eSCIMo - User Provisioning over Web
ldapcon
Transcript of eSCIMo - User Provisioning over Web
Page 1
User Provisioning Over Web
Kiran Ayyagari
Page 2
Kiran Ayyagari
PMC member, ApacheDS project
Consulting & support on ApacheDS
Started the eSCIMo project
[email protected], [email protected]
Page 3
What Is SCIM
System for Cross-domain Identity Management
A standard for provisioning and managing user and group identities across domains: resources are JSON documents exchanged over HTTP
Page 4
SCIM Schema
A collection of attribute definitions
e.g.
    {
      "id": "urn:scim:schemas:core:2.0:User",
      "name": "User",
      "description": "Core User",
      "attributes": [
        {
          "name": "id",
          "type": "string",
          "multiValued": false,
          "description": "Unique identifier for the SCIM resource. REQUIRED.",
          "readOnly": true,
          "required": true,
          "caseExact": false
        },
        ...
      ]
    }
Page 5
SCIM Schema...
Simple attribute, e.g. userName – the user's login name
Complex attribute, e.g. name – a collection of sub-attributes such as familyName and givenName
Multi-valued attribute, e.g. emails – a collection of all the user's email addresses
Sub-attribute, e.g. familyName – a user's family name, held inside the complex attribute name
Page 6
SCIM Schema...
Platform-neutral JSON format
URN as the schema ID (the slides use the draft-era form urn:scim:schemas:core:2.0:User; RFC 7643 later renamed it to urn:ietf:params:scim:schemas:core:2.0:User, so check which form a peer expects)
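The attribute definitions above are what a server should enforce before it writes anything to the backend: the schema says which attributes exist, which are required, which are multi-valued and, through readOnly, which are assigned by the server rather than the client. The following added example (written for this page, not eSCIMo's code) validates a client-supplied create payload against a schema in exactly the slide's shape. USER_SCHEMA is a constructed subset of the core User schema using the draft-era readOnly/required/multiValued flags (RFC 7643 later replaced readOnly with a "mutability" field); the payload in the main block is constructed too.

```python
"""Validate a client-supplied SCIM create payload against schema attribute definitions.

Added example, not eSCIMo code. USER_SCHEMA follows the attribute-definition shape
on the slide (draft-era readOnly/required/multiValued flags) and is a constructed
subset of the core User schema.
"""
import json


def _attr(name, type_, **flags):
    """Attribute definition with the slide's flags, defaulting to writable and optional."""
    return dict({"name": name, "type": type_, "multiValued": False,
                 "readOnly": False, "required": False}, **flags)


USER_SCHEMA = {
    "id": "urn:scim:schemas:core:2.0:User",
    "name": "User",
    "attributes": [
        _attr("id", "string", readOnly=True, required=True),   # server-assigned
        _attr("userName", "string", required=True),
        _attr("active", "boolean"),
        _attr("name", "complex", subAttributes=[_attr("familyName", "string"),
                                                _attr("givenName", "string")]),
        _attr("emails", "complex", multiValued=True,
              subAttributes=[_attr("value", "string", required=True),
                             _attr("primary", "boolean")]),
    ],
}

_PY_TYPES = {"string": str, "boolean": bool, "complex": dict}


def _check(defn, value, path):
    """Type-check one value against its definition; returns (ok, cleaned, errors)."""
    if defn["multiValued"]:
        if not isinstance(value, list):
            return False, None, [f"{path} must be an array"]
        out, errs = [], []
        for i, item in enumerate(value):
            ok, v, e = _check(dict(defn, multiValued=False), item, f"{path}[{i}]")
            errs.extend(e)
            if ok:
                out.append(v)
        return not errs, out, errs
    if not isinstance(value, _PY_TYPES[defn["type"]]):
        return False, None, [f"{path} must be of type {defn['type']}"]
    if defn["type"] != "complex":
        return True, value, []
    subs = {s["name"]: s for s in defn.get("subAttributes", [])}
    out, errs = {}, []
    for k, v in value.items():
        if k not in subs:
            errs.append(f"unknown sub-attribute {path}.{k}")
            continue
        ok, vv, e = _check(subs[k], v, f"{path}.{k}")
        errs.extend(e)
        if ok:
            out[k] = vv
    errs += [f"missing required sub-attribute {path}.{s['name']}"
             for s in subs.values() if s["required"] and s["name"] not in out]
    return not errs, out, errs


def validate_create(schema, resource):
    """Return (cleaned, errors) for a POST body.

    Unknown attributes are rejected rather than passed through to the backend,
    readOnly attributes (e.g. id) are dropped because the server assigns them,
    required writable attributes must be present, and every value is type-checked.
    """
    defs = {d["name"]: d for d in schema["attributes"]}
    cleaned, errors = {}, []
    for key, value in resource.items():
        if key == "schemas":
            cleaned[key] = value
            continue
        if key not in defs:
            errors.append(f"unknown attribute {key!r}")
        elif not defs[key]["readOnly"]:
            ok, v, e = _check(defs[key], value, key)
            errors.extend(e)
            if ok:
                cleaned[key] = v
    errors += [f"missing required attribute {d['name']!r}" for d in schema["attributes"]
               if d["required"] and not d["readOnly"] and d["name"] not in cleaned]
    return cleaned, errors


if __name__ == "__main__":
    # Constructed payload: the client tries to pick its own id and adds an
    # attribute that the schema does not define.
    payload = {"schemas": ["urn:scim:schemas:core:2.0:User"],
               "id": "00000000-0000-0000-0000-000000000001", "userName": "naveens",
               "name": {"familyName": "Sivashankar", "givenName": "Naveen"},
               "emails": [{"value": "naveens@example.com", "primary": True}],
               "isAdmin": True}
    cleaned, errors = validate_create(USER_SCHEMA, payload)
    print(json.dumps(cleaned, indent=2), errors, sep="\n")
```

Silently dropping a client-supplied id is the behaviour to aim for on create; on PUT/PATCH the same readOnly flag means the server must refuse to let the client move an entry's identity, and the "unknown attribute" rejection keeps arbitrary JSON keys from being forwarded to whatever the resource provider does with them.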
Page 7
SCIM Data Model
User (as shown in the directory): Name: Naveen S; UID: naveens; Last Name: Sivashankar; First Name: Naveen
User resource:
    {
      "schemas": ["urn:scim:schemas:core:2.0:User"],
      "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
      "userName": "naveens",
      "displayName": "Naveen S",
      "active": true,
      "name": {
        "familyName": "Sivashankar",
        "givenName": "Naveen"
      },
      "emails": [
        { "value": "[email protected]" },
        { "value": "[email protected]" }
      ],
      ...
    }
Page 8
SCIM Data Model...
e.g. Extended user
    {
      "schemas": [
        "urn:scim:schemas:core:2.0:User",
        "urn:scim:schemas:extension:enterprise:2.0:User"
      ],
      "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
      "userName": "naveens",
      ...
      "urn:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "11011",
        "costCenter": "007",
        ...
      }
    }
Figure: User (Name: Naveen S; UID: naveens) extended with Enterprise User (Employee No: 11011; Cost Center: 007)
Page 9
SCIM Data Model...
Group (as shown): Name: Administrators; Members: naveens
    {
      "schemas": ["urn:scim:schemas:core:2.0:Group"],
      "id": "484fbc39-ae09-427b-896f-d469d28895ad",
      "displayName": "Administrators",
      "members": [
        {
          "value": "45ceb739-1695-4c03-ab18-33ac71e91875",
          "$ref": "http://localhost:8080/v2/Users/45ceb739-1695-4c03-ab18-33ac71e91875",
          "display": "naveens"
        }
      ]
    }
Page 10
SCIM API
Uses REST: resources are addressed by URL (e.g. /v2/Users/{id}, /v2/Groups/{id}) and exchanged as JSON over HTTP
Supports:
CRUD operations (create, read, replace, partial update via PATCH, delete)
Bulk modification (many operations carried in one request)
Paged search (a filter expression plus startIndex/count paging)
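The paged search is the operation most worth seeing in code, because it is where a client-supplied expression is evaluated against the whole directory. The following added example (written for this page, not eSCIMo's code) implements the server side of GET /Users?filter=...&startIndex=...&count=... over an in-memory list of constructed User resources. It supports a subset of the SCIM filter grammar (attribute paths, eq/ne/co/sw/ew/pr, "and" binding tighter than "or", no parentheses, and no operator words inside quoted values), caps count server-side, and wraps the page in the ListResponse envelope of RFC 7644; the slides predate that RFC and would use the older urn:scim:... form of the message URN.

```python
"""Server-side logic of a SCIM paged search: GET /Users?filter=...&startIndex=...&count=...

Added example, not eSCIMo code. USERS is a constructed directory; the filter grammar
is a subset of SCIM's; the response envelope is the ListResponse of RFC 7644.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
MAX_PAGE = 50  # server-side cap on count: a client must not dump the directory in one call

# Constructed directory contents.
USERS = [
    {"id": "45ceb739-1695-4c03-ab18-33ac71e91875", "userName": "naveens", "active": True,
     "name": {"familyName": "Sivashankar", "givenName": "Naveen"}},
    {"id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d", "userName": "jdoe", "active": True,
     "name": {"familyName": "Doe", "givenName": "John"}},
    {"id": "1b9d6bcd-bbfd-4b2d-9b5d-ab8dfbbd4bed", "userName": "asmith", "active": False,
     "name": {"familyName": "Smith", "givenName": "Alice"}},
    {"id": "6ec0bd7f-11c0-43da-975e-2a8ad9ebae0b", "userName": "rsiva", "active": True,
     "name": {"familyName": "Sivaraman", "givenName": "Ravi"}},
]

# One comparison: attrPath op [value]; the value is a double-quoted string or true/false.
_TERM = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|ne|co|sw|ew|pr)(?:\s+("(?:[^"\\]|\\.)*"|true|false))?\s*$')


def _get(resource, path):
    """Resolve a dotted attribute path such as name.familyName; None if absent."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _term_matches(resource, term):
    m = _TERM.match(term)
    if not m or (m.group(2) == "pr") != (m.group(3) is None):
        raise ValueError(f"invalid filter term: {term!r}")  # a real server answers 400 here
    path, op, raw = m.groups()
    actual = _get(resource, path)
    if op == "pr":
        return actual is not None
    wanted = raw == "true" if raw in ("true", "false") else raw[1:-1].replace('\\"', '"')
    if isinstance(actual, str) and isinstance(wanted, str):
        a, w = actual.lower(), wanted.lower()  # caseExact=false comparison
        return {"eq": a == w, "ne": a != w, "co": w in a,
                "sw": a.startswith(w), "ew": a.endswith(w)}[op]
    if op in ("eq", "ne"):
        return (actual == wanted) == (op == "eq")
    return False  # co/sw/ew are defined on strings only


def matches(resource, filter_expr):
    """Evaluate a filter: 'or'-separated clauses, each an 'and'-conjunction of terms."""
    return any(all(_term_matches(resource, t) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", filter_expr))


def list_resources(resources, query_string):
    """Build the ListResponse body for the query part of a GET /Users request."""
    params = parse_qs(query_string)
    filter_expr = params.get("filter", [None])[0]
    start_index = max(1, int(params.get("startIndex", ["1"])[0]))  # SCIM paging is 1-based
    count = min(MAX_PAGE, max(0, int(params.get("count", [str(MAX_PAGE)])[0])))
    hits = [r for r in resources if filter_expr is None or matches(r, filter_expr)]
    page = hits[start_index - 1:start_index - 1 + count]
    return {"schemas": [LIST_RESPONSE], "totalResults": len(hits),
            "startIndex": start_index, "itemsPerPage": len(page), "Resources": page}


if __name__ == "__main__":
    url = ('http://localhost:8080/v2/Users'
           '?filter=name.familyName co "siva" and active eq true&startIndex=1&count=1')
    print(json.dumps(list_resources(USERS, urlsplit(url).query), indent=2))
```

Two points carry over to an LDAP-backed server such as eSCIMo: the filter is parsed into a structure first and only then evaluated (or translated into an LDAP filter), never spliced into a backend query as text, and totalResults exposes how many entries match, so the same authorization that limits what a caller may read must also limit what it may count.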
Page 11
What Is eSCIMo
An implementation of SCIM v2.0
Supports LDAP as a backend by default
Can work with any LDAP server
Embeddable in ApacheDS
Page 12
Running eSCIMo
Scenario 1
Diagram: eSCIMo deployed in an app server/container, talking to a separate LDAP server
Page 13
Running eSCIMo...
Scenario 2
Diagram: eSCIMo embedded in ApacheDS, served by Jetty
Page 14
Architecture of eSCIMo
Diagram: REST API, with a Security Filter, on top of a Resource Provider Interface; providers plug in behind that interface: LDAP Resource Provider (implemented, backed by an LDAP server), RDBMS Resource Provider (not implemented, would be backed by an RDBMS) and further, yet-to-be-defined Resource Providers (not implemented)
Page 15
How Does It Work?
Attribute mapping
Mapping a simple attribute, e.g.
"id": "45ceb739-1695-4c03-ab18-33ac71e91875"
"userName": "naveens"
<attribute name="id" mappedTo="entryUUID" />
<attribute name="userName" mappedTo="uid" />
Page 16
How Does It Work...
Attribute mapping contd...
Mapping a complex attribute
e.g. "name": {
"familyName": "Sivashankar",
"givenName": "Naveen Sivashankar"
}
<complex-attribute name="name">
<at-group>
<attribute name="familyName" mappedTo="sn" />
<attribute name="givenName" mappedTo="cn" />
</at-group>
</complex-attribute>
Page 17
How Does It Work...
Attribute mapping contd...
Mapping a multi-valued attribute
e.g. "emails" : [ { "value": "[email protected]" }, { "value": "[email protected]" } ]
<multival-attribute name="emails">
<at-group>
<attribute name="value" mappedTo="mail" />
</at-group>
</multival-attribute>
Page 18
How Does It Work...
Attribute mapping contd...
e.g. "groups": [
{
"id": "484fbc39-ae09-427b-896f-d469d28895ad",
"$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896f-d469d28895ad",
"display": "Administrators"
} ]
"id" - How can we fetch the ID of the member entry?
"$ref" - How do we build a URL dynamically?
Page 19
How Does It Work... Attribute Handlers
Handler Implementation
public class GroupsAttributeHandler extends LdapAttributeHandler {
public void read();
public void write();
public void patch();
}
Handler definition
<handler name="groupsHandler"
class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />
Handler mapping
<multival-attribute name="groups" baseDn="ou=system"
filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
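The attribute mapping on pages 15 to 17 and the handler on pages 18 and 19 together describe one read path: take an LDAP entry, apply the mapping, and let a handler fill attributes such as groups that need a directory search and a URL built from the entry's id. The following added example, written for this page and not eSCIMo's own implementation, applies a mapping in that XML form to an in-memory directory. Assumptions: the mapping file, the directory contents, BASE_URL and the Python function that stands in for the slide's GroupsAttributeHandler are all constructed; givenName is mapped to the LDAP givenName attribute rather than to cn as on page 16, because cn holds the full common name; the member entries use value/$ref/display as in the Group resource on page 9. It also escapes the DN substituted for $entryDn per RFC 4515, which any handler that builds a filter from entry data has to do: RDN values may legitimately contain "(", ")" or "*", and without escaping such a DN changes the meaning of the filter.

```python
"""Map an LDAP entry to a SCIM User with an eSCIMo-style XML attribute mapping.

Added example; not eSCIMo's implementation. Mapping file, directory, BASE_URL and
the groups handler function are constructed for this page.
"""
import re
import xml.etree.ElementTree as ET

BASE_URL = "http://localhost:8080/v2"  # assumed service root used to build $ref

MAPPING_XML = """
<user-mapping>
  <attribute name="id" mappedTo="entryUUID" />
  <attribute name="userName" mappedTo="uid" />
  <complex-attribute name="name">
    <at-group>
      <attribute name="familyName" mappedTo="sn" />
      <attribute name="givenName" mappedTo="givenName" />
    </at-group>
  </complex-attribute>
  <multival-attribute name="emails">
    <at-group><attribute name="value" mappedTo="mail" /></at-group>
  </multival-attribute>
  <handler name="groupsHandler" class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />
  <multival-attribute name="groups" baseDn="ou=system"
      filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
</user-mapping>
"""

# Constructed in-memory directory: DN -> attribute -> list of values.
DIRECTORY = {
    "uid=naveens,ou=users,ou=system": {
        "entryUUID": ["45ceb739-1695-4c03-ab18-33ac71e91875"], "uid": ["naveens"],
        "cn": ["Naveen Sivashankar"], "sn": ["Sivashankar"], "givenName": ["Naveen"],
        "mail": ["naveens@example.com", "naveen.s@example.com"]},
    "cn=Administrators,ou=groups,ou=system": {
        "entryUUID": ["484fbc39-ae09-427b-896f-d469d28895ad"], "cn": ["Administrators"],
        "uniqueMember": ["uid=naveens,ou=users,ou=system"]},
    "cn=Auditors,ou=groups,ou=system": {
        "entryUUID": ["c0a8a3e1-2f1d-4c7b-9d3e-0b1f2a3c4d5e"], "cn": ["Auditors"],
        "uniqueMember": ["uid=alice,ou=users,ou=system"]},
}


def ldap_escape(value):
    """Escape a value for use inside a search filter (RFC 4515), so that a DN
    substituted for $entryDn cannot inject extra filter components."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search(base_dn, ldap_filter):
    """Subtree search over DIRECTORY supporting only one (attr=value) equality filter."""
    m = re.match(r"^\((\w+)=(.*)\)$", ldap_filter)
    if not m or "*" in m.group(2) or "(" in m.group(2):
        raise ValueError("unsupported filter: " + ldap_filter)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and wanted in attrs.get(m.group(1), [])]


def _first(entry, ldap_at):
    return (entry.get(ldap_at) or [None])[0]


def _from_entry(elem, entry):
    """One dict per value index for the <attribute> children of elem."""
    ats = [(a.get("name"), a.get("mappedTo")) for a in elem.iter("attribute")]
    n = max((len(entry.get(at, [])) for _, at in ats), default=0)
    return [{name: (entry.get(at, []) + [None] * n)[i] for name, at in ats} for i in range(n)]


def groups_handler(elem, dn, entry):
    """Read side of the groups handler: groups naming this entry as uniqueMember.
    The group's entryUUID is its SCIM id, which answers the slide's two questions."""
    ldap_filter = elem.get("filter").replace("$entryDn", ldap_escape(dn))
    out = []
    for gdn in search(elem.get("baseDn"), ldap_filter):
        gid = _first(DIRECTORY[gdn], "entryUUID")
        out.append({"value": gid, "$ref": f"{BASE_URL}/Groups/{gid}",
                    "display": _first(DIRECTORY[gdn], "cn")})
    return out


HANDLERS = {"org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler": groups_handler}


def to_scim(dn, mapping_xml=MAPPING_XML):
    """Build the SCIM User resource for the entry at dn."""
    root = ET.fromstring(mapping_xml)
    handlers = {h.get("name"): HANDLERS[h.get("class")] for h in root.iter("handler")}
    entry = DIRECTORY[dn]
    resource = {"schemas": ["urn:scim:schemas:core:2.0:User"]}
    for elem in root:
        name = elem.get("name")
        if elem.tag == "attribute":
            resource[name] = _first(entry, elem.get("mappedTo"))
        elif elem.tag == "complex-attribute":
            rows = _from_entry(elem, entry)
            resource[name] = rows[0] if rows else None
        elif elem.tag == "multival-attribute":
            ref = elem.get("handlerRef")
            resource[name] = handlers[ref](elem, dn, entry) if ref else _from_entry(elem, entry)
    return resource


if __name__ == "__main__":
    import json
    print(json.dumps(to_scim("uid=naveens,ou=users,ou=system"), indent=2))
```

The toy search deliberately rejects anything that is not a single equality filter, so an unescaped DN such as uid=x)(objectClass=* raises instead of silently widening the search; a real LDAP server would accept the widened filter and return every entry, which is why the escaping belongs in the handler and not in the hope that DNs are clean.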
Page 20
eSCIMo Json2Java
Is a Maven plugin
Generates Java model classes from SCIM schemas
Page 21
eSCIMo Client
Works with the generated model classes
e.g. adding a User resource
User user = new User();
user.setUserName( "naveens" );
user.setDisplayName( "Naveen Sivashankar" );
user.setPassword( "secret" );
Name name = new Name();
name.setFamilyName( "Sivashankar" );
name.setGivenName( "Naveen" );
user.setName( name );
EscimoResult result = client.addUser( user );
Page 22
Demo
Page 23
Questions
?
Page 24
Thank you!