eSCIMo - User Provisioning over Web

  • Published on

  • View

  • Download




<ul><li> 1. User Provisioning Over Web Kiran Ayyagari </li> <li> 2. Kiran Ayyagari PMC ApacheDS project Consulting &amp; Support on ApacheDS Started project eSCIMo, 2 </li> <li> 3. What Is SCIM System for Cross-domain Identity Management A standard for provisioning 3 </li> <li> 4. SCIM Schema A collection of attribute definitions e.g. { } "id": "urn:scim:schemas:core:2.0:User", "name": "User", "description": "Core User", "attributes":[ { "name":"id", "type":"string", "multiValued":false, "description":"Unique identifier for the SCIM ressource. REQUIRED.", "readOnly":true, "required":true, "caseExact":false }, ... 4 </li> <li> 5. SCIM Schema... Simple Attribute e.g. userName a user's name Complex Attribute e.g. name a collection of firstName, lastName etc. Multi-valued Attribute e.g. emails a collection of all emails Sub-attribute e.g. familyName a user's family name 5 </li> <li> 6. SCIM Schema... Platform neutral JSON format URN as a ID 6 </li> <li> 7. SCIM Data Model User Name : Naveen S UID : naveens Last Name : Sivashankar First Name : Naveen { } "schemas": ["urn:scim:schemas:core:2.0:User"], "id": "45ceb739-1695-4c03-ab18-33ac71e91875", "userName": "naveens", "displayName": "Naveen S", "active": true, "name": { "familyName": "Sivashankar", "givenName": "Naveen Sivashankar" }, "emails" : [{""},{""}], 7 </li> <li> 8. SCIM Data Model... e.g. Extended user User Enterprise User Name : Naveen S UID : naveens Employee No : 11011 Cost Center : 007 { "schemas": ["urn:scim:schemas:core:2.0:User", "urn:scim:schemas:extension:enterprise:2.0:User"], "id": "45ceb739-1695-4c03-ab18-33ac71e91875", "userName": "naveens", ... "urn:scim:schemas:extension:enterprise:2.0:User": { "employeeNumber": "11011", "costCenter": "007" } } </li> <li> 9. SCIM Data Model... Group Name : Administrators Members : naveens { "schemas": ["urn:scim:schemas:core:2.0:Group"], "id": "484fbc39-ae09-427b-896f-d469d28895ad", "displayName": "Administrators", "members": [ { "value": "45ceb739-1695-4c03-ab18-33ac71e91875", "$ref": "http://localhost:8080/v2/Users/45ceb739-16954c03-ab18-33ac71e91875", "display": "naveens" } ] } 9 </li> <li> 10. SCIM API Uses REST Supports CRUD operations Bulk modification Paged search </li> <li> 11. What Is eSCIMo An implementation of SCIM v2.0 Supports LDAP as a backend by default Can work with any LDAP server Embeddable in ApacheDS 11 </li> <li> 12. Running eSCIMo Scenario 1 App Server/ Container eSCIMo eSCIMo LDAP Server 12 </li> <li> 13. Running eSCIMo... Scenario 2 ApacheDS Jetty eSCIMo eSCIMo 13 </li> <li> 14. Architecture of eSCIMo Security Filter REST API Resource Provider Interface LDAP Resource Provider RDBMS Resource Provider ???? Resource Provider Implemented Not Implemented LDAP RDBMS 14 ??? </li> <li> 15. How Does It Work? Attribute mapping Mapping a simple attribute - e.g. "id": "45ceb739-1695-4c03-ab18-33ac71e91875" "userName": "naveens" 15 </li> <li> 16. How Does It Work... Attribute mapping contd... Mapping a complex attribute e.g. "name": { "familyName": "Sivashankar", "givenName": "Naveen Sivashankar" } 16 </li> <li> 17. How Does It Work... Attribute mapping contd... Mapping a multi-valued attribute e.g. "emails" : [{""},{""}] 17 </li> <li> 18. How Does It Work... Attribute mapping contd... e.x "groups": [ { "id": "484fbc39-ae09-427b-896f-d469d28895ad", "$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896fd469d28895ad", "display": "Administrators" }] "id" - How can we fetch the ID of the member entry? "$ref" - How do we build a URL dynamically? 18 </li> <li> 19. How Does It Work... Attribute Handlers Handler Implementation public class GroupsAttributeHandler extends LdapAttributeHandler { public void read(); public void write(); public void patch(); } Handler definition Handler mapping 19 </li> <li> 20. eSCIMo Json2Java Is a Maven plugin Generates Java classes from SCIM schemas 20 </li> <li> 21. eSCIMo Client Works with the generated model classes e.x. Adding a User resource User user = new User(); user.setUserName( "naveens" ); user.setDisplayName( "Naveen Sivashankar" ); user.setPassword( "secret" ); Name name = new Name(); name.setFamilyName( "Sivashankar" ); name.setGivenName( "Naveen" ); user.setName( name ); EscimoResult result = client.addUser( user ); 21 </li> <li> 22. Demo 22 </li> <li> 23. Questions ? 23 </li> <li> 24. Thank you! </li> </ul>


View more >