CHOReVOLUTION Console and Identity Manager

Introduction

Identity Management (IdM) is the joint result of business processes and IT used to manage user data across systems and applications. It involves the technologies, policies and procedures that take care of
identity life-cycle management, enabling organizations both to facilitate and to control user access to critical data and applications. An Identity Manager is a software solution supporting the Identity Management process.

CHOReVOLUTION Identity Manager is based on Apache Syncope 2.0.X and ConnId connector framework.
Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license.

CHOReVOLUTION Identity Manager is responsible for:

  • Service Inventory management;
  • service provider and consumer identities life-cycle management;
  • concrete service and choreography remote management.

Interaction with CHOReVOLUTION IdM is available through

  • REST API - for invocation by Synthesis processor and Enactment Engine;
  • web administration console - for administering concrete services and choreographies;
  • web end-user console - for end-users self-registration, self-management and mobile applications enrollment;
  • CHOReVOLUTION console - embedded into the administration console, provides specific feature to monitor and manage choreographies and concrete services.

The CHOReVOLUTION IdM also exploits suitable identity-management connectors that enable communication with external resources such as concrete services (through Security Filter instances) and the Federation Server. The CHOReVOLUTION IdM is Open Source and released under the terms of the Apache License 2.0.

The following sections provide a quick guide to installing the CHOReVOLUTION Identity Manager and using it from the end-user's point of view.

Installation guide

Requirements

The hardware requirements depend greatly on the given deployment, in particular the total number of managed entities (users, groups and any objects), their attributes and resources.

  • CPU: dual core, 2 GHz (minimum)
  • RAM: 2 GB (minimum)
  • Disk: 250 MB (minimum)

The software requirements can be summarized as:

  • the latest available Oracle JDK 8 or OpenJDK 8 is recommended; the latest available Oracle JDK 7 or OpenJDK 7 is also supported;
  • the latest available Apache Tomcat 8;
  • PostgreSQL 9.4.

Essentially any 64-bit operating system capable of running the JDK and PostgreSQL (as listed above) is supported, with preference for Debian GNU/Linux and Ubuntu Server LTS.

Download information

From the Download section of the CHOReVOLUTION project website the following packages are available:

  1. CHOReVOLUTION IdM Core
    For SNAPSHOT release http://repository.ow2.org/nexus/content/repositories/snapshots/eu/chorevolution/idm/core/1.0.1-SNAPSHOT/core-1.0.1-<latest>.war
    For official releases please refer to http://download.forge.ow2.org/chorevolution/identity-manager/
  2. CHOReVOLUTION IdM Console
    For SNAPSHOT release http://repository.ow2.org/nexus/content/repositories/snapshots/eu/chorevolution/idm/console/1.0.1-SNAPSHOT/console-1.0.1-<latest>.war
    For official releases please refer to http://download.forge.ow2.org/chorevolution/identity-manager/
  3. CHOReVOLUTION IdM Enduser
    For SNAPSHOT release http://repository.ow2.org/nexus/content/repositories/snapshots/eu/chorevolution/idm/enduser/1.0.1-SNAPSHOT/enduser-1.0.1-<latest>.war
    For official releases please refer to http://download.forge.ow2.org/chorevolution/identity-manager/
  4. CHOReVOLUTION IdM ConnId Federation Server Bundle
    For SNAPSHOT release http://repository.ow2.org/nexus/content/repositories/snapshots/eu/chorevolution/idm/connid-federation-server/1.0.1-SNAPSHOT/connid-federation-server-1.0.1-<latest>-bundle.jar
    For official releases please refer to http://download.forge.ow2.org/chorevolution/identity-manager/

The first three packages are available as WAR files and need to be deployed into Apache Tomcat. Please note: rename the WAR files as follows before deployment:

  1. core war file -> syncope.war
  2. console war file -> syncope-console.war
  3. enduser war file -> syncope-enduser.war

Installation steps

Microsoft Windows

The downloadable bundles cannot be installed as they are on a Microsoft Windows system.

Installation on Windows requires several different steps and can only be done starting from the Maven artifacts.

Other systems

  1. Create the Syncope directory (SYNCOPE_DIR):
    mkdir /opt/syncope
    cd /opt/syncope
    • Create the subdirectories SYNCOPE_DIR/bundles, SYNCOPE_DIR/log and SYNCOPE_DIR/conf.
  2. Download the ConnId Federation Server bundle (see Download information above).
  3. Copy the bundle just downloaded into /opt/syncope/bundles.
  4. Create the following config files in the conf subdirectory:
    • enduser.properties
      enduser.directory=/opt/syncope/conf

      version=2.0.3
      site=http://syncope.apache.org/syncope/
      license=http://www.apache.org/licenses/LICENSE-2.0.txt

      anonymousUser=anonymous
      anonymousKey=sasdsadsadsadsadsad
      adminUser=admin
      useGZIPCompression=true

      scheme=http
      host=localhost
      port=8080
      rootPath=/syncope/rest/

      captcha=true
      xsrf=true
    • Change the version, host and port properties in the enduser.properties file to match your deployment.
    • console.properties
      console.directory=/opt/syncope/conf

      version=2.0.3
      site=http://syncope.apache.org/syncope/
      license=http://www.apache.org/licenses/LICENSE-2.0.txt

      anonymousUser=anonymous
      anonymousKey=sasdsadsadsadsadsad

      scheme=http
      host=localhost
      port=8080
      rootPath=/syncope/rest/
      useGZIPCompression=true

      activitiModelerDirectory=/opt/Projects/CHOReVOLUTION/syncope/console/target/activiti-modeler

      reconciliationReportKey=c3520ad9-179f-49e7-b315-d684d216dd97

      page.dashboard=org.apache.syncope.client.console.pages.Dashboard
      page.realms=org.apache.syncope.client.console.pages.Realms
      page.topology=org.apache.syncope.client.console.topology.Topology
      page.reports=org.apache.syncope.client.console.pages.Reports
      page.workflow=org.apache.syncope.client.console.pages.Workflow
      page.audit=org.apache.syncope.client.console.pages.Audit
      page.logs=org.apache.syncope.client.console.pages.Logs
      page.securityquestions=org.apache.syncope.client.console.pages.SecurityQuestions
      page.types=org.apache.syncope.client.console.pages.Types
      page.roles=org.apache.syncope.client.console.pages.Roles
      page.policies=org.apache.syncope.client.console.pages.Policies
      page.notifications=org.apache.syncope.client.console.pages.Notifications
      page.parameters=org.apache.syncope.client.console.pages.Parameters
    • Change the version, host and port properties in the console.properties file to match your deployment.
  5. Create a PostgreSQL database instance and grant all rights on it to a given user:
    • Edit the file /etc/postgresql/9.5/main/pg_hba.conf and add the entries "local all postgres trust" and "localhost all all trust"
    • Create the user syncope, providing a good password
    • Create the database syncope
    • Copy the PostgreSQL JDBC jar (https://jdbc.postgresql.org/download.html) to $CATALINA_HOME/lib
  6. Configure an appropriate data source in Tomcat for accessing the database instance just created; more information at https://tomcat.apache.org/tomcat-8.0-doc/jndi-datasource-examples-howto.html
    • Add the following to $CATALINA_HOME/conf/context.xml:
      <Resource name="jdbc/MasterDataSource" auth="Container" type="javax.sql.DataSource"
                  factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" testWhileIdle="true"
                  testOnBorrow="true" testOnReturn="true" validationQuery="SELECT 1" validationInterval="30000"
                  maxActive="100" minIdle="2" maxWait="10000" initialSize="2" removeAbandonedTimeout="20000"
                  removeAbandoned="true" logAbandoned="true" suspectTimeout="20000"
                  timeBetweenEvictionRunsMillis="5000" minEvictableIdleTimeMillis="5000"
                  jdbcInterceptors="org.apache.tomcat.jdbc.pool.interceptor.ConnectionState; org.apache.tomcat.jdbc.pool.interceptor.StatementFinalizer"
                  username="syncope" password="<the password given at the previous step>" driverClassName="org.postgresql.Driver"
                  url="jdbc:postgresql://localhost:5432/syncope?characterEncoding=UTF-8"/>
    • Update JAVA_OPTS by editing <TOMCAT_HOME>/bin/setenv.sh:
      • JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server -Xms1536m -Xmx1536m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:PermSize=256m -XX:MaxPermSize=256m -XX:+DisableExplicitGC"
  7. For further details see the Apache Syncope reference guide: http://syncope.apache.org/docs/reference-guide.html
  8. Rename the three WAR files as described in the Download information section and put them in /var/lib/tomcat8/webapps.
  9. Restart Apache Tomcat:
    • /etc/init.d/tomcat8 restart
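The directory and properties setup of steps 1 to 5 above, as an added example script that is not part of the CHOReVOLUTION or Apache Syncope distributions. It creates the SYNCOPE_DIR layout, writes enduser.properties and console.properties with the values given in the guide but with a freshly generated anonymousKey in place of the "sasdsadsadsadsadsad" placeholder, checks that the two files agree, and lists the entries of a pg_hba.conf that use the trust method (the entries added in step 5 make PostgreSQL accept those connections without any password check, which is fine for a local setup but not for a shared host). The anonymousKey is shared with the core: the same value has to be set in the core's security.properties, otherwise the two consoles cannot talk to the REST API. SYNCOPE_DIR, host, port, version and the pg_hba.conf path are parameters; the activitiModelerDirectory location is an assumption, since the guide points at a build directory.

```shell
#!/bin/sh
# Added example for the installation steps above; not part of the CHOReVOLUTION
# or Apache Syncope distributions. Builds the SYNCOPE_DIR layout, writes the two
# properties files from step 4 with one shared random anonymousKey, verifies that
# both files agree, and flags "trust" entries in a pg_hba.conf (step 5).

gen_anonymous_key() {
    # 32 random bytes, hex encoded: 64 characters instead of the guide's
    # "sasdsadsadsadsadsad" placeholder. The same value must be configured as
    # anonymousKey in the core's security.properties.
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# $1 = SYNCOPE_DIR, $2 = anonymousKey, $3 = host, $4 = port, $5 = version
write_syncope_props() {
    dir="$1"; key="$2"; host="$3"; port="$4"; version="$5"
    mkdir -p "$dir/bundles" "$dir/log" "$dir/conf"

    # Keys shared by both files, values as in the guide
    common="version=$version
site=http://syncope.apache.org/syncope/
license=http://www.apache.org/licenses/LICENSE-2.0.txt
anonymousUser=anonymous
anonymousKey=$key
scheme=http
host=$host
port=$port
rootPath=/syncope/rest/
useGZIPCompression=true"

    {
        printf '%s\n' "enduser.directory=$dir/conf" "$common"
        printf '%s\n' "adminUser=admin" "captcha=true" "xsrf=true"
    } > "$dir/conf/enduser.properties"

    {
        printf '%s\n' "console.directory=$dir/conf" "$common"
        # assumed location; the guide points at a build directory
        printf '%s\n' "activitiModelerDirectory=$dir/activiti-modeler"
        printf '%s\n' "reconciliationReportKey=c3520ad9-179f-49e7-b315-d684d216dd97"
        for p in dashboard:pages.Dashboard realms:pages.Realms topology:topology.Topology \
                 reports:pages.Reports workflow:pages.Workflow audit:pages.Audit \
                 logs:pages.Logs securityquestions:pages.SecurityQuestions \
                 types:pages.Types roles:pages.Roles policies:pages.Policies \
                 notifications:pages.Notifications parameters:pages.Parameters; do
            printf 'page.%s=org.apache.syncope.client.console.%s\n' "${p%%:*}" "${p#*:}"
        done
    } > "$dir/conf/console.properties"
}

# Prints the value of a key from a properties file ($1 = file, $2 = key)
prop() {
    sed -n "s/^$2=//p" "$1"
}

# Succeeds only if both files carry the same, non-placeholder anonymousKey
# and point at the same REST root path.
check_syncope_props() {
    dir="$1"
    e="$dir/conf/enduser.properties"; c="$dir/conf/console.properties"
    k=$(prop "$e" anonymousKey)
    [ -n "$k" ] && [ "$k" = "$(prop "$c" anonymousKey)" ] \
        && [ "$k" != "sasdsadsadsadsadsad" ] \
        && [ "$(prop "$e" rootPath)" = "$(prop "$c" rootPath)" ]
}

# Prints the pg_hba.conf entries ($1 = file) whose method is "trust", i.e. that
# grant access with no password at all, and returns 1 when there is at least one.
pg_hba_trust_entries() {
    hits=$(grep -v '^[[:space:]]*#' "$1" | awk '$NF == "trust"')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone usage: sh idm-setup.sh setup [SYNCOPE_DIR] [pg_hba.conf]
if [ "${1:-}" = "setup" ]; then
    sdir="${2:-/opt/syncope}"
    write_syncope_props "$sdir" "$(gen_anonymous_key)" localhost 8080 2.0.3
    check_syncope_props "$sdir" && echo "properties written to $sdir/conf"
    pg_hba_trust_entries "${3:-/etc/postgresql/9.5/main/pg_hba.conf}" \
        || echo "the entries above use trust: switch them to md5 before going live"
fi
```

The check functions are deliberately separate from the writer so they can be rerun after manual edits: a mismatch between the two anonymousKey values (or between them and the core) shows up as a failed check rather than as a 401 from the REST layer later on.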

In order to complete the installation, the references to the Federation Server and to the default Enactment Engine must be correctly configured via the administration console.

  • Go to Topology, edit the Federation Server connector, click Next, specify the right URL and click Finish.
  • Go to Realms > Enactment Engine, click the plus icon (bottom-right side) and provide the EE basic information, taking care to specify the right URL of the default Enactment Engine and admin/admin as username/password.

See below for the User guide to access the administration console.

Apache Tomcat can be tuned for every specific deployment’s requirements; a good starting point can be found at https://www.mulesoft.com/tcat/tomcat-performance.

Unix and Linux

No specific step is required.

OS X

No specific step is required.

Uninstalling steps

CHOReVOLUTION Identity Manager can be completely undeployed by following the steps below:

  1. Undeploy WAR files from Apache Tomcat
  2. Remove the following directories
    • /opt/syncope/bundles
    • /opt/syncope/conf
    • /opt/syncope/log
  3. Drop PostgreSQL database if required.

Microsoft Windows

Take care to remove the right directories; no other specific step is required.

Unix and Linux

No specific step is required.

OS X

No specific step is required.

User guide

Users can exploit the features provided by the CHOReVOLUTION Identity Manager through the available Web APIs:

  • Administration console, accessible at

    http://identity_manager_host:port/syncope-console

  • End-user console, accessible at

    http://identity_manager_host:port/syncope-enduser

  • RESTful interface endpoint

    http://identity_manager_host:port/syncope/rest

The CHOReVOLUTION Identity Manager can be fully configured via the administration console (see above for the endpoint). Default administrator credentials are admin/password; change them as part of the installation.

Platform Administrators, by accessing the administration web console provided by the IdM, can monitor the global status of the platform, manage domain administrator and choreography operator accounts and provide ordinary platform maintenance.

Domain Administrators, by accessing the administration web console provided by the IdM, can monitor the status of a specific domain, manage end-user accounts and retrieve compliance data for business. Domain Administrators can also perform approval operations to decide which self-operations of consumers and providers (such as self-registration and authorization requests) should be accepted or rejected.

Choreography Operators, by accessing the CHOReVOLUTION console provided by the administration console, can manage services and roles, monitor services status, provide maintenance (maybe enforcing application contexts) and take care of rescue management.

Service Providers, by accessing the administration console, can publish services in the Service Inventory.

The CHOReVOLUTION Identity Manager end-user console is also available for Service Provider and end-user self-registration (and self-management operations).

Identity Manager administration console

The Identity Manager (based on Apache Syncope) provides a user-friendly administration console that permits managing users, user roles, choreographies, services and service roles. It also includes monitoring information based on the data collected about running choreography instances.

Different users access the administration console with different aims and different capabilities. They are:

  • Platform Administrators. By using a web console provided by the Identity Manager, the platform administrator is in charge of monitoring the global status of the platform, managing domain administrator accounts and providing ordinary platform maintenance.
  • Domain Administrators. By using the above web console, the domain administrator has the responsibility of monitoring the status of a specific domain, managing end-user accounts (in terms of consumers, service providers and approvers) and retrieving compliance data for business. The domain administrator can also act as an "approver" to decide which self-operations of consumers and providers (such as self-registration and authorization requests) should be accepted or rejected.
  • Choreography Operators. An operator is an actor who has the responsibility of launching the synthesized choreography. The operator can also deploy, enable or disable a specific choreography. Besides this, by using the web console provided by the Identity Manager, an operator is responsible for managing services and roles, monitoring service status, providing maintenance (possibly forcing application contexts) and taking care of rescue management.
  • Service Providers. A service provider is responsible for publishing services in the Service Inventory.
  • Identity & Access Management Engineers. The Identity & Access Management Engineer is responsible for identifying, designing, integrating and maintaining the identity and access management platform for CHOReVOLUTION. This is a senior security engineer that has direct experience in instituting and maintaining a centralized identity management and a data-centric access management system.

The administration console can be accessed by logging in at the URL

  http(s)://host.domain:port/syncope-console

See below the login form.

 

After the login, the dashboard (below) is the first page to be shown.

 

The administration console can be browsed by using the left side menu.

The availability of the menu items and of the operations covered in the related sections depends on the identity roles owned by the logged-in user.

The Apache Syncope administration console offers a wide number of functionalities. Below we highlight just the main ones with regard to the specific aims of the CHOReVOLUTION project; please refer to the Apache Syncope project documentation for further details.

Types management

The CHOReVOLUTION Identity Manager permits managing the life-cycle of some specific objects: choreographies, services, service roles, users, user roles and enactment engines.

All these kinds of objects are defined in the Types section, as shown in the picture below.

 

Users, services, service roles and enactment engines are defined as what Apache Syncope calls ANY_OBJECT(s). The profile of a given ANY_OBJECT is specified by an assigned set of classes called AnyTypeClass(es). Every AnyTypeClass is a collection of attribute schemas. Attributes given to a certain AnyTypeClass are indirectly given to the ANY_OBJECT the AnyTypeClass is assigned to.

Choreographies, instead, are defined as GROUPs of ANY_OBJECTs. A specific AnyTypeClass has been defined to be assigned to each choreography as an auxiliary class. This auxiliary class, assigned to the groups representing choreographies, permits extending the choreography member profiles with all the attributes specified by the class itself. In particular, this class is used to provide choreography-related service deployment information, which is available if and only if the specific service is assigned to that choreography.

Identity Manager actors

Another important section is the one reached by clicking on the menu item Roles.
In this section all the Identity Manager actor roles can be created and managed.

 

The Create/Update role wizard permits specifying the entitlements to be given to the role itself.

The entitlements given to the role define the capabilities that a user owning that role has on the administration console.

 

A role can be assigned to a user through the Realms section discussed below.

Identities management

The life-cycle of the objects involved in CHOReVOLUTION can be managed by accessing the Realms section.

Service Role management

Service roles can be created and managed from the Realms section, in the Service Role tab.

 

Service management

Services can be created and managed from the Realms section, in the Service tab.

Services are created by Service Providers using the wizard available from the administration console or using CHOReVOLUTION Studio.

The main steps of the wizard are reported below.

First of all, the name of the service has to be provided.

 

Auxiliary classes can be specified if required.

 

Services can be grouped by exploiting the wizard step shown in the picture below.

 

The next step is related to the profile.

At this point several attribute values describing the service have to be provided.

 

Another important step is the assignment of service roles. By using the step shown in the picture below it is possible to create relationships between the service and one or more service roles, in order to define the role that the service can play in a certain choreography.

 

By clicking on the Finish button the new service is provisioned and becomes available in the Service Inventory, ready to be picked up by the Studio to define a choreography participant.

By clicking on the Extensions item, a new sub-menu appears with two items: Choreographies and Enactment Engines. These items allow the manager to manage running Choreographies, Enactment Engines and Synthesis Processors.

Choreographies

 

Click Choreographies

 

In the new page you can see information on the deployed and enacted choreographies (key id, Name, Description, Enactment Engine, Synthesis Processor and Status) and you can manage them by applying some actions, see Figure 15.

 

You can disable (enable) a choreography by clicking on the icon shown in Figures 15 and 16, which modifies the value of the Status field.

 

 

You can freeze (unfreeze) a choreography by clicking on the icon shown in Figure 17. After the click, the choreography status changes and so does the related icon (see Figure 18).

 

 

You can delete a choreography by using the icon shown in Figure 19.

 

 

Click Ok.

 

The resize action allows the user to change the resources assigned to the selected choreography. See Figures 22 and 23.

 

 

The edit action allows the user to modify the description of the selected choreography. See Figures 24 and 25.

 

 

The last action shows details about the selected choreography: click the Show details icon, see Figures 26 and 27.

 

 

The new page shows four selectable tabs: Overview (default view), EE Resources, Instances and Services:

  • the Overview tab shows a BPMN2 choreography diagram (i.e., the WP5 case study), see Figure 27;
  • the EE Resources (Enactment Engine Resources) tab shows information about the hardware and software configuration managed by the Enactment Engine, see Figure 28.

 

The colored squares (see the top of Figure 28) show the current resource consumption. In particular, they show the number of Virtual Machines used, CPU utilization, RAM utilization and the current storage occupancy. In addition, there are buttons to perform the Start, Stop, Freeze and Resize actions on the choreography, as already described. The Virtual Machines table (Figure 28) provides specific information on the configuration of the virtual machines where the related choreography is deployed.

  • the Instances tab shows a table with information about the running choreography instance(s), see Figure 29.

 

  • the Services tab shows a table with information about the available concrete services, see Figure 30. The information shown is the name and the URL where each service is located.

 


Enactment Engines

The second item of the Extensions menu is Enactment Engines. Click the Enactment Engines item, see Figure 31.

 

The EE dashboard provides information about the EE Base URL. Furthermore, the manager can obtain information about an Enactment Engine by clicking the Show Details icon, see Figure 32.

 

 
Again, the manager can edit or delete an EE by clicking the Edit or Delete icons, see Figures 33 and 34 respectively.

 

 

By clicking the add icon, the manager can add a new Enactment Engine, see Figure 35.

 

Choreographies are created dynamically by synchronizing the ChorSpec generated by CHOReVOLUTION Studio.

Though choreographies are represented as groups inside the Identity Manager, they cannot be managed in the GROUP tab of the Realms section but only in the CHOReVOLUTION console, inside the Choreographies section.


Synthesis Processors

The third item of the Extensions menu is Synthesis Processors. Click the Synthesis Processors item, see Figure 36.

 

The Synthesis Processors dashboard provides information about the Synthesis Processors Base URL. Furthermore, the manager can obtain information about a Synthesis Processor by clicking the Show Details icon, see Figure 37. At present, this feature is not allowed.

 

The manager can edit or delete Synthesis Processors by clicking the Edit or Delete icons, see Figures 38 and 39 respectively.

 

 

By clicking the add icon, the manager can add a new Synthesis Processor, see Figure 40. The port number defined in the Synthesis Processor URL depends on where the
synthesis-processor.war was deployed.

 


Identity Manager end-user console

The end-user console is mainly used by users to register and manage their own profile. They can also use it to subscribe to choreographies.

The end-user console can be accessed by logging in at the URL

  http(s)://host.domain:port/syncope-enduser

The end-user console is usually customized based on the specific requirements of the domain for which it is going to be deployed. In fact, whereas the administration console can be shared among all domains, we expect to dedicate a specific end-user console to each domain.

Within our development we provided a customization example, which we use here to show the main idea behind this console.

See below the login form.

 

If a user is already registered in the system, they can provide credentials to log in, in order to manage their own data or to subscribe to (or unsubscribe from) one or more choreographies.
Alternatively, to reset the password, the user can click on the "Password Reset" link.

If a user does not exist in a certain domain but wants to use the choreographies provided by it, they have to register their profile for that domain.
By clicking on the "Self registration" link the self-registration process is started.

During this process the first piece of information to be provided is the type of profile being registered.

Let's assume that in a certain domain end-users and service providers are able to self-register their own profiles to the platform, as shown in the following picture.

 

After choosing the profile type, the next step requires the specification of the main user credentials, in terms of username and password.

 

For our specific purpose we assume that during self-registration an end-user or a service provider can specify the security groups to be joined.
This is not good practice in general: self-assignment of security entitlements is usually subject to approval mechanisms.

 

In the next step a user can subscribe to one or more choreographies.

 

Before closing the self-registration operation the user has to provide several profile attribute values.
For each subscribed choreography involving services that require specific user credentials, the user performing the subscription has to provide their own credentials for each one.

 

The last step is to confirm the registration.

 

In our example, the user is created if and only if an end-user approver approves the registration request.

Please note that the self-management operations available after login go through exactly the same steps.