OpenIDM for Beginners EMEA Summit 2013

OpenIDM - An Introduction


DESCRIPTION

An IAM for Beginners session led by ForgeRock Senior Instructor Matthias Tristl


Page 1: OpenIDM - An Introduction

OpenIDM for Beginners

EMEA Summit 2013

Page 2: OpenIDM - An Introduction

01-2

Objectives

Upon completion of this presentation, you should be able to:

• Describe where OpenIDM fits into the OIS

• Describe the Business Needs for OpenIDM

• Describe IDM Use Cases Addressed by OpenIDM

• Describe OpenIDM Features

Page 3: OpenIDM - An Introduction


Pillars of IAM

Page 4: OpenIDM - An Introduction


Classic scenario I: User wants to use an application...

User

Application

which does not require any of ForgeRock's products, but ...

Page 5: OpenIDM - An Introduction


Classic scenario II: Centralization of Authentication

User

Application… and ...

OpenDJ

Page 6: OpenIDM - An Introduction


Classic scenario III: Central Authorization

User

Application

OpenDJ

OpenAM

Page 7: OpenIDM - An Introduction


Classic scenario V: Identity Management

User

Application

HR DB

OpenAM

OpenDJ

OpenIDM

Page 8: OpenIDM - An Introduction


Common Use Cases

• Provisioning

• De-Provisioning

• Compliance and auditing

• Password management

Page 9: OpenIDM - An Introduction


Provisioning

• Depending on a user's business role and predefined rules, a new user will:
  • Get accounts on backend systems on create
  • Get default group/role membership

• Therefore a central instance is needed which
  • Connects to all relevant systems
  • Is able to sync user attributes and memberships
  • Can automatically apply rules

• Manager, approving persons and end-user need well defined access to the user's data
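To make the provisioning rules on this slide concrete, here is an added example (written for this page, not OpenIDM's own code and not from the presenter): a small reconciliation engine in Python that compares an authoritative HR source against the accounts on one target application, applies a role-to-group rule, and emits a plan of actions. The HR records, target accounts, role mapping and situation names (CREATE, UPDATE, DISABLE, ORPHAN, NOOP) are all constructed for the demo and are not OpenIDM's terminology.

```python
"""Illustrative provisioning/reconciliation engine (added example, not OpenIDM code).

It models the slide's points: a central instance that reads an authoritative
source, syncs attributes and memberships to a target, and applies role-based
rules (default group membership per business role).
"""
from dataclasses import dataclass, field

# Constructed sample: authoritative HR source (one record per person)
HR_DB = [
    {"employeeId": "1001", "uid": "alice", "role": "engineer", "status": "active"},
    {"employeeId": "1002", "uid": "bob", "role": "contractor", "status": "active"},
    {"employeeId": "1003", "uid": "carol", "role": "engineer", "status": "terminated"},
]

# Constructed sample: accounts currently present on a target application
TARGET_ACCOUNTS = {
    "alice": {"uid": "alice", "groups": {"staff"}},
    "carol": {"uid": "carol", "groups": {"staff", "developers"}},
    "dave": {"uid": "dave", "groups": {"staff"}},  # no HR record: orphan account
}

# Assumed rule for the demo: default group membership granted by business role
ROLE_TO_GROUPS = {
    "engineer": {"staff", "developers"},
    "contractor": {"contractors"},
}


@dataclass
class Action:
    situation: str  # CREATE, UPDATE, DISABLE, ORPHAN or NOOP (names are this example's own)
    uid: str
    groups: set = field(default_factory=set)


def desired_state(hr_record):
    """Map an HR record to the target account state the rules require."""
    return {"uid": hr_record["uid"],
            "groups": set(ROLE_TO_GROUPS.get(hr_record["role"], set()))}


def reconcile(source, target):
    """Compare source records with target accounts and return a list of Actions."""
    actions = []
    seen = set()
    for rec in source:
        uid = rec["uid"]
        seen.add(uid)
        wanted = desired_state(rec)
        existing = target.get(uid)
        if rec["status"] != "active":
            # Leaver: de-provision rather than leave stale access in place
            if existing is not None:
                actions.append(Action("DISABLE", uid, set(existing["groups"])))
            else:
                actions.append(Action("NOOP", uid))
            continue
        if existing is None:
            actions.append(Action("CREATE", uid, wanted["groups"]))
        elif existing["groups"] != wanted["groups"]:
            actions.append(Action("UPDATE", uid, wanted["groups"]))
        else:
            actions.append(Action("NOOP", uid))
    # Target accounts that have no authoritative source record
    for uid in target:
        if uid not in seen:
            actions.append(Action("ORPHAN", uid, set(target[uid]["groups"])))
    return actions


def apply_actions(actions, target):
    """Apply the plan to a copy of the target store and return the new store."""
    new_target = {uid: {"uid": uid, "groups": set(acc["groups"])}
                  for uid, acc in target.items()}
    for a in actions:
        if a.situation in ("CREATE", "UPDATE"):
            new_target[a.uid] = {"uid": a.uid, "groups": set(a.groups)}
        elif a.situation in ("DISABLE", "ORPHAN"):
            # Least privilege: remove the account and its memberships entirely
            new_target.pop(a.uid, None)
    return new_target


if __name__ == "__main__":
    plan = reconcile(HR_DB, TARGET_ACCOUNTS)
    for a in plan:
        print(f"{a.situation:8s} {a.uid:8s} {sorted(a.groups)}")
    print(apply_actions(plan, TARGET_ACCOUNTS))
```

Running it shows the four situations a provisioning engine has to handle: a joiner (bob) gets an account with the role's default groups, an existing user (alice) has memberships brought in line with the rule, a leaver (carol) is de-provisioned, and an account with no HR owner (dave) is surfaced as an orphan for review.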

Page 10: OpenIDM - An Introduction


HR DB

User

Central Provisioning Point

OpenIDM

Page 11: OpenIDM - An Introduction


Passwords

• Passwords can be changed at a central place and distributed to external systems based on flexible rules and password policies

• The provisioning engine needs to detect password changes from an external resource

• User administrators and end user need well defined access to the user's passwords

• A password reset mechanism is in place

• Passwords which have been reset can be sent to the end user in a secure way

Page 12: OpenIDM - An Introduction


Central Password Distribution Point

User

Changes Password

OpenIDM OpenDJ

Page 13: OpenIDM - An Introduction


Components used in OpenIDM

Java → min 1.6 update 24; on Win: Java 7

OSGi → implementation: Felix

Servlet container → implementation: Jetty

Repository → OrientDB, MySQL and others

JSON → structure for configurations

OpenICF → local or remote connector server

Connectors to external systems → e.g. AD, LDAP, file...

Activiti → workflow engine

Page 14: OpenIDM - An Introduction


Putting It All Together

Page 15: OpenIDM - An Introduction


The REST Interface

Representational State Transfer (REST)

Conforming to the REST constraints is generally referred to as being "RESTful"

REST utilizes HTTP methods: GET, PUT, POST, DELETE, HEAD

Page 16: OpenIDM - An Introduction


OpenIDM in action

• Install OpenIDM

• Start with workflow sample

• Get user through reconciliation

• Start

Page 17: OpenIDM - An Introduction


Native Connection Protocols

Repo DB

DB

JDBC / JNDI

SSH / ADSI

OpenIDM

Page 18: OpenIDM - An Introduction


Connector Architecture

Page 19: OpenIDM - An Introduction


Activiti Introduction

• A light-weight workflow and Business Process Management Software

• BPMN 2 compliant

• A process engine for Java applications

• It's open-source and distributed under the Apache license

• Workflows are deployed as business archives (.bar)

• Workflow definitions are in XML format

Page 20: OpenIDM - An Introduction


Apply for Contractor I

Workflow outline

Page 21: OpenIDM - An Introduction


Apply for Contractor II

Startup Form: (Screen shot)

Page 22: OpenIDM - An Introduction


Activiti Modeler II

Page 23: OpenIDM - An Introduction


Connector Configuration (simple)

Page 24: OpenIDM - An Introduction


Sync Configuration

Page 25: OpenIDM - An Introduction


Connector Configuration (flexible)

    "principal" : "cn=Directory Manager",
    "ssl" : false,
    "baseContexts" : ["ou=People,dc=example,dc=com"],
    "groupMemberAttribute" : "uniqueMember",
    "passwordAttribute" : "userPassword",
    "accountSearchFilter" : null,
    "accountObjectClasses" : ["top", ...],
    "maintainLdapGroupMembership" : false,
    "blockSize" : 100,
    "baseContextsToSynchronize" : ["ou=People,dc=example,dc=com"],
    "attributesToSynchronize" : ["uid", ...],
    ...
    {"account" :
        {"nativeType" : "__ACCOUNT__",
         "properties" : {
             "uid" : {"type" : "string", "nativeName" : "userName", "nativeType" : "STRING", "flags" : ["NOT_CREATABLE", ...

Page 26: OpenIDM - An Introduction


Other OpenIDM Features

• Task Scheduling

• Cluster OpenIDM for High availability

• Horizontal scalability

• OpenIDM command line

• Data validation through policies

• Managing Passwords

• Send emails

Page 27: OpenIDM - An Introduction


Forgerock University