Service (Univention Self Service)
» End User Portal (Univention Portal)
Envision a product – Univention Nubus
Univention Nubus is the enterprise grade open source software solution for integrated identity and access management to connect and combine applications to an end user friendly offering.
http://nubus.io/
Are you „Nubus“ or „UCS“ ?
Nubus:
» Kubernetes deployment
» Demand for scalability and automation
» Mix of standard and individual IAM integrations & configuration
» DevSecOps teams with deep insight into deployment, configuration and software architecture
UCS:
» Virtual Machine or Hardware deployment
» Demand for preconfiguration or interactive deployments
» Standard integrations with easy installation from Univention App Center
» Administration teams with broad expertise which need to cover all day-to-day tasks
Nubus & UCS - same codebase
Image Source: https://icon-icons.com/icon/source-repository/135163
[Diagram: Feature Development, Product Releases, 3rd Party Integrations, Functional Blocks]
Provisioning backend – the only rewrite
» Objective of the provisioning backend: queue „events“ (e.g. „user has been created“) to give integrations the opportunity to react to them.
» Example: Inform a connected service if a user object has been modified.
» In UCS, event handling is done by the chain OpenLDAP → Notifier → Listener
» Analysis: Notifier/Listener concepts are bound to a virtual machine; the changes needed for a move into containers would result in a rewrite.
Decision: re-build from scratch based on http://www.nats.io
Concept new provisioning backend
Involved services: Directory Manager (UDM), Provisioning Service (Event Queue), Authorization Service (Open Policy Agent), Identity Provider (Keycloak)
[Diagram: Event-sources → Event-handling → Event-consumer]
» Event-sources: UDM REST API, Other Services (send events)
» Event-handling: Notification REST API, MOM processing, MOM Backend (nats.io), Consumer REST API, Registration REST API, Prefill Service
» Event-consumers: Open-Xchange Consumer, Portal Consumer, Dovecot Consumer, Other Consumer ... (register consumer)
» Consumers register themselves on deployment
» Backend holds one queue for each consumer
» Prefill allows new consumers to catch up with events
» Access to provisioning APIs needs authentication (with Keycloak as IDP) and authorization (based on OPA)
» Each Consumer is a dedicated Kubernetes Pod (Container / Service)
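To make the queue model on this slide concrete, here is an added in-memory sketch of the concept (not Nubus code, not nats.io): one queue per registered consumer, prefill of a late consumer from the current directory state, and authentication/authorization checks in front of the API. The token table stands in for Keycloak-issued tokens and `policy_allows` for an OPA policy; all names and data are constructed.

```python
"""Constructed in-memory model of the provisioning backend concept: one queue per
consumer, prefill for late consumers, authn/authz gating. Not Nubus code; the
token table and policy function are stand-ins for Keycloak and OPA."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    topic: str             # e.g. "users/user"
    action: str            # "create", "modify" or "delete"
    dn: str                # directory object affected
    prefill: bool = False  # True when produced by the prefill step


class AuthError(PermissionError):
    pass


# Stand-in for Keycloak-issued tokens: token -> (subject, roles). Constructed.
TOKENS = {
    "tok-portal": ("portal-consumer", {"provisioning-consumer"}),
    "tok-ox": ("ox-consumer", {"provisioning-consumer"}),
    "tok-udm": ("udm-rest-api", {"provisioning-source"}),
    "tok-guest": ("guest", set()),
}


def policy_allows(roles, action):
    """Stand-in for an OPA policy: which role may call which API."""
    needed = {"register": "provisioning-consumer",
              "consume": "provisioning-consumer",
              "publish": "provisioning-source"}
    return needed[action] in roles


class ProvisioningBackend:
    def __init__(self, directory):
        # directory: snapshot of existing objects, topic -> [dn, ...];
        # stands in for what the prefill service would read from UDM.
        self.directory = directory
        self.queues = {}         # consumer -> deque of Event (one per consumer)
        self.subscriptions = {}  # consumer -> set of subscribed topics

    def _authorize(self, token, action):
        """Authenticate the token, then ask the policy whether the action is allowed."""
        if token not in TOKENS:
            raise AuthError("unauthenticated")
        subject, roles = TOKENS[token]
        if not policy_allows(roles, action):
            raise AuthError(f"{subject} may not {action}")
        return subject

    def register(self, token, topics):
        """Consumers register on deployment: a fresh queue is created and
        prefilled with the current directory state for the subscribed topics."""
        name = self._authorize(token, "register")
        self.subscriptions[name] = set(topics)
        queue = deque()
        for topic in topics:
            for dn in self.directory.get(topic, []):
                queue.append(Event(topic, "create", dn, prefill=True))
        self.queues[name] = queue
        return name

    def publish(self, token, event):
        """Fan an event out to every consumer subscribed to its topic and
        keep the directory snapshot current for later prefills."""
        self._authorize(token, "publish")
        objects = self.directory.setdefault(event.topic, [])
        if event.action == "create" and event.dn not in objects:
            objects.append(event.dn)
        elif event.action == "delete" and event.dn in objects:
            objects.remove(event.dn)
        delivered = 0
        for name, topics in self.subscriptions.items():
            if event.topic in topics:
                self.queues[name].append(event)  # each consumer gets its own copy
                delivered += 1
        return delivered

    def consume(self, token):
        """Pop the next event from the caller's own queue (None if empty)."""
        name = self._authorize(token, "consume")
        queue = self.queues[name]
        return queue.popleft() if queue else None
```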
What happened in 2023
» Iterative approach – try to keep a functioning stack
» I. phase: Detachment of a first „functional block“ (finished in Q1/23)
» PoC: Portal – split into several containers, deployed together with a full UCS instance
» II. phase: Dev-Env without virtual machine (finished mid-2023)
» All functional blocks run in one or several containers
» III. phase: Kubernetes deployment & functional completeness for „openDesk“ (finished Q4/2023)
» All functionality and integrations needed for openDesk are available
https://gitlab.opencode.de/bmi/opendesk
» All containers are deployed on Kubernetes as part of an automated openDesk HELM deployment
» Disclaimer: Restrictions / workarounds still in place, not for productive use
Current status – what’s included?
» All functional blocks available
» Separation into containers, communication moved into APIs
» Full functionality including integrations needed for openDesk
» Shared code, containers and binaries with UCS
» For example, the Keycloak container in UCS has seen improvements based on Nubus implementations
» Review based on BSI Base Security („Grundschutz“) with high level of fulfillment
» Example: Standardized and reduced container images (based on „Debian Slim“ image builds)
» Core of new Provisioning backend is implemented (but not yet in use)
» Provisioning Workaround based on Listener/Notifier in place
» New Authorization Framework provided as part of the „Rights and Roles“ project (but not yet in use)
» „Guardian“, based on OPA https://www.openpolicyagent.org/
Features of Nubus, which are not (yet) in UCS
» New provisioning backend
» Not yet decided if/how to be integrated in UCS
» „Brute force detection“ for Keycloak
» Objectives:
» Inform end users about logins from new devices
» (Temporarily) block devices or accounts with suspicious activities (too many failed logins)
» Companion containers for a Keycloak deployment, will be ported to UCS
» Notification API of the Portal
» Objective: process information from Services and inform end users in the portal
» Currently no integration finished, port to UCS after initial integrations available
Current status – what’s needed for a first release?
» Finish new provisioning backend & integrations
» Full „maintainability“ – close gaps in test coverage and the release process
» Provide standard deployments (independent from openDesk)
» Address last findings from BSI base security review
» Documentation
Next steps – expected in 2024
» Finish open tasks for first production usage
» First stable releases will be focused on individual projects
» Continue work in openDesk
» First releases focused on integration partners,
first partner: Dataport / Phoenix
» Availability as enterprise product
» Will offer more flexible integration modules and APIs
» Migration from existing UCS deployments to Univention Nubus
Outlook: Migration & Integration with UCS
» Migration from existing UCS instances
» Tooling to migrate data and configuration from UCS to Univention Nubus
» Expectation: Nubus will replace Primary and Backup UCS Nodes in one downtime
» Co-existence
» Scenarios: Univention Nubus as leading IAM in a datacenter, UCS instances as „satellites“
» Example: UCS instances in schools
» Idea: Univention Nubus emulates standard services of a UCS Primary Node
→ no timeline yet
Feedback welcome!
Univention Nubus is in an early stage – best time to give feedback!
» Test it with openDesk: https://gitlab.opencode.de/bmi/opendesk
» Univention Nubus fits into your project? Get in touch with me!
» Use UCS to get started with Univention IAM and Portal functionality
MANY THANKS!
Ingo Steuwer
Univention GmbH
steuwer@univention.de
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024