eSCIMo - User Provisioning Over Web
Kiran Ayyagari

PMC, ApacheDS project
Consulting & Support on ApacheDS
Started the eSCIMo project
kayyagari@keydap.com, kayyagari@apache.org

What Is SCIM

- System for Cross-domain Identity Management
- A standard for provisioning

SCIM Schema

A collection of attribute definitions, e.g.

{
  "id": "urn:scim:schemas:core:2.0:User",
  "name": "User",
  "description": "Core User",
  "attributes": [
    {
      "name": "id",
      "type": "string",
      "multiValued": false,
      "description": "Unique identifier for the SCIM resource. REQUIRED.",
      "readOnly": true,
      "required": true,
      "caseExact": false
    },
    ...
  ]
}

SCIM Schema...

- Simple attribute, e.g. userName – a user's name
- Complex attribute, e.g. name – a collection of firstName, lastName etc.
- Multi-valued attribute, e.g. emails – a collection of all emails
- Sub-attribute, e.g. familyName – a user's family name

SCIM Schema...

- Platform neutral
- JSON format
- URN as an ID

SCIM Data Model

User
Name : Naveen S
UID : naveens
Last Name : Sivashankar
First Name : Naveen

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
  "userName": "naveens",
  "displayName": "Naveen S",
  "active": true,
  "name": {
    "familyName": "Sivashankar",
    "givenName": "Naveen Sivashankar"
  },
  "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}],
  …
}

SCIM Data Model...

e.g. Extended user

User
Name : Naveen S
UID : naveens

Enterprise User
Employee No : 11011
Cost Center : 007

{
  "schemas": ["urn:scim:schemas:core:2.0:User",
              "urn:scim:schemas:extension:enterprise:2.0:User"],
  "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
  "userName": "naveens",
  ...
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "11011",
    "costCenter": "007"
    …
  }
}
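How a provisioning server can check an incoming User (core plus enterprise extension) against attribute definitions of the kind shown on the schema slide: an added example, not the slides' or eSCIMo's code. The schema subsets, the TYPES table and the on_create flag are constructed assumptions; the point is that readOnly attributes such as id are assigned by the server and never accepted from a client, required attributes are enforced, and an extension may only be used when its URN is declared in schemas.

```python
# Constructed subset of the core User schema, in the attribute-definition
# shape of the SCIM Schema slide (description/caseExact omitted for brevity).
CORE_USER = {
    "id": "urn:scim:schemas:core:2.0:User",
    "attributes": [
        {"name": "id", "type": "string", "multiValued": False, "readOnly": True, "required": True},
        {"name": "userName", "type": "string", "multiValued": False, "readOnly": False, "required": True},
        {"name": "displayName", "type": "string", "multiValued": False, "readOnly": False, "required": False},
        {"name": "active", "type": "boolean", "multiValued": False, "readOnly": False, "required": False},
        {"name": "name", "type": "complex", "multiValued": False, "readOnly": False, "required": False,
         "subAttributes": [{"name": "familyName", "type": "string"},
                           {"name": "givenName", "type": "string"}]},
        {"name": "emails", "type": "complex", "multiValued": True, "readOnly": False, "required": False,
         "subAttributes": [{"name": "value", "type": "string"}]},
    ],
}
# Constructed subset of the enterprise extension.
ENTERPRISE_USER = {
    "id": "urn:scim:schemas:extension:enterprise:2.0:User",
    "attributes": [
        {"name": "employeeNumber", "type": "string", "multiValued": False, "readOnly": False, "required": False},
        {"name": "costCenter", "type": "string", "multiValued": False, "readOnly": False, "required": False},
    ],
}
SCHEMAS = {s["id"]: s for s in (CORE_USER, ENTERPRISE_USER)}
TYPES = {"string": str, "boolean": bool, "complex": dict}   # JSON type per SCIM type


def _check_attrs(defs, data, errors, prefix, on_create):
    """Check one attribute set (core, extension or complex value) against its definitions."""
    known = {d["name"] for d in defs}
    for name in data:
        if name not in known:
            errors.append(f"unknown attribute {prefix}{name}")
    for d in defs:
        name, value = d["name"], data.get(d["name"])
        if value is None:
            # A read-only required attribute (e.g. id) is assigned by the server,
            # so it may be absent on create but must be present everywhere else.
            if d.get("required") and not (on_create and d.get("readOnly")):
                errors.append(f"missing required attribute {prefix}{name}")
            continue
        if on_create and d.get("readOnly"):
            errors.append(f"client may not set read-only attribute {prefix}{name}")
            continue
        if d.get("multiValued") and not isinstance(value, list):
            errors.append(f"{prefix}{name} must be a list")
            continue
        for item in (value if d.get("multiValued") else [value]):
            if not isinstance(item, TYPES[d["type"]]):
                errors.append(f"{prefix}{name} must be of type {d['type']}")
            elif d["type"] == "complex":
                _check_attrs(d["subAttributes"], item, errors, f"{prefix}{name}.", on_create)


def validate(resource, on_create=True):
    """Return the list of problems found; an empty list means the resource is acceptable.

    on_create=True applies the rules for a client-submitted POST body; False
    applies the rules for a stored or returned resource.
    """
    errors = []
    schemas = resource.get("schemas", [])
    if not schemas or schemas[0] not in SCHEMAS:
        errors.append("first entry of schemas must be a known resource schema")
    else:
        # Core attributes are every top-level key except schemas and extension URNs.
        core = {k: v for k, v in resource.items()
                if k != "schemas" and not k.startswith("urn:")}
        _check_attrs(SCHEMAS[schemas[0]]["attributes"], core, errors, "", on_create)
    for urn, ext in resource.items():
        if not urn.startswith("urn:"):
            continue
        if urn not in schemas:
            errors.append(f"extension {urn} used but not declared in schemas")
        elif urn not in SCHEMAS or not isinstance(ext, dict):
            errors.append(f"unknown or malformed extension {urn}")
        else:
            _check_attrs(SCHEMAS[urn]["attributes"], ext, errors, urn + ":", on_create)
    return errors
```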
SCIM Data Model...

Group
Name : Administrators
Members : naveens

{
  "schemas": ["urn:scim:schemas:core:2.0:Group"],
  "id": "484fbc39-ae09-427b-896f-d469d28895ad",
  "displayName": "Administrators",
  "members": [
    {
      "value": "45ceb739-1695-4c03-ab18-33ac71e91875",
      "$ref": "http://localhost:8080/v2/Users/45ceb739-1695-4c03-ab18-33ac71e91875",
      "display": "naveens"
    }
  ]
}

SCIM API

- Uses REST
- Supports
  - CRUD operations
  - Bulk modification
  - Paged search

What Is eSCIMo

- An implementation of SCIM v2.0
- Supports LDAP as a backend by default
- Can work with any LDAP server
- Embeddable in ApacheDS

Running eSCIMo

Scenario 1 (diagram): eSCIMo deployed in an app server/container, connected to a separate LDAP server.

Running eSCIMo...

Scenario 2 (diagram): eSCIMo embedded in ApacheDS, hosted by its Jetty container.

Architecture of eSCIMo

Diagram (layers, top to bottom):
- Security Filter
- REST API
- Resource Provider Interface
  - LDAP Resource Provider (implemented) -> LDAP
  - RDBMS Resource Provider (not implemented) -> RDBMS
  - ???? Resource Provider (not implemented) -> ???

How Does It Work?

Attribute mapping

Mapping a simple attribute, e.g.

  "id": "45ceb739-1695-4c03-ab18-33ac71e91875"
  "userName": "naveens"

  <attribute name="id" mappedTo="entryUUID" />
  <attribute name="userName" mappedTo="uid" />

How Does It Work...

Attribute mapping contd...

Mapping a complex attribute, e.g.

  "name": {
    "familyName": "Sivashankar",
    "givenName": "Naveen Sivashankar"
  }

  <complex-attribute name="name">
    <at-group>
      <attribute name="familyName" mappedTo="sn" />
      <attribute name="givenName" mappedTo="cn" />
    </at-group>
  </complex-attribute>

How Does It Work...

Attribute mapping contd...

Mapping a multi-valued attribute, e.g.

  "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}]

  <multival-attribute name="emails">
    <at-group>
      <attribute name="value" mappedTo="mail" />
    </at-group>
  </multival-attribute>

How Does It Work...

Attribute mapping contd...

e.g.

  "groups": [
    {
      "id": "484fbc39-ae09-427b-896f-d469d28895ad",
      "$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896f-d469d28895ad",
      "display": "Administrators"
    }
  ]

"id" - How can we fetch the ID of the member entry?
"$ref" - How do we build a URL dynamically?

How Does It Work...

Attribute Handlers

Handler implementation (sketch; each method is overridden with the logic for the attribute)

  public class GroupsAttributeHandler extends LdapAttributeHandler {
      // fetch the groups the entry belongs to: look up each group's id and build its $ref
      public void read() { /* ... */ }
      // store the entry's group memberships
      public void write() { /* ... */ }
      // apply a partial update to the memberships
      public void patch() { /* ... */ }
  }

Handler definition

  <handler name="groupsHandler"
           class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />

Handler mapping

  <multival-attribute name="groups" baseDn="ou=system"
                      filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />

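The attribute mapping slides and the handler slide put together, as an added example in Python rather than eSCIMo's Java: MAPPING_XML repeats the slides' mapping elements; USER_ENTRY, GROUP_ENTRIES, BASE_URL and the groups_handler function are constructed stand-ins for a live LDAP search and for GroupsAttributeHandler.read(), showing how the member's group ids are found and how each $ref is built.

```python
import xml.etree.ElementTree as ET

# Mapping config in the slides' element shapes (assumed to be the whole file).
MAPPING_XML = """<mapping>
  <attribute name="id" mappedTo="entryUUID" />
  <attribute name="userName" mappedTo="uid" />
  <complex-attribute name="name">
    <at-group>
      <attribute name="familyName" mappedTo="sn" />
      <attribute name="givenName" mappedTo="cn" />
    </at-group>
  </complex-attribute>
  <multival-attribute name="emails">
    <at-group>
      <attribute name="value" mappedTo="mail" />
    </at-group>
  </multival-attribute>
  <multival-attribute name="groups" baseDn="ou=system"
      filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
</mapping>
"""

# Constructed directory contents; values are lists, as an LDAP search returns them.
USER_ENTRY = {
    "dn": "uid=naveens,ou=users,ou=system",
    "entryUUID": ["45ceb739-1695-4c03-ab18-33ac71e91875"],
    "uid": ["naveens"], "sn": ["Sivashankar"], "cn": ["Naveen Sivashankar"],
    "mail": ["naveens@example.com", "ns@mymail.com"],
}
GROUP_ENTRIES = [
    {"dn": "cn=Administrators,ou=groups,ou=system",
     "entryUUID": ["484fbc39-ae09-427b-896f-d469d28895ad"],
     "cn": ["Administrators"], "uniqueMember": ["uid=naveens,ou=users,ou=system"]},
    {"dn": "cn=Auditors,ou=groups,ou=system",
     "entryUUID": ["00000000-0000-4000-8000-000000000001"],   # constructed id
     "cn": ["Auditors"], "uniqueMember": ["uid=other,ou=users,ou=system"]},
]
BASE_URL = "http://localhost:8080/v2"   # assumed service root used for $ref URLs


def groups_handler(entry, el, base_url):
    """Stand-in for GroupsAttributeHandler.read(): find the groups this entry is in.
    The slide's filter "(uniqueMember=$entryDn)" is evaluated against GROUP_ENTRIES
    under baseDn instead of a live search; $ref = service root + group entryUUID."""
    member_dn = entry["dn"].lower()
    return [
        {"id": g["entryUUID"][0],
         "$ref": f"{base_url}/Groups/{g['entryUUID'][0]}",
         "display": g["cn"][0]}
        for g in GROUP_ENTRIES
        if g["dn"].endswith(el.get("baseDn"))
        and member_dn in (m.lower() for m in g.get("uniqueMember", []))
    ]

HANDLERS = {"groupsHandler": groups_handler}   # handlerRef -> implementation


def _simple(entry, el):
    """Single-valued mapping: first LDAP value of the mappedTo attribute, or None."""
    values = entry.get(el.get("mappedTo"), [])
    return values[0] if values else None


def ldap_to_scim(entry, mapping_xml=MAPPING_XML, base_url=BASE_URL):
    """Build the SCIM User dict for one LDAP entry from the mapping config."""
    resource = {"schemas": ["urn:scim:schemas:core:2.0:User"]}
    for el in ET.fromstring(mapping_xml):
        name = el.get("name")
        if el.tag == "attribute":
            resource[name] = _simple(entry, el)
        elif el.tag == "complex-attribute":
            resource[name] = {a.get("name"): _simple(entry, a)
                              for a in el.iter("attribute")}
        elif el.get("handlerRef"):
            # Attributes that cannot be read straight off the entry go to a handler.
            resource[name] = HANDLERS[el.get("handlerRef")](entry, el, base_url)
        else:
            # Plain multi-valued: each LDAP value becomes one {"value": ...} object.
            sub = el.find("at-group/attribute")
            resource[name] = [{sub.get("name"): v}
                              for v in entry.get(sub.get("mappedTo"), [])]
    return resource
```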
eSCIMo Json2Java

- Is a Maven plugin
- Generates Java classes from SCIM schemas

eSCIMo Client

- Works with the generated model classes

e.g. Adding a User resource

  User user = new User();
  user.setUserName( "naveens" );
  user.setDisplayName( "Naveen Sivashankar" );
  user.setPassword( "secret" );
  Name name = new Name();
  name.setFamilyName( "Sivashankar" );
  name.setGivenName( "Naveen" );
  user.setName( name );
  EscimoResult result = client.addUser( user );

Demo

Questions?

Thank you!