Applying Novell Identity Manager to Your Everyday Problems
Post on 21-May-2015
Identity Web Services: Applying Novell® Identity Manager to Everyday Problems
Jerry Combs, Principal Architect, Novell Inc.
© Novell, Inc. All rights reserved.
Agenda
• Introduction to Novell® Identity Manager web services
– Identity Manager core architecture
– Available identity web services
– Enabling the test page functionality
• Implementing custom identity services with workflows
– Provisioning identities from a custom interface
• Demonstration
– Provisioning Service
– Password Management Service
Novell® Identity Manager Core Architecture
Novell® Identity Manager is an event-based system!
Nothing happens without an event.
Event Sources
• Connected Systems
• Direct changes to the Identity Directory
– Identity and Provisioning Application Server
– LDAP/LDIF/NDAP
• Job Service
– “cron” like function to periodically generate events based on query parameters
– Jobs are defined and processed on a per connector basis
Two Active Processing Components
• Identity Event Rule Engine
– Processes data events based on rules (Policies)
– No user interface
– "System" level integration
• Application Server (User Application)
– Workflow engine
– User interface
– Web services
– "Service" level integration
All processing by the App Server results in a data event that is processed by the Rule Engine
Rule Engine Connectors
• Historically called "Drivers"
• All processing is XML based
• A connector is a collection of rules, communication APIs, and any API/code required to translate events to XML
• All rule processing is done by connectors!
• Special connectors
– A "Loop Back" connector is used to implement processes that need to act on identity data events within the Rule Engine
– User Application connector
– Role and Resource connector
Identity Directory
• Pure object database
– Highly scalable
– Very extensible
• Multi-master replication
– High availability and horizontal scalability
– Patented replication process provides an event system
• The event system is used by connectors to subscribe to data events
• This event mechanism is NOT available in any other directory or database
Identity Web Services
• Provisioning management
• Role management
• Resource management
• Password management
– Password change, challenge/response reset
• Virtual Directory / Data Abstraction
– Access to identity data
• Metrics
– Data on system usage and performance
• Notification
– Enables the sending of emails based on stored templates
Provisioning Service
• Functions to initiate, monitor, and interact with workflows
– Start a workflow (provisioning request)
– Get workflow status
– Approve/deny a request
– Get requests for a user
– Get requests by a user
– Get available requests
• URL: http://<server>:<port>/IDM/provisioning/service/
Role Management Service
• Complete role API
– Request a role assignment
– Check SOD (separation of duties) policy
– Get role catalog
– Remove a role assignment
• URL: http://<server>:<port>/IDM/role/service/
Password Management Service
• Get password policy for a user
– Complexity requirements
• Check password synchronization status
• Change password
• Reset password using challenge/response
– Available only as a SOAP endpoint
• URL: http://<server>:<port>/IDM/pwdmgt/service/
Virtual Directory / Data Abstraction Service
• Access to identity data through the Directory Abstraction Layer
– Ad-hoc queries
– Get attribute(s)
– Pre-defined queries (global queries)
– Update attribute
• URL: http://<server>:<port>/IDM/vdx/service/
Resource Management Service
• Key services
– requestResourceGrant
– requestResourceRevoke
– getResourceAssignmentsForUser
• New endpoints in RBPM 3.7 patch B
– Create, update, and delete resources
• URL: http://<server>:<port>/IDM/resource/service/
Metrics Service
• Provisioning usage and processing statistics
• Used for reporting
• Not exposed in the RBPM 3.7 interface
• URL: http://<server>:<port>/IDM/metrics/service/
Notification Service
• Used to send email notifications
– sendNotification is the only endpoint
• Utilizes templates stored in the Identity Vault
– Supplied parameters are used to populate the template
• URL: http://<server>:<port>/IDM/notification/service/
Enabling the Test Services
• Extract the WAR file using the jar utility from the proper JDK
• Modify web.xml: in the Provisioning servlet definition, set the com.novell.soa.ws.test.disable init parameter to false (only the relevant part of the servlet definition is shown; the enclosing <servlet> element is omitted)
  <servlet-name>Provisioning</servlet-name>
  <servlet-class>com.novell.soa.af.impl.soap.ProvisioningImpl</servlet-class>
  <init-param>
    <param-name>com.novell.soa.ws.test.disable</param-name>
    <param-value>false</param-value>
  </init-param>
• Rebuild the WAR file using the jar utility
– Do NOT use any other zip application
• Deploy the new WAR file
• Access the test pages
http://<server>:<port>/IDM/provisioning/service?test
– The test pages exist to exercise the endpoint during development; set the parameter back to true (or remove the override) and redeploy before the WAR goes to production
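The web.xml step of the procedure above can be scripted, and the same parsing doubles as a deployment check that no servlet was left with its test page switched on. The following is an added example, not Novell code: only the servlet name Provisioning, its class and the init-param name com.novell.soa.ws.test.disable come from the presentation; the web.xml it operates on is a constructed sample (the Role and Metrics servlet classes are made up), and treating a missing parameter as "test pages off" is an assumption that matches the shipped state the procedure changes.

```python
"""Toggle the SOAP test pages in a User Application web.xml.

Added example, not Novell code. It scripts the web.xml step of the procedure
above and, for a deployment review, lists every servlet whose test page is
currently switched on. From the presentation: the servlet name Provisioning,
its class, and the init-param com.novell.soa.ws.test.disable. The web.xml
below is a constructed sample (the Role and Metrics servlet classes are made up).
"""
import xml.etree.ElementTree as ET

TEST_PARAM = "com.novell.soa.ws.test.disable"

# Constructed sample. Real web.xml files carry a default namespace, so the code
# has to cope with namespaced tags. Provisioning ships with the test pages off,
# Role has already been switched on, Metrics carries no override at all.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>Provisioning</servlet-name>
    <servlet-class>com.novell.soa.af.impl.soap.ProvisioningImpl</servlet-class>
    <init-param>
      <param-name>com.novell.soa.ws.test.disable</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>Role</servlet-name>
    <servlet-class>example.RoleServiceImpl</servlet-class>
    <init-param>
      <param-name>com.novell.soa.ws.test.disable</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>Metrics</servlet-name>
    <servlet-class>example.MetricsServiceImpl</servlet-class>
  </servlet>
</web-app>
"""


def _ns(root):
    """'{uri}' prefix of the document's default namespace, or '' if there is none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def _test_param(servlet, ns):
    """The test.disable <init-param> element of a servlet, or None."""
    for ip in servlet.findall(f"{ns}init-param"):
        if _text(ip.find(f"{ns}param-name")) == TEST_PARAM:
            return ip
    return None


def servlets_with_test_pages(web_xml: str) -> list:
    """Names of servlets whose test pages are on (parameter explicitly 'false').
    A missing parameter counts as off: that is the shipped state the procedure
    above has to change, so only an explicit override enables the pages."""
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    enabled = []
    for servlet in root.findall(f"{ns}servlet"):
        ip = _test_param(servlet, ns)
        if ip is not None and _text(ip.find(f"{ns}param-value")).lower() == "false":
            enabled.append(_text(servlet.find(f"{ns}servlet-name")))
    return enabled


def set_test_pages(web_xml: str, servlet_name: str, enabled: bool) -> str:
    """Return web.xml with the named servlet's test pages switched on or off,
    creating the init-param when the servlet does not have one yet."""
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns[1:-1])   # keep the default xmlns on output
    for servlet in root.findall(f"{ns}servlet"):
        if _text(servlet.find(f"{ns}servlet-name")) != servlet_name:
            continue
        ip = _test_param(servlet, ns)
        if ip is None:
            ip = ET.SubElement(servlet, f"{ns}init-param")
            ET.SubElement(ip, f"{ns}param-name").text = TEST_PARAM
        value = ip.find(f"{ns}param-value")
        if value is None:
            value = ET.SubElement(ip, f"{ns}param-value")
        value.text = "false" if enabled else "true"
        return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no servlet named {servlet_name!r} in web.xml")


if __name__ == "__main__":
    print("test pages enabled for:", servlets_with_test_pages(SAMPLE_WEB_XML))
    switched_on = set_test_pages(SAMPLE_WEB_XML, "Provisioning", True)
    print("after enabling Provisioning:", servlets_with_test_pages(switched_on))
```

Run servlets_with_test_pages against the web.xml extracted from the WAR that is actually deployed, not the one in source control; the rebuild step in the procedure is easy to forget to reverse.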
Custom Identity Services
• Three simple steps
– Build a workflow that implements the function you need
– Deploy the workflow
– Use the provisioning web service to start the workflow
• Benefits
– Allows external applications and systems to perform identity functions in a standardized, controlled, and secure way
– No need for direct access to the Identity Vault
• Limitations
– Asynchronous only: you must check the process status if you need to know that the request succeeded
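The third step and the limitation above are what a calling application has to get right: starting a workflow returns only a request identifier, and the caller that wants to know whether the account was actually created has to poll the status until it reaches a terminal state. The following is an added example, not Novell code and not the project's client library. From the presentation it takes only the endpoint URL, the fact that workflows are started through the Provisioning Service, and the asynchronous limitation; the operation names startRequest and getStatus, every element name in the envelope, the service namespace, the status values and the SOAPAction value are assumptions to be replaced with what the deployed WSDL says, and StubServer is a constructed stand-in for the server so the code runs offline.

```python
"""Start a workflow through the Provisioning Service and poll it to completion.

Added example, not Novell code. From the presentation: the endpoint URL, that
workflows are started through this web service, and that processing is
asynchronous, so the caller must check the status to learn whether the request
succeeded. Assumed (check the deployed WSDL): the operation names startRequest
and getStatus, the element names, the status values and the SOAPAction value.
StubServer is a constructed stand-in so the code runs offline.
"""
import base64
import time
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PROV_NS = "urn:example:provisioning"          # assumed; take the real one from the WSDL
TERMINAL = {"Completed", "Denied", "Error"}   # assumed terminal status values
Transport = Callable[[str, str], str]         # (operation, envelope) -> response body

def build_envelope(operation: str, params: dict) -> str:
    """SOAP 1.1 envelope built with ElementTree, so a DN or comment taken from a
    web form cannot break out of its element as it could with string concatenation."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{PROV_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{PROV_NS}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")

def _result(response: str, tag: str) -> str:
    """Extract one result element; a SOAP fault becomes a RuntimeError."""
    root = ET.fromstring(response)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError("SOAP fault: " + fault.findtext("faultstring", "unknown"))
    text = root.findtext(f".//{{{PROV_NS}}}{tag}")
    if not text:
        raise RuntimeError(f"response has no <{tag}> element")
    return text.strip()

def start_request(transport: Transport, prd_dn: str, recipient_dn: str, comment: str = "") -> str:
    """Start the PRD for a recipient. Returns a request id; nothing is provisioned yet."""
    env = build_envelope("startRequest",
                         {"processDn": prd_dn, "recipient": recipient_dn, "comment": comment})
    return _result(transport("startRequest", env), "requestId")

def wait_for_request(transport: Transport, request_id: str, timeout_s: float = 300,
                     interval_s: float = 5, sleep=time.sleep, clock=time.monotonic) -> str:
    """Poll until the request reaches a terminal status or the deadline passes.
    Callers must treat any result other than 'Completed' as failure."""
    deadline = clock() + timeout_s
    while True:
        env = build_envelope("getStatus", {"requestId": request_id})
        status = _result(transport("getStatus", env), "status")
        if status in TERMINAL:
            return status
        if clock() >= deadline:
            raise TimeoutError(f"request {request_id} still {status!r} after {timeout_s}s")
        sleep(interval_s)

def http_transport(url: str, username: str, password: str, timeout: float = 30) -> Transport:
    """Real transport: HTTP Basic to the service URL. Use an https URL, or the
    credential and every DN cross the network in clear."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    def send(operation: str, envelope: str) -> str:
        req = urllib.request.Request(
            url, data=envelope.encode("utf-8"), method="POST",
            headers={"Content-Type": "text/xml; charset=utf-8",
                     "SOAPAction": operation, "Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    return send

def _fault(message: str) -> str:
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = "Server"
    ET.SubElement(fault, "faultstring").text = message
    return ET.tostring(env, encoding="unicode")

class StubServer:
    """Constructed stand-in for the IDM server: a started request reports
    'Running' until it has been polled polls_until_done times, then 'Completed'."""
    def __init__(self, polls_until_done: int = 3):
        self.polls_until_done, self.requests, self.calls = polls_until_done, {}, []

    def __call__(self, operation: str, envelope: str) -> str:
        self.calls.append(operation)
        root = ET.fromstring(envelope)
        if operation == "startRequest":
            rid = f"req-{len(self.requests) + 1}"
            self.requests[rid] = {"recipient": root.findtext(f".//{{{PROV_NS}}}recipient"), "polls": 0}
            return build_envelope("startRequestResponse", {"requestId": rid})
        if operation == "getStatus":
            rec = self.requests.get(root.findtext(f".//{{{PROV_NS}}}requestId"))
            if rec is None:
                return _fault("unknown request id")
            rec["polls"] += 1
            done = rec["polls"] >= self.polls_until_done
            return build_envelope("getStatusResponse", {"status": "Completed" if done else "Running"})
        return _fault(f"unknown operation {operation}")
```

Against a real server, replace StubServer with http_transport("https://<server>:<port>/IDM/provisioning/service/", user, password) and keep the bounded wait: a caller that fires startRequest and assumes success is exactly the mistake the "asynchronous only" limitation warns about, and an unbounded poll loop turns a stuck workflow into a hung integration.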
A Real World Example
[Diagram: a Web Service Interface calls the Provisioning Workflow Engine, which holds the PRDs (Disable external user PRD, Create "special" external user PRD, Create std external user PRD, Modify role assignment PRD). Completed flows write to the Identity Database, whose Event System feeds the Identity Rule Engine; there the SAP Connector ("Create user in SAP" rule) and the LDAP Connector ("Create user in LDAP" rule) share a common ExternalAccount interface and create the accounts in SAP and LDAP.]
A. A Provisioning Request Definition (PRD) defines the workflow for a provisioning action. There may be many PRDs that can define any required process.
B. The provisioning request workflows can be initiated via web services.
C. Access to a specific PRD can be controlled at a very granular level. Two applications / users can have different flows for the same end function.
D. Once the flow is complete and all requirements have been met, the flow creates the new user account and adds the appropriate entitlements.
E. The eDirectory event system sends the event to each subscribing driver.
F. The rules are evaluated and the account is created in the appropriate systems.
Demonstration
Questions?
Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.