October 2011 Identity Management

Managing OpenAFS users with OpenIDM


Page 1: Managing OpenAFS users with OpenIDM

October 2011

Identity Management

Page 2

Agenda

• Problem
• Identity Management
• OpenIDM
• AFS Integration

Page 3

Identities

One person, many accounts and identities:

• AFS: [email protected]
• Krb5: manfred/[email protected]
• Krb5: [email protected]
• AD: fabriziom
• Unix: manfred
• …

Page 4

System Identities

Page 5

Identities

User: remember passwords and accounts

System administration: account distribution, permissions, audit

Page 6

Identity Management

Wikipedia: “Identity management (or ID management, or simply IdM) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an organization) and controlling access to the resources in that system by placing restrictions on the established identities of the individuals…”

Page 7

IDM

IdM covers many areas:

• Identity management system (identification, permission, ...)
• Legal – deals with legislation and data protection
• Police – deals with identity theft
• Social and humanity – deals with issues such as privacy
• Security – manages elements such as access control
• Organizations – hierarchies and divisions of access

Page 8

IDM

IdM is not a piece of software, it is a project.

Page 9

Overview

Page 10

OpenIDM

OpenIDM is an identity management solution based on open standards. “In addition to being open source, OpenIDM offers high flexibility in business process handling and compliance. A flexible user interface combined with a robust workflow engine make OpenIDM ready for any identity management project…”

Page 11

Architecture

Page 12

Architecture: Core Services

Object Model: Artifacts handled by OpenIDM are Java object representations of the JavaScript object model as defined by JSON.

Managed Objects: A managed object is an object that represents the identity-related data managed by OpenIDM.

System Objects: System objects are a pluggable representation of objects on external systems. There is a default implementation for the OpenICF framework, which allows any connector object to be represented as a system object.

Mappings: The mappings define the policies between source and target objects and their attributes during synchronization and reconciliation. Mappings may also define triggers for validation, customization, filtering, and transformation of the source and target objects.

Synchronization and Reconciliation: Reconciliation provides for on-demand or scheduled comparison of resources between the OpenIDM managed object repository and source or target systems.

Page 13

Architecture: Infrastructure Modules

Scheduler: The scheduler is a cron-like scheduling component used to schedule regular synchronizations and reconciliations.

Script Engine: The script engine is a pluggable module that provides the triggers and plugin points for OpenIDM.

Audit Logging: Auditing logs all relevant system activity to the configured log stores. This includes the data from reconciliation as a basis for reporting, as well as detailed activity logs to capture operations on the internal (managed) and external (system) objects.

Repository: The repository provides a common abstraction for a pluggable persistence layer. Plugged-in repositories can be NoSQL, relational databases, LDAP, or even flat files. The repository API operates with a JSON-based object model, with RESTful principles consistent with the other OpenIDM services.

Page 14

Architecture

Page 15

OpenIDM

(Diagram: Source System Obj → Mapper → Target System Obj, with the Internal db, a Trigger and the Scheduler feeding the mapper; a managed user is created over REST:)

$ curl -X PUT -d '{"name":"joe","firstname":"joe","lastname":"smith","email":"[email protected]"}' http://localhost:8080/openidm/managed/user/joe

Page 16

OpenIDM

Mapper object:

{
  "name": string,
  "source": string,
  "target": string,
  "validSource": script object,
  "validTarget": script object,
  "correlationQuery": script object,
  "properties": [ property object, … ],
  "policies": [ policy object, … ],
  "onCreate": script object,
  "onUpdate": script object
}

REST:

POST /openidm/system/xml/account/jsmith?action=sync …

Page 17

OpenIDM

Two mapping entries: AD accounts into managed users, and managed users out to PTS accounts.

{
  "name" : "systemADAccounts_managedUser",
  "source" : "system/ad/account",
  "target" : "managed/user",
  "properties" : [
    { "source" : "sAMAccountName", "target" : "name" },
    { "source" : "sn", "target" : "lastname" },
    { "source" : "givenName", "target" : "firstname" }
  ]
},
{
  "name" : "managedUser_systemPtsAccounts",
  "source" : "managed/user",
  "target" : "system/pts/account",
  "properties" : [
    { "source" : "name", "target" : "name" },
    { "source" : "_id", "target" : "aid" }
  ],
  "policies" : [
    { "situation" : "CONFIRMED", "action" : "UPDATE" },
    { "situation" : "FOUND", "action" : "UPDATE" },
    { "situation" : "ABSENT", "action" : "CREATE" },
    { "situation" : "AMBIGUOUS", "action" : "EXCEPTION" },
    { "situation" : "MISSING", "action" : "UNLINK" },
    { "situation" : "UNQUALIFIED", "action" : "DELETE" },
    { "situation" : "UNASSIGNED", "action" : "DELETE" }
  ]
}

Page 18

OpenIDM

Account object schema (excerpt):

{
  "account" : {
    "$schema" : "http://json-schema.org/draft-03/schema",
    "id" : "__ACCOUNT__",
    "type" : "object",
    "nativeType" : "__ACCOUNT__",
    "properties" : {
      "name" : {
        "type" : "string",
        "nativeName" : "__NAME__",
        "nativeType" : "JAVA_TYPE_PRIMITIVE_LONG",
        "flags" : [ "NOT_CREATABLE", "NOT_UPDATEABLE", "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ]
      },
      ...

Page 19

Integration

PTS integration

Operation
• User operation
• Group operation

Connection
• OpenICF custom connector
• Command line
• Sync/reconciliation from file
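The managedUser_systemPtsAccounts mapping on page 17 and the command-line/file integration path listed above can be exercised together in a short simulation. The JavaScript below is an added example, not code from the slides or from OpenIDM itself: it parses constructed `pts listentries` output into system/pts/account objects, then runs the mapping's situations and policies over a few constructed managed/user records with a pre-existing link table. The numeric managed _id used as the AFS id, the name-based correlation query, the accountStatus-based validSource hook and the pts column layout are all assumptions made for the example.

```javascript
// Added example, not OpenIDM's own code: simulates the managedUser_systemPtsAccounts
// mapping from the slides against system/pts/account objects parsed from `pts listentries`
// text. Assumptions: managed/user _id is the numeric AFS id, the correlation query matches
// on "name", validSource rejects accountStatus "inactive"; all records are constructed.
const mapping = {
  name: "managedUser_systemPtsAccounts",
  source: "managed/user",
  target: "system/pts/account",
  properties: [{ source: "name", target: "name" }, { source: "_id", target: "aid" }],
  policies: [
    { situation: "CONFIRMED", action: "UPDATE" }, { situation: "FOUND", action: "UPDATE" },
    { situation: "ABSENT", action: "CREATE" }, { situation: "AMBIGUOUS", action: "EXCEPTION" },
    { situation: "MISSING", action: "UNLINK" }, { situation: "UNQUALIFIED", action: "DELETE" },
    { situation: "UNASSIGNED", action: "DELETE" },
  ],
};

// Constructed `pts listentries` output (assumed columns: Name, ID, Owner, Creator).
const PTS_LISTENTRIES = `Name                          ID  Owner Creator
manfred                     1001   -204    -204
joe                         1002   -204    -204
old                         1004   -204    -204
stale                       1010   -204    -204
`;

// Command-line integration path: parse pts output into system objects.
function parsePtsListEntries(text) {
  const accounts = [];
  for (const line of text.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols.length < 4 || !/^-?\d+$/.test(cols[1])) continue; // header and blank lines
    accounts.push({ name: cols[0], aid: Number(cols[1]) });
  }
  return accounts;
}

const validSource = (user) => user.accountStatus !== "inactive"; // validSource hook

// Target-side attributes produced by the mapping's property list.
function mapProperties(user) {
  const out = {};
  for (const p of mapping.properties) out[p.target] = user[p.source];
  return out;
}

// Source-phase situation: a link gives CONFIRMED or MISSING; without a link the correlation
// gives FOUND, ABSENT or AMBIGUOUS; an invalid source that still has a target is UNQUALIFIED.
function classify(user, links, targets) {
  const linkedAid = links.get(user._id);
  if (linkedAid !== undefined) {
    const target = targets.find((t) => t.aid === linkedAid);
    if (!target) return { situation: "MISSING" };
    return { situation: validSource(user) ? "CONFIRMED" : "UNQUALIFIED", target };
  }
  const matches = targets.filter((t) => t.name === user.name);
  if (matches.length > 1) return { situation: "AMBIGUOUS" };
  if (matches.length === 1) {
    return { situation: validSource(user) ? "FOUND" : "UNQUALIFIED", target: matches[0] };
  }
  return { situation: validSource(user) ? "ABSENT" : "SOURCE_IGNORED" };
}

// Policy lookup; a situation without a configured policy falls through to IGNORE.
function actionFor(situation) {
  const policy = mapping.policies.find((p) => p.situation === situation);
  return policy ? policy.action : "IGNORE";
}

// One reconciliation run: source phase over managed users, then target phase over PTS
// entries no source claims. EXCEPTION and IGNORE are only logged. Returns targets, links, log.
function reconcile(users, ptsText, links) {
  let targets = parsePtsListEntries(ptsText);
  const log = [];
  for (const user of users) {
    const { situation, target } = classify(user, links, targets);
    const action = actionFor(situation);
    log.push(`${user.name}: ${situation} -> ${action}`);
    const mapped = mapProperties(user);
    if (action === "CREATE") { targets.push(mapped); links.set(user._id, mapped.aid); }
    else if (action === "UPDATE") { Object.assign(target, mapped); links.set(user._id, target.aid); }
    else if (action === "DELETE") { targets = targets.filter((t) => t !== target); links.delete(user._id); }
    else if (action === "UNLINK") links.delete(user._id);
  }
  const linkedAids = new Set(links.values());
  for (const t of [...targets]) {
    if (linkedAids.has(t.aid) || users.some((u) => u.name === t.name)) continue;
    const action = actionFor("UNASSIGNED");
    log.push(`${t.name}: UNASSIGNED -> ${action}`);
    if (action === "DELETE") targets = targets.filter((x) => x !== t);
  }
  return { targets, links, log };
}

// Constructed managed/user records and pre-existing links (managed _id -> pts aid).
const USERS = [
  { _id: 1001, name: "manfred", accountStatus: "active" },
  { _id: 1002, name: "joe", accountStatus: "active" },
  { _id: 1003, name: "anna", accountStatus: "active" },
  { _id: 1004, name: "old", accountStatus: "inactive" },
  { _id: 1005, name: "ghost", accountStatus: "active" },
];
const LINKS = [[1001, 1001], [1004, 1004], [1005, 1005]];
function runExample() {
  return reconcile(USERS, PTS_LISTENTRIES, new Map(LINKS));
}
console.log(runExample().log.join("\n"));
```

Run with node: the log prints one line per source user and per unclaimed PTS entry, such as `old: UNQUALIFIED -> DELETE`. The policy table is what matters for access control here: it decides that a deactivated managed user loses the PTS entry (UNQUALIFIED → DELETE), that an orphan PTS entry nobody owns is removed (UNASSIGNED → DELETE), and that a user correlating to more than one PTS entry is flagged rather than guessed (AMBIGUOUS → EXCEPTION). Review those three policies before enabling a mapping against a live PTS database, since DELETE is applied to the target system.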

Page 20

Integration 1

(Diagram: OpenIDM, with its Rest Interface and Internal db, connected over an internal protocol / application protocol to PTS, LDAP, AD, APPS and OpenAM; a managed user is created over REST:)

$ curl -X PUT -d '{"name":"joe","firstname":"joe","lastname":"smith","email":"[email protected]"}' http://localhost:8080/openidm/managed/user/joe

Page 21

Integration 2

(Diagram: OpenIDM, with its Rest Interface and Internal db, connected over an internal protocol / application protocol to PTS, LDAP, AD and APPS)

Page 22

Integration

IDM is not IAM!!!

IAM main components:

• Authentication
• Authorization
• User Management
• Central User Repository

Page 23

IDM

• Know who everyone is in the organisation
• Accurate and consistent people data in all systems
• Single source of data input/storage
• Lower maintenance costs in each application
• Consistency of data across many applications
• People only get access to those systems they need
• Audit

Page 24

Conclusion

Advantages
• Open
• Flexible
• Support/Community

Disadvantages
• Still beta
• Documentation

Page 25

Integration

OpenIDM Summit, November 8th 2011, Darmstadt, Germany

Page 26

Zeropiu

• www.zeropiu.com
• [email protected]