1. The Future is Now: What’s New in ForgeRock Directory Services
Ludovic Poitou, Director, Product Management
Michelle Fallon, Senior Product Marketing Manager
© 2017 ForgeRock. All rights reserved.
2. Disclaimer
The presentation represents ForgeRock’s current view of its
product development cycle and future directions. It is intended for
information purposes only, and should not be interpreted as a
commitment on the part of ForgeRock. ForgeRock makes no
warranties, expressed or implied, on future functionality and
timeline.
3. ForgeRock
The leading, next-generation, identity security software platform, driving digital business.
• 2010 Founded
• 10 Offices worldwide with headquarters in San Francisco
• 400+ Employees
• 600+ Enterprise Customers
• 50% Americas / 50% International commercial revenues
• 30+ Countries
5. Identity For Everyone And Every Thing
Customer Identity Relationship Management
6. ForgeRock Identity Platform
Platform diagram. Products: Access Management, Identity Management, Identity Gateway, Directory Services. Built from Open Source Projects. Shared services: Common REST API, Common User Interface, Common Audit/Logging, Common Scripting.
Capabilities shown: Authentication, Authorization, Federation / SSO, SAML2, OIDC / OAuth2, UMA Provider, UMA Resource, Adaptive Risk, Stateless/Stateful, Mobile App, Password Replay, Message Transformation, API Security, Synchronization, Reconciliation, Provisioning, Workflow Engine, User Self-Service, Registration, Aggregated User View, Scripting, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, Active Directory Pass-thru, Reporting.
7. Directory Services
• Specialized identity store
• Rapid deployment
• Global replication
• Massive scale/performance
• Extensive security
• Password management
• REST & LDAP APIs
1 self-contained app | 5 min. download to install | 1 module | 1B+ entries
9. Directory Proxy Server
Diagram: an Access Layer (the Directory Proxy Server, LDAP | REST) in front of a Directory Service Layer holding dc=Tenant1,dc=com and dc=Tenant2,dc=com.
10. ForgeRock Directory Service 5.0
• Two Modules: Directory Server & Directory Proxy Server
• Single download
• Role selected at Installation
• setup [directory-server] --port 1389 …
• setup proxy-server --port 1389 …
• New Setup tool, no more GUI
11. Directory Proxy Server
• Introduces a “Proxy Backend”
• Remote services can be discovered:
• List of DS
• List of Replication Servers
• Automatically handles replica DS
• Also retrieves replica group to prioritize local servers
• Load-balancing: Affinity, Least requests
• Failover with primary/secondary services
• Uses “Proxy AuthZ control” between Proxy and DS
12. Supporting JSON
• Added support for JSON Syntax
myAttr: { "_id":"bjensen", "_rev":"123", "name": { "first": "Babs", "surname": "Jensen" }, "age": 25, "roles": [ "sales", "admin" ] }
• JSON Validation configurable
• Added JSON Matching Rules
ldapsearch … "(myAttr=age lt 30 and name/first sw 'b')"
• Can be indexed
• Can be customized for finer indexing and matching
13. Indexing JSON Attributes
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n \
    set-backend-index-prop --backend-name userRoot \
    --index-name myAttr --set index-type:equality
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n \
    create-schema-provider --provider-name "Json Schema" \
    --type json-schema --set enabled:true \
    --set case-sensitive-strings:false --set ignore-white-space:true \
    --set matching-rule-name:caseIgnoreJsonQueryMatch \
    --set matching-rule-oid:1.3.6.1.4.1.36733.2.1.4.1 \
    --set indexed-field:_id --set "indexed-field:name/**"
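The JSON query filter of slide 12 and the schema-provider settings of slide 13, worked through as an added Python model that is not ForgeRock's code: it evaluates a CREST-style query filter such as age lt 30 and name/first sw 'b' against constructed JSON attribute values, normalizing strings the way case-sensitive-strings:false and ignore-white-space:true describe. The operator subset, the sample entries, straight quotes around literals and the lack of parentheses are assumptions; the text passed in is the part inside (myAttr=...).

```python
import json
import re
# Constructed sample values of a JSON-syntax attribute, keyed by uid (not real directory data).
ENTRIES = {
    "bjensen": '{"_id":"bjensen","name":{"first":"Babs","surname":"Jensen"},"age":25,"roles":["sales","admin"]}',
    "kvaughan": '{"_id":"kvaughan","name":{"first":"Kirsten","surname":"Vaughan"},"age":41}',
    "bbrown": '{"_id":"bbrown","name":{"first":" BOB ","surname":"Brown"},"age":29}',
}
# Operator subset modelled here (an assumption, not the full query-filter grammar).
OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
       "sw": lambda a, b: isinstance(a, str) and a.startswith(b),
       "co": lambda a, b: isinstance(a, str) and b in a}
COMPARISON = re.compile(r"^(\S+)\s+(eq|lt|gt|sw|co)\s+(?:'([^']*)'|(\S+))$")

def normalize(value):
    # Mirrors case-sensitive-strings:false and ignore-white-space:true from the dsconfig example.
    return re.sub(r"\s+", "", value).lower() if isinstance(value, str) else value

def resolve(doc, path):
    # Walk a JSON-pointer-like field path such as name/first; a missing field yields None.
    for part in path.split("/"):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def parse_comparison(text):
    # "path op value": a single-quoted value is a string, a bare one is parsed as a JSON literal.
    m = COMPARISON.match(text.strip())
    if not m:
        raise ValueError("unsupported comparison: %r" % text)
    path, op, quoted, bare = m.groups()
    return path, op, (quoted if quoted is not None else json.loads(bare))

def parse(query_filter):
    # Comparisons joined by "and", groups joined by "or"; "and" binds tighter. Parentheses and
    # literals containing " and " / " or " are not handled (assumptions keeping this small).
    return [[parse_comparison(c) for c in re.split(r"\s+and\s+", group)]
            for group in re.split(r"\s+or\s+", query_filter.strip())]

def compare(cmp, doc):
    path, op, value = cmp
    actual, expected = normalize(resolve(doc, path)), normalize(value)
    # An absent field, or a string compared with a non-string, never matches.
    if actual is None or isinstance(actual, str) != isinstance(expected, str):
        return False
    return OPS[op](actual, expected)

def search(query_filter, entries=ENTRIES):
    # Return the uids whose JSON attribute value satisfies the query filter, in insertion order.
    return [uid for uid, raw in entries.items()
            if any(all(compare(c, json.loads(raw)) for c in group) for group in parse(query_filter))]
```

Literals are typed, so age eq '25' does not match a numeric age of 25 in this model. Separately, the dsconfig lines above pass the bind password with -w on the command line and -X to trust any server certificate; for production use, --bindPasswordFile and a proper trust store avoid exposing the password in shell history and process listings.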
14. REST 2 LDAP
• Sub-Resources
• Sub-Types
• Versioning
• Multi-Tenant Support
• Integration of Attributes with JSON syntax
• OAuth2 protected
• Exposes API Descriptors (OpenAPI)
15. DevOps
• Support and document use of HSM
• HSM support through the JVM and PKCS11
• Now documented
• Easier automated deployments in the Cloud
• Simplification of KeyStore(s) and TrustStore(s)
• Possible to use expressions in config.ldif
• ds-cfg-listen-port: ${env['OPENDJ_PORT']}
• ds-cfg-listen-port: ${readProperties(config.properties)['port']}
• But not through dsconfig
• Support running in Docker containers
• Template images in Beta
16. More Security
• New Security Guide
• New option to install for production use
• More secure default settings
• Password Policy
• Cipher Suites
17. LDAP Based KeyStore
• Extension to Keytool and OpenDJ directory schema
• Centralizes public and private key management
• Everything is encrypted
• And can be replicated for availability
18. Directory Service 5.0 Summary
• One Download
• Two Modules: Directory Server & Directory Proxy Server
• First phase towards Elastic Horizontal Scalability, for the Cloud
• Consolidated Backend Story. JE is here to stay.
• JSON Support in the data
• Secure REST and LDAP access
• More security out of the box