Magnolia and IDM
Presentation at Magnolia Conference 2009 (transcript)
Magnolia Conference 2009 © deron GmbH September 2009
Identity Management and Magnolia
Ralf Hirning
Introduction
IDM User Study 2009
IDM Magnolia Integration
IDM – an Overview
Integration Module
Introduction
Company
- Spin-off from Fraunhofer Gesellschaft
- Founded in 2001
- 25 employees
- Locations
  - Head office Stuttgart
  - Köln / Burscheid
  - Hamburg
  - Zürich
Ralf Hirning
- 15 years IT consulting and project management
- 10 years CMS projects
- Magnolia projects
- Magnolia training
- Now: Identity Management consulting
IDM User Study 2009
IDM: IT Business Process Management
Identity Management Usage
[Pie chart: identity management in use? Categories: yes, introducing, planned, no. Shares shown: 23%, 7%, 36%, 34%.]
Definition of Processes ...
[Bar chart: definition of the IT business processes. X axis: create, activate, deactivate, delete. Y axis: frequency (in percent). Series: internal employee with IdM, internal employee without IdM, external employee with IdM, external employee without IdM.]
but ...
[Bar chart: definition of the change processes. X axis: change name, change password, change organization (department), change function, project membership, responsibility for technical/functional accounts. Y axis: frequency (in percent). Series: internal employee with IdM, internal employee without IdM, external employee with IdM, external employee without IdM.]
IDM – an Overview
IDM functional layers
Infrastructure layer: provisioning, authorization management, synchronization
Business layer: personal information, business role model, IT business process
IDM layer: central identity store, middleware
[Diagram: entry of new user information (sources HR and Orga), approval process for new accounts, IDM as the hub connected to Microsoft Active Directory (ADS), Help Desk, SAP, VPN and further applications.]
Business Processes & IDM Components
Components of Identity & Access Management:
- Meta-store for accounts
- Provisioning
- User Self Service
- Single Sign On
- Public Key Infrastructure
- Federation
- Audit
- Workflow Management
- Role Based Access Control
IDM: The classical approach
[Diagram: HR -> IDM -> ADS; rule-based processing of the HR data, rule-based provisioning of the downstream data.]
pros:
- data synchronization
- simple initial user setup
- fast implementation
cons:
- a complete base installation is necessary
- no workflow integration
- overall benefits are low
IDM: workflows and authorization management
pros:
- workflow integration
- extended user administration
cons:
- no auditing and reporting tools
- no role management
IDM: business roles & compliance
[Diagram:
- HR: personal data, organizational affiliation, ...
- Orga, RBAC, Audit and Reporting attached to the IDM
- Manager A, Manager B, Manager C: multi-stage approval procedure, escalation scenario (deputy rules, etc.)
- User: user self service, access-right request, password self service, ...
- ADS: creation of the user and placement within the directory structure, creation of a home directory, automated assignment of group memberships, rule-based further processing of the data
- Administration: web frontend for IDM administration]
pros:
- audit and reporting in place
- extended user administration
cons:
- additional expenses
- long term strategy necessary
Real Challenge: multiple different Life-Cycles
[Diagram of parallel life cycles:
- Mail distribution list life cycle: create, change, delete
- Shared user (Sammeluser) life cycle: check, create, change, delete
- Project life cycle: check, create, change
- Employee life cycle: create, change, deactivate, delete, activate / reactivate]
Real Challenge: multiple different change types
[Diagram: employee life cycle (create, change, deactivate, delete, activate / reactivate) with the change types name, function, organization, project member, deprovisioning, ...]
Real Challenge: organizational change
[Diagram: time axis t; the user moves from OU 'old' to OU 'new'; old permissions and new permissions shown along the axis.]
OU = organizational unit
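The organizational-change slide worked through as an added example (not from the deron presentation): a constructed OU-to-permissions role model and a user moving from one OU to another; the code computes what to revoke and grant at time t and shows what an audit component would flag when the old permissions are never withdrawn.

```python
from dataclasses import dataclass, field

# Constructed role model (assumption): each OU grants a set of permissions.
# "mail:use" is granted by both OUs to show that shared entitlements survive a move.
OU_PERMISSIONS = {
    "OU=Sales":   {"crm:read", "crm:write", "share:sales", "mail:use"},
    "OU=Finance": {"erp:read", "erp:post", "share:finance", "mail:use"},
}

@dataclass
class User:
    uid: str
    ou: str
    permissions: set = field(default_factory=set)

def plan_ou_change(user: User, new_ou: str) -> dict:
    """Provisioning plan for moving `user` from its current OU to `new_ou`.

    'revoke' holds entitlements justified only by the old OU, 'grant' those
    justified only by the new OU; entitlements both OUs grant are untouched.
    """
    old = OU_PERMISSIONS.get(user.ou, set())
    new = OU_PERMISSIONS.get(new_ou, set())
    return {"revoke": sorted(old - new), "grant": sorted(new - old)}

def apply_ou_change(user: User, new_ou: str, deprovision: bool = True) -> User:
    """Apply the move at time t. deprovision=False reproduces the problem the
    slide points at: the old permissions stay and accumulate on the new ones."""
    plan = plan_ou_change(user, new_ou)
    if deprovision:
        user.permissions -= set(plan["revoke"])
    user.permissions |= set(plan["grant"])
    user.ou = new_ou
    return user

def stale_permissions(user: User) -> set:
    """Entitlements the user holds that the current OU does not justify; this is
    what the audit/reporting component of an IDM should report."""
    return user.permissions - OU_PERMISSIONS.get(user.ou, set())

if __name__ == "__main__":
    jdoe = User("jdoe", "OU=Sales", set(OU_PERMISSIONS["OU=Sales"]))
    print(plan_ou_change(jdoe, "OU=Finance"))
    careless = apply_ou_change(jdoe, "OU=Finance", deprovision=False)
    print("stale after move without deprovisioning:", sorted(stale_permissions(careless)))
```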
IDM Magnolia Integration
Email Integration
[Diagram: the IDM sends an email, an admin applies the change in the Magnolia JCR.]
LDAP Integration
[Diagram: IDM -> sync -> LDAP -> LDAP Connector -> Magnolia JCR.]
Direct Integration
[Diagram: IDM -> Remote Module (query, create, modify, delete) -> Magnolia JCR.]
Integration Module
Remote Module - Filter
- Create filter to handle remote requests
- Define a URL pattern for the filter to handle
  - /.remote/…
Remote Module – XML Query

<?xml version="1.0" encoding="UTF-8"?>
<mgnl-command>
  <query repository="users"
         language="xpath"
         statement="//*"
         event-id="0815"/>
</mgnl-command>
Remote Module – XML Create
Remote Module – Config tag handler
- Create tag handler for
  - delete
  - move
  - rename
  - …
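As an added example (not the deron module's or Magnolia's code), a validating parser for the mgnl-command document from the XML Query slide that dispatches to the tag handlers named on the slides; the repository and query-language allow-lists and the use of event-id as a replay key are assumptions made here, not features the slides describe.

```python
import xml.etree.ElementTree as ET

# Allow-lists are this example's choices, not Magnolia's or the module's.
ALLOWED_REPOSITORIES = {"users", "userroles"}
ALLOWED_LANGUAGES = {"xpath", "sql"}                # JCR 1.0 query languages
HANDLERS = {"query", "create", "modify", "delete"}  # operations named on the slides

class CommandError(ValueError):
    """A remote command that must be rejected before it reaches the JCR."""

def parse_command(xml_text: str, seen_event_ids: set) -> list:
    """Validate one <mgnl-command> document and return its operations.

    Each child element is one operation. It must be a known tag handler,
    name an allowed repository and carry an event-id; an event-id that was
    already processed is treated as a replayed message and rejected
    (using event-id as an idempotency key is an assumption of this example).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "mgnl-command":
        raise CommandError(f"unexpected root element {root.tag!r}")
    ops = []
    for el in root:
        if el.tag not in HANDLERS:
            raise CommandError(f"no tag handler for {el.tag!r}")
        repo, event_id = el.get("repository"), el.get("event-id")
        if repo not in ALLOWED_REPOSITORIES:
            raise CommandError(f"repository {repo!r} not reachable via remote module")
        if not event_id:
            raise CommandError("event-id is required")
        if event_id in seen_event_ids:
            raise CommandError(f"event-id {event_id} already processed (replay)")
        if el.tag == "query" and el.get("language") not in ALLOWED_LANGUAGES:
            raise CommandError(f"unsupported query language {el.get('language')!r}")
        seen_event_ids.add(event_id)
        attrs = {k: v for k, v in el.attrib.items() if k not in ("repository", "event-id")}
        ops.append({"op": el.tag, "repository": repo, "event_id": event_id, "attrs": attrs})
    return ops

# Sample input: the query command shown on the 'XML Query' slide.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<mgnl-command>
  <query repository="users" language="xpath" statement="//*" event-id="0815"/>
</mgnl-command>"""

if __name__ == "__main__":
    seen = set()
    print(parse_command(SAMPLE, seen))       # one query op on repository 'users'
    try:
        parse_command(SAMPLE, seen)          # same event-id again -> rejected
    except CommandError as exc:
        print("rejected:", exc)
```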
Ralf Hirning
deron GmbH
Schelmenwasenstr. 32
70567 Stuttgart
Germany