Identity Management (IdM) in Portal, ECM and BPM Projects

When developing Portal, ECM or BPM projects, teams often tend to ignore the authentication and authorization solution, and the solution that will store user identities.

Authentication, Authorization and Web-SSO solutions require an Identity Management infrastructure that is already installed and configured. Most commonly a Meta Directory or LDAP server is used, but experience leads us to need something more dynamic and scalable, especially in projects where the initial source of users, roles and hierarchy within the organization is not clear.

In this scenario, I usually recommend a Virtual Directory solution to store the identities of our users, and CAS as the authentication and Web-SSO service. Both are fully complementary and let us very quickly build a robust, “low-cost” identity management solution in our organization.

Services in Identity Management Systems (IdM)

An Identity Management infrastructure typically involves the following services:

Centralized Directory or Repository for Identities.

The Corporate Directory is an LDAP server that stores user or identity information for the applications in the organization. Organizations should have 2 directories: one for internal services (Windows or intranet login, Kerberos authentication, etc.) and another for web or standalone applications such as Liferay Portal.

Mechanisms for replication, synchronization and consolidation of directories or repositories.

Some organizations have several offices around the world; each has its own Directory or LDAP server providing services to the office it belongs to, while a Consolidated or Global LDAP Directory Server can offer services such as searching for people from other offices through a single Address Book. To do this we need mechanisms to consolidate data from the LDAP servers and from different sources such as a DBMS, regardless of where and how the data is stored.

Identity Lifecycle Management.

This basically means creating, reading, updating and deleting identities or any of their attributes. Some solutions include services such as rollout, renewal, forgotten password, …

Single Authentication or Identity Validation Service.

Authentication is only identity validation: when we make a validation request, the validation authority or authentication service responds by saying whether the details of the person or user (the credentials or identity data) exist or not in the LDAP server.

In addition to the centralized storage of all identities in the Directory or LDAP Server, you need a validation service that can answer whether credentials are correct in response to validation requests made by the organization's standalone applications, portals, Windows logins, etc. Such a service must know how to respond to the different requests of different types of applications and protocols. Typically several protocols are defined, as many as there are types of validation request; for example, a protocol could be an “LDAP bind”, “SOAP” or a simple “HTTPS” request.

Authorization Service.

Authorization is the decision process, based on certain attributes, by which a person, machine or server is allowed to access a particular resource.
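The two services just described, as an added example that is not code from the original post: a minimal validation service that answers “do these credentials exist in the directory?” the way an LDAP simple bind does, and an attribute-based authorization decision layered on top of it. The in-memory directory, the users, the group DNs and the policy table are all constructed sample data. One caveat worth building in: an LDAP simple bind with a DN and an empty password is an “unauthenticated” bind (RFC 4513) that on many servers succeeds as an anonymous session, so an application that treats any non-error bind as a valid login is fooled by it; the validation function below rejects that case explicitly.

```python
"""Added example (not from the original post): LDAP-bind-style identity
validation plus an attribute-based authorization decision.
All directory contents below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Constructed hashing for the sample only; a real directory stores
    # its own password hashes (e.g. SSHA in OpenLDAP).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Entry:
    dn: str
    uid: str
    salt: bytes
    pw_hash: bytes
    attributes: dict = field(default_factory=dict)


class Directory:
    """In-memory stand-in for the corporate LDAP server."""

    def __init__(self):
        self._by_dn = {}

    def add(self, uid, password, **attributes):
        salt = os.urandom(16)
        dn = f"uid={uid},ou=people,dc=example,dc=com"   # constructed suffix
        self._by_dn[dn] = Entry(dn, uid, salt, _hash_password(password, salt), attributes)

    def search_uid(self, uid):
        # Anonymous search: map a login name to its DN (first step of a bind flow).
        for entry in self._by_dn.values():
            if entry.uid == uid:
                return entry
        return None

    def simple_bind(self, dn, password):
        """Mirror LDAP simple-bind semantics (RFC 4513): a bind with an empty
        password yields an *anonymous* session, not an authenticated `dn`."""
        if password == "":
            return "anonymous"
        entry = self._by_dn.get(dn)
        if entry is None:
            return None
        if hmac.compare_digest(_hash_password(password, entry.salt), entry.pw_hash):
            return "authenticated"
        return None


def validate_credentials(directory, uid, password):
    """Authentication = identity validation only: True iff the credentials
    exist in the directory. Only an *authenticated* bind counts."""
    entry = directory.search_uid(uid)
    if entry is None:
        return False
    return directory.simple_bind(entry.dn, password) == "authenticated"


def authorize(directory, uid, resource, policy):
    """Authorization = decision from attributes: the policy names the group
    (memberOf) required for each resource; unknown resources are denied."""
    entry = directory.search_uid(uid)
    if entry is None:
        return False
    required_group = policy.get(resource)
    if required_group is None:
        return False
    return required_group in entry.attributes.get("memberOf", [])


# Constructed sample directory and policy.
ADMINS = "cn=portal-admins,ou=groups,dc=example,dc=com"
USERS = "cn=portal-users,ou=groups,dc=example,dc=com"
POLICY = {"/portal/admin": ADMINS, "/portal/home": USERS}


def build_sample_directory():
    d = Directory()
    d.add("alice", "s3cret-alice", memberOf=[ADMINS])
    d.add("bob", "s3cret-bob", memberOf=[USERS])
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print(validate_credentials(d, "alice", "s3cret-alice"))  # True
    print(validate_credentials(d, "alice", ""))              # False: anonymous bind
    print(authorize(d, "alice", "/portal/admin", POLICY))    # True
    print(authorize(d, "bob", "/portal/admin", POLICY))      # False
```

The split into `search_uid` followed by `simple_bind` is the usual bind-based validation pattern (find the DN, then bind as it); the `authorize` step never looks at the password again, which is the point of keeping the two services separate.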

“Single Sign On” Service.

With this service the user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property, whereby a single action of signing out terminates access to multiple software systems.
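The single sign-on and single sign-off properties, as an added example that is not code from the original post or from the CAS project: a simplified model of the CAS ticket flow. The endpoint names (`/login`, `/serviceValidate`), the `TGC-`/`ST-` ticket prefixes and the single-use, service-bound, short-lived service ticket are taken from CAS; the HTTP redirects, XML responses and the back-channel logout message are replaced by direct method calls, and the application URLs, user name and credential-check callback are constructed for the sample.

```python
"""Added example (not CAS code): a simplified CAS-style SSO flow with
single-use service tickets and single sign-off.
Application URLs and users below are constructed sample data."""
import secrets
import time


class CasServer:
    def __init__(self, validate, ticket_ttl=10.0):
        self._validate = validate   # credential check, i.e. the authentication service
        self._tgts = {}             # TGC cookie value -> {"user", "services"}
        self._sts = {}              # service ticket -> {"user", "service", "tgc", "issued"}
        self._ttl = ticket_ttl

    def login(self, service, username=None, password=None, tgc=None):
        """/login: returns (tgc, service_ticket). The first visit needs
        credentials; afterwards the TGC cookie alone yields a fresh ST."""
        if tgc is None or tgc not in self._tgts:
            if not (username and password and self._validate(username, password)):
                return None, None
            tgc = "TGC-" + secrets.token_urlsafe(16)
            self._tgts[tgc] = {"user": username, "services": set()}
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = {"user": self._tgts[tgc]["user"], "service": service,
                         "tgc": tgc, "issued": time.time()}
        self._tgts[tgc]["services"].add(service)
        return tgc, st

    def service_validate(self, service, ticket):
        """/serviceValidate: the ST is consumed on first use (even a failed
        one), must match the service it was issued for, and expires quickly."""
        rec = self._sts.pop(ticket, None)
        if rec is None or rec["service"] != service:
            return None
        if time.time() - rec["issued"] > self._ttl:
            return None
        return rec["user"]

    def logout(self, tgc, notify):
        """Single sign-off: destroy the TGT, drop its outstanding STs and
        notify every service that obtained a session through it."""
        rec = self._tgts.pop(tgc, None)
        if rec is None:
            return []
        for st in [s for s, r in self._sts.items() if r["tgc"] == tgc]:
            del self._sts[st]
        for service in rec["services"]:
            notify(service, rec["user"])
        return sorted(rec["services"])


class Application:
    """A CAS client (portal, ECM, ...) that keeps its own sessions."""

    def __init__(self, url, cas):
        self.url, self._cas, self.sessions = url, cas, {}

    def handle_ticket(self, ticket):
        user = self._cas.service_validate(self.url, ticket)
        if user is None:
            return None
        sid = "SID-" + secrets.token_urlsafe(8)
        self.sessions[sid] = user
        return sid

    def on_logout(self, user):
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]


def sso_walkthrough(validate):
    """Run the whole exchange and return the observable outcomes."""
    cas = CasServer(validate)
    portal = Application("https://portal.example.com/", cas)   # constructed URL
    ecm = Application("https://ecm.example.com/", cas)         # constructed URL
    apps = {a.url: a for a in (portal, ecm)}
    # 1. First application: no TGC yet, the user authenticates at CAS.
    tgc, st1 = cas.login(portal.url, "alice", "s3cret-alice")
    sid1 = portal.handle_ticket(st1)
    # 2. Second application: the TGC cookie alone gets a new ST, no prompt.
    _, st2 = cas.login(ecm.url, tgc=tgc)
    sid2 = ecm.handle_ticket(st2)
    # 3. Misuse checks: replaying a consumed ST, presenting an ST to the wrong service.
    replay = portal.handle_ticket(st1)
    _, st3 = cas.login(portal.url, tgc=tgc)
    wrong_service = ecm.handle_ticket(st3)
    # 4. Single sign-off: one logout terminates every session.
    notified = cas.logout(tgc, lambda url, user: apps[url].on_logout(user))
    return {"sid1": sid1 is not None, "sid2": sid2 is not None,
            "replay": replay, "wrong_service": wrong_service, "notified": notified,
            "portal_sessions": len(portal.sessions), "ecm_sessions": len(ecm.sessions),
            "st_after_logout": cas.login(portal.url, tgc=tgc)[1]}


if __name__ == "__main__":
    print(sso_walkthrough(lambda u, p: (u, p) == ("alice", "s3cret-alice")))
```

The `validate` callback is where the identity validation service from the previous section plugs in; CAS itself never sees more than a yes/no answer for the credentials, and the applications never see the password at all, which is what makes the tickets safe to hand around.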

The most used Free/Open Source solutions are:

  • CAS (Central Authentication Service) – http://www.jasig.org/cas
  • OpenSSO (now Oracle; its future is uncertain) – http://opensso.dev.java.net
  • OpenAM (a fork of OpenSSO) – http://forgerock.com/openam.html

Virtual Directory services

What is the difference between a Virtual Directory and a Meta Directory?

A Virtual Directory is a service that sits between applications and identity data and behaves like a real directory. It receives queries and directs them to the appropriate data sources.

  • A Virtual Directory loosely couples identity data and applications.
  • Both Virtual and Meta Directories provide a consolidated view of identity data by adding a layer on top of the native repositories (LDAP, RDBMS, …).
  • A Meta Directory draws identity data from the native repositories and stores it in a new, consolidated, real directory that faces the enterprise applications.
  • A Meta Directory (tight coupling) is a good fit when identity data is not updated frequently.
  • A Virtual Directory offers a way to provide the same consolidated view of identity data without having to build an entire new real directory infrastructure.

“[…] Instead of creating new identity repositories, virtual directories handle identity queries on a case-by-case basis, drawing the required, authorized data (and only the required data) in real time from its native repositories around a network and presenting it to an enterprise application as needed. When the query is complete the virtual directory disappears; once again, the data exists only in its native repositories, under the control of the original owner.”

(Penrose FAQ – http://docs.safehaus.org/display/PENROSE/FAQ)
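The behaviour the Penrose FAQ describes, and the cross-office address-book consolidation from the replication section above, as an added example that is not code from the original post or from Penrose: a virtual directory that routes each query to two office LDAP servers and an HR database, merges the answers in real time, hands back only the attributes the calling application is entitled to, and stores nothing. The office names, users, table layout and entitlement table are constructed sample data; the RDBMS is an in-memory SQLite database standing in for a real DBMS.

```python
"""Added example (not Penrose code): a virtual directory that consolidates
identity data from several native repositories on demand.
All entries, offices and entitlements are constructed sample data."""
import sqlite3


class LdapSource:
    """Stand-in for one office's LDAP server: entries keyed by uid."""

    def __init__(self, entries):
        self._entries = entries

    def lookup(self, uid):
        return self._entries.get(uid)


class RdbmsSource:
    """Stand-in for an HR database reached over SQL (SQLite in memory)."""

    def __init__(self):
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE employees (login TEXT PRIMARY KEY, dept TEXT, phone TEXT, salary INTEGER)")

    def insert(self, rows):
        self._db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", rows)

    def lookup(self, uid):
        # Parameterised query: the uid comes from the caller, never from string concatenation.
        row = self._db.execute(
            "SELECT dept, phone, salary FROM employees WHERE login = ?", (uid,)).fetchone()
        if row is None:
            return None
        return {"department": row[0], "telephoneNumber": row[1], "salary": row[2]}


class VirtualDirectory:
    """Routes a query to every source, merges the results for the caller and
    keeps no copy of the data: each answer is built from the native
    repositories at query time."""

    def __init__(self, sources, entitlements):
        self._sources = sources            # name -> source with lookup(uid)
        self._entitlements = entitlements  # caller -> set of readable attributes

    def search(self, uid, requested, caller):
        allowed = self._entitlements.get(caller, set())
        denied = [a for a in requested if a not in allowed]
        if denied:
            # Refuse before touching any backend: only authorized data is ever drawn.
            raise PermissionError(f"{caller} may not read {denied}")
        merged = {}
        for source in self._sources.values():
            data = source.lookup(uid)
            if data:
                merged.update(data)
        if not merged:
            return None
        return {a: merged[a] for a in requested if a in merged}


def build_sample_vd():
    madrid = LdapSource({"alice": {"cn": "Alice Ruiz", "mail": "alice@example.com", "office": "Madrid"}})
    lima = LdapSource({"bob": {"cn": "Bob Quispe", "mail": "bob@example.com", "office": "Lima"}})
    hr = RdbmsSource()
    hr.insert([("alice", "Engineering", "+34 600 000 001", 50000),
               ("bob", "Sales", "+51 900 000 002", 42000)])
    entitlements = {
        "address-book": {"cn", "mail", "office", "telephoneNumber", "department"},
        "payroll": {"cn", "department", "salary"},
    }
    return VirtualDirectory({"ldap-madrid": madrid, "ldap-lima": lima, "hr-db": hr}, entitlements)


if __name__ == "__main__":
    vd = build_sample_vd()
    # One address-book lookup finds a Lima user with their HR phone number.
    print(vd.search("bob", ["cn", "office", "telephoneNumber"], "address-book"))
    print(vd.search("alice", ["salary"], "payroll"))
```

The entitlement check runs before any backend is queried, so an application that is only entitled to address-book attributes cannot pull `salary` out of the HR source even though the virtual directory can reach it; that is the “required, authorized data (and only the required data)” property from the quote.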

There are few solutions for Virtual Directory; here are some FOSS and commercial ones:

  • Penrose – http://penrose.redhat.com/display/PENROSE/Home
  • Atlassian Crowd – http://www.atlassian.com/software/crowd/
  • Radiant Logic VDS – http://www.radiantlogic.com/main/products_vds.html

List of FOSS products and technologies for IdM

Virtual Directory and IdM products

Bye.

@Chilcano

Posted in BPM, ECM, Portal, Security
3 comments on “Identity Management (IdM) in Portal, ECM and BPM Projects”

  2. […] 22, 2010 We explained in a previous post “Identity Management (IdM) in Portal, ECM and BPM Projects” how important it is to have a Corporate Directory (LDAP server) that serves as a repository for […]
