OpenIDM - an introduction

DESCRIPTION
An IAM for Beginners session led by ForgeRock Senior Instructor Matthias Tristl

TRANSCRIPT
OpenIDM for Beginners, EMEA Summit 2013
Objectives
Upon completion of this presentation, you should be able to:
• Describe where OpenIDM fits into the OIS
• Describe the Business Needs for OpenIDM
• Describe IDM Use Cases Addressed by OpenIDM
• Describe OpenIDM Features
Pillars of IAM
(diagram)

Classic scenario I: User wants to use an application...
(diagram: User, Application)
... which does not require any of ForgeRock's products, but ...

Classic scenario II: Centralization of Authentication
(diagram: User, Application, OpenDJ)
... and ...

Classic scenario III: Central Authorization
(diagram: User, Application, OpenDJ, OpenAM)

Classic scenario V: Identity Management
(diagram: User, Application, HR DB, OpenAM, OpenDJ, OpenIDM)
Common Use Cases
• Provisioning
• De-Provisioning
• Compliance and auditing
• Password management
Provisioning
• Depending on a user's business role and predefined rules, a new user will:
  • Get accounts on backend systems on create
  • Get default group/role membership
• Therefore a central instance is needed which
  • Connects to all relevant systems
  • Is able to sync user attributes and memberships
  • Can automatically apply rules
• Manager, approving persons and end-user need well defined access to the user's data

Central Provisioning Point
(diagram: HR DB, User, OpenIDM)
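The provisioning rules above (accounts on create, default group membership, rules applied automatically) and the de-provisioning use case, worked through as a small reconciliation engine. This is an added illustration, not OpenIDM's own code: the situation names (CONFIRMED, FOUND, ABSENT, MISSING, UNQUALIFIED, UNASSIGNED) and action names (CREATE, UPDATE, LINK, DELETE, REPORT) follow OpenIDM's reconciliation vocabulary, but the HR records, target accounts, link table, department-to-group rule and the simplified situation logic are all constructed for this example.

```python
"""Toy reconciliation of an HR source against a target application.

Added example; not OpenIDM's code. Situation and action names follow
OpenIDM's reconciliation vocabulary, everything else is constructed."""
from copy import deepcopy

# Constructed HR source records, keyed by employee id.
HR_SOURCE = {
    "e100": {"uid": "alice", "dept": "finance", "status": "active"},
    "e101": {"uid": "bob",   "dept": "it",      "status": "active"},
    "e102": {"uid": "carol", "dept": "sales",   "status": "terminated"},
    "e103": {"uid": "dave",  "dept": "sales",   "status": "active"},
}
# Constructed target application accounts, keyed by account name.
TARGET_APP = {
    "alice":  {"groups": ["staff"]},
    "carol":  {"groups": ["staff", "sales-reps"]},
    "dave":   {"groups": []},
    "orphan": {"groups": ["admins"]},
}
# Link table left behind by an earlier run: source id -> target id.
LINKS = {"e100": "alice", "e102": "carol"}

# Predefined rule: default group membership by department (constructed).
DEFAULT_GROUPS = {
    "finance": ["staff", "finance"],
    "it":      ["staff", "it-ops"],
    "sales":   ["staff", "sales-reps"],
}

# Situation -> action, in the spirit of a sync.json "policies" list.
POLICY = {
    "CONFIRMED":   "UPDATE",  # linked and present: push attributes/memberships
    "FOUND":       "LINK",    # correlated by uid but not yet linked
    "ABSENT":      "CREATE",  # valid source, nothing on the target yet
    "MISSING":     "CREATE",  # linked target was deleted out of band
    "UNQUALIFIED": "DELETE",  # source no longer valid: de-provision
    "UNASSIGNED":  "REPORT",  # target account nobody owns: flag, do not touch
}


def valid_source(rec):
    """Validity rule: only active employees qualify for accounts."""
    return rec["status"] == "active"


def source_situation(sid, rec, target, links):
    """Classify one source record (simplified version of OpenIDM's situations)."""
    tid = links.get(sid)
    if not valid_source(rec):
        return "UNQUALIFIED"
    if tid is None:
        return "FOUND" if rec["uid"] in target else "ABSENT"
    return "CONFIRMED" if tid in target else "MISSING"


def apply_source_action(action, sid, rec, target, links):
    """Mutate target and links according to the chosen action."""
    uid = rec["uid"]
    if action == "CREATE":
        target[uid] = {"groups": list(DEFAULT_GROUPS[rec["dept"]])}
        links[sid] = uid
    elif action == "LINK":
        links[sid] = uid               # attributes are pushed on the next run
    elif action == "UPDATE":
        target[links[sid]]["groups"] = list(DEFAULT_GROUPS[rec["dept"]])
    elif action == "DELETE":
        tid = links.pop(sid, None)     # only remove accounts this engine linked
        if tid is not None:
            target.pop(tid, None)


def reconcile(source, target, links):
    """One reconciliation run: source phase, then target phase.
    Returns (new_target, new_links, log of (id, situation, action))."""
    target, links, log = deepcopy(target), dict(links), []
    for sid, rec in source.items():
        situation = source_situation(sid, rec, target, links)
        action = POLICY[situation]
        apply_source_action(action, sid, rec, target, links)
        log.append((sid, situation, action))
    owned = set(links.values())
    for tid in target:                 # target phase: accounts without a link
        if tid not in owned:
            log.append((tid, "UNASSIGNED", POLICY["UNASSIGNED"]))
    return target, links, log


if __name__ == "__main__":
    new_target, new_links, log = reconcile(HR_SOURCE, TARGET_APP, LINKS)
    for entry in log:
        print("%-6s %-12s %s" % entry)
    print("target accounts:", sorted(new_target))
```

The source phase runs first, so an account that is merely correlated (FOUND) is linked before the target phase looks for unowned accounts, and on the second run it becomes CONFIRMED and receives its group memberships. The DELETE action only removes accounts this engine has linked itself; an unowned target account such as the "orphan" admin account is reported for review rather than removed, which is the safer default for a de-provisioning rule.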
Passwords
• Passwords can be changed at a central place and distributed to external systems based on flexible rules and password policies
• The provisioning engine needs to detect password changes from an external resource
• User administrators and end user need well defined access to the user's passwords
• A password reset mechanism is in place
• Passwords which have been reset can be sent to the end user in a secure way

Central Password Distribution Point
(diagram: User changes password; OpenIDM, OpenDJ)
Components used in OpenIDM
• Java → min 1.6 update 24; on Windows: Java 7
• OSGi → implementation: Felix
• Servlet container → implementation: Jetty
• Repository → OrientDB, MySQL and others
• JSON → structure for configurations
• OpenICF → local or remote connector server
• Connectors to external systems → e.g. AD, LDAP, file...
• Activiti → workflow engine

Putting It All Together
(diagram)
The REST Interface
Representational State Transfer (REST)
Conforming to the REST constraints is generally referred to as being "RESTful"
REST utilizes HTTP methods: GET, PUT, POST, DELETE, HEAD

OpenIDM in action
• Install OpenIDM
• Start with workflow sample
• Get user through reconciliation
• Start
Native Connection Protocols
(diagram: OpenIDM, Repo DB, DB; protocols JDBC, JNDI, SSH, ADSI)

Connector Architecture
(diagram)
Activiti Introduction
• A light-weight workflow and Business Process Management Software
• BPMN 2 compliant
• A process engine for Java applications
• It's open-source and distributed under the Apache license
• Workflows are deployed as business archives (.bar)
• Workflow definitions are in XML format

Apply for Contractor I
Workflow outline

Apply for Contractor II
Startup Form: (screen shot)

Activiti Modeler II

Connector Configuration (simple)

Sync Configuration
Connector Configuration (flexible)

    "principal" : "cn=Directory Manager",
    "ssl" : false,
    "baseContexts" : ["ou=People,dc=example,dc=com"],
    "groupMemberAttribute" : "uniqueMember",
    "passwordAttribute" : "userPassword",
    "accountSearchFilter" : null,
    "accountObjectClasses" : ["top", ...],
    "maintainLdapGroupMembership" : false,
    "blockSize" : 100,
    "baseContextsToSynchronize" : ["ou=People,dc=example,dc=com"],
    "attributesToSynchronize" : ["uid", ...],
    ...
    {
      "account" : {
        "nativeType" : "__ACCOUNT__",
        "properties" : {
          "uid" : {
            "type" : "string",
            "nativeName" : "userName",
            "nativeType" : "STRING",
            "flags" : ["NOT_CREATABLE", ...
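The flexible connector configuration above binds as cn=Directory Manager with "ssl" : false. The audit script below, added here and not part of OpenIDM, checks a provisioner configuration for exactly those two settings and for two related ones, and shows a hardened counterpart next to the weak fragment. The property names (ssl, startTLS, principal, credentials, passwordAttribute, attributesToSynchronize) are those of the OpenICF LDAP connector and the $crypto wrapper is the form OpenIDM writes when it encrypts a credential at startup; the two JSON fragments, the service-account DN, port 636, the superuser DN list, the audit function and its severities are all constructed for this example.

```python
"""Audit an OpenIDM LDAP provisioner configuration for weak settings.

Added example; not OpenIDM's code. The two fragments are constructed after
the slide's settings; the audit rules and severities are ours."""
import json

# Constructed fragment modelled on the slide: superuser bind, no TLS,
# plaintext credentials, password attribute synchronized.
WEAK_CONFIG = json.loads("""{
  "configurationProperties": {
    "host": "ldap.example.com",
    "port": 389,
    "ssl": false,
    "principal": "cn=Directory Manager",
    "credentials": "secret",
    "baseContexts": ["ou=People,dc=example,dc=com"],
    "passwordAttribute": "userPassword",
    "attributesToSynchronize": ["uid", "userPassword"]
  }
}""")

# Constructed hardened counterpart: LDAPS, a dedicated service account
# (hypothetical DN), credentials already in OpenIDM's $crypto form.
HARDENED_CONFIG = json.loads("""{
  "configurationProperties": {
    "host": "ldap.example.com",
    "port": 636,
    "ssl": true,
    "principal": "cn=idm-sync,ou=Service Accounts,dc=example,dc=com",
    "credentials": {"$crypto": {"type": "x-simple-encryption",
                                "value": {"data": "<ciphertext>"}}},
    "baseContexts": ["ou=People,dc=example,dc=com"],
    "passwordAttribute": "userPassword",
    "attributesToSynchronize": ["uid"]
  }
}""")

# Bind DNs that carry directory superuser rights (constructed list; extend
# it with whatever root DN your directory uses).
SUPERUSER_DNS = {"cn=directory manager"}


def normalize_dn(dn):
    """Lower-case and strip spaces around commas so DN spellings compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_connector(config):
    """Return a list of (severity, finding) for one provisioner configuration."""
    props = config.get("configurationProperties", {})
    findings = []
    encrypted = bool(props.get("ssl")) or bool(props.get("startTLS"))
    if not encrypted:
        findings.append(("HIGH", "ssl and startTLS are both off: the bind password "
                         "and every synchronized attribute cross the wire in clear"))
    if normalize_dn(props.get("principal", "")) in SUPERUSER_DNS:
        findings.append(("HIGH", "principal is the directory superuser; bind with a "
                         "service account limited to the synchronized subtree"))
    if isinstance(props.get("credentials"), str):
        findings.append(("MEDIUM", "credentials are a plaintext string; OpenIDM rewrites "
                         "them as a $crypto object on startup, so this file has not "
                         "been loaded yet or was edited afterwards"))
    pw_attr = props.get("passwordAttribute")
    if pw_attr and pw_attr in props.get("attributesToSynchronize", []) and not encrypted:
        findings.append(("HIGH", "%s is synchronized over an unencrypted connection" % pw_attr))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_connector(cfg) or "no findings")
```

Run it against the provisioner files in OpenIDM's conf directory once they have been loaded at least once: a configuration whose credentials are still a plain string after startup is one OpenIDM never read, which is worth knowing before trusting the rest of its settings.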
Other OpenIDM Features
• Task Scheduling
• Cluster OpenIDM for High availability
• Horizontal scalability
• OpenIDM command line
• Data validation through policies
• Managing Passwords
• Send emails

ForgeRock University