OpenIDM - Flexible Provisioning Platform - April 28 Webinar

Embed Size (px)

Citation preview

Page 1

Flexible Provisioning Platform

Page 2

Your Guides

■ Tim Sedlack, Product Manager for OpenIDM
■ Anders Askåsen, Senior Technical Product Manager
■ Rob MacDonald, Director of Product Marketing

Page 3

A Quick Agenda

■ Overview of OpenIDM
■ Demo on the power of OpenIDM's extensibility
  – Sample code will be made available
■ Q&A

Page 4

Housekeeping

■ This webcast will be on the technical side (after the marketing guy talks)
  – We promise he will be short
■ Previous knowledge helpful
  – JavaScript, JSON, Groovy, HTML/CSS

Page 5

The Evolution of Identity Management

[Diagram. Identity populations: Employees; Employees & Partners; Consumers; Things. Architectures: Perimeter; Federation; Perimeter-less Federation; Cloud / SaaS; Mobility.]

Page 6

ForgeRock

Fastest-growing Identity Security Software company in the world
■ Founded 2010 with high double digit growth every year since inception
■ HQ in United States; Offices in United Kingdom, France, Germany, Norway, and Singapore
■ 50% of customers in North America and 50% International
■ Collaborative commercial open source model
■ Single identity platform for agile development & rapid time-to-value
■ Significantly lower cost alternative to legacy vendors

Award winning platform driving innovation worldwide
■ Gold winner of the CEO World awards 2014
■ Silver Winner in the 6th Annual Golden Bridge Award 2014
■ Silver winner for the Fastest-Growing Company of the Year in Best in Biz Awards 2014

Investors: / Our Origins: (graphics not captured in this text)

ForgeRock | Confidential

Page 7

ForgeRock Identity Platform

[Diagram: Common Services]

The platform is what makes us unique!

Benefits:
■ Common repeatable platform for rolling out identity services quickly
■ Unified platform optimized for massive scale
■ Strategic approach for long-term identity needs rather than one-off projects

Page 8

Flexible Provisioning Platform

[Diagram labels: AD, Sun, Oracle; User self service; Dashboard/Reports; Directories; Databases; Applications; SQL, SAP; Cloud, OnPrem; Workflow.]

Page 9

Competitive Differentiator by Accelerating time to deployment

• Identity done your way - faster than you ever thought possible
• Connect Users, Devices and Things with an infinitely scalable architecture
• A highly scalable and responsive web based UI
• Footprint
• Open-Source, Java-based architecture built on the OSGi framework.

[Diagram: Old World vs. New World]

Page 10

The technical bits…

Page 11

OpenIDM Architecture

Getting Started
■ UI
■ Data
■ Extension
■ Export/Reporting
■ Workflow

Two Scripting Languages
■ JavaScript and Groovy

JSON based configuration files
■ Services to consume these files (and configure OpenIDM on the fly)

Page 12

Flexible UI

■ Customizing and Extending
  – Branding/Skinning
    ■ Logos, color schemes, etc.
  – Adding/removing/adjusting fields
    ■ Base UI is intended to be extended
    ■ Match your use cases
  – Develop from scratch
    ■ REST-based API for CREST and IDM

[Diagram: REST]

Page 13

How?

■ Customizing the existing UI – theming
  – Simple approach: Edit ../openidm/conf/ui-themeconfig.json
  – Colors, background images, other common styling options are all under your control
■ Creating your own theme:
  – 2 approaches
    ■ Per project based theme – on-the-fly UI reconfig/skinning
    ■ All encompassing
      ■ ../openidm/ui/extension – but be careful!

Page 14

Custom End Points

• The power of a fully operational provisioning system…PLUS!
• Extend OpenIDM to do just about anything…securely and with the benefit of a complete IDM system
• JavaScript or Groovy

Page 15

DEMO

■ Password Check Out
  – Allows you to restrict access to privileged account passwords by limiting the users of the service and allowing them to check out a generated (policy compliant) password for a specific length of time
  – Exemplifies OpenIDM extensibility
    ■ Custom endpoint (Password Checkout)
    ■ New Role: passwordCheckOutService – limits access to authorized accounts only
    ■ Background scheduler – for password expiration
    ■ Follows Password Policy you set in OpenIDM

Page 16

Building a Custom Endpoint

■ Configured and established in conf/endpoint-name.json
  – Endpoint-pcs.json
■ Script in /script directory (.js for JavaScript, .groovy for Groovy)
  – Added to access.js to restrict access
  – PCS directory with 4 scripts:
    ■ Passwordcheckoutservice.js
    ■ Passwordcheckoutservicebackgroundscanner.js
    ■ Passwordcheckoutservicelogmanager.js
    ■ passwordcheckoutserviceUtils.js

Access rule added to access.js (one entry in its configs array; the trailing comma separates it from the next entry):

    {
        "pattern" : "endpoint/passwordCheckoutService",
        "roles"   : "managed/role/passwordCheckoutService",
        "methods" : "read",
        "actions" : "*"
    },

Page 17

The Password Checkout Service

Alice and Bob BOTH want to use the Administrator account

[Diagram: Password Checkout Service; CSV/SQL downstream system]

1. Alice performs a GET on PCS to check out the password for the admin account
2. PCS checks to see that Alice is a member of the PasswordCheckout Role
3. PCS checks PCS_ValidAccounts to see if Administrator is on the white list
4. PCS checks PCS_Requests to see if Administrator is already checked out to another user
5. PCS creates a new complex password that passes policy validation for a set period of time
6. Complex password for Administrator is passed to the downstream system
7. PCS background scanner runs to see when to reset the password issued to Alice
8. Bob's attempts to check out the password fail until Alice's checkout has expired
9. When Alice's time has reached its limit, the password is reset to an unknown, complex password and marked as ready for checkout (for Bob)
10. All requests stored in the PCS Request Store for analysis

Page 18

Where could this go?

■ Add request system in the UI
  – Workflow for approval
  – Extend to limit access times and dates
  – Notification on access
  – Possibilities are endless
  – All with modification to a simple set of JS
  – http://identityrelationshipmanagement.blogspot.co.uk/2015/03/building-password-checkout-service-in.html

Page 19

Normalizing Data

■ Customizing Data
  – Why would you customize data?
    ■ Policy compliance
    ■ Format matching
    ■ Simplification
  – How is this accomplished?
    ■ Transformation scripts
    ■ Correlation scripts
    ■ Situational scripts

Page 20

Transforming Data Examples

■ CamelCase a user name
  – Source: tim sedlack
  – Target: Tim Sedlack
  – source.userName.replace(/(^|\s)\w/g, function (v) { return v.toUpperCase(); })
■ Transform an email by removing the period from a name
  – Source: [email protected]
  – Target: [email protected]
  – source.email.replace(".", "")
  – (or) source.email.split("@").map(function (val, idx) { return idx === 0 ? val.replace(/\./g, '') : val; }).join("@")
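The two transforms above as reusable functions, written as an added example in the JavaScript that OpenIDM transformation scripts use (not the webinar's sample code), with the edge cases the one-liners miss and a check for the collision a normalization can introduce when two different source emails map to the same target; the sample users and example.com addresses are constructed.

```javascript
// Constructed sample input (not from the webinar); emails use example.com.
const SAMPLE_USERS = [
  { userName: "tim sedlack",      email: "tim.sedlack@example.com" },
  { userName: "anders   askåsen", email: "anders.askasen@example.com" },
  { userName: "Tim Sedlack",      email: "timsedlack@example.com" },  // collides after transform
];

// "CamelCase a user name" from the slide, tolerant of leading/trailing and
// repeated whitespace; the remainder of each word is left as entered.
function titleCaseName(name) {
  return name.trim().split(/\s+/)
    .map((w) => w.charAt(0).toUpperCase() + w.slice(1))
    .join(" ");
}

// Remove every period from the local part only; the domain keeps its dots.
function stripDotsFromLocalPart(email) {
  const at = email.lastIndexOf("@");
  if (at < 1) throw new Error("not an email address: " + email);
  return email.slice(0, at).replace(/\./g, "") + email.slice(at);
}

// Apply both transforms to a batch and report targets that collide, which a
// transformation script would otherwise silently merge into one account.
function normalizeBatch(users) {
  const seen = new Map();       // normalized email (lower-cased) -> first source email
  const out = [];
  const collisions = [];
  for (const u of users) {
    const email = stripDotsFromLocalPart(u.email);
    const key = email.toLowerCase();
    if (seen.has(key)) {
      collisions.push({ first: seen.get(key), duplicate: u.email, target: email });
      continue;
    }
    seen.set(key, u.email);
    out.push({ userName: titleCaseName(u.userName), email });
  }
  return { out, collisions };
}
```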

Page 21

Reporting

■ Consuming log data
  – Access Log, Activity Log, Reconciliation Log
■ Configuration of logs
  – Exposed over REST @ ../openidm/config/audit
  – Logtype: csv, repository or router (send to remote systems)
■ Data your way
  – Scriptable event types – only log what you want/need!

Page 22

Demo - Workflow

■ OpenIDM provides a workflow engine that is based on Activiti
  – An open source project initiated by Alfresco
  – ForgeRock is an active community member of Activiti
  – Workflow engine uses the industry standard BPMNv2.0
  – Easy to leverage third party modelling tools and IDEs
■ Demonstration Workflow - Alter newUserCreate to tweet welcome message to new User

Page 23

Preparations

■ Download and install Eclipse (Eclipse for Java developers - Download)
■ Start Eclipse and install the Activiti Designer plugin - Help -> Install new software
  – Name: Activiti BPMN 2.0 designer
  – Location: http://activiti.org/designer/update/
■ Set up and follow the $OPENIDM/sample/usecase storyline to usecase 2.
■ Add Task to samples/usecases/usecase2/newUserCreate.bar to tweet!

Page 24

Workflow

Page 25

Workflow

Page 26

Further Reading

■ Using external (REST based) resources
  – Using openidm.action("external/rest", "call", params)
■ Policy – scriptable & configurable
  – Manageable over REST
  – Set up a password policy
  – Require area codes or country codes in telephone numbers
  – Simple to turn on and off (for OpenIDM Administrators)
■ Logging (Audit and Configuration)

Page 27

Next Steps …

TRY / LEARN / TESTIMONIALS / PARTICIPATE

www.forgerock.com/download
www.forgerock.com/irm
http://forgerock.org
www.forgerock.com/resources

Page 28

Give it a TRY

■ forgerock.com

Page 29

Community

■ forgerock.org

Page 30

ForgeRock

■ 2015 Identity Summit

Page 31

Thank You