Identity and access management with OpenIAM

Authorization Center

Self-Service Portal

Users already provisioned can request access to additional systems or extensions of their rights on existing systems in the user interface. For this purpose, OpenIAM provides a service catalog from which users can select the desired systems and authorizations.

One interesting feature is the ability to limit the access rights requested in this way, which is particularly useful if an employee only needs temporary access to certain services for a project. The procedure also includes an approval process. If the OK for the request comes from one or more approvers, the software in turn automatically ensures that the user is provisioned to the system and receives the necessary rights. Figure 2 shows the complete provisioning process.

Figure 2: OpenIAM provides accounts on the desired target systems. © OpenIAM [3]
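The request, approval, provisioning, and expiry steps described above can be modelled in a few dozen lines. The following Python script is an added illustration, not OpenIAM code; the target-system connector, the user, system and approver names, and the timestamps are all constructed. It enforces the two points that matter from a security angle: nothing is provisioned until every named approver has said yes, and a time-limited grant is revoked automatically once its end date has passed.

```python
"""Constructed model of a self-service access request with approval and expiry.

Not OpenIAM code. 'TargetSystem' stands in for a real connector; all names
and times are made up for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set


class State(Enum):
    PENDING = "pending"
    PROVISIONED = "provisioned"
    REJECTED = "rejected"
    EXPIRED = "expired"


@dataclass
class AccessRequest:
    user: str
    system: str
    role: str
    approvers: FrozenSet[str]           # everyone who must approve
    valid_until: Optional[int] = None   # epoch seconds; None = no time limit
    state: State = State.PENDING
    approvals: Set[str] = field(default_factory=set)


class TargetSystem:
    """Stand-in for a connector to a real target (directory, SaaS app, ...)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Set[str]] = {}

    def grant(self, user: str, role: str) -> None:
        self.accounts.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.accounts.get(user, set()).discard(role)
        if user in self.accounts and not self.accounts[user]:
            del self.accounts[user]          # no roles left: remove the account

    def has(self, user: str, role: str) -> bool:
        return role in self.accounts.get(user, set())


class AccessWorkflow:
    def __init__(self, targets: Dict[str, TargetSystem]) -> None:
        self.targets = targets
        self.requests: List[AccessRequest] = []

    def submit(self, user, system, role, approvers, valid_until=None) -> AccessRequest:
        if system not in self.targets:
            raise KeyError(f"unknown target system {system!r}")
        if not approvers:
            raise ValueError("every request needs at least one approver")
        req = AccessRequest(user, system, role, frozenset(approvers), valid_until)
        self.requests.append(req)
        return req

    def approve(self, req: AccessRequest, approver: str) -> None:
        if req.state is not State.PENDING:
            raise ValueError("request is no longer open")
        if approver not in req.approvers:
            raise PermissionError(f"{approver} is not an approver for this request")
        req.approvals.add(approver)
        # Provision only when every approver has agreed; one OK is not enough.
        if req.approvals == req.approvers:
            self.targets[req.system].grant(req.user, req.role)
            req.state = State.PROVISIONED

    def reject(self, req: AccessRequest, approver: str) -> None:
        if approver not in req.approvers:
            raise PermissionError(f"{approver} is not an approver for this request")
        req.state = State.REJECTED

    def sweep(self, now: int) -> List[AccessRequest]:
        """Run periodically: revoke time-limited grants whose end date has passed."""
        expired = []
        for req in self.requests:
            if (req.state is State.PROVISIONED and req.valid_until is not None
                    and req.valid_until <= now):
                self.targets[req.system].revoke(req.user, req.role)
                req.state = State.EXPIRED
                expired.append(req)
        return expired


def demo() -> dict:
    """Walk one temporary request through its whole life cycle (constructed data)."""
    crm = TargetSystem()
    wf = AccessWorkflow({"crm": crm})
    start = 1_700_000_000
    req = wf.submit("jdoe", "crm", "sales-reader", {"manager", "app-owner"},
                    valid_until=start + 7 * 86400)        # one-week project access
    try:                                                  # requester cannot approve
        wf.approve(req, "jdoe")
        self_approval_refused = False
    except PermissionError:
        self_approval_refused = True
    wf.approve(req, "manager")
    after_one = crm.has("jdoe", "sales-reader")
    wf.approve(req, "app-owner")
    after_all = crm.has("jdoe", "sales-reader")
    wf.sweep(now=start + 8 * 86400)                       # one day after the limit
    return {"self_approval_refused": self_approval_refused,
            "after_one_approval": after_one,
            "after_all_approvals": after_all,
            "after_expiry": crm.has("jdoe", "sales-reader"),
            "final_state": req.state.value}


if __name__ == "__main__":
    print(demo())
```

The `sweep()` method is where a real deployment would hang its scheduled job; without it, temporary access silently becomes permanent, which is the failure mode the time-limit feature exists to prevent.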

Web Access Manager

In addition to Identity Governance, Web Access Manager is the second integral component within the OpenIAM framework. As the name suggests, this component authorizes users after they have gained access to a system. Beyond access controls, it provides other services and features, such as single sign-on, multifactor authentication, and session management, and integrates them into Access Management.

One central component of Web Access Manager is single sign-on with federated user identities. In this case, OpenIAM serves as an identity provider and ensures that access to service providers, such as Salesforce or Oracle, takes place transparently for the user through the use of state-of-the-art protocols like OpenID Connect or SAML2. For this purpose, a trust relationship between the different security domains must be established in the configuration.

In practical terms, a redirect to the OpenIAM framework occurs when one of these applications is accessed. For example, the user authenticates against OpenIAM with OAuth 2.0 and, if successful, is issued a JSON web token (JWT) that then serves as an ID token to log on to the service provider. Users can also call an application from a remote security domain directly from the OpenIAM interface (Figure 3).

Figure 3: With OpenID Connect or SAML2, users can access applications in remote security domains with single sign-on.

The authentication process is completely transparent to users, who can also use the ID token to log on to other systems. Another interesting feature is that OpenIAM provides a reverse proxy for applications that do not support the federation protocols used, which means that legacy applications can also benefit from single sign-on.
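The flow described above (redirect to the identity provider, authentication, ID token issued as a JWT, token presented to the service provider) places the security-relevant work on the relying party: it must verify the token's signature and claims before trusting the identity inside it. The following Python script is an added example, not OpenIAM code, and it uses the standard library only. It assumes an HMAC-signed (HS256) token with a shared client secret so that it runs offline; the issuer URL, client id, secret, user name and nonce are constructed placeholders. The checks follow the order a relying party should use: pinned algorithm and signature first, then issuer, audience, expiry and nonce.

```python
"""Relying-party validation of an OpenID Connect ID token (constructed example).

Not OpenIAM code. HS256 with a shared secret is assumed so the script needs no
key server; a production relying party would usually fetch the provider's
public keys instead. All identifiers below are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test"         # constructed identity-provider URL
CLIENT_ID = "example-sp"                    # constructed service-provider client id
CLIENT_SECRET = b"constructed-shared-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """What the identity provider does after a successful login: sign the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = ".".join(_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url_encode(sig)}"


class TokenError(Exception):
    """Raised when an ID token must not be accepted."""


def validate_id_token(token, secret, issuer, client_id, expected_nonce, now=None) -> dict:
    """Return the claims if every check passes; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
    except ValueError:                        # covers bad base64 and bad JSON
        raise TokenError("malformed token")
    # 1. Pin the algorithm: refuse "alg": "none" and algorithm swaps outright.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise TokenError("signature mismatch")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token")
    # 3. Issuer must be the provider the trust relationship was configured with.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    # 4. Audience must name this service provider ('aud' may be a string or a list).
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this client")
    # 5. Expiry, then the nonce that ties the token to this login attempt.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return claims


def token_status(token: str, *, now: int, nonce: str = "n-123") -> str:
    """'ok' or the rejection reason, for tests and audit logging."""
    try:
        validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce, now=now)
        return "ok"
    except TokenError as err:
        return str(err)


def demo(now: int = 1_700_000_100) -> dict:
    """One valid token and the classic ways a forged or stale one is refused."""
    claims = {"iss": ISSUER, "sub": "jdoe", "aud": CLIENT_ID,        # constructed
              "iat": 1_700_000_000, "exp": 1_700_000_300, "nonce": "n-123"}
    good = mint_id_token(claims, CLIENT_SECRET)
    head, payload, sig = good.split(".")
    forged_payload = mint_id_token(dict(claims, sub="admin"), CLIENT_SECRET).split(".")[1]
    unsigned_head = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return {
        "valid": token_status(good, now=now),
        "expired": token_status(good, now=claims["exp"]),
        "tampered": token_status(f"{head}.{forged_payload}.{sig}", now=now),
        "wrong_audience": token_status(mint_id_token(dict(claims, aud="other-sp"),
                                                     CLIENT_SECRET), now=now),
        "alg_none": token_status(f"{unsigned_head}.{payload}.", now=now),
        "replayed": token_status(good, now=now, nonce="n-999"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:15s} {status}")
```

The audience check is the one most often skipped in practice: a token issued for one service provider behind the same identity provider must not be accepted by another, which is why `aud` is compared against this client's own id rather than merely checked for presence.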

Testing OpenIAM

If you are interested in trying out OpenIAM, you have two options: the Community and Enterprise versions. The Community version is available for free download on the OpenIAM website [4]. The Enterprise Edition offers two subscription models that provide access to additional resources and support beyond the software itself. The current version, 4.2.0.1 at press time, supports Red Hat Enterprise Linux 8 and CentOS 8; RPM packages before version 4.1.6 only run on Red Hat Enterprise Linux 7 or CentOS 7.

It is somewhat unusual that the RPM only packages the OpenIAM sources as a tarball, which it then simply unpacks under /usr/local/OpenIAM/ when installing the package. But at least the package makes sure that these files disappear when you uninstall the software. As an alternative to installing the RPM file, you can also obtain a container image of the software and then run it with a container runtime. Only Docker is officially supported, but the container image should work with the Podman runtime without any problems; I did not try this out when writing this article.
