Role Manager and OpenSSO Integration
By webshesh on Jan 26, 2009
As Role Management matures in small and medium enterprises, we are now seeing many requirements for an integrated Role Management, Provisioning and Access Management infrastructure.
Recently, I worked on a Proof-of-Concept for a customer where we implemented an end-to-end SRM-OpenSSO-IdM integration.
Here are the salient features of the integrated demo that was put in place.
- Sun Role Manager (SRM) is the provisioning and management point for Business Roles and IT Roles.
- Sun Identity Manager (IdM) is the provisioning and management point for Users.
- OpenSSO protects a few sample web-based applications.
- SRM is also the Policy Management point.
- The OpenSSO Policy Agents are the Policy Enforcement Points (PEP) and the OpenSSO Server is the Policy Decision Point (PDP).
- OpenSSO policies are role-based URL policies.
- Directory Server Enterprise Edition (DSEE) is configured as the OpenSSO User Store; IT Roles are provisioned into the DSEE store.
- SRM creates Business Roles and IT Roles in IdM, and creates IT Roles in the OpenSSO (DSEE) store using the IdRepo API.
- IdM assigns Business Roles "and" IT Roles to Users. The IT Roles it assigns are the ones provisioned in DSEE.
- Policies are created in terms of IT Roles.
- Policies provisioned in SRM are exported as XML, in a format specific to OpenSSO policies.
- OpenSSO imports these policies and uses them to make AuthZ decisions.
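To make the PEP/PDP flow above concrete, here is an added example (my own constructed code, not part of the original demo and not SRM, IdM or OpenSSO code). It models a user store in which users carry provisioned IT roles, a policy set that maps IT roles to URL patterns, a PDP that evaluates a request and a PEP that turns the decision into an HTTP status. The XML is a simplified format of my own, standing in for the SRM export; it is not the OpenSSO policy schema, and all host names, role names and users are constructed.

```python
"""Role-based URL authorization: constructed PEP/PDP example, not OpenSSO code."""
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed policy export in a simplified XML of my own.  It is NOT the
# OpenSSO policy schema; it only plays the part of the XML that SRM exports.
POLICY_XML = """
<Policies>
  <Policy name="hr-portal" effect="allow">
    <Resource>http://hr.example.com/*</Resource>
    <Action>GET</Action><Action>POST</Action>
    <Subject type="role">ITRole_HR_Staff</Subject>
  </Policy>
  <Policy name="finance-readonly" effect="allow">
    <Resource>http://finance.example.com/*</Resource>
    <Action>GET</Action>
    <Subject type="role">ITRole_Finance_Viewer</Subject>
  </Policy>
  <Policy name="finance-admin-block" effect="deny">
    <Resource>http://finance.example.com/admin/*</Resource>
    <Action>GET</Action><Action>POST</Action>
    <Subject type="role">ITRole_Finance_Viewer</Subject>
  </Policy>
</Policies>
"""

# Constructed stand-in for the DSEE user store: user -> IT roles provisioned to it.
USER_STORE = {
    "alice": {"ITRole_HR_Staff"},
    "bob": {"ITRole_Finance_Viewer"},
    "carol": set(),  # user exists but no IT role has been provisioned yet
}


def load_policies(xml_text):
    """Parse the policy export into plain dicts: the PDP's in-memory policy set."""
    policies = []
    for p in ET.fromstring(xml_text).findall("Policy"):
        policies.append({
            "name": p.get("name"),
            "effect": p.get("effect", "allow"),
            "resources": [r.text.strip() for r in p.findall("Resource")],
            "actions": {a.text.strip().upper() for a in p.findall("Action")},
            "roles": {s.text.strip() for s in p.findall("Subject") if s.get("type") == "role"},
        })
    return policies


def canonical_url(url):
    """Lower-case scheme and host and drop query/fragment so patterns match predictably."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", "", ""))


def decide(policies, roles, url, action):
    """PDP: deny by default; an explicit deny overrides any allow.

    Returns ("allow" | "deny", reason).
    """
    url = canonical_url(url)
    action = action.upper()
    allowed_by = None
    for p in policies:
        if action not in p["actions"] or not (roles & p["roles"]):
            continue
        if not any(fnmatch.fnmatchcase(url, pat) for pat in p["resources"]):
            continue
        if p["effect"] == "deny":
            return "deny", f"explicit deny by policy {p['name']}"
        allowed_by = allowed_by or p["name"]
    if allowed_by:
        return "allow", f"allowed by policy {allowed_by}"
    return "deny", "no applicable policy (default deny)"


PDP_POLICIES = load_policies(POLICY_XML)


def pep_enforce(user, url, action):
    """PEP: look up the user's roles, ask the PDP, map the decision to an HTTP status."""
    roles = USER_STORE.get(user, set())
    decision, reason = decide(PDP_POLICIES, roles, url, action)
    return (200 if decision == "allow" else 403), reason


if __name__ == "__main__":
    requests = [
        ("alice", "http://hr.example.com/payroll?id=7", "GET"),
        ("bob", "http://hr.example.com/payroll", "GET"),
        ("bob", "http://finance.example.com/reports/q1", "GET"),
        ("bob", "http://finance.example.com/reports/q1", "POST"),
        ("bob", "http://finance.example.com/admin/users", "GET"),
        ("carol", "http://hr.example.com/", "GET"),
    ]
    for user, url, action in requests:
        status, reason = pep_enforce(user, url, action)
        print(f"{user:6} {action:4} {url:45} -> {status} ({reason})")
```

Two points the example makes that the bullet list does not: a user whose IT role has not been provisioned in the store (carol) gets nothing, because the PDP only ever sees roles the store returns, and an explicit deny policy wins even when a broader allow policy also matches, so a read-only role cannot be widened by accident when a new allow rule is added.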
Thanks to Anjan Shenoy for getting the Role provisioning on DSEE working and the Policy export from SRM.
This demo is available as a VirtualBox image and I would be more than happy to share this image and provide operational instructions on running this demo. More detailed documentation and white papers are on the way!