Novinky

Více než 30 IDM realizací v České republice i zahraničí

AMI Praha MidPoint – next generation Identity Management
MidPoint – next generation Identity Management

MidPoint – next generation Identity Management

This is not because these systems cannot offer a great business functionality or shiny GUI, but because these systems are first generation IdM, with limitations in their architecture, usually built around different products initially not intended for Identity Management. Personally, we have firsthand experience with and a good knowledge about Evolveum midPoint, Sun IdM, Oracle IdM, NetIQ, CA IdM and Microsoft FIM/MIM. Bellow, you can find some reasons why we think midPoint is superior to other systems.

Open Source – after many years of coding in closed source IdM products, it feels delightful to have actual source codes of everything! From developer point of view it opens almost unlimited possibilities in customizations as well as perfect tuning and debugging of deployment. And all this without fear of breaking license policy. Openness of the system does not end with source codes, the main contributor and project organizer (Evolveum) registers all tickets and planned enhancements in their public ticketing system (Jira). And the best thing – midPoint has no license costs.

Relative Changes midPoint introduces novel and a quite revolutionary way of processing data in its own model/engine. Legacy IdMs work with absolute model that means changes inside IdM are propagated in old/new state fashion. MidPoint wiki documentation describes relative model as follows: It works with concepts such as „role X was added to user A“ instead of „user A has roles X, Y and Z now“. The biggest advantage of relative approach lies in parallel processing, where object locking is no longer necessary and simultaneous workflow requests will not cause data overwrite.

Data Model – midPoint is very flexible in data model. Unlike legacy IdM systems which were usually built around existing repositories of their respective vendors (e.g. NetIQ – LDAP, Oracle – DB, Microsoft – Active Directory), midPoint was designed from scratch. Many IdM systems are able to define custom user or role attributes, but what about having complex structures (like tables) on them? Legacy IdMs usually have possibility for user-role assignment time constraint, but what about having other custom attributes on these relationships (e.g. ticket number in assignment)? MidPoint is king of flexibility and can do it all!

Advanced Assignments – IdMs assume roles or accounts are assignable to users, some of legacy products may assign roles to organizations as well. As always, midPoint goes beyond this traditional concept. It allows accounts or entitlements to be owned not just by users, but also by roles and organizations! For instance, the AD group object is created because it had been assigned by the midPoint role. The very same midPoint role induces assignment of group to users. Then we have role that is responsible both for entitlement definition in endpoint as well as its assignment to users. This approach further increases consistency in role model.

Cloud Ready – managing accounts in cloud endpoints or those on premises from IdM is more or less the same. But how would IdM adapt to being deployed in public or private cloud provider? We have never even tried to deploy legacy IdMs to public cloud for fear of compatibility and license issues. To be fair, I need to say that some IdM vendors offer their own cloud solutions. But these services have usually reduced set of functionalities and offer different user experience compared to on premises IdM. On the other hand, since midPoint has clean architecture with many infrastructure compatibility options, it only takes minutes to deploy it to public cloud. The process is simple as this: Deploy Java WAR, set DB connection and Go. As proof of our continuous trust in the product AMI Praha offers unique midPoint service called SkyIdentity hosted in Microsoft Azure cloud.

 

Author: Martin Lízner