SUN Identity Management Community Project
Some days ago I was wondering why, among the enterprise-level Identity and Access Management (IAM) infrastructures, I’ve never seen an open source solution.
The main driver of my curiosity was the following question: why do small and medium-sized companies spend a lot of money on very expensive licenses for products offering features that they will never use? Why don’t companies that require only a few simple identity provisioning and access control tasks use open source solutions?
So I started a brief investigation of one of the most publicized open source identity management projects: the SUN Identity Management Community Project.
SUN Identity Management Community Project offers an open source identity infrastructure that includes federation management, directory services, web single-sign-on, provisioning and other key components.
The main project is composed of several subprojects:
- Identity Connectors
- OpenDS
- OpenPtk
- OpenSSO
- OpenSpml
- Identity Manager Ide
The approach is to release the projects into the wild after SUN itself has developed them to a usable point.
Identity Connectors
The Identity Connectors Framework and Toolkit is designed to separate the implementation of an application from the dependencies of the target system it is attempting to connect to.
The framework provides just a consistent, generic layer between applications and the connectors that depend on the target resources. This means that each connector implementation can easily be replaced and, in addition, an application may choose to use multiple connectors simply by programming against the connector interface, without worrying about the type of target resource behind it. The main focus of the exposed API is therefore provisioning operations and password management.
SUN Identity Connectors Framework and Toolkit
While the framework is intended to offer the decoupling discussed above, the toolkit is intended to facilitate the development of new Connectors.
From the project page you can download the framework, the toolkit and a set of connectors, but to leverage the features of the project you must develop your own application.
As you can imagine, Identity Connectors must not be considered a download-install-and-use product but a framework for developing your own provisioning applications.
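To make the decoupling concrete, here is an added example of the kind of provisioning application the post says you must write yourself. It is not code from the original post or from the Identity Connectors project; it only uses the framework’s public API (`ConnectorInfoManager`, `ConnectorFacade`, `AttributeBuilder`, `GuardedString`). The bundle name, bundle version, connector class name and the configuration property names (`host`, `port`, `ssl`, `principal`, `credentials`, `baseContexts`) are assumptions about an LDAP connector bundle and must be checked against the bundle you actually download; the DN, mail address and passwords are constructed sample values.

```java
// Added example (not from the post or the Identity Connectors project).
// A minimal provisioning application that talks to a target system only
// through the framework's generic ConnectorFacade, so swapping the bundle
// and ConnectorKey swaps the target resource without touching the rest.
import java.io.File;
import java.net.URL;
import java.util.HashSet;
import java.util.Set;

import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.framework.api.APIConfiguration;
import org.identityconnectors.framework.api.ConfigurationProperties;
import org.identityconnectors.framework.api.ConnectorFacade;
import org.identityconnectors.framework.api.ConnectorFacadeFactory;
import org.identityconnectors.framework.api.ConnectorInfo;
import org.identityconnectors.framework.api.ConnectorInfoManager;
import org.identityconnectors.framework.api.ConnectorInfoManagerFactory;
import org.identityconnectors.framework.api.ConnectorKey;
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeBuilder;
import org.identityconnectors.framework.common.objects.Name;
import org.identityconnectors.framework.common.objects.ObjectClass;
import org.identityconnectors.framework.common.objects.Uid;

public class ProvisioningApp {

    /** Loads one connector bundle and returns a facade; the app never sees the LDAP API. */
    static ConnectorFacade openConnector(File bundleJar, char[] adminPassword) throws Exception {
        ConnectorInfoManagerFactory factory = ConnectorInfoManagerFactory.getInstance();
        ConnectorInfoManager manager = factory.getLocalManager(bundleJar.toURI().toURL());

        // ASSUMED values: bundle name, version and connector class of an LDAP bundle.
        ConnectorKey key = new ConnectorKey("org.identityconnectors.ldap", "1.0.0",
                "org.identityconnectors.ldap.LdapConnector");
        ConnectorInfo info = manager.findConnectorInfo(key);
        if (info == null) {
            throw new IllegalStateException("connector not found in bundle: " + key);
        }

        APIConfiguration apiConfig = info.createDefaultAPIConfiguration();
        ConfigurationProperties props = apiConfig.getConfigurationProperties();
        // ASSUMED property names; read them from the bundle's configuration schema.
        props.setPropertyValue("host", "ldap.example.internal");
        props.setPropertyValue("port", 636);
        props.setPropertyValue("ssl", Boolean.TRUE);
        props.setPropertyValue("principal", "cn=provisioning,dc=example,dc=com");
        // Secrets are passed as GuardedString, never as a plain String left in the heap.
        props.setPropertyValue("credentials", new GuardedString(adminPassword));
        props.setPropertyValue("baseContexts", new String[] { "ou=people,dc=example,dc=com" });

        ConnectorFacade facade = ConnectorFacadeFactory.getInstance().newInstance(apiConfig);
        facade.validate(); // let the connector reject a broken configuration before first use
        return facade;
    }

    /** Create an account using only generic attributes: __NAME__, mail and __PASSWORD__. */
    static Uid createAccount(ConnectorFacade facade, String dn, String mail, char[] initialPassword) {
        Set<Attribute> attrs = new HashSet<Attribute>();
        attrs.add(new Name(dn));                                  // the target's naming attribute
        attrs.add(AttributeBuilder.build("mail", mail));
        attrs.add(AttributeBuilder.buildPassword(new GuardedString(initialPassword)));
        return facade.create(ObjectClass.ACCOUNT, attrs, null);
    }

    /** Password management goes through the same facade as provisioning. */
    static void resetPassword(ConnectorFacade facade, Uid uid, char[] newPassword) {
        Set<Attribute> attrs = new HashSet<Attribute>();
        attrs.add(AttributeBuilder.buildPassword(new GuardedString(newPassword)));
        facade.update(ObjectClass.ACCOUNT, uid, attrs, null);
    }

    /** authenticate() returns the Uid on success and throws a ConnectorException on failure. */
    static boolean checkCredentials(ConnectorFacade facade, String username, char[] password) {
        try {
            return facade.authenticate(ObjectClass.ACCOUNT, username, new GuardedString(password), null) != null;
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ProvisioningApp /path/to/ldap-connector-bundle.jar
        char[] adminPassword = System.console().readPassword("Admin password: ");
        ConnectorFacade ldap = openConnector(new File(args[0]), adminPassword);

        // Constructed sample account; the DN and mail are illustrative only.
        Uid uid = createAccount(ldap, "uid=jdoe,ou=people,dc=example,dc=com",
                "jdoe@example.com", "Initial-Pass-123".toCharArray());
        resetPassword(ldap, uid, "Second-Pass-456".toCharArray());
        System.out.println("login with new password: "
                + checkCredentials(ldap, "jdoe", "Second-Pass-456".toCharArray()));
        System.out.println("login with old password: "
                + checkCredentials(ldap, "jdoe", "Initial-Pass-123".toCharArray()));
        ldap.delete(ObjectClass.ACCOUNT, uid, null);
    }
}
```

Nothing in `createAccount`, `resetPassword` or `checkCredentials` refers to LDAP: pointing `openConnector` at a database connector bundle with its own `ConnectorKey` and properties leaves those methods unchanged, which is exactly the decoupling the post describes. The `validate()` call is worth keeping in real code, since a misconfigured connector otherwise fails only on the first provisioning operation.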
In my (short, to be honest) experience with Identity Connectors, I’ve found a well designed and implemented framework with a good set of available Connectors.
The problems I faced were mainly related to the lack of documentation and to missing support for specific resources in the available Connectors (e.g. when I used it, the LDAP connector supported only the OpenDS server).
The only documentation I found consists of some JavaDoc, an overview, a sort of Getting Started and, at the moment, a quite poor blog.
Probably the best source of information is the users’ mailing list, where you can obtain precise and fast answers to all your doubts directly from the project’s developers.
For additional details go to the project home page [HERE].
OpenDS
The aim of the OpenDS project is to build a free directory service based on LDAP and DSML. OpenDS is designed to address large deployments, to provide high performance, to be highly extensible, and to be easy to deploy, manage and monitor. The OpenDS directory service will include not just the Directory Server but also other essential services such as directory proxy, virtual directory, namespace distribution and data synchronization.
I’ve never used OpenDS but it seems to be a good LDAP server and, probably, the most mature subproject of the SUN Identity Management Community suite.
I’m not able to give a personal opinion on OpenDS, but I’m wondering whether this product can be compared to OpenLDAP, which also supports services like meta-directory and replication, and whether it can offer some added value to our small-sized company looking for an open source IAM solution.
For additional details go to the project home page [HERE].
OpenSSO
As reported on the project’s home page, “the Open Web SSO project (OpenSSO) provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenSSO provides the foundation for integrating diverse web applications, that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers”.
As soon as possible I’ll test OpenSSO and add more details about it.
For additional details go to the project home page [HERE].
OpenPtk
OpenPTK is an open source project that provides a collection of tools and sample applications that Web and Java developers can use to integrate custom applications with user provisioning systems. Using industry-standard interfaces, developers can build flexible user management applications.
Project OpenPTK is a three-tier architecture which enables developers to focus on the business application interface and not on the underlying user data store. The tiers are:
- Consumer Tier interfaces, which address various development options. The project exposes APIs, Web Services, HTML Taglibs and JSR-168 Portlets, with user self-service and administration examples.
- Service Tier interfaces, which give an abstract view of the back-end user data stores. The architecture supports several pluggable back-end services, including Sun’s Identity Manager (SPML), databases (JDBC) and LDAPv3 (JNDI), and allows new custom services to be developed.
- Framework Tier, which integrates the Consumer and Service tiers while also managing configuration, logging/debugging and provisioning operations.
SUN OpenPtk Framework
The role of OpenPTK services can be compared to that of Identity Connectors. Project OpenPTK has tested an Identity Connector Service that allows Identity Connectors to be used as a service in the OpenPTK framework. However, this work is not yet ready to be considered for inclusion in OpenPTK. When this service is ready, OpenPTK users will be able to include all the available Identity Connectors in OpenPTK-based applications. One drawback I see is that, if the framework remains the same, some of the useful features of the Identity Connectors will be lost because of the minimal set of operations supported by the Service interface. This could be the lever for better collaboration between the two projects.
For additional details go to the project home page [HERE].
OpenSPML and Identity Manager IDE
In addition to the subprojects reported above, the SUN Identity Management Community also provides OpenSPML and Identity Manager IDE.
The former is open source client code that supports the Service Provisioning Markup Language (SPML) developed by the OASIS Provisioning Services Technical Committee (PSTC), while the latter provides a comprehensive toolset to view, customize, debug and profile one or more installations of SUN Identity Manager.
While OpenSPML is used in some other subprojects, such as the SPML Service of OpenPTK, the Identity Manager IDE is just a NetBeans plugin that can be used to configure and customize a SUN Identity Manager installation.
For additional details go to the projects’ home pages [HERE] and [HERE].
Tags: connectors, open source, opends, openptk, openspml, opensso, SUN
November 9th, 2009 at 3:19 pm
[...] Some days ago I was wondering why among the enterprise level Identity and Access Management (IAM) infrastructures, I’ve never seen an open source solution. Sun claims “to open sourcing all of its identity management software products by early 2011” but in the meanwhile, is there any complete, enterprise level, open source identity & access management suite? If not, is there any set of open source components that can be combined together to build a complete IAM suite? [...]
November 24th, 2009 at 2:34 pm
[...] 24, 2009 · Leave a Comment Luca Mayer has this summary of Sun’s open source IdM projects. I have some experience with OpenSPML (obviously), [...]