Fortress Open Source IAM on LDAPv3
Shawn McKinney
November 18, 2013
Agenda
• Product Overview
• Technical Introduction
• RBAC SoD Demo
• Commander
• En Masse
• Multitenancy
• Next Steps
• Wrap-up
Product Overview (Roadmap)
1. Fortress Core: ANSI RBAC SDK (October 2011)
2. Sentry: RBAC Policy Enforcer (October 2011)
3. EnMasse: RBAC Policy Server (October 2012)
4. Commander: Web Administration (October 2013)
5. Perimeter: Web Access Mgmt (April 2014)
6. Patroller: Audit Monitoring (October 2014)
Fortress Introduction
• ANSI INCITS 359-2004 compliant IAM system
• Policy Decision Points
  • Java APIs (Fortress Core)
  • REST services (En Masse)
• Policy Administration Points
  • Java APIs (Fortress Core)
  • REST services (EnMasse)
  • RBAC Web Management (Commander)
• Privileged Identity Management
Fortress Introduction (continued)
• Policy Enforcement Points
  • Sentry Java EE Platform Security
  • Sentry Other Platforms (in development)
• Audit Trail
  • Authentication – tracks who is accessing the system
  • Authorization – tracks who did what, when and where
  • Administration – tracks historical changes to the data
Fortress System Architecture (diagram)
Components shown: the Fortress Core APIs running in a Java VM; application nodes (a Java app in its own Java VM and an "Other App" on any platform) connected by HTTP/S and LDAPv3 links; and an LDAPv3 server, either Apache DS or OpenLDAP (either LDAP server works), hosting the RBAC Accelerator, which is reached through LDAPv3 extended operations.
• RBAC policy administration and interrogation use standard LDAPv3 protocols.
• RBAC policy enforcement on any platform uses the accelerator; the Fortress RBAC enforcement APIs will also call the accelerator.
Legend: Fortress, LDAP, HTTP, Applications.
ANSI RBAC INCITS 359
1. RBAC0: Users, Roles, Perms, Sessions
2. RBAC1: Hierarchical Roles
3. RBAC2: Static Separation of Duties
4. RBAC3: Dynamic Separation of Duties (demo this capability)
Dynamic Separation of Duties Demo (diagram)
A user holds Role 1 Assignment, Role 2 Assignment and Role 3 Assignment; one and only one may be active.
Dynamic Separation of Duties Demo
Users:
• User1 is assigned to ROLE_TEST1, ROLE_TEST2, and ROLE_TEST3
• User2 is assigned to ROLE_TEST2
• User3 is assigned to ROLE_TEST3
Permissions:
• Page1.Button1 is granted to ROLE_TEST1
• Page1.Button2 is granted to ROLE_TEST1
• Page1.Button3 is granted to ROLE_TEST1
• Page2.Button1 is granted to ROLE_TEST2
• Page2.Button2 is granted to ROLE_TEST2
• Page2.Button3 is granted to ROLE_TEST2
• Page3.Button1 is granted to ROLE_TEST3
• Page3.Button2 is granted to ROLE_TEST3
• Page3.Button3 is granted to ROLE_TEST3
Dynamic Separation of Duties:
• Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3]
• DSD Set Cardinality is 1
• Only one Role can be active in Session

Demo application stack (diagram), from fine- to coarse-grained authorization:
• Wicket Buttons and Wicket Links, checked by the Fortress RBAC PEP
• Wicket Pages: Apache Wicket with Spring page-level security
• Java EE coarse-grained security via the Fortress RBAC Proxy
• Tomcat on the Java Virtual Machine, with the Fortress RBAC PDP making the decisions
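The demo policy above, as an added example (not code from Fortress or the fortressdemo1 application): a small Python model of the RBAC3 dynamic separation of duties check. Users, roles, permissions and the DSD set are those listed on the slide; the in-memory store, the try_activate/check_access session API and the MAX_ACTIVE limit (modelling the slide's "cardinality 1, only one role active") are assumptions made here.

```python
"""Dynamic separation of duties (ANSI RBAC3) modelled on the demo policy.

Added example; not code from Fortress or the fortressdemo1 application.
Users, roles, permissions and the DSD set are taken from the slide; the
in-memory policy store and the small session API are assumptions made here.
"""
from dataclasses import dataclass, field

# Demo policy exactly as listed on the slide (constructed as plain data).
USER_ROLES = {
    "User1": {"ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"},
    "User2": {"ROLE_TEST2"},
    "User3": {"ROLE_TEST3"},
}
# PageN.ButtonM is granted to ROLE_TESTN for N, M in 1..3.
PERM_ROLES = {
    f"Page{n}.Button{m}": {f"ROLE_TEST{n}"} for n in (1, 2, 3) for m in (1, 2, 3)
}
# One DSD set over the three roles. The slide states that only one role
# from the set may be active in a session; the second tuple member
# (MAX_ACTIVE) models that limit directly.
DSD_SETS = [(frozenset({"ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"}), 1)]


@dataclass
class Session:
    """An RBAC session: the user plus the subset of assigned roles now active."""
    user: str
    active_roles: set = field(default_factory=set)


def try_activate(session: Session, role: str) -> str:
    """Activate a role; returns 'ok', 'not-assigned' or 'dsd-violation'.

    The DSD check runs against the *proposed* active set, so the session is
    left unchanged when the activation is refused.
    """
    if role not in USER_ROLES.get(session.user, set()):
        return "not-assigned"
    proposed = session.active_roles | {role}
    for role_set, max_active in DSD_SETS:
        if len(proposed & role_set) > max_active:
            return "dsd-violation"
    session.active_roles.add(role)
    return "ok"


def drop_active_role(session: Session, role: str) -> None:
    """Deactivate a role; the assignment stays, only the session changes."""
    session.active_roles.discard(role)


def check_access(session: Session, perm: str) -> bool:
    """PEP-style decision: the permission must be granted to an *active* role.

    An assigned-but-inactive role confers nothing, which is what makes DSD
    meaningful for User1, who is assigned all three roles.
    """
    return bool(PERM_ROLES.get(perm, set()) & session.active_roles)


def demo_user1() -> list:
    """Walk User1 through the demo: activate, get blocked, drop, switch."""
    s = Session("User1")
    log = [try_activate(s, "ROLE_TEST1")]          # ok
    log.append(try_activate(s, "ROLE_TEST2"))      # dsd-violation: one already active
    log.append(check_access(s, "Page1.Button2"))   # True, ROLE_TEST1 is active
    log.append(check_access(s, "Page2.Button1"))   # False, ROLE_TEST2 is not active
    drop_active_role(s, "ROLE_TEST1")
    log.append(try_activate(s, "ROLE_TEST2"))      # ok now that the set is free
    log.append(check_access(s, "Page2.Button1"))   # True
    log.append(check_access(s, "Page1.Button1"))   # False after switching roles
    return log


if __name__ == "__main__":
    print(demo_user1())
```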
Where to get RBAC Demo
• Source
  • https://github.com/shawnmckinney/fortressdemo1
• Tutorial & other ANSI RBAC write-ups
  • http://symas.com/ansi-rbac-intro/
  • http://symas.com/rbac-security-enforcementinside-wicket/
  • https://github.com/shawnmckinney/fortressdemo1/blob/master/README.txt
Commander Introduction
• RBAC Web Administration
• Uses the Fortress Core APIs
• Communicates via HTTP or LDAPv3 protocols
• Secured by Fortress, Java EE and Spring
• Full audit trail
• Extensible – add new pages quickly
• Uses Apache Wicket UI framework
Commander System Architecture (diagram)
Commander (Java VM, Fortress Core APIs) can use either the HTTP or the LDAPv3 protocol: LDAPv3 directly to the LDAP server (Apache DS or OpenLDAP; either LDAP server works), or HTTP/S to EnMasse (Java VM, Fortress Core APIs), which in turn speaks LDAPv3 to the server. The HTTP protocol aids in firewall traversals.
Legend: Fortress, LDAP, HTTP.
Commander Demo
• View RBAC demo audit trail
• View RBAC management capabilities
• Enable REST communication with En Masse
• Run Commander Selenium automated test
• View Wireshark trace
Where to get Commander
• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortresscommander.git;a=summary
• Quickstart
  • http://iamfortress.org/download
• Maven
  • http://search.maven.org/#search%7Cga%7C1%7Ccommander
En Masse Introduction
• RBAC Policy Server
• Firewall Friendly
• 120+ RESTful services
• Multitenant process and services
• Secured using Fortress RBAC enforcement
• Binds directly to Fortress entity model
• Uses Fortress Core to communicate LDAPv3
• Uses Apache CXF for RESTful processing
En Masse System Architecture (diagram)
EnMasse (Java VM, built on the Fortress Core APIs) speaks LDAPv3 to the LDAP server (Apache DS or OpenLDAP; either LDAP server works) and exposes REST services over HTTP/S. Apps may use any REST library or the Fortress APIs to connect with En Masse: a Java App (Java VM, Fortress Core APIs) over HTTP/S, or an "Other App" on any platform over REST/HTTP/S. The HTTP protocol is less efficient than LDAP but aids in firewall traversals.
Legend: Fortress, LDAP, HTTP, Applications.
Where to get En Masse
• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-enmasse.git;a=summary
• Quickstart
  • http://iamfortress.org/download
• Maven
  • http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22enmasse%22
Introduction
Multitenant LDAP Data Structure
• Leverage LDAP's natural affinity to partition data by client organization.
• Each tenant has its own complete copy of the DIT, segregated by organizational unit.
• Reduced cost due to fewer servers to maintain.
Multitenant Programming Model
• Client’s id is passed to Fortress in factory initialization
• Lifecycle of ‘Manager’ object processes data on behalf of the client id passed during initialization
• AnyMgr: createInstance(tenantId);

// Instantiate the AccessMgr implementation.
AccessMgr accessMgr = AccessMgrFactory.createInstance( "Client123" );
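The programming model above, as an added example (not Fortress code): a Python sketch of a manager whose tenant id is fixed at factory initialization and scopes every lookup to that tenant's copy of the DIT. The ou=<tenantId> DN layout, the constructed in-memory directory and the method names are assumptions made for this example.

```python
"""Tenant-scoped manager, modelled on the multitenant programming model above.

Added example; not Fortress code. The slides state that each tenant has a
complete copy of the DIT segregated by organizational unit and that the
client id passed at factory initialization scopes everything the manager
does. The DN layout, the in-memory directory and the method names here are
assumptions made for this example.
"""

SUFFIX = "dc=example,dc=com"   # assumed directory suffix

# Constructed directory: a full DIT copy per tenant under ou=<tenantId>.
# The same uid exists in two tenants with different roles on purpose.
DIRECTORY = {
    "uid=alice,ou=People,ou=Client123,dc=example,dc=com": {"roles": ["ROLE_TEST1"]},
    "uid=bob,ou=People,ou=Client123,dc=example,dc=com": {"roles": ["ROLE_TEST2"]},
    "uid=alice,ou=People,ou=Client456,dc=example,dc=com": {"roles": ["ROLE_TEST3"]},
}


class TenantScopedAccessMgr:
    """Every lookup is rooted at this tenant's subtree for the manager's lifetime."""

    def __init__(self, tenant_id: str):
        # The tenant id becomes part of every DN, so it must not be able to
        # introduce a new RDN or otherwise alter the DN structure.
        if not tenant_id or not tenant_id.isalnum():
            raise ValueError("tenant id must be a non-empty alphanumeric string")
        self.tenant_id = tenant_id
        self.base_dn = f"ou={tenant_id},{SUFFIX}"

    def user_dn(self, uid: str) -> str:
        """Build the user's DN under this tenant; uid must be a plain RDN value."""
        if not uid or any(c in uid for c in ',=+"\\<>;#'):
            raise ValueError("uid contains characters that would alter the DN")
        return f"uid={uid},ou=People,{self.base_dn}"

    def is_in_scope(self, dn: str) -> bool:
        """True only if dn lies strictly below this tenant's base DN.

        The leading comma keeps ou=Client1234 from matching ou=Client123.
        """
        return dn.lower().endswith("," + self.base_dn.lower())

    def read_user(self, uid: str):
        """Resolve uid inside the tenant only; None if absent in this tenant."""
        return DIRECTORY.get(self.user_dn(uid))

    def read_entry(self, dn: str):
        """Read by DN, refusing any DN outside the tenant's subtree."""
        if not self.is_in_scope(dn):
            raise PermissionError(f"{dn} is outside tenant {self.tenant_id}")
        return DIRECTORY.get(dn)


class AccessMgrFactory:
    """Mirrors the createInstance(tenantId) call shape from the slide."""

    @staticmethod
    def create_instance(tenant_id: str) -> TenantScopedAccessMgr:
        return TenantScopedAccessMgr(tenant_id)


if __name__ == "__main__":
    mgr123 = AccessMgrFactory.create_instance("Client123")
    mgr456 = AccessMgrFactory.create_instance("Client456")
    print(mgr123.read_user("alice"))   # {'roles': ['ROLE_TEST1']}
    print(mgr456.read_user("alice"))   # {'roles': ['ROLE_TEST3']}
    print(mgr456.read_user("bob"))     # None: bob exists only in Client123
```

The point a reviewer would check in any multitenant directory layout is that no code path accepts a caller-supplied DN without the is_in_scope test; the uid filter exists so that a crafted uid cannot append RDNs and escape the tenant subtree.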
Multitenant Demo
• Load demo users Client 1, 2 & 3
• Run test-full Client 1, 2 & 3
Where to get Fortress Multitenancy
• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-core.git;a=summary
• Binaries (Maven dependency)

<dependency>
  <groupId>us.joshuatreesoftware</groupId>
  <artifactId>fortress</artifactId>
  <version>RC-1.0-33</version>
</dependency>
Next Steps
• RBAC Accelerator
  • OpenLDAP overlay
  • RBAC Policy Decision Point
• Web Access Management/SSO
• RBAC Policy-Enhanced Standard (RPE)
  • INCITS 494-2011
  • Support for dynamic attributes
• Attribute-based Access Control (ABAC)
  • Maybe
Thanks!
