This document provides an overview of OpenIDM for beginners. It describes where OpenIDM fits within identity and access management. OpenIDM addresses common identity management use cases like provisioning, deprovisioning, compliance and auditing, and password management. It utilizes connectors to interface with external systems and repositories. Workflow engines like Activiti can be integrated to automate approval processes. The document demonstrates OpenIDM configuration and provides an example of implementing a user provisioning workflow.

1. OpenIDM for Beginners
EMEA Summit 2013

2. Objectives
Upon completion of this presentation, you should be
able to:
•
Describe where OpenIDM fits into the OIS
•
Describe the Business Needs for OpenIDM
•
Describe IDM Use Cases Addressed by OpenIDM
•
Describe OpenIDM Features
01-2

3. Pillars of IAM
01-3

4. Classic scenario I
User wants to use an application...
which does not require any of ForgeRock's
products, but ...
Application
User
01-4

5. Classic scenario II
Centralization of Authentication
… and ...
Application
OpenDJ
User
01-5

6. Classic scenario III
Central Authorization
OpenAM
OpenDJ
Application
User
01-6

7. Classic scenario V
Identity Management
OpenAM
Application
HR DB
OpenIDM
OpenDJ
User
01-7

8. Common Use Cases
•
Provisioning
•
De-Provisioning
•
Compliance and auditing
•
Password management
01-8

9. Provisioning
•
Depending on a user's business role and predefined rules a
new user will:
•
•
•
Therefore a central instance is needed which
•
•
•
•
Get accounts on backend systems on create
Get default group/role membership
Connects to all relevant systems
Is able to sync user attributes and memberships
Can automatically apply rules
Manager, approving persons and end-user need well defined
access to the user's data
01-9

10. Central Provisioning Point
HR DB
OpenIDM
User
01-10

11. Passwords
•
Passwords can be changed at a central place and distributed to
external systems based on flexible rules and password policies
•
The provisioning engine needs to detect password changes
from an external resource
•
User administrators and end user need well defined access to
the user's passwords
•
A password reset mechanism is in place
•
Passwords which have been reset can be sent to the end user
in a secure way
01-11

12. Central Password Distribution Point
User
Changes
Password
OpenIDM
OpenDJ
01-12

13. Components used in OpenIDM

Java → min 1.6 update 24 on Win: Java 7

OSGi → implementation: Felix

Servlet container → implementation: Jetty

Repository → OrientDB, MySQL and others

JSON → structure for configurations

OpenICF → local or remote connector server

Connectors to external systems → i.e. AD, LDAP, file...

Activiti → workflow engine
01-13

14. Putting It All Together
01-14

15. The REST Interface



Representational State Transfer (REST)
Conforming to the REST constraints is generally
referred to as being "RESTful"
REST utilizes HTTP methods:





GET
PUT
POST
DELETE
HEAD
01-15

16. OpenIDM in action
•
Install OpenIDM
•
Start with workflow sample
•
Get user through reconciliation
•
Start
01-16

17. Native Connection Protocols
DB
ADSI
SSH
JNDI
JDBC
OpenIDM
Repo DB
01-17

18. Connector Architecture
01-18

19. Activiti Introduction

A light-weight workflow and Business Process
Management Software

BPMN 2 compliant

A process engine for Java applications

It's open-source and distributed under the Apache
license

Workflows are deployed as business archives (.bar)

Workflow definitions are in XML format
01-19

20. Apply for Contractor I
Workflow outline
01-20

21. Apply for Contractor II
Startup Form:
(Screen shot)
01-21

22. Activiti Modeler II
01-22

23. Connector Configuration (simple)
01-23

24. Sync Configuration
01-24

25. Connector Configuration (flexible)
"principal" : "cn=Directory Manager",
"ssl" : false,
"baseContexts" : ["ou=People,dc=example,dc=com"],
"groupMemberAttribute" : "uniqueMember",
"passwordAttribute" : "userPassword",
"accountSearchFilter" : null,
"accountObjectClasses" : ["top",...],
"maintainLdapGroupMembership" : false,
"blockSize" : 100,
"baseContextsToSynchronize" :
["ou=People,dc=example,dc=com"],
"attributesToSynchronize" : [ "uid",...],
{"account" :
...
{"nativeType" : "__ACCOUNT__",
"properties" :
{"uid" :
{"type" : "string",
"nativeName" : ”userName",
"nativeType" : "STRING",
"flags" :
["NOT_CREATABLE”…
01-25

26. Other OpenIDM Features

Task Scheduling

Cluster OpenIDM for


High availability
Horizontal scalability

OpenIDM command line

Data validation through policies

Managing Passwords

Send emails
01-26

27. Forgerock University
01-27