OpenSource Identity Management with
Apache Syncope
Viale D'Annunzio, 267 - 65127 Pescara
Partita IVA 01974100685
N. REA 143460
Tel +39 0859116307 / FAX +39 0859111173
http://[email protected]
Agenda
Identity and Access Management
Vendor Vs Open Source solutions
Apache Syncope
Tirasa: Apache Syncope Enterprise support
What's IdM about?
Data record: a collection of data about a person
Account
Identity: a person
IdM: the joint effort of business process and IT to manage user data on systems and applications.
IdM technologies
Identity Stores: storage of user information
Provisioning: synchronize account data across identity stores and a broad range of data formats, models, meanings and purposes
Access Management: security mechanisms that take place when a user is accessing a specific system or functionality
Identity Stores
Examples: LDAP / Active Directory, RDBMS, Meta and Virtual Directories
Accounts can be created and managed in one place only
Each application manages authentication separately
Users may use the same password for all connected applications
Aren't Identity Stores enough?
Heterogeneity of systems
Lack of a single source of information (HR for corporate id, Groupware for mail address, ...)
Need for a local user database
Inconsistent policies
Lack of workflow management
Hidden infrastructure management cost, growing with organization size
Provisioning
Keeping identity stores as synchronized as possible
Needs to be customizable and flexible
Priority: non-intrusiveness
Focused on the application back-end
Communication: Connectors, Agents
Identity Lifecycle
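The provisioning idea above (one source of truth, several identity stores, each reached through a connector with its own attribute mapping) can be made concrete with a small reconciliation planner. This is an added example written for this page, not code from Apache Syncope or ConnId; the HR records, the LDAP-like and database-like target stores, and the mappings are all constructed sample data, and the resource schemas are assumptions. It computes the create/update/delete actions needed to bring each target in line with the source, deprovisioning inactive users and flagging accounts that exist on a target without a source user.

```python
"""Toy provisioning planner: reconcile a source identity store against
target resources through per-resource attribute mappings.
Added example, not Apache Syncope code; all store contents are constructed."""
from dataclasses import dataclass
from typing import Callable

# Constructed source of truth (think: the HR database).
HR_USERS = {
    "jdoe": {"givenName": "John", "surname": "Doe", "mail": "jdoe@example.com", "active": True},
    "asmith": {"givenName": "Alice", "surname": "Smith", "mail": "asmith@example.com", "active": False},
    "bnew": {"givenName": "Bob", "surname": "New", "mail": "bnew@example.com", "active": True},
}

# Constructed target resources, each with its own schema (assumed, not a real directory layout).
LDAP = {
    "uid=jdoe,ou=people,dc=example,dc=com": {"cn": "John Doe", "mail": "jdoe@example.com"},
    "uid=asmith,ou=people,dc=example,dc=com": {"cn": "Alice Smith", "mail": "asmith@example.com"},
    "uid=ghost,ou=people,dc=example,dc=com": {"cn": "Old Account", "mail": "ghost@example.com"},
}
DB = {
    "jdoe": {"first_name": "John", "last_name": "Doe", "email": "old@example.com"},
}


@dataclass
class Mapping:
    """How a source user is rendered on one target resource."""
    name: str
    key: Callable[[str], str]          # source username -> key on the target
    render: Callable[[dict], dict]     # source attributes -> target attributes


LDAP_MAPPING = Mapping(
    name="ldap",
    key=lambda u: f"uid={u},ou=people,dc=example,dc=com",
    render=lambda a: {"cn": f"{a['givenName']} {a['surname']}", "mail": a["mail"]},
)
DB_MAPPING = Mapping(
    name="db",
    key=lambda u: u,
    render=lambda a: {"first_name": a["givenName"], "last_name": a["surname"], "email": a["mail"]},
)


def plan(source, target, mapping):
    """Return sorted (action, key, attrs) tuples that make target match source.

    Inactive source users are treated as absent, so their accounts are
    deprovisioned; accounts on the target with no active source user are
    reported as deletes (orphans are exactly what an IdM audit wants to see)."""
    desired = {}
    for username, attrs in source.items():
        if not attrs["active"]:
            continue
        desired[mapping.key(username)] = mapping.render(attrs)

    actions = []
    for key, attrs in desired.items():
        if key not in target:
            actions.append(("create", key, attrs))
        elif target[key] != attrs:
            actions.append(("update", key, attrs))
    for key in target:
        if key not in desired:
            actions.append(("delete", key, None))
    # Sort on action and key only; attribute dicts are not orderable.
    return sorted(actions, key=lambda t: (t[0], t[1]))


def apply(target, actions):
    """Execute a plan against an in-memory target store and return it."""
    for action, key, attrs in actions:
        if action == "delete":
            del target[key]
        else:
            target[key] = attrs
    return target


def reconcile_all(source, resources):
    """Plan every (target, mapping) pair; returns {resource name: actions}."""
    return {m.name: plan(source, t, m) for t, m in resources}


if __name__ == "__main__":
    for name, acts in reconcile_all(HR_USERS, [(LDAP, LDAP_MAPPING), (DB, DB_MAPPING)]).items():
        print(name)
        for action, key, _ in acts:
            print(f"  {action:6} {key}")
```

Running it shows the two stores drifting in different ways: LDAP needs a create for the new hire, a delete for the deactivated user and a delete for an orphan that no source record explains, while the database needs the same create plus an update of a stale e-mail address. Whether a real engine should actually delete accounts it does not recognise, rather than only report them, is a policy decision; a planner that separates "plan" from "apply" keeps that decision reviewable before anything touches the target.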
Access Management
Mediator for all access to all applications
Focused on the application front-end
Aspects: Authentication (Single Sign-On)
Authorization
Federation (SAML, Liberty, OAuth, OpenID, ...)
Mainly applicable to web applications
Difficult integration with pre-existing apps
IdM in practice: before...
IdM in practice: ...after!
Vendor products
Oracle (with addition of ex-Sun suite)
Novell
IBM (Tivoli)
Microsoft (Forefront)
Niche players: Ping
NetIQ
SailPoint
Quest (now Dell)
Open Source non-ASF products
Identity Stores
Access Management
Provisioning
Open Source ASF projects
Identity Stores: Apache Directory
Provisioning: Apache Syncope
Access Management: Apache Shiro
Apache Syncope
Inception by Tirasa in 2010
Entered ASF incubator in February 2012
Graduated as TLP in November 2012
Active community: 13 committers, 5 contributors
~130 mailing list subscribers, stable traffic
Syncope: features
Workflow-based provisioning engine of users and roles
Account / Password policies
Agentless connection with Identity Stores
Auditing & Reporting
Shining admin console
Customizable and extensible by design
Syncope: architecture
Syncope: mapping
Syncope and the external world
Syncope: connectors
Based on ConnId, hosted at GitHub, new home of Sun's Identity Connectors
Ready-to-use bundles: LDAP
Active Directory
Database
CSV Directory
SOAP
Google Apps
UNIX
Write your own bundle
Syncope: roadmap
Security realms (multi-tenant scenarios)
SCIM interface
Concurrent / Asynchronous communication with external resources
Access Management features
More at http://s.apache.org/SyncopeRoadmap
Syncope: (some) success stories
Tirasa
Italian limited company established in 2011
Small, highly skilled staff: delivering IAM solutions for Sun Microsystems for 10 years
Instructors of IdM, Access Manager and Directory Server for Sun Microsystems' courses
Creates and leverages Open Source tools for Enterprise Integration: ConnId, Hippo Cocoon Toolkit
Syncope: enterprise services
Product evaluation: introductory workshop
Proof of Concept (PoC)
Development support
Production support
Syncope Compliance Dashboard
More at http://syncope.tirasa.net
Syncope: trying it out
Online http://syncopedemo.tirasa.net
Virtual Machine image
Ubuntu Juju / Microsoft Azure
.deb packages
Standalone distribution
Quickstart projects on GitHub
Maven Archetype
Questions?