Radovan Semancik, profile picture
Uploaded byRadovan Semancik
PDF, PPTX3,952 views

Complete open source IAM solution

The document discusses a comprehensive open-source identity and access management (IAM) solution, emphasizing the limitations of LDAP alone and the need for a more integrated approach. It outlines essential IAM components, their interoperability within a unified system, and the benefits of using an open-source identity ecosystem to avoid vendor lock-in. The content also highlights various deployment examples and encourages participation in the ecosystem for better technological collaboration.

Embed presentation

Download as PDF, PPTX
Complete open source IAM solution Radovan Semančík LDAPcon, November 2015
Radovan Semančík Current: Software Architect at Evolveum Architect of Evolveum midPoint Contributor to ConnId and Apache Directory API Past: Sun LDAP and IDM deployments (early 2000s) OpenIDM v1, OpenICF Many software architecture and security projects
Complete solution? Why? Is LDAP not enough?
Yes, theoretically ... LDAP Application Application Application Application Users Good architecture: Don't repeat yourself (DRY)
Practice: Application-Local DB LDAP Application Application Application Application Users join? uid: js123 cn: Jack Sparrow uid: js123 loot: 20000 Name | loot -------------+------- Jack Sparrow | 20000
Practice: Data Sources LDAP Application Application Application Application Users HR CRM Custom scripts? Data conflicts? Reliability? Maintenance?
Practice: Legacy LDAP Application Application Application Application Users uid: js123 uid: jack3 uid: jsparrow uid: x665342 uid: jsp007
Practice: Authentication LDAP Application Application Application Application Users Password SAML+X.509 2-factor OAuth SASL will get you only so far ...
But … these are application problems! Let's fix the appliations and standardize. We'll be fine.
Standardization? Really? dn: cn=foo,ou=groups,o=example objectclass: groupOfNames member: uid=bar1,ou=people,o=example member: uid=bar2,ou=people,o=example dn: cn=foo,ou=groups,o=example objectclass: groupOfUniqueNames uniqueMember: uid=bar1,ou=people,o=example uniqueMember: uid=bar2,ou=people,o=example RFC2256 (1997) mandatory(!!!) (Examples are simplified)
Standardization? Really? dn: cn=foo,ou=groups,o=example objectclass: groupOfNames member: uid=bar1,ou=people,o=example member: uid=bar2,ou=people,o=example dn: cn=foo,ou=groups,o=example objectclass: groupOfUniqueNames uniqueMember: uid=bar1,ou=people,o=example uniqueMember: uid=bar2,ou=people,o=example RFC2256 (1997) dn: cn=foo,ou=groups,o=example objectclass: posixGroup memberUid: bar1 memberUid: bar2 RFC2307 (1998) (Examples are simplified)
Practice: more problems ● Password reset ● Adaptive authentication ● SSO ● Session management ● ACLs ● Account activation (enabled/disabled status) ● “memberOf” ● Roles / RBAC ● Password policies ● Access policies (autz) ● Paging (SPR vs VLV) ● Audit ● Reporting ● Data consistency ● Management tools ● User experience ● Schema consistency issues ● Standard violations ● Common sense violations ● Too many data types ● … most of them unsupported ● DN case sensitivity ● Synchronization
Practice: really messy LDAP 1 Application Application Application Application Users copy LDAP 2 Manual sync HR CRM export transform script ESB S S O LDAP 3 *) *) nobody really knows how this part works because the guy that did it left 3 years ago script Pull on demand Home-brew LDAP editor
LDAP-only solutions work only in simple cases.
IAM needs more components Identity Repository HR Application Application Application Application A M Identity Provisioning Users CRM System Admin Requester Approver Application
Basic IAM Components ● Access Management • Authentication, single sign-on • Basic authorization ● Identity Repository • Storage of identity data ● Identity Provisioning • Management (data, policies, workflows) • Synchronization Access Management Identity Repository Identity Provisioning End Users Admins
Interoperability ● The components should work together as one system ● Easy product integration ● Smooth user experience • The user should not see component boundaries
Technology stacks “Stack” is the obvious answer to interoperability problem. … or … is it? Access Management Identity Provisioning Identity Repository
What's wrong with stacks? ● Usually single-vendor stacks ● Still quite heterogeneous due to acquisitions ● Vendor lock-in • You can check out any time you like, but you can never leave ● Limited integration options • Just one option for each component • Proprietary interfaces
Is there any better way? The Ecosystem
Open Source Identity Ecosystem midPoint (Identity Provisioning) OpenLDAP (Directory Server) Fortress (IAM SDK) OSIAM (Access Management) (Identity Repository) CAS (Single Sign-On) (GRC) (Access Management) Syncope (Identity Provisioning) Shibboleth (Federation) ConnId (Identity Connectors) 389 Directory Server (Identity Repository)
Open Source Identity Ecosystem ● Pure open source model • Any engineer can have complete understanding of the technology • Technological excellence and efficiency ● Standardized or open source interfaces • Unlimited integration options • Replaceable components → no vendor lock-in ● Cooperation instead of domination • Trade influence for control to get substantial benefits
Ecosystem Deployment Examples OpenLDAP (Directory Server) midPoint (Identity Provisioning) CAS (Single Sign-On) 389ds (Directory Server) Apache Syncope (Identity Provisioning) Shibboleth (Federation) OpenLDAP (Directory Server) Fortress (IAM SDK) Custom application
Ecosystem Deployment Examples midPoint (Identity Provisioning) ConnId (Identity Connector Framework) ConnId Unix Connector Custom SAP Connector Apache Syncope (Identity Provisioning) ConnId (Identity Connector Framework) midPoint LDAP Connector ConnId Unix Connector Custom SAP Connector OpenLDAP (Directory Server) midPoint LDAP Connector 389ds (Directory Server)
We know that it works, because ... ● we have tested the technology • test suites, pilots, real projects ● we share the same goal ● there are business agreements in place
Join the Ecosystem now!
Questions and Answers
Radovan Semančík www.evolveum.com Thank You

More Related Content

PPT
Open Source & Identity Management
byJISC Netskills
 
PDF
Open Source Identity Management
byRadovan Semancik
 
PDF
Identity Management with midPoint
byRadovan Semancik
 
PDF
Project midPoint or how a handful of fools fought the Giants
byRadovan Semancik
 
PDF
Infrastructure Provisioning in the context of organization
byKatarína Valaliková
 
ODP
Apache Syncope and Tirasa
byFrancesco Chicchiriccò
 
PDF
Building Open Source Identity Management with FreeIPA
byLDAPCon
 
PPTX
OpenDJ: An Introduction
byForgeRock
 
Open Source & Identity Management
byJISC Netskills
 
Open Source Identity Management
byRadovan Semancik
 
Identity Management with midPoint
byRadovan Semancik
 
Project midPoint or how a handful of fools fought the Giants
byRadovan Semancik
 
Infrastructure Provisioning in the context of organization
byKatarína Valaliková
 
Apache Syncope and Tirasa
byFrancesco Chicchiriccò
 
Building Open Source Identity Management with FreeIPA
byLDAPCon
 
OpenDJ: An Introduction
byForgeRock
 

What's hot

PPT
Case Study: University of California, Berkeley and San Francisco
byForgeRock
 
PDF
Case Study: Plus Retail - Moving from the Old World to the New World
byForgeRock
 
PDF
How AD has been re-engineered to extend to the cloud
byLDAPCon
 
PDF
Talent42 2014 Sam Wholley -
byTalent42
 
PPTX
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
byForgeRock
 
PPTX
Platform Deep Dive
byConrad23
 
PPTX
Identity Manager Opensource OpenIDM Architecture
byAidy Tificate
 
PPTX
Experian Health: Moving Universal Identity Manager from ANSI SQL to MongoDB
byMongoDB
 
PPTX
OpenIDM - An Introduction
byForgeRock
 
PDF
Oracle Access Manager Overview
byguestf6dc99b
 
PPTX
Externalizing Authorization in Micro Services world
bySitaraman Lakshminarayanan
 
PDF
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
byLDAPCon
 
PPTX
Building a document e-signing workflow with Azure Durable Functions
byJoonas Westlin
 
PPS
Idm Workshop
byMohamed Atef
 
PPTX
An Introduction to Domain Driven Design in PHP
byChris Renner
 
PPTX
Standardizing Identity Provisioning with SCIM
byHasiniG
 
PDF
SharePoint Saturday The Conference DC - How the bcs saved my marriage
byLiam Cleary [MVP]
 
PDF
WSO2 Charon
byHasiniG
 
PPTX
Deep thoughts from the real world of azure
byMichele Leroux Bustamante
 
PDF
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
byWSO2
 
Case Study: University of California, Berkeley and San Francisco
byForgeRock
 
Case Study: Plus Retail - Moving from the Old World to the New World
byForgeRock
 
How AD has been re-engineered to extend to the cloud
byLDAPCon
 
Talent42 2014 Sam Wholley -
byTalent42
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
byForgeRock
 
Platform Deep Dive
byConrad23
 
Identity Manager Opensource OpenIDM Architecture
byAidy Tificate
 
Experian Health: Moving Universal Identity Manager from ANSI SQL to MongoDB
byMongoDB
 
OpenIDM - An Introduction
byForgeRock
 
Oracle Access Manager Overview
byguestf6dc99b
 
Externalizing Authorization in Micro Services world
bySitaraman Lakshminarayanan
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
byLDAPCon
 
Building a document e-signing workflow with Azure Durable Functions
byJoonas Westlin
 
Idm Workshop
byMohamed Atef
 
An Introduction to Domain Driven Design in PHP
byChris Renner
 
Standardizing Identity Provisioning with SCIM
byHasiniG
 
SharePoint Saturday The Conference DC - How the bcs saved my marriage
byLiam Cleary [MVP]
 
WSO2 Charon
byHasiniG
 
Deep thoughts from the real world of azure
byMichele Leroux Bustamante
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
byWSO2
 

Similar to Complete open source IAM solution

ODP
Building open source identity infrastructures
byFrancesco Chicchiriccò
 
PDF
Building Open Source Identity Infrastructures
byMisagh Moayyed
 
PDF
Open iam technicalarchitecture-v3-a
byBibhuti Kr Jha +91-9810016292
 
PPTX
Identity and Access Management Introduction
byAidy Tificate
 
PDF
Id m what-why-how presentationv2.0
byJohn Bernhard
 
PPT
Up 2011-ken huang
byKen Huang
 
PPTX
OIS Roadmap
byForgeRock
 
PPTX
Identity Manager OpenSource OpenIDM - introduction
byAidy Tificate
 
PPTX
OpenIDM 3.0 - What's New
byForgeRock
 
PPTX
OpenAM - An Introduction
byForgeRock
 
PDF
IdM Reference Architecture
byHannu Kasanen
 
PDF
OpenAM as Flexible Integration Component
byForgeRock
 
PPTX
Webinar: OpenIDM 3.1
byForgeRock
 
PDF
ForgeRock OpenAM as flexible integration component
byOlivier Naveau
 
PPT
Open Identity Stack Roadmap
byForgeRock
 
PPTX
Identity and User Access Management.pptx
byirfanullahkhan64
 
PDF
A Guide To Single Sign-On for IBM Collaboration Solutions
byGabriella Davis
 
PPTX
The lazy programmer`s way to secure application
byLev Maltsev
 
PDF
Identity & Access Management for Securing DevOps
byEryk Budi Pratama
 
PPTX
OneIdentity - A Future-Ready Approach to IAM
byAdrian Dumitrescu
 
Building open source identity infrastructures
byFrancesco Chicchiriccò
 
Building Open Source Identity Infrastructures
byMisagh Moayyed
 
Open iam technicalarchitecture-v3-a
byBibhuti Kr Jha +91-9810016292
 
Identity and Access Management Introduction
byAidy Tificate
 
Id m what-why-how presentationv2.0
byJohn Bernhard
 
Up 2011-ken huang
byKen Huang
 
OIS Roadmap
byForgeRock
 
Identity Manager OpenSource OpenIDM - introduction
byAidy Tificate
 
OpenIDM 3.0 - What's New
byForgeRock
 
OpenAM - An Introduction
byForgeRock
 
IdM Reference Architecture
byHannu Kasanen
 
OpenAM as Flexible Integration Component
byForgeRock
 
Webinar: OpenIDM 3.1
byForgeRock
 
ForgeRock OpenAM as flexible integration component
byOlivier Naveau
 
Open Identity Stack Roadmap
byForgeRock
 
Identity and User Access Management.pptx
byirfanullahkhan64
 
A Guide To Single Sign-On for IBM Collaboration Solutions
byGabriella Davis
 
The lazy programmer`s way to secure application
byLev Maltsev
 
Identity & Access Management for Securing DevOps
byEryk Budi Pratama
 
OneIdentity - A Future-Ready Approach to IAM
byAdrian Dumitrescu
 

Recently uploaded

PDF
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
PPTX
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
PPTX
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
PDF
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
PPTX
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
OutSystsems User Group Brabant November 2025
bymail496323
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PPTX
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PPTX
Osmosis webinar presentation Nov 2025:Empowering UK Nursing Education
byJisc
 
PDF
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
PDF
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
OutSystsems User Group Brabant November 2025
bymail496323
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
Osmosis webinar presentation Nov 2025:Empowering UK Nursing Education
byJisc
 
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
In this document
Powered by AI

Overview of Radovan Semančík, current role, and background in software architecture and IAM.

Discussion on the inadequacies of LDAP as a complete solution; emphasizes the importance of good architecture.

Exploration of various practical issues faced with LDAP applications such as data sources, legacy systems, authentication, password management, and more.

Highlights challenges associated with using LDAP in complex scenarios and argues for more comprehensive IAM solutions.

Identification of the core components necessary for IAM including access management and identity provisioning, and the limitations of single-vendor stacks.

Introduction to the open source identity ecosystem, its benefits, components, and deployment examples showcasing interoperability.

Confidence in the ecosystem's effectiveness; invites participation in the open source identity ecosystem.

Wrap-up of the presentation with an invitation for questions and acknowledgment of audience participation.

Complete open source IAM solution