Bridge SPE: An Introduction
Transcript of Bridge SPE: An Introduction
IRM Summit 2014
Bridge SPE
Matthias Tristl
The Challenge
• User has a local account
• User needs access to a Cloud Service
Diagram labels: Governments, SaaS, Local AD or LDAP
Solution
Automatic Provisioning into SaaS platforms
What customers expect:
■ Local Action:
– Create user locally
– Give user a role / group membership
■ Results in the Cloud:
– Automatic provisioning
– Giving users the exact entitlement they need
User Life Cycle
What customers expect:
■ Local changes of users are reflected:
– Change attributes, entitlements or profiles
– Deactivate user
– Reactivate user
■ Process Requirements:
– “One catch all” process (i.e. for initial load) for full sync
– Changes are synchronized in “near real time” like an incremental sync
Delegated Admin
What customers expect:
• Give a subset of administrators admin rights on CC for:
– Configuration
– Maintenance
– Monitoring
• Privileges are given by local group membership
SSO: Local and Cloud
■ Authentication strategies:
– SSO vs. Password Sync
■ SSO Challenge:
– Multi domain SSO
■ Even more comfort:
– Integrated Windows Authentication (IWA)
CC Components
■ CC Server
■ CC Configuration UI
■ AD/LDAP connector
■ Cloud connector
■ Configuration DB: in process or remote
■ Scheduler
Cloud Connect Architecture (diagram; component labels recovered from the slide):
■ OSGi
■ Configuration Wizard
■ OpenIDM
■ Business Logic (JavaScript, Groovy, Java)
■ Authentication: JASPI (AD and IWA)
■ Jetty Web Server
■ Salesforce and LDAP
■ OAuth
■ Salesforce / LDAP Connector
■ Federation
■ ForgeRock UI Framework
■ Reporting and Recon
User Synchronization
■ A new User is created locally
■ CC checks against the “ignored users rule”
■ CC checks for an existing association
■ If none exists, CC tries to find a target by an Association Rule
■ If none is found, the user will be created
■ After create, the accounts will be associated
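The decision flow above, written out as an added example (not code from the slides or from the product): the ignore rule, the association table, the association rule and the cloud account store are all assumptions, and the sample accounts are constructed.

```javascript
// Added example, not from the slides: a minimal model of the Cloud Connect
// decision flow for one locally created user. The ignore rule, association
// table, association rule and the cloud account store are all assumptions.

// Constructed sample SaaS accounts, keyed by their cloud id.
const cloudAccounts = new Map([
  ["sf-001", { id: "sf-001", email: "alice@example.com" }],
  ["sf-002", { id: "sf-002", email: "bob@example.com" }],
]);

// Existing associations: local objectSid -> cloud account id.
const associations = new Map([["S-1-5-21-1001", "sf-001"]]);

// "Ignored users rule": never provision service accounts or accounts that
// are disabled in AD (userAccountControl bit 0x2 = ACCOUNTDISABLE).
function ignoreRule(user) {
  return user.sAMAccountName.startsWith("svc_") ||
    (user.userAccountControl & 0x2) !== 0;
}

// Association rule: match the local mail attribute against the cloud e-mail.
// Match only on attributes users cannot edit themselves, otherwise a local
// user could get linked to somebody else's cloud account.
function associationRule(user) {
  const mail = user.mail.toLowerCase();
  for (const acct of cloudAccounts.values()) {
    if (acct.email.toLowerCase() === mail) return acct.id;
  }
  return null;
}

// Returns the action the sync engine would take for this user.
function synchronizeUser(user) {
  if (ignoreRule(user)) return { action: "ignore" };

  const linked = associations.get(user.objectSid);
  if (linked) return { action: "update", target: linked };

  const found = associationRule(user);
  if (found) {
    associations.set(user.objectSid, found);
    return { action: "associate", target: found };
  }

  const id = `sf-${String(cloudAccounts.size + 1).padStart(3, "0")}`;
  cloudAccounts.set(id, { id, email: user.mail });
  associations.set(user.objectSid, id);
  return { action: "create", target: id };
}
```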
The CC Configuration UI
■ Rich client
■ Runs in browser
■ Connects over REST to CC
■ Is JavaScript based (plus jQuery…)
UI: Top Screen
UI: Local connection I
UI: Local Connection II
■ Base Context
■ User Filter
– LDAP filter
– user objectclasses
■ Group Filter
– LDAP filter
– group objectclasses
UI: Cloud Connection
■ Protocol
– Uses REST
– Eventually OAuth 2
■ Requirements (for Salesforce)
– Connected App on SF with the following authorizations (OAuth scopes):
  ■ Access your basic information
  ■ Access and manage your data
  ■ Perform requests on your behalf at any time
– SF Domain (for SSO)
– Enable Multiple SAML configurations (for automatic SSO setup)
UI: Mapping Attributes I
UI: Mapping Attributes II
UI: Mapping Groups
■ Situation: the sync engine gets a list of the user’s AD group memberships in memberOf
■ AD groups map to SF Profiles
■ If the result would be more than one SF Profile, based on the AD group membership, the one with the highest precedence is used.
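The precedence rule above as an added example (not code from the slides or from the product); it also flags a tie at the top precedence, which the slide does not cover. Group DNs, profile names, precedence values and the default profile are constructed assumptions.

```javascript
// Added example, not from the slides: choosing one Salesforce profile from a
// user's AD memberOf list. Group DNs, profile names, precedence values and the
// default profile are constructed assumptions.

// Mapping rows as they would be configured in the UI: AD group -> SF profile,
// with a precedence; the highest precedence wins when several groups match.
const groupMappings = [
  { group: "CN=SF-Users,OU=Groups,DC=example,DC=com", profile: "Standard User", precedence: 10 },
  { group: "CN=SF-Marketing,OU=Groups,DC=example,DC=com", profile: "Marketing User", precedence: 20 },
  { group: "CN=SF-Admins,OU=Groups,DC=example,DC=com", profile: "System Administrator", precedence: 100 },
];

// Assumed fallback when none of the user's groups is mapped.
const defaultProfile = "Chatter Free User";

// AD compares distinguished names case-insensitively; normalise both sides.
function dnEquals(a, b) {
  return a.trim().toLowerCase() === b.trim().toLowerCase();
}

// All mapping rows hit by the user's groups, highest precedence first.
// Array.prototype.sort is stable, so equal precedences keep configuration order.
function matchedMappings(memberOf, mappings = groupMappings) {
  const hits = [];
  for (const dn of memberOf) {
    for (const m of mappings) {
      if (dnEquals(dn, m.group)) hits.push(m);
    }
  }
  return hits.sort((a, b) => b.precedence - a.precedence);
}

// Resolve the profile and flag a tie at the top precedence between different
// profiles: in that case configuration order, not the membership, decides the
// entitlement, which is worth surfacing in a sync report.
function resolveProfile(memberOf, mappings = groupMappings) {
  const hits = matchedMappings(memberOf, mappings);
  if (hits.length === 0) return { profile: defaultProfile, ambiguous: false };
  const ambiguous = hits.length > 1 &&
    hits[1].precedence === hits[0].precedence &&
    hits[1].profile !== hits[0].profile;
  return { profile: hits[0].profile, ambiguous };
}
```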
User Association Rules
Change Default Association Rules in the UI:
Full vs. Incremental Sync
■ Analyze Associations Now: full sync but without actions, creates statistics only
■ Sync Now: full updates, usually on a daily basis or even less frequent
■ Schedule Updates (configure update interval): same action as “Sync Now”
■ Live Updates (scheduled every 5 sec.)
– Like an incremental sync
– Only changed accounts are synced
– Close to real time schedule
Sync Reports
The CC SSO Mechanism
■ Based on SAML
■ Requires a Domain on Salesforce
■ If automatic setup is available, it is a one click configuration in Identity Connect!
■ Needs some configuration in the SF Domain
IWA Authentication Architecture
Assumption: Client and KDC are in the same domain
IC Cluster architecture (diagram; labels recovered from the slide): Browser; IC with File system; IC with File system; Repository
Cloud Connect SPE vs. EE (comparison table; feature rows):
■ Packaged as software appliance with Admin UI
■ Synchronization from Enterprise to multiple SaaS
■ Reconciliation and reporting
■ SAML2 and OAuth2
■ SSO / IWA
■ End User Dashboard
■ Runs With Any SSO Product
■ ICF