Child pages
  • OpenIAM Identity Manager PoC VM - v3.5

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

 simplify the effort to carry out proof of concepts, OpenIAM has prepared a virtual machine with a pre-installed copy of the OpenIAM version 3.5.  This VM has been pre-configured to carry out a number of common use cases including:

  • User Provisioning / De-provisioning
    • Pre-configured connectors for Active Directory and Linux Server
  • Synchronization from a source such as a CSV File
  • Synchronizing existing users in Active Directory
  • Self Registration
  • Role based povisioning
  • Selfservice forgot password
  • Delegated administration

This document describes how each of these use cases has been configured.  These details should simplify the effort needed to setup the PoC in your environment.

** The VM is provided solely for testing and POC purposes and not for production use ** 

The section provides:

For additional information please contact: sales@openiam.com or use our Forums at:

Product documentation is available at:



Table of Contents



VM Components

Excerpt

The VM contains the following components:

  • OpenIAM Identity and Access Manager 3.5
  • CentOS 7
  • Java 7
  • Maria DB 5.5 (MySQL equivalent) 
  • JBoss 7.1.1



Getting Started

Install VM

The VM has been delivered in an OVA file format. Open the file use VMWare. The compatibility options are listed below:

Memory and CPU

Minimum required to start the application:

  • 2 vCPUs
  • 8 GB of RAM

Recommended for a PoC

  • 4 vCPUs
  • 12 GB of RAM


The OpenIAM application has been deployed in a two tier configuration and has been configured to auto start. On a PoC VM the application may take a few minutes to start. You can check if the application is running by checking the processes and logs:

JBoss (Service Layer):

To check if the process is running:

    ps -ef | grep jboss

To check the logs and see if the :

   service jbossas7 log
 
Code Block
16:55:23,652 INFO  [org.mule.DefaultMuleContext] (MSC service thread 1-2) 
**********************************************************************
* Application: openiam-esb                                           *
* OS encoding: ANSI_X3.4-1968, Mule encoding: UTF-8                  *
*                                                                    *
* Agents Running:                                                    *
*   JMX Agent                                                        *
**********************************************************************
16:55:23,730 INFO  [org.springframework.web.context.support.XmlWebApplicationContext] (MSC service thread 1-2) Refreshing Root WebApplicationContext: startup date [Tue Feb 28 16:55:23 EST 2017]; parent: Root WebApplicationContext

Starting and stopping JBoss:

    service jbossas7 start
    service jbossas7 stop

Tomcat (UI):

To check if the process is running:

    ps -ef | grep tomcat

To check the logs and see if the :

   cd /usr/local/OpenIAM/tomcat/logs
   tail -f catalina.out
Code Block
Feb 28, 2017 5:15:56 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-/0.0.0.0-8080"]
Feb 28, 2017 5:15:56 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Feb 28, 2017 5:15:56 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 154860 ms

The last line tells us that the UI is running and we can login.

Starting and stopping tomcat:

    service tomcat start
    service tomcat stop

Primary Content Provider Configuration

Some parts of the user interface in OpenIAM are template based and these template can be linked to multiple URL. To support this behavior, OpenIAM uses a "Content Provider".  While the content provider concept provides a significant amount of functionality within OpenIAM, at its most basic level,  a content provider is used to define the URLs / DNS names which OpenIAM will respond to.  This configuration is particularly important if we are using the reverse proxy which provides an extra level of security for the OpenIAM application as well as SSO for legacy applications.  

For the purpose of the PoC, we have created a DNS name called: openiam.mycompany.local . You can create any DNS name that is appropriate within your environment. You can test locally by updating the /etc/hosts file.

For example: 192.168.149.140 openiam.mycompany.local

You can then access the UI at:

http://openiam.mycompany.local:8080/webconsole
http://openiam.mycompany.local:8080/selfservice

The VM includes a content provider for this DNS name. To update it for your environment, follow the steps below:

  • Login to Webconsole
  • Click on Access Control → Content Provider
  • Select the "Primary Content Provider" configuration



In the configuration above, replace JUST the DNS name in each entry. Do NOT replace this with an IP Address.


Pre-Defined PoC Configuration

The PoC VM has been pre-configured to demonstrate common use cases found in mid to large organizations.  The implementation of these use cases has been simplified for use in a POC, but they are complex enough to demonstrate how OpenIAM solves real world problems.  To support this objective, the OpenIAM PoC contains several pre-defined roles, users, connection to active directory and synchronization from a CSV file.  These details are defined below.

Predefined Roles

Organizational RoleJob Profile Role

SALES

  • AD
  • AD PATH = OU=Service,OU=users,OU=pocvm35,DC=dev,DC=local
  • Sales Group

Help Desk Rep

IT

  • AD
  • AD PATH = OU=IT,OU=users,OU=pocvm35,DC=dev,DC=local
  • IT Group

Developer

  • Provisions to Linux
  • Selfservice access is limited to:
    • Selfservice center
    • Access Management → Create Request

FINANCE

  • AD
  • AD PATH = OU=finance,OU=users,OU=pocvm35,DC=dev,DC=local

Manager

  • Selfservce access is limited to:
    • Selfservice center
    • Request approval - { In-box, request history }
    • Access Management → {Create Request, New User}

HUMAN RESOURCE

  • AD
  • AD PATH = OU=hr,OU=users,OU=pocvm35,DC=dev,DC=local

Human Resource Generalist

  • Self Service access is limited to:
    • Selfservice Center
    • Access Control → Create User

ORG ADMIN

  • Self Service access is limited to:
    • Selfservice Center
    • Access Control → Manage User


Predefined Users and Credentials

User IdRolePassword
sysadminSuper Sec Adminpasswd00
helpdeskHelpDeskPassword$52
Tom.ManagerManagerPassword$52
Joe.DeveloperDeveloperPassword$52
James.OrgadminORG ADMINPassword$52
steve.hrHuman Resource GeneralistPassword$52

The PoC VM has been preconfigured to work with a number of connectors.  These connectors are configured with a minimal amount of detail to allow for a proof of concept. The predefined configuration is *not*  designed to show all the capabilities of the connectors. That information can be found in our documentation or by reaching out to OpenIAM at sales@openiam.com

Connecting to Active Directory

OpenIAM offers two connectors to enable integration with Active Directory. One is  Powershell based and the other  is java based and can run on Linux. While the powershell connector allows you to implement virtually anything possible with Powershell, its requires a Windows Server. Since our objective is to make this PoC VM self-contained, we have defined a connection to AD using the Java LDAP connector.

This connector is pointing to our OpenIAM Test Active Directory.

The Java AD Connector requires that AD supports SSL.   The powershell connector does not require this.    This is a requirement from Microsoft where all non Microsoft technologies must communicate with AD over SSL to reset / change a users password.

To integrate with your own Active Directory, please follow the steps below:

  • Login to the Webconsole
  • Go to Provisioning → Managed System
  • Select POC ACTIVE DIRECTORY 
  • Update the highlighted sections shown below:



Field NameDescription
Host URLUpdate it to the host name or IP of you Active Directory
Login IdAD Service account which has the right to create, delete and update user, reset passwords, etc
PasswordPassword for the service account
Base DNPart of the AD tree under which the system will manage all users
Search Base DNPart of the AD tree that the system should search when looking up an object
  • After update the above fields click on save.
  • Then click on the Request Certificate Button and click on Save.
  • Click on Test Connection to confirm that you are connection is valid. It possible that you may need to restart JBoss after importing a new certificate.

Provisioning to Linux

The PoC VM includes a preconfigured Linux connector which can be used to provision users to Linux.  Since the objective is to have self contained VM, the linux connector has been configured to point to underlying Linux OS on the VM.   To update this configuration and to have it connect to another Linux server, follow the steps below to simplify the configuration:

  • Login to the Webconsole
  • Go to Provisioning → Managed System
  • Select POC VM Linux Server

Update the following fields to point your linux server

Field NameDescription
Host URLHost Name or IP address of your linux server
Login IdService account which is able to create, update, delete user accounts
PasswordPassword for the service account
  • Click on Save

You can test this functionality by create a user in the "Developer" role which is already entitled to the linux connector configuration.


Use Cases

The sections below describe common use cases that we have seen in often in real deployments. They have been simplified for use in POC, but they are complex enough to demonstrate how OpenIAM solves real world problems.   As part of the User Provisioning use cases, the following two concepts:

  • Organization Role - An organization role maps to your Organizational unit such as the company, department, division, etc.  Entitlements that are common to everyone in the organizational unit can be linked to these roles. For example, your AD path, group memberships, etc.
  • Job Profile Role - A Job Profile role could be linked to your job profile, title, etc. These roles provide entitlements based on a person's Job.

The CSV File Sync and the UI based user creation screen can be used to see how these roles can co-exist.  Changing a user's organizational role will cause the user to move to a different OU.   Changing a person's job profile we result in a person losing entitlements which are no longer needed.

Synchronize Users from a CSV Source File

Most identity management projects require that we provide automated user provisioning and de-provisioning based on changes occurring in a source system. To support this requirement, OpenIAM provides the capability to synchronize information from a number of sources including:

  • CSV File
  • LDAP or Active Directory
  • Database
  • Events being sent to OpenIAM
  • Custom adapter

For the PoC, a CSV file has been provided to simulate active synchronization from a source system.  The csv file can be found at:  /usr/local/OpenIAM/data/openiam/upload/sync/test-user-with-role.csv 

The columns are also shown below.  

FIRST_NAMELAST_NAMEEMAILPHONETITLESUPERVISORSTATUSEMPLOYEE_IDADDRESSCITYSTATEDIVISIONDEPTSTART_DATECOMPANY
DonaldDuckdonald@test.com914-11-23-456ACCOUNTS PAYABLE SPECIALISTA1111595123 MAIN STSMALLVILLEMANorth AmericaFINANCE1/10/17OpenIAM
MikeyMousemikey@test.comHUMAN RESOURCE GENERALISTA1111596123 MAIN STBOSTONMANorth AmericaHUMAN RESOURCES1/10/17OpenIAM

The run the synchronization, following the steps below:

  • Login to the Webconsole as the sysadmin
  • Select Provisioning → Synchronization
  • Select Synch from CSV (shown below)
  • Click on Synch Now


To check the user which have synchronized, follow the steps below:

  • Login to the Webconsole
  • Select User Admin → User
  • Search for Active Users

Click on any one of these users can see the details.  Some areas of interest in looking at the sync result should :

  • Data elements from the Synch are in OpenIAM
  • The identities tab shows that identities for OpenIAM and AD have been created
  • Role tab shows that a person's department membership is resulting in membership in an organizational role.
  • Active Directory shows that the user has been provisioned into the correct OUs.




To change or extend the processing of the business rules that are used for the synchronization activities use the scripts below:

  • Synchronization rules: /usr/local/OpenIAM/data/openiam/conf/iamscripts/sync/idmapps/csv/CSVTransformationScriptMod.groovy

  • Pre-process: /usr/local/OpenIAM/data/openiam/conf/iamscripts/prov-helper/PocProvisionServicePreProcessor.groovy

Synchronizing users from Active Directory

Most corporate identity management projects have to manage Active Directory.  Before we can manage it, we need to be able to synchronize the existing users and groups from Active Directory and bring them into OpenIAM so that we have a complete picture of the users and their entitlements across different systems.

To synchronize users from Active Directory, follow the steps below:

  • Login to the Webconsole as the sysadmin
  • Select Provisioning → Synchronization
  • Select Synch Users from AD (shown below)
  • Click on Synch Now

You can review the results in the same way as the synch from a CSV File.  To update the synchronization, we can update the scripts listed below:

 


  • Synchronization rules: /usr/local/OpenIAM/data/openiam/conf/iamscripts/sync/ValidateActiveDirRecord.groovy

  • Pre-process: /usr/local/OpenIAM/data/openiam/conf/iamscripts/prov-helper/PocProvisionServicePreProcessor.groovy

Creating a new user in Active Directory from the UI 

Both the Webconsole and Selfservice applications allow for authorized users to create new user.  Organizations will often have employees in their HR system and non-employees in another system.  In this case, we will show how a manager can request that a new user account be created for a contractor.  In this case the workflow will require that the request goes to the manager and upon approval their access will be created.  To review this functionality, follow the steps below:

  • Login selfservice as the sysadmin
  • Select Access Management → New User
  • Complete the form below


After submitting this form, the workflow will send a message to the Manager to review and approve the request.  

  • To view the request, login as the manager → Tom.Manager
  • View the inbox and then approve the request
  • Workflow will complete and the user will be provisioned into Active Directory based on the user membership in the End User role.

We can view the newly created user by logging into the webconsole as "sysadmin" and going to the user manager.

  • Login to the Webconsole
  • User Admin → User
  • Search for contractor

Self Registration

Self Registration in OpenIAM is workflow based which provides the following benefits:

  • Configurable to allow approval by a user
  • Workflow can be configured to auto-validate, but since it is a workflow, the system can carry out additional steps to validate that the user information is valid. These additional steps may include calling an internal or external service to validate information

The PoC VM has been configured to require approval by a person.  The field which are shown on the registration page are configurable through the Webconsole.  To validate this functionality, follow the steps outlined below:

  • Click on the Self Registration link on the login page
  • Complete the Self Registration form

Upon submitting the form, the workflow will route the request to approver. In this case the approver is the "sysadmin"

  • Login to the selfservice application as the sysadmin
  • Goto Request Approval → Inbox.
  • You will see your request in the box.  You can either view the details or click on the "Check" mark to approve the request

The workflow will complete and the user will be provisioned into both OpenIAM and the applications linked to the End User Role.

Delegated Administration for Service Providers

Delegated administration can be defined and configured in several ways.  However, for service providers, we often see a model where multiple organizations are using a common IAM platform, but admins in one organization can only see users in their organization.  This model has been implemented in the PoC VM.  To achieve this we have setup the following:

  • Created an organization called MyCorp
  • Defined a role called Org Admin which can only access Selfservice and the Manage User function in the Self-Service portal
  • Create a user call James.Orgadmin (defined above).  This user has MyCorp in his delegation filter.



  • When James.Orgadmin logs into selfservice and try's to search, he will only be able to see users in his filter.   To see more than one user, we can add other organizations to the filter.



Credentials

SystemLogin IdPassword
Linux VMrootopeniam
Maria DBrootopeniam
OpenIAM Applicationsysadminpasswd00


Application URLs