manfred-furuholmen
Managing OpenAFS users with OpenIDM
October 2011
Identity Management
Agenda
• Problem
• Identity Management
• OpenIDM
• AFS Integration
Identities
One person, many accounts and identities:
• afs: [email protected]
• Krb5: manfred/[email protected]
• Krb5: [email protected]
• AD: fabriziom
• Unix: manfred
• …
System Identities
Identities
• The user has to remember one password and one account per system.
• System administration has to handle account distribution, permissions and audit for every one of them.
Identity Management
Wikipedia “Identity management (or ID management, or simply IdM) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an organization) and controlling access to the resources in that system by placing restrictions on the established identities of the individuals…”
IdM
IdM covers many areas:
• Identity management system (identification, permission, ...)
• Legal: deals with data-protection legislation
• Police: deals with identity theft
• Social and humanity: deals with issues such as privacy
• Security: manages elements such as access control
• Organizations: hierarchies and divisions of access
IdM
IdM is not a piece of software, it is a project.
Overview
OpenIDM
OpenIDM is an identity management solution based on open standards “In addition to being open source, OpenIDM offers high flexibility in business process handling and compliance. A flexible user interface combined with a robust workflow engine make OpenIDM ready for any identity management project…”
Architecture
Architecture: Core Services

Object Model
Artifacts handled by OpenIDM are Java object representations of the JavaScript object model as defined by JSON.

Managed Objects
A managed object is an object that represents the identity-related data managed by OpenIDM.

System Objects
System objects are a pluggable representation of objects on external systems. There is a default implementation for the OpenICF framework, which allows any connector object to be represented as a system object.

Mappings
The mappings define the policies between source and target objects and their attributes during synchronization and reconciliation. Mappings may also define triggers for validation, customization, filtering, and transformation of the source and target objects.

Synchronization and Reconciliation
Reconciliation provides for on-demand or scheduled comparison of resources between the OpenIDM managed object repository and source or target systems.
Architecture: Infrastructure Modules

Scheduler
The scheduler is a cron-like scheduling component used to schedule regular synchronizations and reconciliations.

Script Engine
The script engine is a pluggable module that provides the triggers and plugin points for OpenIDM.

Audit Logging
Auditing logs all relevant system activity to the configured log stores. This includes the data from reconciliation as a basis for reporting, as well as detailed activity logs that capture operations on the internal (managed) and external (system) objects.

Repository
The repository provides a common abstraction for a pluggable persistence layer. Plugged-in repositories can be NoSQL or relational databases, LDAP, or even flat files. The repository API operates on a JSON-based object model with RESTful principles consistent with the other OpenIDM services.
Architecture
OpenIDM
Figure: OpenIDM data flow. The Scheduler fires a trigger; the Mapper reads a Source System Object, applies the mapping and writes the Target System Object, with managed objects kept in the internal db. Managed objects are created through the REST interface, for example:

$ curl --header "X-OpenIDM-Username: openidm-admin" \
       --header "X-OpenIDM-Password: openidm-admin" \
       --header "Content-Type: application/json" \
       --request PUT \
       --data '{"name":"joe","firstname":"joe","lastname":"smith","email":"[email protected]"}' \
       http://localhost:8080/openidm/managed/user/joe

openidm-admin/openidm-admin is the default administrative account shipped with OpenIDM: change it before the REST interface is reachable by anyone else, and do not send those headers over plain http outside a test setup.
OpenIDM: Mapper Object

{
  "name": string,
  "source": string,
  "target": string,
  "validSource": script object,
  "validTarget": script object,
  "correlationQuery": script object,
  "properties": [ property object, … ],
  "policies": [ policy object, … ],
  "onCreate": script object,
  "onUpdate": script object
}

Synchronization of a single object can also be triggered over REST:

POST /openidm/system/xml/account/jsmith?action=sync …
OpenIDM: sync.json mappings (AD → managed/user, managed/user → PTS)

{
  "mappings" : [
    {
      "name" : "systemADAccounts_managedUser",
      "source" : "system/ad/account",
      "target" : "managed/user",
      "properties" : [
        { "source" : "sAMAccountName", "target" : "name" },
        { "source" : "sn", "target" : "lastname" },
        { "source" : "givenName", "target" : "firstname" }
      ]
    },
    {
      "name" : "managedUser_systemPtsAccounts",
      "source" : "managed/user",
      "target" : "system/pts/account",
      "properties" : [
        { "source" : "name", "target" : "name" },
        { "source" : "_id", "target" : "aid" }
      ],
      "policies" : [
        { "situation" : "CONFIRMED", "action" : "UPDATE" },
        { "situation" : "FOUND", "action" : "UPDATE" },
        { "situation" : "ABSENT", "action" : "CREATE" },
        { "situation" : "AMBIGUOUS", "action" : "EXCEPTION" },
        { "situation" : "MISSING", "action" : "UNLINK" },
        { "situation" : "UNQUALIFIED", "action" : "DELETE" },
        { "situation" : "UNASSIGNED", "action" : "DELETE" }
      ]
    }
  ]
}

Two things to check before running this against a production cell: a PTS user id (aid) must be a positive integer and cannot be changed once the entry exists, so the _id → aid mapping only works if the managed user ids are numeric; and DELETE for UNQUALIFIED/UNASSIGNED removes the PTS entry, which drops the user from every group and orphans every ACL entry that references it, so start with EXCEPTION or IGNORE for those situations and move to DELETE only once the reconciliation report looks right.
OpenIDM
OpenIDM: provisioner object-type schema (excerpt)

{
  "account" : {
    "$schema" : "http://json-schema.org/draft-03/schema",
    "id" : "__ACCOUNT__",
    "type" : "object",
    "nativeType" : "__ACCOUNT__",
    "properties" : {
      "name" : {
        "type" : "string",
        "nativeName" : "__NAME__",
        "nativeType" : "JAVA_TYPE_PRIMITIVE_LONG",
        "flags" : [ "NOT_CREATABLE", "NOT_UPDATEABLE", "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ]
      },
      ...
Integration
PTS integration
Operations
• User operations
• Group operations
Connection options
• OpenICF custom connector
• Command line
• Sync/reconciliation from file
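The following is an added example, not code from the slides, from OpenIDM or from OpenAFS. It shows what the "command line" / "sync from file" option amounts to in practice: a dry-run reconciliation of OpenIDM managed users against the OpenAFS protection database that classifies every account with the situation names used in the sync.json policies (FOUND, ABSENT, UNQUALIFIED, ...) and turns the policy action into the pts command it implies. The pts output and the managed/user objects are constructed samples; the pts command names used (pts listentries, pts createuser -name -id, pts delete -nameorid) are the real OpenAFS ones, everything else is this example's own.

```python
"""Dry-run reconciliation of OpenIDM managed users against OpenAFS PTS.

Added example, not the slides' or the projects' own code. Situations follow
the sync.json policy table; there is no link table here, so a target
correlated by name is reported as FOUND rather than CONFIRMED.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `pts listentries` output (layout as printed by
# OpenAFS; the entries are made up for this example).
SAMPLE_PTS_LISTENTRIES = """\
Name                          ID  Owner Creator
system:administrators       -204   -204     -204
anonymous                  32766   -204     -204
admin                          1   -204     -204
joe                          100   -204        1
olduser                      101   -204        1
"""

# Constructed sample of managed/user objects after the AD -> managed/user
# mapping ran; _id is what the slides' second mapping copies to the PTS aid.
SAMPLE_MANAGED_USERS = [
    {"_id": "100", "name": "joe"},     # already in PTS with the same id
    {"_id": "102", "name": "alice"},   # not yet in PTS
    {"_id": "abc", "name": "bob"},     # non-numeric id: cannot become a PTS id
]

# Entries PTS creates itself; never create, update or delete these.
PTS_RESERVED = {"anonymous", "admin"}


def parse_pts_listentries(text: str) -> Dict[str, int]:
    """Return {name: id} for user entries. Groups (negative ids) are dropped
    and the header line never matches the numeric pattern."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*$", line)
        if m and int(m.group(2)) > 0:
            users[m.group(1)] = int(m.group(2))
    return users


def reconcile(managed: List[dict], pts_users: Dict[str, int]) -> List[dict]:
    """Classify every source (managed) and target (PTS) account and attach
    the pts command the policy action would need (None when nothing to run)."""
    results: List[dict] = []
    seen = set()
    for user in managed:
        name, uid = user["name"], str(user["_id"])
        seen.add(name)
        if name in PTS_RESERVED:
            results.append(dict(name=name, situation="SOURCE_IGNORED", action="IGNORE", command=None))
        elif name in pts_users:
            if str(pts_users[name]) == uid:
                # PTS holds nothing but name and id, so UPDATE is a no-op here.
                results.append(dict(name=name, situation="FOUND", action="UPDATE", command=None))
            else:
                # Same name, different id: PTS ids are immutable, so raise it.
                results.append(dict(name=name, situation="FOUND", action="EXCEPTION", command=None))
        elif uid.isdigit() and int(uid) > 0:
            results.append(dict(name=name, situation="ABSENT", action="CREATE",
                                command=["pts", "createuser", "-name", name, "-id", uid]))
        else:
            # The _id -> aid mapping cannot be honoured; surface it, do not guess an id.
            results.append(dict(name=name, situation="ABSENT", action="EXCEPTION", command=None))
    for name in sorted(pts_users):
        if name not in seen and name not in PTS_RESERVED:
            results.append(dict(name=name, situation="UNQUALIFIED", action="DELETE",
                                command=["pts", "delete", "-nameorid", name]))
    return results


def plan_commands(results: List[dict], allow_delete: bool = False) -> List[List[str]]:
    """Commands to run. Deletes are withheld unless explicitly allowed, since
    `pts delete` drops group memberships and orphans ACL entries."""
    return [r["command"] for r in results
            if r["command"] and (allow_delete or r["action"] != "DELETE")]


def apply_commands(commands: List[List[str]], pts_bin: str = "pts") -> None:
    """Run the planned pts commands; needs AFS admin tokens on this host."""
    for cmd in commands:
        subprocess.run([pts_bin] + cmd[1:], check=True)


if __name__ == "__main__":
    # Dry run on the constructed samples. For a real cell feed in the stdout of
    # `pts listentries` and the managed users read from /openidm/managed/user.
    plan = reconcile(SAMPLE_MANAGED_USERS, parse_pts_listentries(SAMPLE_PTS_LISTENTRIES))
    for r in plan:
        shown = " ".join(r["command"]) if r["command"] else ""
        print(f'{r["name"]:<10} {r["situation"]:<15} {r["action"]:<10} {shown}')
    print("would run:", plan_commands(plan))
```

The script never deletes unless plan_commands is called with allow_delete=True, which is the same discipline the sync.json policies should follow: see the UNQUALIFIED entries in the report first, then decide whether DELETE is really what you want.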
Integration 1
Figure: OpenIDM (REST interface, internal db) talking to PTS, LDAP, AD and the applications directly over each system's internal/application protocol, with OpenAM alongside for authentication. Managed users are fed in through the REST interface (the curl PUT shown earlier).
Integration 2
Figure: the same OpenIDM core (REST interface, internal db), but with PTS and LDAP on one side and AD and the applications on the other, each group reached over its own internal/application protocol.
Integration
IdM is not IAM! The main IAM components are:
• Authentication
• Authorization
• User management
• Central user repository
IdM
• Know who everyone is in the organisation
• Accurate and consistent people data in all systems
• Single source of data input/storage
• Lower maintenance costs in each application
• Consistency of data across many applications
• People only get access to those systems they need
• Audit
Conclusion
Advantages
• Open
• Flexible
• Support/community
Disadvantages
• Still beta
• Documentation
Integration
OpenIDM Summit November 8th 2011, Darmstadt Germany