WANTED ** Large IT service and operations provider seeks identity management solution supporting 1100+ tenants **

** Tenants ranging from dozens to thousands of users **

** No nonsense! Full range of IDM functionality required **

!! Financial sector - strict tenant separation down to the log file level is a MUST !!

Distributed Architecture and Multi Tenancy


[Diagram: AD and LDAP sources; IDM1, IDM2 … IDM1100, one per tenant T1, T2 … T1100, alongside OpenAM and OpenDJ; REPO x1100]

TRYING TO VISUALISE THIS…

So does OpenIDM ‘do’ multi-tenancy? Formally no… but actually:

YES! Because it’s a well-behaved tenant itself:

- devops friendly

- lightweight and compact

- ForgeRock platform provides integration

Copyright © 2016 ForgeRock, all rights reserved.

BUILDING IDAAS w OpenIDM


▪ swarm of isolated, lightweight OpenIDM instances

▪ no extra Java appserver required

▪ low memory footprint (1GB+)

▪ multi-tenancy down to log level

▪ devops ready

[Architecture diagram: TENANT 1, TENANT 2, TENANT 3 … TENANT 1100, each served by its own instance OpenIDM 1, OpenIDM 2, OpenIDM 3 … OpenIDM 1100; connected systems AD, RACF, SAP, LDAP; ACCESS Layer (e.g. Reverse Proxies with Access Agent; URL Rewrite); IDaaS Service Layer with SAML | OIDC IDP; OpenIDM Repository DATABASE LAYER (e.g. pluggable DB); OpenIDM Audit & Registration DATABASE | FILE | ANY LAYER (e.g. pluggable DB); GIT Repo, Docker, Kubernetes]


HOOKING UP OpenIDM


Tenant config repo holds:

- Dockerfile

- OpenIDM Config
  - auditing & logging
  - endpoint config
  - managed objects
  - system

[Build and launch flow diagram: System Update → Docker Base Image → Setup → Pull OpenIDM Binary (RUN wget; BINARY REPO: File, Git, SVN) → Extract OpenIDM → Add DB Repo Config → Add Tenant specific Config (git clone; TENANT CONFIG REPO / CONFIG REPO, e.g. Git) → Setup container network & proxy (Re-config LB / Access Proxy; etcd/confd; docker data volume) → LAUNCH. Lifecycle operations: UPGRADE, PATCH, START]

POC INGREDIENTS


• Virtual machine host for multiple IDM instances

• Dedicated file system folder per instance

• Binaries deployed (unzipped) via shell script

• Configuration version-controlled and deployed via GitHub

• Script sets up dedicated repo (Amazon RDS), LDAP base DN (OpenDJ) and admin users (OpenAM)

• Script parametrises boot properties (TCP ports, instance name, certificates etc.) and sets up forwarding on IG

ACTUALLY, WHO NEEDS DOCKER?


[Diagram: CLIENT; OPENIG; OPENAM; OPENIDM instances T0234, T1256, T3378, T9402 …; MYSQL (RDS); OPENDJ; SSH to the host holding repo, bin and deploy.sh; GITHUB; AD via CONNECTORS; roles: master admin / global service admin, tenant admin / tenant service admin; tenant URLs https://t9402.forgerock.test and https://idmhost:9402]

DEPLOY.SH

1. Refreshes repo from GitHub

2. Displays inventory of tenant instances

3. Prompts admin for desired operation

CREATE/DEPLOY NEW TENANT

1. Select menu item 1

2. Enter tenant ID

   Script:
   • copies binaries
   • fetches master config from repository
   • applies per-instance settings
   • time to completion: < 5 seconds

3. ‘Y’ to start service; initial startup: < 20 seconds
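The tenant-creation step of the script above, as an added shell example that is not the talk's own deploy.sh: one folder per tenant, binaries copied rather than shared, and every per-instance value written only to conf/boot/boot.properties so the version-controlled master config is copied untouched and resolves them via OpenIDM's `&{property}` placeholders. Assumptions: the tenant ID is "T" plus four digits and those digits are the instance's HTTP port (as in the slides, T9402 → https://idmhost:9402); the directory layout and the property name openidm.repo.db are hypothetical.

```shell
#!/bin/sh
# Added example, not the talk's deploy.sh. One tenant = one isolated OpenIDM
# folder; only conf/boot/boot.properties differs per instance, the master
# conf/ is copied verbatim and refers to these values as &{property}.
# Assumption: tenant ID is "T" + 4 digits, and the digits are the HTTP port
# (as in the slides: T9402 -> https://idmhost:9402).
set -eu

# Validate the tenant ID; a malformed ID must not become part of a path.
tenant_port() {
  case "$1" in
    T[0-9][0-9][0-9][0-9]) printf '%s\n' "${1#T}" ;;
    *) echo "bad tenant id: $1" >&2; return 1 ;;
  esac
}

# deploy_tenant BASE BINDIR MASTERCONF TENANT
#   BASE        root folder holding one sub-folder per tenant
#   BINDIR      unzipped OpenIDM binaries (copied, never shared)
#   MASTERCONF  version-controlled master conf/ directory
deploy_tenant() {
  base=$1 bindir=$2 masterconf=$3 tenant=$4
  port=$(tenant_port "$tenant") || return 1
  inst="$base/$tenant"
  if [ -e "$inst" ]; then
    echo "$tenant already deployed" >&2; return 1
  fi
  mkdir -p "$inst/conf/boot" "$inst/logs" "$inst/audit"
  cp -R "$bindir"/. "$inst"/
  cp -R "$masterconf"/. "$inst/conf"/
  # Per-instance values: own port, own node id, own DB name
  # (openidm.repo.db is a hypothetical property name for this example).
  cat > "$inst/conf/boot/boot.properties" <<EOF
openidm.host=idmhost
openidm.node.id=$tenant
openidm.port.http=$port
openidm.repo.db=idm_$tenant
EOF
  # Tenant-private log and audit folders: separation down to the log file.
  chmod 700 "$inst/logs" "$inst/audit"
  printf '%s\n' "$inst"
}

# Inventory of deployed tenants with their ports (the script's menu item 2).
tenant_inventory() {
  for d in "$1"/T[0-9][0-9][0-9][0-9]; do
    if [ -f "$d/conf/boot/boot.properties" ]; then
      printf '%s %s\n' "${d##*/}" \
        "$(sed -n 's/^openidm.port.http=//p' "$d/conf/boot/boot.properties")"
    fi
  done
}
```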

IDM FEATURES WHICH SAVED OUR DAY


• Scalability: Expands well AND shrinks well - allows for physical co-location of many small instances

• Lightweight and compact - single zip file to distribute

• JSON config - infrastructure as code, easy to manage and deploy

• Built-in parametrisation and auto-replacement of config settings

• License model agnostic to number of instances

• Stack integration - IG and AM re-integrate separate tenants into one solution

THE REAL THING - MOVING TO PROD


• Need Docker after all… swarm + …

• DB Backend

• High-availability - all rats don’t sink with the ship

• SLAs - parallel architecture gives flexibility/granularity

• “The white layer” - integration and translation layer for operational purposes and service access

• IG + AM -> IDM UI + custom endpoints (password reset)

THE DEVOPS FUTURE


• Docker replaces deployment script

• …

© 2017 ForgeRock. All rights reserved.

Docker Support - March 2017

• Sample Dockerfiles provided for all products

• Currently, customers must build their own Docker images from the provided binaries.

• Sample Kubernetes manifests for dev / test / QA environments

• Support for deployment using Docker images

• From a support perspective it’s just another VM platform

Future:

• Provide reference Docker images

• Distribution mechanism TBD - “ForgeRock Docker Registry”

• Reference Kubernetes manifests for large scale production

THE DEVOPS FUTURE


OpenIDM 5.0

• OpenIDM has always been REST/JSON friendly by design from the ground up

• Native support for infrastructure as code (JSON export / import)

• Requires a persistence service (database) that is cluster aware

Enhancements coming in 5.5:

• Enhanced dynamic cluster node handling

• Deal with cluster nodes that come and go (DevOps environment)

• Support for Immutable Server Configuration
  • Configuration read at startup, stored in memory, not in repo
  • Development mode: Configuration is synced back to disk
  • Production mode: Configuration is read only