How to Install and Configure your own Identity Manager GE
Álvaro Alonso – Federico Fernández
Security Team
Technical University of Madrid (UPM)
Outline
Introduction
KeyRock Architecture
Installing and Configuring KeyRock
Demo
Why do I need an Identity Manager?
What is an Identity Manager?
Why should I install FIWARE Identity Manager GE?
KeyRock GE: features
Users
Organizations
Authorization via roles
Applications and OAuth
IoT identity management
OpenStack services
Admin tools
SCIM API
KeyRock Architecture
Components: Horizon, Keystone, DB
KeyRock Architecture: Horizon
Front-end view
Based on OpenStack Horizon
User views
Contains…
• OAuth2 Driver
• reCAPTCHA
• FIWARE Accounts
• Admin Tools
• AuthZForce Driver
Extra dependencies
• Python Keystoneclient
• Django OpenStack Auth
KeyRock Architecture: Keystone
Back-end component
Resources management
Connection to database
Extensions
• OAuth2
• SCIM 2.0
• User registration
• Two factor authentication
KeyRock Architecture: Database
For development: SQLite
For deployment: a production-ready engine such as MySQL (see the considerations for production environments)
#handsOn
Documentation & Source Code
Quick Installation Guide
• http://fiware-idm.readthedocs.io/en/latest/introduction.html#how-to-build-install
Detailed Installation Guide
• http://fiware-idm.readthedocs.io/en/latest/admin_guide.html#step-by-step-installation
GitHub
• https://github.com/ging/fiware-idm
• https://github.com/ging/horizon
• https://github.com/ging/keystone
API description
• http://docs.keyrock.apiary.io
Installing KeyRock
Installing the back-end
1. Install Ubuntu dependencies (14.04 LTS fully supported; 16.04 LTS should work)
2. Get the code
3. Install Python dependencies
4. Create a configuration file
5. Create the tables and populate the database (this also creates the idm user account)
6. That’s it!!
Installing the front-end
1. Install Ubuntu dependencies
2. Get the code
3. Create a configuration file
4. Install Python dependencies
5. That’s it!
Installing KeyRock: installation tools
Good news: there are installation tools to ease the process
• Bash script (defaults: idm user "idm", idm password "idm", Keystone port 5000, Horizon port 8000)
• Docker image
• Chef cookbook
Configuring KeyRock
Configuring the back-end
• Admin token
• Admin port
• Public port
• Configure authorization, roles…
Configuring the front-end
• Credentials for the idm user
• reCAPTCHA
• Account expiration
• AJAX pagination
• Connection with Access Control GE
Considerations for production environments
Don’t:
• Do not run Horizon from the dev server
• Do not run KeyRock without having enabled reCAPTCHA
• Do not use SQLite
• Do not forget about the emails!
• Do not run Keystone in dev mode
Do:
• Do run Horizon under Apache+mod_wsgi
• Do enable reCAPTCHA
• Do use some production-ready DB engine (MySQL)
• Do set up an SMTP server to send mails (Postfix)
• Do set up Keystone as a service
Production env: MySQL
• Configure the new SQL backend in Keystone
• Grant privileges to the database
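The production checklist above (no dev/debug mode, no SQLite, and the admin token from the back-end configuration slide) can be checked mechanically before a deployment goes live. The following is an added example written for this page, not code from the slides or from the KeyRock project. It assumes the upstream keystone.conf layout (admin_token, admin_port, public_port and debug under [DEFAULT], the SQLAlchemy connection URL under [database]) and runs on two constructed sample files. The install script's idm/idm default credentials on the front-end side belong to the same class of finding but live in Horizon's settings, which this linter does not read.

```python
"""Added example, not code from the slides or from the KeyRock project:
a small linter for keystone.conf that flags the development-only settings
the production slides warn about (SQLite backend, dev/debug mode, a
bootstrap admin token left at its sample value).

Assumed (not stated on the slides): keystone.conf is an INI file with
admin_token, admin_port, public_port and debug under [DEFAULT] and the
SQLAlchemy URL under [database] connection, as in upstream Keystone. The
two sample files below are constructed for this example.
"""
import configparser

# Constructed sample: what a quick development install typically leaves behind.
DEV_CONF = """\
[DEFAULT]
admin_token = ADMIN
admin_port = 35357
public_port = 5000
debug = True

[database]
connection = sqlite:///keystone.db
"""

# Constructed sample: the same file after the production advice has been applied.
# The token value is a made-up 64-hex string standing in for a generated secret.
PROD_CONF = """\
[DEFAULT]
admin_token = 7f3a9c1e4b2d8e6f0a5c3b9d1e7f2a4c6b8d0e1f3a5c7b9d2e4f6a8c0b1d3e5f
admin_port = 35357
public_port = 5000
debug = False

[database]
connection = mysql://keystone:REPLACE_WITH_DB_PASSWORD@localhost/keystone
"""

# Values of admin_token that must never reach production: the sample value
# shipped with Keystone, or nothing at all.
SAMPLE_ADMIN_TOKENS = {"admin", ""}
MIN_TOKEN_LENGTH = 32


def lint_keystone_conf(text):
    """Return a list of (setting, problem) pairs; an empty list means no finding."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # The admin token bypasses normal authentication on the admin port, so a
    # guessable value is equivalent to a leaked admin password.
    token = cp["DEFAULT"].get("admin_token", "").strip()
    if token.lower() in SAMPLE_ADMIN_TOKENS or len(token) < MIN_TOKEN_LENGTH:
        findings.append(("admin_token", "sample, empty or short admin token"))

    # "Do not run Keystone in dev mode": debug output leaks internals and
    # the dev server is not meant to face the network.
    if cp["DEFAULT"].getboolean("debug", fallback=False):
        findings.append(("debug", "debug mode enabled"))

    # "Do not use SQLite": single-file DB, no concurrent writers, no
    # privilege separation between Keystone and the database.
    connection = cp.get("database", "connection", fallback="")
    if connection.lower().startswith("sqlite"):
        findings.append(("database.connection", "SQLite backend in use"))
    elif "://" in connection and "@" not in connection.split("://", 1)[1]:
        findings.append(("database.connection", "no database credentials configured"))

    return findings


def is_production_ready(text):
    """True when the linter has nothing to report."""
    return not lint_keystone_conf(text)


if __name__ == "__main__":
    for name, conf in (("dev", DEV_CONF), ("prod", PROD_CONF)):
        print(name, lint_keystone_conf(conf))
```

Run it against the real file with `lint_keystone_conf(open("/path/to/keystone.conf").read())` as a pre-deployment gate; the checks are deliberately conservative (the token check accepts anything of 32 characters or more that is not the sample value), so a clean result is a necessary, not a sufficient, condition for a hardened install.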
Production env: e-mail (SMTP)
This will get the settings from the default SMTP server on your host
Production env: setting up Keystone as a service
It works like any other Linux service
• Create a /etc/init/keystone_idm.conf file
• To run the service...
Production env: CORS
• Whitelist to restrict access to all the endpoints in the front-end
• Django signal to allow everyone access to only some of the endpoints
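The two CORS rules on this slide (a whitelist for every endpoint, plus an escape hatch that opens a few endpoints to everyone) map onto the CORS_ORIGIN_WHITELIST setting and the check_request_enabled signal of django-cors-headers. The following is an added example, not the front-end's own code: the same policy written as a plain function so the decision can be tested without Django. ORIGIN_WHITELIST, PUBLIC_PATHS and cors_headers() are names assumed for this example, and the origins and paths are constructed.

```python
"""Added example, not the KeyRock front-end's own code: the CORS policy the
slide describes, as a plain function testable without Django.

Assumed names: ORIGIN_WHITELIST, PUBLIC_PATHS, canonical_origin(),
cors_headers(). Origins and paths below are constructed.
"""
from urllib.parse import urlsplit

# Constructed whitelist: the only browser origins allowed to call the
# front-end's endpoints with credentials (cookies / session).
ORIGIN_WHITELIST = {"https://portal.example.test", "https://admin.example.test"}

# Constructed set of endpoints that everyone may read cross-origin, without
# credentials: the "allow everyone access only some of the endpoints" case.
PUBLIC_PATHS = {"/health", "/api/public/version"}


def canonical_origin(origin):
    """Return scheme://host[:port] for a well-formed Origin header, else None.

    An Origin carries no path, query or fragment; anything else ('null',
    'file://', a full URL with a path) is treated as untrusted.
    """
    if not origin:
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(origin, path):
    """Return the CORS response headers for one request; {} means deny.

    Public paths answer any origin with a wildcard and no credentials.
    All other paths answer only exact whitelist matches, echoing the
    origin (a wildcard cannot be combined with credentials) and marking
    the response as varying by Origin so shared caches do not reuse it.
    """
    if path in PUBLIC_PATHS:
        return {"Access-Control-Allow-Origin": "*"}

    origin = canonical_origin(origin)
    # Exact set membership: a prefix or substring test would also accept
    # https://portal.example.test.lookalike.invalid.
    if origin is None or origin not in ORIGIN_WHITELIST:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed requests: trusted origin, look-alike origin, public endpoint.
    for o, p in (("https://portal.example.test", "/api/users"),
                 ("https://portal.example.test.lookalike.invalid", "/api/users"),
                 ("https://anyone.invalid", "/health")):
        print(o, p, cors_headers(o, p))
```

Denying means returning no CORS headers at all rather than an error status: the request still reaches the view (CORS does not replace authentication), but the browser refuses to hand the response to the calling page. Keep the whitelist to full origins, never bare hostnames or regular expressions, so that a look-alike domain cannot satisfy it.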
Administrating KeyRock
$ git clone https://github.com/ging/fiware-idm idm-admin && cd idm-admin
$ sudo pip install -r requirements.txt
$ sudo python setup.py install
$ idm-admin --help
#handsOn
Achievements
What is an IdM and why should I install one?
What is the architecture of FIWARE IdM GE?
Installing KeyRock
• Step-by-step
• Installation tools
Configuring KeyRock
• Development environment
• Production environment
Administrating KeyRock
Contact us!
Open an issue in GitHub: https://github.com/ging/fiware-idm
E-mail & Help Desk
Here at the Summit!!
Thank you!
http://fiware.org
Follow @FIWARE on Twitter