From LDAP to IdM - Presentation at the Athens Eurocamp 2008 by Roland Hedberg (PowerPoint presentation)

SLIDE 1

From LDAP to IdM

Presentation at the Athens Eurocamp 2008 by Roland Hedberg <roland.hedberg@adm.umu.se>

SLIDE 2

The transition - starting point

Diagram: LDAP, Admin interface, Scripts

SLIDE 3

The transition - toward nirvana

Starting point: LDAP, Admin interface, Scripts
Target: LDAP, Admin interface, AD; IdM; SIS, HR
Transition

SLIDE 4

Columbia University Identity Management (May 2008)

Architecture Overview

Interactive (Web) Frontend: Java/Spring, HTTPS

Real Time (SOAP) Interface: Java/Spring, WS-[illegible]

Batch Interface: Fixed Width, Perl

GINO API Reconciliation: Perl

Identifier Assignment: Oracle Procedure

New: Business Rules Execution, Update Queue

Whitepages LDAP

Identity Data & Business Rules Repository: Oracle

Account Info

UPN NetID

Groups, People, Department Administrators, Systems of Record, End Users, Event API

Java/Spring, SOAP

Directory Hierarchy, AuthZ Hierarchy, Batch Interface

Fixed Width, Perl

Authentication: Kerberos, WebISO

Directory: LDAP

Authorization: LDAP, WebISO

Batch Extracts and Backfeeds

Real Time Interface and Event Interface (GINO-WS) are the same in actual implementation. Web Frontend (GINO-UI) can be used for query as well as update.

Unix Interface: Group & Account Management C++

Legacy Web: WebCreate, etc; Account Management C++

Public Safety: ID Cards (Lenel)

Proprietary Provisioning: cyradm, kadmin, ldap

Email Accounts: Cyrus unix ldap

GINO Core: GINO-WS, GINO-UI, GINO-WS

SLIDE 5

The basic model

S L R Db

SLIDE 6

What’s IdM?

“Identity management is the management of the identity life cycle of entities.”

- Establish
- Describe
- Destroy

SLIDE 7

Where the big challenge is!

- Establish
- Describe
- Destroy

SLIDE 8

SLIDE 9

Francis Bacon

1561-1626

knowledge of the essence of things

the way things really are

Idols of the mind

- idol of the tribe (human nature)
- idol of the cave (hobby horse, prejudice)
- idol of the market place (social interaction, language)
- idols of the theater (learned)

SLIDE 10

Ontology

Ontology deals with questions concerning what entities exist or can be said to exist, and how such entities can be grouped, related within a hierarchy, and subdivided according to similarities and differences.

SLIDE 11

Data models

- LDAP
- Ontology language (OWL)

SLIDE 12

LDAP

Object class
- set of must/may attributes

Attribute
- value type
- cardinality <=1 or >=0
- size

Object relationship
- DIT, seeAlso, Alias, ...

SLIDE 13

LDAP limitations

- Simple inheritance
- You can not have objects as values
- No value sets
- No meta-information

SLIDE 14

OWL

Web Ontology Language

Object classes
- set of properties
- property restrictions

Properties
- domain / range

- Multiple inheritance
- Version control
- Ontology meta information
SLIDE 15

Our present model

Basic objects
- person, collection, unit, user, course, ...

Relation objects
- employee, student, partOf, belongsTo, ...

SLIDE 16

The information

Who owns it?
- Responsibility
- Accountability
- Stability

What does it mean?
- Special / Universal
- Usage uncoupled from definition

SLIDE 17

Leads up to

- Information services
- Service definitions

SLIDE 18

Business rules

Examples
- Life cycles
- Source priorities
- Value construction algorithms
- Object matching/reconciliation
- Harmonization

Features
- Declarative
- Atomic
- Distinct, independent

SLIDE 19

Repositories

Identifiers

Any identifier an object has ever had

State

The complete state of an object

Messages

All messages ever seen by the system
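The business rules slide and the repositories slide describe one mechanism, so here is one added example for both (not code from the presentation or from any IdM product): rules kept as data (a source-priority list per attribute and a value construction function), an identifier repository that remembers every identifier an object has ever had and never reuses internal ids, a per-source state repository, and a log of every message seen. The source names HR and SIS, the attribute names, the priority choices and the sample records are constructed for illustration.

```python
"""Toy IdM core (added example, not the presentation's own code): declarative
business rules evaluated over the three repositories of the slides."""
from typing import Dict, List, Optional, Tuple


class IdentifierRepository:
    """Every identifier an object has ever had, mapped to the internal object id.
    Internal ids are allocated once and never reused, so a destroyed object can
    never be confused with a later one, and a returning person is matched back
    to the old object instead of getting a duplicate."""

    def __init__(self) -> None:
        self._by_ident: Dict[Tuple[str, str], str] = {}
        self._next = 1

    def lookup(self, idents: Dict[str, str]) -> Optional[str]:
        for key, value in idents.items():
            obj = self._by_ident.get((key, value))
            if obj is not None:
                return obj
        return None

    def register(self, obj: str, idents: Dict[str, str]) -> None:
        for key, value in idents.items():
            self._by_ident[(key, value)] = obj

    def allocate(self) -> str:
        obj = f"obj-{self._next:06d}"
        self._next += 1
        return obj


# Business rules as data: declarative, one rule per attribute, independent of each other.
# Source priority: the first listed source that carries a value wins, so a feed with
# lower priority can never overwrite an authoritative value. (Constructed choices.)
SOURCE_PRIORITY: Dict[str, List[str]] = {
    "givenName": ["HR", "SIS"],
    "sn": ["HR", "SIS"],
    "mail": ["SIS", "HR"],
}


def construct_display_name(attrs: Dict[str, str]) -> Optional[str]:
    """Value construction algorithm: displayName is derived, never taken from a source."""
    if "givenName" in attrs and "sn" in attrs:
        return f"{attrs['givenName']} {attrs['sn']}"
    return None


VALUE_CONSTRUCTION = {"displayName": construct_display_name}


class IdM:
    def __init__(self) -> None:
        self.identifiers = IdentifierRepository()
        # Complete state of each object, kept per source so rules can be re-run on any change.
        self.state: Dict[str, Dict[str, Dict[str, str]]] = {}
        # Every message the system has ever seen.
        self.messages: List[dict] = []

    def receive(self, source: str, idents: Dict[str, str], attrs: Dict[str, str]) -> str:
        """Establish/Describe: match the record to an existing object or create one."""
        self.messages.append({"op": "update", "source": source,
                              "identifiers": dict(idents), "attributes": dict(attrs)})
        obj = self.identifiers.lookup(idents)
        if obj is None:
            obj = self.identifiers.allocate()
        self.identifiers.register(obj, idents)      # remember every identifier ever seen
        self.state.setdefault(obj, {})[source] = dict(attrs)
        return obj

    def withdraw(self, source: str, idents: Dict[str, str]) -> Optional[str]:
        """Destroy (for one source): drop that source's state; identifiers and messages stay."""
        self.messages.append({"op": "delete", "source": source, "identifiers": dict(idents)})
        obj = self.identifiers.lookup(idents)
        if obj is not None:
            self.state.get(obj, {}).pop(source, None)
        return obj

    def resolve(self, obj: str) -> Dict[str, str]:
        """Evaluate the rules over the per-source state into one view of the object."""
        per_source = self.state.get(obj, {})
        result: Dict[str, str] = {}
        for attr, sources in SOURCE_PRIORITY.items():
            for src in sources:
                if attr in per_source.get(src, {}):
                    result[attr] = per_source[src][attr]
                    break
        for attr, build in VALUE_CONSTRUCTION.items():
            value = build(result)
            if value is not None:
                result[attr] = value
        return result


def run_demo() -> dict:
    """Constructed walk-through: an employee who is also a student, leaves, and returns."""
    idm = IdM()
    a = idm.receive("HR", {"employeeNumber": "E42"}, {"givenName": "Anna", "sn": "Svensson"})
    # The SIS record carries the employee number too, so it matches the same object.
    b = idm.receive("SIS", {"studentNumber": "S7", "employeeNumber": "E42"},
                    {"givenName": "Anna", "sn": "Svensson-Berg", "mail": "anna@student.example"})
    both = idm.resolve(a)                     # HR wins for sn, SIS for mail
    idm.withdraw("SIS", {"studentNumber": "S7"})
    hr_only = idm.resolve(a)                  # mail disappears with its source
    # Later SIS sends the old student number again: identifier history finds the object.
    c = idm.receive("SIS", {"studentNumber": "S7"}, {"mail": "anna2@student.example"})
    other = idm.receive("HR", {"employeeNumber": "E43"}, {"givenName": "Bo", "sn": "Berg"})
    return {"a": a, "b": b, "c": c, "other": other, "both": both,
            "hr_only": hr_only, "returned": idm.resolve(a), "messages": len(idm.messages)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Keeping state per source and resolving on demand is what makes the rules atomic and independent: changing the priority list for one attribute, or adding a construction rule, never touches the data the sources delivered, and the message log lets any resolved value be traced back to the message that caused it.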

SLIDE 20

Views

Different applications - different needs

There are so many ways of doing things that we can not mandate one.

- LDAP/AD
- WS
- Provisioning

Transformation between data models

SLIDE 21

Information security

Confidentiality
- Ensuring that information is accessible only to those authorised to have access

Integrity
- Data cannot be modified without authorisation

Availability
- The information must be available when it is needed

Correctness/Coherence

SLIDE 22

That’s it! Questions?