OA21: Breakout (2) Building Open Source Identity Infrastructures

Jun 28, 2021 20:10 · 4453 words · 21 minute read

good morning everybody welcome to the building open source identity infrastructure session uh presenters are francesco and misagh please leave yourself muted and cameras turned off during the presentation if you’d like to ask a question wait until the q a portion after the presentation or use the shared notes to the left above the user list to ask the presenter questions please use the chat box only for chat not for presenter questions if you have any tech issues please send me kenny aragon direct message and we will assist you in any way we can with that i’ll hand it off to you francesco thank you very much kenny uh hello everyone uh welcome to this talk um it will be myself and my colleague misagh we will be talking about our experience in building uh open source identity infrastructure so just a few words about myself i am managing director at Tirasa tirasa is a company that is building services around open source identity and access management tools but i’m also a member at the apache software foundation and vice president apache syncope with me i have my colleague misagh yes hi good morning good afternoon good day to everybody here thank you for attending the presentation as francesco mentioned my name is misagh moayyed i work as a software architect at tirasa and likewise i am also a member of the apache software foundation and work with francesco and other folks on the apache syncope project and in parallel if there’s any time left i also sort of chair the apereo cas project and i’ve been with the project for over 10 years or so so thank you i’ll hand it back to francesco to get started with the presentation thank you misagh so let’s first start with with establishing some common ground and vocabulary to name the same things the same way so first of all when we say identity what are we talking about um it’s something that it’s all uh in everything in every system we interact with so we have accounts we have identity and the the most important thing is to uh understand the difference between them and to say uh with more confidence that account is what our computers are about so they are representing of information that are stored somewhere and each account rip is representing only a portion or a view of the overall identity an identity is uh conversely you can see it as the the composition of the partial views that are constituted by account so it seems to be crucial to establish a relationship uh that is correct and as much complete as possible between accounts and identity so how we deal with identity issues essentially we recognize two approaches one is identity management or uh that is the the the everything that you can do to keep identity data consistent and synchronized across repositories so uh essentially is the art of keeping all accounts that are sparse in different resources different formats different network protocols so to keep all this information collected together and consistent over time access management instead is everything that is attaining to user authentication and authorization so who you are and what you are entitled to do on my system identity management and access management are complementary when you use one you can use the other often they work very well together and out of our discussion here would be we show uh some use cases and the way how we keep them together so overall a high level the problem you are trying to solve is starting from a situation like this where you have uh from the top part of the screen several different actors of your systems and and on the bottom part of the screen all all of your systems naturally uh this is when we say um your systems they could be on-premise or on cloud there is no difference anyway no so uh we over time some relationships um are established between actors and systems that are often uh going out of control to the the teams that are supposed to uh make some order out of it so uh with enough complexity enough time and enough requirements you reach up to a situation like the following we represent in a picture the idea of establishing a centralized identity and access management system is to move to a situation like this where you have a point where you can take control of what’s happening where is happening and you from which you can query uh reporting auditing uh you can centralize the checks you can define policies you can establish approvals and essentially in one word you can take things all under control both from a technical and a business point of view one important thing is if you note the top right box is named former employees uh this is typically one of the the biggest troubles when you are not enforcing an iam system that is you are still allowing for former employees for some time to interact with your system so securities of course just this just while i security is of course one of the important items we are discussing here so um we we have a number of uh in the identity and access management tooling landscape we have essentially we recognize essentially three types of technologies the first being the identity stores so an identity store is a place where the account information is stored so you can have traditional or legacy identity stores like active directory ldap or relational databases or you can have nowadays identity stores in the cloud you have azure you have google suite you have any uh cloud you can mention but the principle is the same so we are talking of places that have the storage plus some apis on top to interact uh so to place the objects move the objects uh around uh the store uh what’s the point the identity store historically the first identity technology that came out or when you with identity source each application is uh can be managing its own applica authentication or provisioning separately because a store is a store so a place where to uh store information um from an authentication point of view users for example may or may not use the same password for all the applications but why this is this technology is not enough it’s not enough for several reasons essentially because you and end up by dealing with different technologies and technologies that could be very different like an old uh relational database and a cloud provider but uh you don’t also you don’t have any hierarchy in the the information so you don’t have a clear way to establish um the which system you can trust more uh often then you as a by experience you don’t have it’s very difficult also to enforce policies on uh identity stores when you have more than one of course you don’t have workflow uh available or then there are other additional issues like the fact of not being able to uh consistently foresee the infrastructure uh management cost because uh as as much as the organization is growing uh you will find even more difficult to correlate the various identity stores to each other and finally this is by experience uh very often you have applications that despite of having already available several identity stores in your infrastructure some applications might still require a local database for some purpose to store some dedicated profile information to uh to to work the way that they were meant to et cetera so for various reasons second the second technology we are introducing here are provisioning engines so the idea for the the job of a provisioning engine is to keep things synchronized as much as possible uh by uh defining a high-level concept that we call the identity life cycle management so the identity itself becomes becomes something you can track and you can uh for which you define a lifetime with a start and an end um of course provisioning engines need to need to follow to accompany the the the the real identity uh they are mapped from so uh everything starts with provisioning uh and but then the the identity can move inside the organization by getting promoted by being assigned to save certain uh project by making requests by had to change their password by being notified doing administration etc so uh and at the end of this life cycle there is that provisioning because the user is leaving the organization uh one primary need for provisioning engine is to be as much customizable and flexible as possible because a provisioning engine needs to adapt itself to exist to the existing infrastructure to existing need to existing flows or need also to evolve with company needs uh for several reasons we that might be appear clearer later um provisioning engines are focused on backhand because they are connect essentially they do their job against applications against identity stores as we said before provisioning engine finally can communicate with applications or with an entity source uh in a in a in two distinct ways they could be a connector uh oriented meaning that the the target application and entity sort of need to be changed to interact with the provisioning engine or they might require some sort of agent which is usually more invasive but also often more efficient the third type of technology that we use in the identity space we name it access managers so at the components that take care of authentication and authorization so several concepts or the standards are involved here we’re talking about single sign-on multi-factor authentication or protocols like oauth openid connect xacml so all these concepts are related to what we call access manager since access manager’s job is to deal with user and user authentication and authorization we realize that they are focused instead on front-end uh we if we try to put all the elements we’ve been introducing so far all together in a single picture we can we come out with something like this where we have the provisioning engine on the left side the access manager on the right side and then all the other components of a typical software architecture where several applications are uh available uh some of them are insisting on a given identity store but there are also other applications like hr and crm uh all controlled by the provision or identity store in the cloud that are controlled by the provisioning engine the provisioning engine is also connected somehow here we are imagining the the the simplest way uh we access managers an access manager will take care of authentication so everything that is required on front-end authorization etc while provisioning engine will offer specialized views to business help desks this admin for example and reporting and auditing and governance and administration to them uh so this to summarize the picture so let’s move to another section now that we have a common vocabulary and background let’s let’s talk about selling open source identity and access management so this is the iconic sentence we always by experience are learning and hearing from our customers or prospects when we start talking about identity management in the open source space um you can replace ibm here with any other vendor you can name the space so you can say oracle you can say for drop you can say octa cell point ntq ib whatever you want in the past you could even say some microsystems but the point here is uh finding a way to justify or to uh highlight the the benefit of open source in the iam space against what vendor could offer so what can we offer as open source iam producer not of course mentioning the price no because we are talking about hundreds of thousands of dollars for just the the license and then you have the project to do so in our case let’s uh leave the price aside what we could offer that vendor solutions don’t so first of all it’s the flexibility there is nothing more flexible than a tool you can inspect or you can extend by yourself or you can hire someone to extend and if you’re not satisfied anymore you can replace this one with someone else uh so that’s also why you don’t have vendor lock in you don’t have a black box on your infrastructure that is you know anything about uh that is driving your identity flows then you have security security management in open source especially when we talk about open source software that is ruled over uh large foundations like apereo or the apache software foundation they have a very well established and clear and reliable uh security policy for disclosure for reporting for security freight etc there is uh you have all the advantages of security management this way and of course uh customers can be and often are required to be involved in this solution because the solution itself is will be designed and very flexibly adapt to the the the requirements that customers might offer one important thing to beg to beat vendor lockin is that if you are not satisfied of your contractor because you’re not serving anymore you can go and seek into the open source the backend open source communities and find someone else that can support or you can just have your ict team to work this way the open source identity stock in our reference is composed by two pillars one being apache syncope for identity provisioning and governance so it’s the provisioning engine from the slides before the other one being apereo cas for authentication authorization etc uh that was mentioned as access manager uh in the slides before so now we are going to uh into some detail from some technical detail about these two products and also something about their roadmaps um let me leave the the the the presenter role to misagh thank you francesco um so this is the part of the presentation where as francesco said we keep talking about the the solution stack and the components that uh make up the stack in terms of open source identity access management and the first component is the part that handles well the access management and authentication authorization it sits at the front end of this entire stack and this is where the cas project comes into play cas is of course short for central authentication service many of you in the presentation might already know and be familiar with the project and it is a single sign-on manager an identity provider an access manager depending on your mood in the day you know any of those names seem might be appropriate and it is a multi-lingual platform in the sense that it can speak many or multiple standard authentication protocols uh to integrate with applications and you know verify identity and collect user attributes and claims and so on and so forth and it’s been a project that has been part of the jasig slash apereo portfolio from almost the beginning if not the very beginning and has been around since i don’t know mid 2003-ish five-ish and so in one sense it’s it can be seen as legacy software it’s been in production since 2000 mid-2000s so the current the current uh version and the current status of the cas project is is as follows the current release line is based on top of version 6.

3 then this is the release that is currently in maintenance and is i guess appropriate for production this is what you would call quote unquote the stable release and the developer developer community and the broader community in general was working on the next release of the software which is the next feature release and that would be under the 6. 4 release line so i’ll sort of give you a quick status update on what the current state of the world is and then we’ll briefly take a look at what the next state of the world might be uh in the coming 6.

4 line so today as i mentioned the the current stable slash maintenance releases the 6. 3 line you can see some screenshots here on this slide that present or demonstrate some of the capabilities that that exist in this particular release line you could have access to multi-factor authentication with fido2 or web authn you could log in with a qr code and scan a code on your mobile phone and log in sort of transparently you have the ability to set up google authenticator for multi-factor authentication and register multiple accounts and manage multiple accounts and so on and so forth and this is generally the the latest uh evolution of the software in this particular state that continues to add incremental features and enhancements and such in a way that is compatible and without too many breaking changes uh especially at the at the data layer and potentially at the api layer so when we move on to move on to the next release of the software of course this has been the cas 6.

4 release line it’s been in development for uh better part of last year 2020 and we’re getting very very close to actually releasing this this particular release sometime in mid to late summer 2021 summer of this year and uh there are a large number of features and releases sorry features and enhancements baked into the 6. 4 line various options for mfa integrations with amazon command line clients compatibility with java latest versions of java in general updates across the entire platform framework i have listed some links here on this slide that i think might be beneficial for those of you who are interested to follow the development or get more information about the project and status and things that happen as well as information around tutorials and walkthroughs and such and of course i also decided to list the end of life schedule for the project in case you are planning an upgrade or thinking about an upgrade or thinking about deploying a solution brand new these are the dates and these this is the schedule that the project goes by in terms of keeping releases alive and and keeping them in maintenance uh for the time to come and i should also mention sort of at the end of this particular portion that cas 6 4 is really the foundation of a brand new module in the apache syncope ecosystem that does handle access management and web access and authorization and it is something that i think francesco will provide additional details for you in a little bit so i’ll leave you for now get back to francesco thank you thank you misagh so uh briefly again about uh about syncope the project itself is uh as we said the provisioning engine so what it’s doing we have a simple screenshot of the dashboard in the admin console uh so essentially you can you you want to place uh users groups devices or whatever you want to pull it from the places where they are so they’re through from the identity stores and you you want to make some changes and then provision to other or the same identity stores you have a workflow features based on flowable that offer multi-level approval or request management you can do audit and reporting you have a full capable admin ui of which you are seeing a screenshot that is controlling the system in all of this aspect and you also have a self-service ui that is allowing for uh self-registration social registration password reset and any um profile update and any other operation you might you might want to offer to your end users uh the product itself is 100 percent restful it offers a rest interface to do all identity operations uh it offers uh features of scim it implements scim 2.

0 uh protocol and one very important aspect of syncope that is at the core of this design is the ability to allow for extension uh and adaptation on in all the environments is deployed and you can do such extension you can build such extensions both in java and groovy which allows runtime uh changes and adaptation here i’m rewarding a few links you might find useful from the project sources the mailing lists that are the primary way to interact with the project team and also to ask questions etc there will a wiki page uh we have for our roadmap uh about release the current release branch is the two one x uh from which we have released uh syncope of 219 uh in april back in april and we are expecting another release uh maintaining release two one ten uh by by the end by possibly the end of summer uh this this line this release branch 2 1x is currently the stable production code that is deployed in uh in in in all of these places uh but we are preparing and we will still get a few points something maintenance so i’m i’m expecting we will have a few uh maintenance releases more but the big work that is has been done during this the the last two years is now concentrating as misagh was suggesting in apache syncope 3.

0 uh you have a link also for the design notes from which this picture was was taken that has um for which we have prepared some sort of uh jump from the the uh the strict provisioning uh area to the broad iam uh featuring uh for for all systems so besides the existing core console and end users these are the modules that exist also in 2. 1 we have a new uh a couple of new modules one is named wa web access here in the picture you can see it as weblogin this was the original picture that is essentially uh based on cas 6.

4 and api gateway that is now named sra that is based on spring cloud gateway so the two these two new modules are essentially enabling the syncope uh as a platform for that could be deployed flexibly so if you only want provisioning only want access management or you want both you also want um api gateway slash reverse proxy so whatever you need uh will be based that can be done by this flexibly flexible deployment and one very important thing is that you can get all of uh the features from uh each component centralized and in management from the syncope admin ui so you would from the ui you can at run time make your configuration changes for the web access module and the connected cas instance will adapt itself to the new configuration you define a new route for your api gateway and the connected spring cloud gateway instance will add the new route immediately so uh we are trying to find a we hope this will be our uh the next step for to have an open source solution to implement several aspects of the uh iam features uh to enable more uh competition with vendor products uh from a technology point of view we are the cinco 3 is will be based on spring boot 2.

5 it will require jdk 11 but uh from the builds are running also against jdk 17 early access today so this is about technology the final part of the presentation would be to show some of our some of our uh success stories that we have been uh delivering for open source iam tools so first one i’m going to briefly present you is about university of florence in italy uh we have about 150 000 users with students teachers staff and all of these users need to are coming from different sources it could be uh ldap active directory databases and need to be provisioned in turn to different uh identity stores uh we we have to be uh to connect the system itself with the national authentication system that in easily is named speed based on saml 2 and also to provide self-service features for students and teachers so all of them was built on syncope and cas naturally uh the the the team itself from university was involved in development they are they’ve been opening also requests on upstream systems for the bugs they found so we found this as a very uh neat way to cooperate with an external team the second case i’m going to present you is about a cruise line in north america um well i we haven’t had the authorization to disclose its name but it’s a very large uh cruise line and here this this project was also quite difficult to approach because we had to orchestrate the identity and accesses across shore and several ships so we had to keep consistency to deal with this connection uh to deal with batch with events and in this case we had to develop an integration with apache kafka um we the the from an authentication point of view we had both open ap connect and saml2 enabled uh google auth uh for multi-factor authentication so a very stripped and involved project the number of users in total is not very high we’re talking about a few thousand but the very the most important part was to design and orchestrate the identity flows from ship from shore to ships and vice versa hey francesco yes sorry to interrupt we’re running up on time now it’s it’s uh 10 45.

oh okay i will another screenshot just this slide about a large food service distributor in north america please have a look and this uh healthcare institution in northern italy with all the connected existing applications standard features and so on if you need more information you can reach up us at the website we are linking here and also i think the links in all these slides will be available after the presentation okay and it did like it looked like dimitri uh was looking to see if somebody could paste the thanks guys thanks to you thanks very much bye for now.