Open Source Identity Management (20121106 - ApacheCon EU)

Upload: francesco-chicchiricco

Post on 08-Jun-2015


TRANSCRIPT

1. Open Source Identity Management
   Francesco Chicchiriccò

2. Agenda
   • Identity and Access Management
   • Vendor vs Open Source solutions
   • Apache Syncope

3. What's IdM about?
   • A person has an identity; an account is a data record that contains a collection of data about that person
   • IdM: the joint effort of business process and IT to manage user data on systems and applications

4. IdM technologies
   • Identity Stores: storage of user information
   • Provisioning: synchronize account data across identity stores and a broad range of data formats, models, meanings and purposes
   • Access Management: security mechanisms that take place when a user is accessing a specific system or functionality

5. Identity Stores
   • Examples: LDAP / Active Directory, RDBMS, Meta and Virtual Directories
   • Accounts can be created and managed in one place only
   • Each application manages authentication separately
   • The user may use the same password for all the connected applications

6. Provisioning
   • Keeping the identity stores as synchronized as possible (and practical)
   • Needs to be customizable and flexible
   • Priority: non-intrusive
   • Focused on application back-end
   • Communication: Connectors, Agents

7. Identity Lifecycle (diagram)

8. Access Management
   • Mediator to all access to all applications
   • Focused on application front-end
   • Aspects: Authentication, Single Sign-On, Authorization, Federation (SAML, Liberty, ...)
   • Mainly applicable to web applications
   • Difficult integration with pre-existing apps

9. Aren't Identity Stores enough?
   • Heterogeneity of systems
   • Lack of a single source of information (HR for corporate id, Groupware for mail address, ...)
   • Need for a local user database
   • Inconsistent policies
   • Lack of workflow management
   • Hidden infrastructure management cost, growing with organization size

10. IdM in practice: before... (diagram)

11. IdM in practice: ...after! (diagram)

12. Vendor products
   • Oracle, with addition of ex-Sun suite
   • Novell
   • IBM (Tivoli)
   • Microsoft (Forefront)
   • Niche players: Ping, NetIQ, SailPoint, Quest (now Dell)

13. Open Source non-ASF products (logos grouped by Identity Stores, Provisioning, Access Management)

14. Open Source ASF projects
   • Identity Stores: Apache Directory
   • Provisioning: Apache Syncope
   • Access Management: Apache Shiro

15. Apache Syncope (incubating)
   • Inception by Tirasa in 2010
   • Entered ASF incubator in February 2012
   • 6 ASF releases made
   • Graduation as TLP currently under [VOTE]
   • Rising in popularity: new PPMC members joined; ~80 mailing list subscribers, noticeable traffic
   • Our mentor Colm Ó hEigeartaigh is these days introducing Syncope at JAXCON 2012: http://lanyrd.com/2012/w-jax/sxcyz/

16. Syncope: features
   • Workflow-based provisioning engine
   • Account / Password policies
   • Agentless connection with Identity Stores
   • Auditing & Reporting
   • Shining admin console
   • Customizable and extensible by design

17. Syncope: building blocks (diagram)

18. Syncope: architecture (diagram)
   • Third-party applications and the Administration console talk to the RESTful controllers
   • Core components: Users, Roles, Policies, Workflow, Business Intelligence, Scheduler, Connectors Engine
   • Persistence (JPA)

19. Syncope: attribute mapping (diagram)
   • LDAP User: uid: jblack; givenName: John; sn: jblack; mail: [email protected]; userpassword: **********; employeeNumber: 1432; cn: John Black; homeDirectory: /home/jblack
   • User Attributes: Username: jblack; Nickname: jontheblack; Firstname: John; Surname: Black; Email: [email protected]; Password: **********; Badge: 1432
   • User Derived Attributes: Fullname: John Black
   • User Virtual Attributes: HomeDirectory: /home/jblack (stored only on external resource)
   • Database: accountId: jblack; surname: jblack; firstname: John; password: *********; employeeNumber: 1432; fullname: Jock Black

20. Syncope: connectors
   • Based on ConnId, hosted at GoogleCode, new home of Sun's Identity Connectors
   • Ready-to-use bundles: LDAP, Active Directory, DB Table, CSV Directory, SOAP, Google Apps, UNIX
   • Write your own bundle
   • (diagram: Provisioning Engine -> API -> Common Objects & Utils -> SPI -> Connectors)

21. Syncope and the external world (diagram)

22. Syncope: JEE deployment (diagram)

23. Syncope: internal storage (diagram)
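The attribute-mapping slide (19) and the provisioning slide (6) describe the same mechanism from two sides: one internal user record is projected onto each external identity store through a per-resource mapping, with derived attributes computed on the fly and virtual attributes living only on the resource, and the stores are then kept in sync by comparing what the mapping expects with what is actually there. The following is an added illustration of that mechanism, not Apache Syncope code and not its API: the `Resource` class, the `LDAP`/`DB` mapping tables, the in-memory `store` dictionaries and the sample values (including the `@example.com` address) are constructed for the example; a real deployment would write through a ConnId connector instead of a dictionary.

```python
"""Toy model of Syncope-style attribute mapping, propagation and reconciliation.

Added illustration, not Apache Syncope code. The resource definitions, the
mapping tables and the in-memory "stores" below are constructed to mirror
the attribute-mapping slide (internal user jblack pushed to an LDAP and a
database); real deployments would go through a ConnId connector instead.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Internal user attributes: the plain attributes Syncope stores itself.
USER: Dict[str, str] = {
    "username": "jblack",
    "nickname": "jontheblack",
    "firstname": "John",
    "surname": "Black",
    "email": "jblack@example.com",   # constructed sample address
    "badge": "1432",
}

# Derived attributes: computed from stored attributes, never persisted.
DERIVED: Dict[str, Callable[[Dict[str, str]], str]] = {
    "fullname": lambda a: f"{a['firstname']} {a['surname']}",
}

# Virtual attributes: stored only on an external resource; Syncope holds no value.
VIRTUAL = {"homeDirectory"}


@dataclass
class Resource:
    """One external identity store together with its attribute mapping (constructed)."""
    name: str
    account_id: str                 # internal attribute used as the external account identifier
    mapping: Dict[str, str]         # internal attribute name -> external attribute name
    password_attr: Optional[str]    # external attribute that receives the password, if any
    store: Dict[str, Dict[str, str]] = field(default_factory=dict)  # stand-in for the backend


LDAP = Resource(
    name="ldap", account_id="username", password_attr="userPassword",
    mapping={"username": "uid", "firstname": "givenName", "surname": "sn",
             "email": "mail", "badge": "employeeNumber", "fullname": "cn",
             "homeDirectory": "homeDirectory"},
)
DB = Resource(
    name="db", account_id="username", password_attr="password",
    mapping={"username": "accountId", "firstname": "firstname", "surname": "surname",
             "badge": "employeeNumber", "fullname": "fullname"},
)


def resolve(user: Dict[str, str], virtual: Dict[str, str]) -> Dict[str, str]:
    """Full attribute view: stored attributes, plus derived ones and any virtual values supplied."""
    view = dict(user)
    for name, expr in DERIVED.items():
        view[name] = expr(user)
    view.update({k: v for k, v in virtual.items() if k in VIRTUAL})
    return view


def to_external(user, virtual, password: Optional[str], res: Resource) -> Dict[str, str]:
    """Apply the resource mapping to build the record a connector would write.

    Attributes without a value (e.g. a virtual attribute that was not supplied)
    are left out, and the password goes only to resources that map it.
    """
    view = resolve(user, virtual)
    record = {ext: view[internal] for internal, ext in res.mapping.items() if internal in view}
    if password is not None and res.password_attr:
        record[res.password_attr] = password
    return record


def propagate(user, virtual, password: Optional[str], *resources: Resource) -> Dict[str, Dict[str, str]]:
    """Create or update the user on every resource, keyed by its account identifier."""
    written = {}
    for res in resources:
        record = to_external(user, virtual, password, res)
        res.store[user[res.account_id]] = record
        written[res.name] = record
    return written


def reconcile(user, virtual, res: Resource) -> Dict[str, tuple]:
    """Report external attributes whose value drifted from what the mapping expects.

    Returns {external_attr: (actual, expected)}. The password is excluded:
    Syncope keeps no clear-text copy to compare against.
    """
    expected = to_external(user, virtual, None, res)
    actual = res.store.get(user[res.account_id], {})
    return {ext: (actual.get(ext), exp) for ext, exp in expected.items() if actual.get(ext) != exp}


if __name__ == "__main__":
    home = {"homeDirectory": "/home/jblack"}
    for name, rec in propagate(USER, home, "s3cret", LDAP, DB).items():
        print(name, {k: ("***" if k in ("userPassword", "password") else v) for k, v in rec.items()})
    LDAP.store["jblack"]["mail"] = "someone.else@example.com"   # simulate drift on the LDAP side
    print("drift on ldap:", reconcile(USER, home, LDAP))
```

Two points the slide shows but does not spell out are visible here: `fullname` reaches both resources (as `cn` and `fullname`) although it is never stored internally, and `homeDirectory` reaches only the LDAP entry because only that mapping names it and only the caller supplies its value. The `reconcile` step is the "as synchronized as possible" half of slide 6: it reports a changed `mail` on the LDAP side so that the provisioning engine can push the expected value back or raise it for review, while deliberately not comparing passwords, for which the engine holds no clear-text value.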
24. Syncope: roadmap
   • Role provisioning
   • SOAP / SCIM interface via CXF
   • Access Management features via Shiro
   • Concurrent / asynchronous communication with external resources
   • OpenICF support

25. Syncope: (some) success stories
   • iWelcome
   • Bibliotheek.nl
   • SURFnet
   • Ospedali Riuniti di Ancona
   • ARAG

26. Syncope: trying it out
   • Online: http://syncopedemo.tirasa.net
   • Virtual Machine image
   • Quickstart projects on Github
   • New project from Maven Archetype
   • Standalone distribution (soon available)

27. Questions?

All text and image content in this document is licensed under the Creative Commons Attribution-Share Alike 3.0 License (unless otherwise specified). Apache, Syncope, Apache Syncope, the Apache feather logo, the Apache Syncope project logo and the Apache Syncope logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.