Identity Management with midPoint, Radovan Semančík, FOSDEM, January 2016 - PowerPoint PPT Presentation



SLIDE 1

Identity Management with midPoint

Radovan Semančík

FOSDEM, January 2016

SLIDE 2

Radovan Semančík

Current:
  • Software Architect at Evolveum
  • Architect of Evolveum midPoint
  • Contributor to ConnId and Apache Directory API

Past:
  • Sun LDAP and IDM deployments (early 2000s)
  • OpenIDM v1, OpenICF
  • Many software architecture and security projects

SLIDE 3

Identity and Access Management

[Diagram: Identity Repository, HR, CRM and applications connected through Identity Management; actors: Users, System Admin, Requester, Approver]

SLIDE 4

There is no security without identity management

SLIDE 5

If you have no IDM, how can you be sure that ...

  • illegal accounts are disabled/deleted?
  • temporary accounts are deleted?
  • users have only the least privileges?
  • the privileges are not accumulated?
  • no secondary authentication is possible?
  • the data are up to date? (title, affiliation, …)
  • notifications and tasks are suspended?

SLIDE 6

The solution is trivial: let's put everything in LDAP!

SLIDE 7

Expectation

[Diagram: HR, LDAP, SSO, Users and applications, all wired to a single directory]

SLIDE 8

Reality

[Diagram: the same HR, LDAP, SSO, Users and applications as on slide 7, annotated with the problems that appear in practice]

Callouts on the diagram:
  • Unsupported
  • No standard (ugly script needed)
  • Unsupported
  • Custom schema
  • Incompatible schema
  • Relational database
  • Extremely expensive
  • Expensive
  • Home directory
  • Local copy
  • Incompatible identifiers

SLIDE 9

“Single directory” approach is not going to work

… and this has been known since 2006 (at least)

SLIDE 10

Identity and Access Management

[Diagram: Identity Repository, HR, CRM and applications connected through Identity Management; actors: Users, System Admin, Requester, Approver]

SLIDE 11

How does IDM work?

[Diagram: Identity Repository, HR and applications connected through Identity Management]

SLIDE 12

Automatic user provisioning

[Diagram: Identity Repository, HR and applications connected through Identity Management; a new HR record is pushed out to the applications, driven by policies and RBAC rules]

SLIDE 13

Business As Usual

[Diagram: Identity Repository, HR and applications connected through Identity Management]

SLIDE 14

Password reset (self-service)

[Diagram: Identity Repository, HR and applications connected through Identity Management; the user resets the password in the IDM and it is propagated to the applications]

SLIDE 15

Employee Leaves Company

[Diagram: Identity Repository, HR and applications connected through Identity Management; the HR record is terminated]

SLIDE 16

Automatic user deprovisioning

[Diagram: Identity Repository, HR and applications connected through Identity Management; the terminated record is propagated to the applications as account disable/delete, driven by policies and RBAC rules]

SLIDE 17

Business As Usual

[Diagram: Identity Repository, HR and applications connected through Identity Management]

SLIDE 18

Bidirectional Synchronization

[Diagram: Identity Repository, HR and applications connected through Identity Management; changes flow in both directions between the repository and the applications]

SLIDE 19

Policy enforcement

[Diagram: Identity Repository, HR and applications connected through Identity Management; the state of the applications is compared with policies and RBAC rules and corrected]
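Slides 12, 16 and 19 describe the same loop from three angles: policies and RBAC rules derive which accounts and privileges each person should hold, and the IDM creates, removes or corrects accounts on the connected systems until they match. The Python sketch below is an added example, not midPoint code; the role definitions, the segregation-of-duties pair, the HR records and the account listings are all constructed for illustration. Its output also answers the questions from slide 5: orphaned or illegal accounts and expired temporary accounts are flagged for deletion, privileges not justified by any role are revoked, and a user who accumulated conflicting roles is reported.

```python
"""Toy reconciliation loop in the style of an IDM engine (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    """One record from the authoritative source (HR). Constructed schema."""
    uid: str
    roles: frozenset
    active: bool = True
    expires: date | None = None  # set for temporary contracts


# RBAC: role -> set of (resource, privilege) the role entitles a user to.
ROLE_DEFS = {
    "employee": {("mail", "user"), ("wiki", "reader")},
    "developer": {("git", "push"), ("wiki", "editor")},
    "finance": {("erp", "approver")},
}

# Segregation of duties: role combinations that must not be held together.
SOD_PAIRS = [frozenset({"developer", "finance"})]


def desired_state(hr: list[Employee], today: date):
    """Derive resource -> {uid: set(privileges)} from HR data plus RBAC rules.

    Leavers and expired temporary contracts get no accounts at all, which is
    what drives automatic deprovisioning.
    """
    desired: dict[str, dict[str, set]] = {}
    violations = []
    for emp in hr:
        if not emp.active or (emp.expires is not None and emp.expires < today):
            continue
        for pair in SOD_PAIRS:
            if pair <= emp.roles:
                # The toy only reports the conflict; a real IDM would refuse
                # the assignment or route it through an approval workflow.
                violations.append((emp.uid, tuple(sorted(pair))))
        for role in emp.roles:
            for resource, priv in ROLE_DEFS.get(role, ()):
                desired.setdefault(resource, {}).setdefault(emp.uid, set()).add(priv)
    return desired, violations


def reconcile(hr: list[Employee], actual: dict, today: date) -> list[tuple]:
    """Compare desired state with what the resources actually contain.

    `actual` is resource -> {uid: set(privileges)} as read from each system.
    Returns a deterministic list of corrective actions.
    """
    desired, violations = desired_state(hr, today)
    actions = [("sod-violation", uid, roles) for uid, roles in violations]
    for resource in sorted(set(desired) | set(actual)):
        want = desired.get(resource, {})
        have = actual.get(resource, {})
        for uid in sorted(set(want) | set(have)):
            if uid not in want:
                actions.append(("delete", resource, uid))  # orphan, leaver or expired
            elif uid not in have:
                actions.append(("create", resource, uid, tuple(sorted(want[uid]))))
            else:
                for priv in sorted(have[uid] - want[uid]):
                    actions.append(("revoke", resource, uid, priv))  # accumulated privilege
                for priv in sorted(want[uid] - have[uid]):
                    actions.append(("grant", resource, uid, priv))
    return actions


# Constructed sample data: HR feed and account dumps from three resources.
HR = [
    Employee("alice", frozenset({"employee", "developer"})),
    Employee("bob", frozenset({"employee"}), expires=date(2015, 12, 31)),  # temp, ended
    Employee("carol", frozenset({"employee", "developer", "finance"})),   # SoD conflict
    Employee("dave", frozenset({"employee"}), active=False),              # left company
]
ACTUAL = {
    "mail": {"alice": {"user"}, "bob": {"user"}, "dave": {"user"}, "mallory": {"user"}},
    "git": {"alice": {"push", "admin"}},  # "admin" is not granted by any role
    "wiki": {"alice": {"reader"}},        # "editor" from the developer role is missing
}
TODAY = date(2016, 1, 30)

if __name__ == "__main__":
    for action in reconcile(HR, ACTUAL, TODAY):
        print(*action)
```

Running it lists one SoD violation for carol, deletions for bob (expired), dave (left) and mallory (no HR record), a revoke of alice's unexplained `admin` on git, a grant of the missing wiki `editor`, and the accounts carol should have but does not. In a real deployment the same diff would be executed through connectors against the live systems, and the reconciliation would run on a schedule so that drift is corrected continuously rather than discovered during an audit.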

SLIDE 20

What does Identity Management do?

  • Provisioning
  • Synchronization
  • Self-service
  • Password management
  • Credentials distribution (SSH, X.509)
  • RBAC
  • Organizational structure
  • Entitlement management
  • Identifier management
  • Data mapping
  • Segregation of duties
  • Workflow
  • Notifications
  • Auditing
  • Reporting
  • Governance
  • ...

SLIDE 21

This IDM looks like the best thing since sliced bread. What's the catch?

SLIDE 22

This IDM looks like the best thing since sliced bread. What's the catch? The commercial IDM products are expensive.

SLIDE 23

This IDM looks like the best thing since sliced bread. What's the catch? The commercial IDM products are expensive. Very, very expensive.

SLIDE 24

Open Source to the Rescue

There was no practical FOSS solution until 2010

(Sun Identity Manager was the king)

2010-2011: Syncope, OpenIDM, midPoint, ...

(that was the time when Oracle acquired Sun)

Now there are two leading open source* IDMs:

  • Apache Syncope
  • Evolveum midPoint

*) by “open source” I mean both license and practice

SLIDE 25

Evolveum midPoint?

SLIDE 26

[Diagram: Identity Repository, HR, CRM, Users and applications connected through Identity Management, with midPoint in the Identity Management position]

SLIDE 27

The midPoint Story

  • Started 2010-2011 (5 years, 14 releases)
  • Github, Apache 2.0 License
  • ~500K lines of code (Java)
  • State-of-the-art IDM features

Feature cloud on the slide: Provisioning, Synchronization, RBAC, Governance, Consistency, Workflow, Audit, Authorization, Management, Self-service, Delegated administration, Data mapping, REST, Policy, Entitlements, Segregation of duties, HA, Identifiers, Notifications, Connectors, Localization, Parametric roles, Password reset, Organizational structure, Web UI, Expressions, Schema, Conditions, Extensibility, Scripting, Bulk actions

SLIDE 28

SLIDE 29

SLIDE 30

Questions and Answers


SLIDE 31

Radovan Semančík

www.evolveum.com

Thank You