Identity and Access Management (IAM)

Misc References

• Linux LDAP How To
• Image: History of LDAP-related RFCs
• http://coewww.rutgers.edu/www1/linuxclass2003/lessons/lecture8.html

OpenID

• OpenId Explained
• OpenId for non SuperUsers
• Run Your Own Identity Servers
• Janrain OPX Groups

LDAP

• Introduction to LDAP (ed: excellent detail with lots of source code)
• LDAP Tutorial: Deploying OpenLDAP
• LDAP Tutorial: OpenLDAP password protection, security and authentication
• IBM Redbook on LDAP

Wikipedia

• Active Directory
• Remote Authentication Dial In User Service (RADIUS)
• Kerberos protocol

Products

• Novell ZENworks configuration management
• Oracle Fusion
• Kuali Identity Management (KIM)

Roadmaps

• Enterprise Authentication Implementation Roadmap by nmi-edit (website)
• Enterprise Authentication Implementation Roadmap by nmi-edit (complete PDF)

Diagrams

• http://carlos-trigoso.com/wp-content/uploads/IAM-CORE-PATTERNS.png
• Oracle Sun OpenSSO Architecture Overview

Queue

• http://sqltech.cl/doc/oas10gR2/idmanage.1012/b14082/intro.htm
• http://www.resonant.org/node/16
• http://ubuntuforums.org/archive/index.php/t-206202.html
• http://blog.whats-your.name/post/2010/04/18/
• http://ignore-your.tv/2005/03/02/ldap-sucks/
• http://www.reddit.com/r/programming/comments/bskw9/if_you_wondered_why_ldap_isnt_more_widely_used/#c0ocx9a
• http://linux.slashdot.org/story/06/09/03/1733233/LDAP-Authentication-in-Linux
• http://tech.slashdot.org/story/09/01/19/0210219/Active-Directory-Comes-To-Linux-With-Samba-4?art_pos=5
• http://linux.slashdot.org/article.pl?sid=02/01/07/1946250&mode=thread
• How to turn your blog into an OpenID
• http://middleware.internet2.edu/MACE/
• Internet2 Confluence - Signup
• Internet2 Confluence - Login
• http://www.educause.edu/iam
• http://www.nmi-edit.org/releases/index.cfm
• http://www.nmi-edit.org/context/index.cfm
• https://wikis.mit.edu/confluence/display/PERMIT/perMIT-drivers
• http://middleware.internet2.edu/dir/
• https://spaces.internet2.edu/display/macepaccman/Use+Cases
• http://net.educause.edu/camp091
• http://iam.uconn.edu/html/Resources/
• https://spaces.internet2.edu/download/attachments/1540598/Internet2+Privilege+Management+Survey+Final+Report.pdf?version=1
• Hirsch Electronics - Identity & Access Management System - Intro Video
• Identity Control Blog
• Wordpress Blogs Tagged: Identity Access Management
• Evaluating Your Identity and Access Management Options, Part 1
• Evaluating Your Identity and Access Management Options, Part 2
• http://en.wikipedia.org/wiki/Identity_management

Ruby LDAP

• http://www.codeodor.com/index.cfm/2009/6/30/Ruby-LDAP/3022
• http://www.tutorialspoint.com/ruby/ruby_ldap.htm
• http://geekdamana.blogspot.com/2008/10/ruby-ldap.html

Stakeholders

	Intranet Applications	Internet Applications
Private (Employees)	Zimbra CS	SilkRoad Aetna
Protected (Partners)	n/a	Basecamp Google Docs
Public (Anyone)	n/a	www.wested.org www.simscientists.com

---

Questions

OpenId Issues

Can an Active Directory be used as a OpenID provider?

From http://stackoverflow.com/questions/2453769/active-directory-as-openid-provider Yes, you can. Just host an ASP.NET web site that itself uses Active Directory authentication, and exposes an OpenID Provider using DotNetOpenAuth.

Can Active Directory interoperate with Unix?

http://en.wikipedia.org/wiki/Active_Directory

Varying levels of interoperability are possible:

• Using standards compliant LDAP clients (but these systems may lack some features of AD).
• Third-party vendors who offer Active Directory integration for Unix platforms, include Centrify (DirectControl), Computer Associates (UNAB), CyberSafe Limited (TrustBroker), Likewise Software (Open or Enterprise), Quest Software (Authentication Services) and Thursby Software Systems (ADmitMac).
• Open source Samba software provides a way to interface with Active Directory and join the AD domain to provide authentication and authorization
• Microsoft Windows Services for UNIX product.
• Peer-to-Peer using 389 Directory Server (formerly Fedora Directory Server) or Java System Directory Server, which can perform a two-way synchronization with Active Directory and thus provide a "deflected" integration with Active Directory as Unix and Linux clients will authenticate to FDS and Windows Clients will authenticate to Active Directory.

Redirection vs. Cookies

http://stackoverflow.com/questions/22015/openid-as-a-single-sign-on-option

Seamlessly logging in with OpenID requires automatic (unverified) redirection between domains.

That makes the OpenID server a 3rd party. This can cause cookies for the OpenID server to be rejected if you turn off 3rd party cookies and your browser strictly follows the Unverifiable Transactions rule in 3.3.6 of RFC2965.

An example of this is Opera. If you turn off 3rd party cookies (by setting the global to "Accept only cookies from the site I visit"), you can't log in with OpenID because the server script you submit to automatically (without your interaction to approve it) redirects you to the OpenID server and the OpenID server does the same to get you back.

But, you get lucky in Firefox, IE and Safari with their corresponding blocking of 3rd party cookies because they violate RFC2965 in multiple situations.

Having to use OpenID in this case does a disservice to more compliant clients.

As a workaround, in Opera, besides accepting all cookeis, you can goto tools -> preferences -> advanced -> Network and turn off Automatic Redirection. Then, you'll be able to verify and click each link you're redirected to and the cookies won't be rejected because the transactions are verified.

It should also work if you keep Automatic Redirection on and both servers generate a page with a link for you to click on so you can verify the transaction. But, there can't be any automatic redirects anywhere.

Logging in with just a username and password where you're only dealing with first party cookies would be much better in this case.

OpenID is still cool though and I guess Opera just needs an option to allow unverifiable transactions between SO and your OpenID server so that you can use "Accept only cookies from the sit

OpenId Outsource Providers

From http://openidexplained.com/get

Name	Ease of use	Security	Remembers information	Multiple profiles	Anti-phishing measures	Password protected
AOL/AIM	3	4				Yes
Blogger	9	4				Yes
ClaimID	9	4	Yes			Yes
GetOpenID	7	4				Yes
Google	7	4	Yes			Yes
LiveJournal	9	1				Yes
MyOpenID	8	9	Yes	Yes	Yes	Yes
MySpace	6	1				Yes
Sxipper	7	8	Yes	Yes	Yes	Yes
VeriSign	7	7	Yes		Yes	Yes
Vidoop	8	4	Yes	Yes	Yes
WordPress	5	1	Yes		Yes	Yes
Yahoo!	10	4			Yes	Yes

---

SixArm • http://sixarm.com • Copyright © 2011 • All Rights Reserved