Wednesday 29 January 2014

Tackling some traditional IdM use-cases with OpenIDM

Although OpenIDM is built for consumer-facing identity management as part of the ForgeRock Identity Relationship Management stack, it provides a number of typical capabilities that traditional enterprises can use to tackle some of their problems. Since many of our customers are investigating alternatives to their Sun Identity Manager environment, I thought it would be helpful to describe the use-cases with this in mind.


Let's look at four typical use-cases a Sun Identity Manager customer might have deployed, and discuss how OpenIDM matches up.


1.) Orphan account detection
Sun IdM provides a reconciliation engine that allows customers to define, with XPRESS rules, correlations between target resource accounts and the virtual identity in Sun IdM. Reconciliation runs per resource, compares the two sides and produces situations describing whether accounts are matched, unmatched, not known, etc.


OpenIDM offers a similar reconciliation engine, allowing these correlation rules to be migrated from XPRESS to JavaScript. The reconciliation results are similar to what Sun IdM offers, and OpenIDM also exposes the capability of invoking custom reactions to a discovered situation, such as running a script or invoking a BPMN 2.0 workflow. As in Sun IdM, the reconciliation also provides the information needed to produce reports such as orphan account reports.
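To make the situation model concrete, here is an added example (my own simulation, not OpenIDM's reconciliation engine) in which the correlation rule is a plain JavaScript function, in the same spirit as a correlation script migrated from XPRESS. The managed users, target accounts, link table and the situation-to-action policy are all constructed for the example; the situation names follow the ones a reconciliation run reports (CONFIRMED, FOUND, ABSENT, AMBIGUOUS, MISSING, UNASSIGNED), and the orphan report is simply the list of UNASSIGNED target accounts.

```javascript
// Added example, not OpenIDM code: a minimal reconciliation that classifies
// accounts into situations using a JavaScript correlation rule.

// Constructed sample data: managed users (the "virtual identity"),
// accounts on one target resource, and the link table from earlier runs.
const managedUsers = [
  { _id: 'u1', userName: 'alice', mail: 'alice@example.com' },
  { _id: 'u2', userName: 'bob',   mail: 'bob@example.com' },
  { _id: 'u3', userName: 'carol', mail: 'carol@example.com' },
  { _id: 'u4', userName: 'dan',   mail: 'dan@example.com' },
  { _id: 'u5', userName: 'erin',  mail: 'erin@example.com' },
];
const targetAccounts = [
  { _id: 'a-alice', sAMAccountName: 'alice',      mail: 'alice@example.com' },
  { _id: 'a-bob',   sAMAccountName: 'bob',        mail: 'bob@example.com' },
  { _id: 'a-dan1',  sAMAccountName: 'dan',        mail: 'dan@example.com' },
  { _id: 'a-dan2',  sAMAccountName: 'dan.admin',  mail: 'dan@example.com' },
  { _id: 'a-svc',   sAMAccountName: 'svc_backup', mail: 'ops@example.com' },
];
const links = [
  { source: 'u1', target: 'a-alice' },
  { source: 'u5', target: 'a-erin' },   // the account was deleted on the resource
];

// Correlation rule (what would have been an XPRESS rule in Sun IdM):
// a target account belongs to a managed user when the mail attribute matches.
function correlate(user, accounts) {
  return accounts.filter(a => a.mail === user.mail);
}

// Source phase: one situation per managed user.
function assessSource(users, accounts, linkTable) {
  return users.map(user => {
    const link = linkTable.find(l => l.source === user._id);
    if (link) {
      const stillThere = accounts.some(a => a._id === link.target);
      return { id: user._id, situation: stillThere ? 'CONFIRMED' : 'MISSING',
               candidates: stillThere ? [link.target] : [] };
    }
    const matches = correlate(user, accounts).map(a => a._id);
    let situation = 'ABSENT';
    if (matches.length === 1) situation = 'FOUND';
    else if (matches.length > 1) situation = 'AMBIGUOUS';
    return { id: user._id, situation, candidates: matches };
  });
}

// Target phase: a target account that no link and no correlation claims is
// UNASSIGNED, i.e. an orphan. (Simplification: a real run would already have
// linked the FOUND accounts during the source phase.)
function assessTarget(users, accounts, linkTable) {
  const claimed = new Set(assessSource(users, accounts, linkTable).flatMap(r => r.candidates));
  return accounts.map(acct => ({
    id: acct._id,
    situation: claimed.has(acct._id) ? 'CONFIRMED' : 'UNASSIGNED',
  }));
}

// The orphan account report is just the UNASSIGNED list.
function orphanReport(users, accounts, linkTable) {
  return assessTarget(users, accounts, linkTable)
    .filter(r => r.situation === 'UNASSIGNED')
    .map(r => r.id);
}

// Situation -> action policy; the values are this example's choice. Orphans
// are reported rather than deleted, and ambiguous matches raise an exception
// for a human rather than silently linking one of the candidates.
const policies = {
  CONFIRMED: 'UPDATE', FOUND: 'LINK', ABSENT: 'CREATE',
  AMBIGUOUS: 'EXCEPTION', MISSING: 'EXCEPTION', UNASSIGNED: 'REPORT',
};

function plan(users, accounts, linkTable) {
  const results = assessSource(users, accounts, linkTable)
    .concat(assessTarget(users, accounts, linkTable).filter(r => r.situation === 'UNASSIGNED'));
  return results.map(r => ({ id: r.id, situation: r.situation, action: policies[r.situation] }));
}

console.log(plan(managedUsers, targetAccounts, links));
```

Running the block lists alice as CONFIRMED, bob as FOUND, carol as ABSENT, dan as AMBIGUOUS (two accounts share the mail), erin as MISSING (her linked account is gone) and the service account as the single UNASSIGNED entry of the orphan report.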


A key differentiator from traditional IdM vendors is that OpenIDM is made for the consumer-facing world, where scale and performance are critical.


2.) Authoritative Source driven provisioning
Sun IdM provides the ActiveSync mechanism, where certain connectors or resource adapters are extended with the capability of reacting to changes in near real time (via scheduled polling).


The ActiveSync process then discovers CREATE, UPDATE or DELETE situations on resource accounts, and three different workflows parse a set of forms (typically referred to as ActiveSync forms) to manage the attribute transformations and the identity data flow.


OpenIDM offers a similar capability and also leverages the same set of connectors as Sun IdM. In the world of OpenIDM this capability is referred to as LiveSync. The LiveSync process is typically a scheduled process running in the background, and instead of UserForms and XPRESS to define the transformations, these are specified in mappings describing the flow from one system to another. The LiveSync life-cycle offers a number of hooks that allow you to specify actions such as running custom scripts or invoking a workflow, offering the same flexibility and capabilities as Sun IdM.
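The following added example (my own illustration, not OpenIDM's LiveSync implementation or its mapping format) shows what takes the place of the ActiveSync forms: a mapping object whose property list carries the attribute transformations as JavaScript functions, plus create/update/delete hooks, applied to a constructed batch of CREATE/UPDATE/DELETE changes polled from an assumed HR source. The mapping name, the attribute names and the in-memory `Map` standing in for the managed user store are all assumptions.

```javascript
// Added example, not OpenIDM code: a mapping with transformations and hooks,
// driven by a batch of polled changes from an authoritative source.

const mapping = {
  name: 'systemHr_managedUser',       // assumed mapping name
  keySource: 'employeeId',            // source attribute the link is keyed on
  properties: [
    { source: 'employeeId', target: 'userName' },
    { source: 'givenName',  target: 'givenName' },
    { source: 'sn',         target: 'sn' },
    // No "source": the transform receives the whole source object (this
    // example's convention) and derives the mail address from two attributes.
    { target: 'mail', transform: src => `${src.givenName}.${src.sn}@example.com`.toLowerCase() },
    // With "source": the transform receives just that attribute's value.
    { source: 'status', target: 'accountStatus', transform: v => (v === 'A' ? 'active' : 'inactive') },
  ],
  // Life-cycle hooks: this is where the page says a custom script or a
  // workflow would be invoked. Here they only write an audit line.
  onCreate: (tgt, audit) => audit.push(`create ${tgt.userName}`),
  onUpdate: (tgt, audit) => audit.push(`update ${tgt.userName}`),
  onDelete: (key, audit) => audit.push(`delete ${key}`),
};

// Apply the property mappings to one source object.
function transformObject(map, src) {
  const out = {};
  for (const p of map.properties) {
    const input = p.source !== undefined ? src[p.source] : src;
    out[p.target] = p.transform ? p.transform(input) : input;
  }
  return out;
}

// Process one polled batch against the target store. Whether a CREATE or
// UPDATE hook fires is decided by what the target already holds, not by the
// change type alone, so a replayed or reordered event cannot create a duplicate.
function processChanges(map, changeList, store) {
  const audit = [];
  for (const change of changeList) {
    const key = change.object[map.keySource];
    if (change.type === 'DELETE') {
      if (store.delete(key)) map.onDelete(key, audit);   // Map.delete -> true when removed
      continue;
    }
    const target = transformObject(map, change.object);
    const existed = store.has(key);
    store.set(key, target);
    (existed ? map.onUpdate : map.onCreate)(target, audit);
  }
  return audit;
}

// Constructed batch of changes, as a poll of the HR source might return them.
const hrChanges = [
  { type: 'CREATE', object: { employeeId: 'e100', givenName: 'Ann', sn: 'Lee',      status: 'A' } },
  { type: 'UPDATE', object: { employeeId: 'e100', givenName: 'Ann', sn: 'Lee-Park', status: 'A' } },
  { type: 'DELETE', object: { employeeId: 'e100' } },
];

const managedUserStore = new Map();
console.log(processChanges(mapping, hrChanges, managedUserStore), managedUserStore);
```

A real deployment would not usually delete the managed user on a DELETE from the source; mapping the situation to a deactivation is the more common choice, and in this structure that is a one-line change in the DELETE branch.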


3.) Password Management
A typical quick win and low-hanging fruit with Sun IdM was that once resource adapters or connectors were configured, password management came with the setup. Sun IdM allows you to specify a governing password policy according to company requirements and enforce it during password resets. Sun IdM also allowed you to intercept passwords on Active Directory by deploying a special plugin on the AD domain controllers. Self-service capabilities to reset passwords were by default managed using challenge/response questions that could either be specified by an administrator, be self-defined, or a combination of the two.

OpenIDM provides equal functionality to manage passwords: specifying policies using flexible regular expressions in JavaScript rules, resetting and changing passwords accordingly, and leveraging challenge questions for self-service resets. OpenIDM also provides a plugin for AD to intercept passwords and allow them to be synchronized, as well as a plugin for OpenDJ to expose the same capability there.


4.) Self Service requests
Sun IdM allows you to quickly and easily expose custom workflows that can interact with the virtual identity and the underlying integrated resources to do attribute updates, provision new accounts, etc. OpenIDM exposes the same capability, but instead of using a proprietary workflow definition language it leverages the industry-standard BPMN 2.0 to specify workflows.



So although OpenIDM really targets a different market segment with its consumer-facing approach and its focus on scalability, some of the typical and traditional use-cases often found within enterprises can be addressed. OpenIDM also provides the ideal platform to extend your enterprise to the cloud, where user provisioning and administration can bridge that gap with ease. Furthermore, OpenIDM also gives you the opportunity to expose identity management services via the common RESTful API that exposes all capabilities in the product.

