Building Open Source Identity Infrastructures - PowerPoint PPT Presentation



SLIDE 1

Building Open Source Identity Infrastructures

Francesco Chicchiriccò ilgrosso@apache.org https://about.me/ilgrosso


SLIDE 2

The Identity Management Need

SLIDE 3

Identity Vs Account

Source: https://saberhamidi.wordpress.com/2015/02/22/topic-2-should-we-have-more-than-one-online-identity/

SLIDE 4

Identity Vs Account

  • Account
    • record containing data about a person
    • technical info needed by the information system for which the account is created and managed
  • (Digital) Identity
    • representation of a set of claims made by one digital subject about itself
    • ...it's you

SLIDE 5

Why Identity Management?

  • Operational costs
    • Multiple sources of identity data
    • Manual user provisioning and password reset
    • Labor-intensive, paper-based approval
  • Compliance
    • No record of who has access to which IT resources
    • Difficult to deprovision access rights upon termination
    • No complete audit trail available
    • Hard to prevent unauthorized access

SLIDE 6

Which identity?

SLIDE 7

Identity Solutions

SLIDE 8

Identity Technologies

  • Identity Stores
    • Storage of user information
  • Provisioning Engines
    • Synchronize account data across identity stores and a broad range of data formats, models, meanings and purposes
  • Access Managers
    • Security mechanisms that take place when a user is accessing a specific system or functionality

SLIDE 9

Identity Store

  • Examples
    • LDAP / Active Directory
    • RDBMS
    • Meta and Virtual Directories
  • Accounts can be created and managed in one place only
  • Each application manages authentication separately
  • The user may use the same password for all the connected applications

SLIDE 10

...is it enough?

  • Heterogeneity of systems
  • Lack of a single source of information
    • HR for corporate id, Groupware for mail address, ...
  • Need for a local user database
  • Inconsistent policies
  • Lack of workflow management
  • Hidden infra management cost, growing with organization

SLIDE 11

Provisioning Engine

  • Keeping the identity stores as much synchronized as possible (and practical)
  • Need to be customizable and flexible
  • Priority: non-intrusive
  • Focused on application back-end
  • Critical: data exchange with identity stores
    • Connectors
    • Agents
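As an added example (not from the talk and not Apache Syncope code), a minimal reconciliation pass of the kind a provisioning engine runs: it maps a constructed HR feed onto an AD-like target store, detects attribute drift, suspends (rather than deletes) terminated users, reports orphan accounts with no HR owner, and emits one audit line per planned action. All records, attribute names and the mapping are made up for the example.

```python
from datetime import datetime, timezone

# Constructed sample data: the authoritative HR feed and the accounts currently
# present on a target identity store (an AD-like directory). Names are made up.
HR_FEED = [
    {"empId": "1001", "first": "Ada", "last": "Lovelace", "dept": "R&D", "status": "active"},
    {"empId": "1002", "first": "Alan", "last": "Turing", "dept": "Crypto", "status": "active"},
    {"empId": "1003", "first": "Grace", "last": "Hopper", "dept": "Ops", "status": "terminated"},
]
TARGET_ACCOUNTS = {
    "1001": {"sAMAccountName": "alovelace", "department": "Research", "enabled": True},
    "1003": {"sAMAccountName": "ghopper", "department": "Ops", "enabled": True},
    "9999": {"sAMAccountName": "svc_legacy", "department": "", "enabled": True},
}
# Hypothetical mapping from the HR schema to the target schema (the
# "identify mapping for all resources" design step).
MAPPING = {
    "department": lambda r: r["dept"],
    "sAMAccountName": lambda r: (r["first"][0] + r["last"]).lower(),
}

def reconcile(hr_feed, target, mapping):
    """Return (plan, audit): the actions a provisioning run would apply, unapplied."""
    plan, audit = [], []
    now = datetime.now(timezone.utc).isoformat()
    seen = set()
    for rec in hr_feed:
        key = rec["empId"]
        seen.add(key)
        desired = {attr: fn(rec) for attr, fn in mapping.items()}
        if rec["status"] != "active":
            # Deprovision on termination: disable, never delete, so the trail survives.
            if key in target and target[key]["enabled"]:
                plan.append(("SUSPEND", key, {"enabled": False}))
        elif key not in target:
            plan.append(("CREATE", key, {**desired, "enabled": True}))
        else:
            # Only attributes that differ from the desired state are pushed.
            drift = {a: v for a, v in desired.items() if target[key].get(a) != v}
            if drift:
                plan.append(("UPDATE", key, drift))
    # Accounts with no HR owner are orphans: report them, do not touch them
    # ("policy vs reality" belongs to a human review step).
    for key in target.keys() - seen:
        plan.append(("ORPHAN", key, {}))
    for action, key, attrs in plan:
        audit.append(f"{now} {action} {key} {sorted(attrs.items())}")
    return plan, audit
```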

SLIDE 12

Identity Lifecycle

SLIDE 13

Access Manager

  • Mediator to all access to all applications
  • Focused on application front-end
  • Aspects
    • Authentication
    • Single Sign-On
    • Authorization (OAuth, XACML, ...)
    • Federation (SAML, Liberty, ...)
  • Mainly applicable to web applications
  • Difficult integration with pre-existing apps

SLIDE 14

Reference Identity Scenario

SLIDE 15

Identity Infrastructures

SLIDE 16

Gather...

  • Number and type of identities
  • Number of roles / groups (and what they are used for)
  • External resources (all covered by standard connectors?)
  • Approval workflow(s)?
  • Self-service?
  • Which applications to protect?
  • Which authentication mechanisms?
  • Which authorization types?

...essentially, shape the identity and access flows

SLIDE 17

...design...

  • Schema for various identities (users, roles, groups, ...)
  • Identify mapping for all resources
  • Not too complex!
  • Watch roles size to avoid RBAC's role explosion
  • Don't be tempted to redesign the whole network
  • Provisioning needs to be flexible
  • Reduce impact of access management on existing applications
  • Prioritize requirements

SLIDE 18

...build...

  • Carefully choose the building blocks
  • Can't simply buy COTS
  • On-premises
    • Proprietary
    • Open Source
  • As-a-service
  • Consider prototyping the designed solution (PoC)

SLIDE 19

...and start again

  • IAM is a continuous process, not a turn-key project
    • New applications to protect
    • New resources to integrate
    • Identity flows evolution
  • IAM deliveries frequently fail
    • Mix of complex and unrelated technologies
    • Unexpected interactions
    • Mess with internal processes
    • Discover Policy Vs Reality

SLIDE 20

The Open Source Identity Stack

SLIDE 21

Open Source IAM

  • Why?
    • Flexibility, adaptability and agility
    • Cost effectiveness
    • Start small and grow
    • Solid information security
    • No vendor lock-in
  • Caveats
    • Integration with proprietary software (AD over all)
    • Enterprise support availability

SLIDE 22

Available Components

SLIDE 23

Selection Criteria

  • Open Standards
  • Design for integration
  • Well-established
  • Supported
  • Alive
  • ...Open Source!

SLIDE 24

The Identity Ecosystem

  • Triggered by open companies in the Open Source IAM area
  • Common place for open source players, system integrators and service providers
  • Ensuring IAM open source components work well together
  • Easy access to enterprise support providers
  • Several options for each single component
  • More at http://www.identity-ecosystem.org/

SLIDE 25

Real World Use Cases

SLIDE 26

Disclaimer

I am V.P. Apache Syncope and CEO of Tirasa, providing enterprise support and services for Apache Syncope, so... don't be surprised Syncope is everywhere :-)


SLIDE 27

#1 Stadtwerke München

  • One of the largest German municipal utilities
  • Mobile ticketing for public transportation and bike sharing
    • self-registration
    • login
    • password reset
    • user suspend / reactivate
  • > 250k registered users
  • > 80k authentications per day

SLIDE 28

#2 Ospedali Riuniti Ancona

  • University hospital
  • Active synchronization from HR to Microsoft Active Directory
  • Centralized provisioning, authentication and authorization of medical record systems
  • Windows domain SSO
  • SAML 2.0 federation with regional network
  • ~ 5000 users

SLIDE 29

#3 Stichting Bibliotheek.nl

  • Dutch foundation that aims to expand and manage the Digital National Library
  • The IAM infrastructure aims to hold all users of the national library in the Netherlands, fed by a continuous feed from the local libraries
  • All Dutch library members can authenticate and use digital services connected to the IAM infrastructure
  • > 8 million users

SLIDE 30

#4 University of Milan

  • Very complex provisioning flows involving
    • Microsoft Active Directory
    • OpenLDAP
    • 3 different RDBMS
    • Oracle E-Mail Server
  • ~ 5k employees
  • > 60k students
  • ~ 800 roles

SLIDE 31

Questions?

All text and image content in this document is licensed under the Creative Commons Attribution-Share Alike 3.0 License (unless otherwise specified). Apache, Syncope, Apache Syncope, the Apache feather logo, the Apache Syncope project logo and the Apache Syncope logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.