Initial commit IDM, IAG, 2FA Portal #2873

Merged
merged 1 commit into from
Nov 7, 2022
Merged
36 changes: 35 additions & 1 deletion docs/admin/planning/identity-access-governance.md
Expand Up @@ -2,7 +2,41 @@
tags:
- administration
- planning
- IAG
- Identity Governance
---

This is a placeholder
Janssen is not a governance platform, so it does not do any of the following:

## Role Management

Role Based Access Control (RBAC) is a strategy used by many organizations to
authorize access to resources. However, RBAC has a dark side: if roles are used
to reference each unique access requirement the number of roles can grow
exponentially. In fact, some organizations have more roles than people! This is
known as "role explosion." Role Management is an enterprise
workforce governance practice which correlates roles across all applications to
reduce their number to the lowest common denominator of "enterprise roles".

## Access Certification

The role request and approval processes tend to result in a person accumulating
many roles over time. However, because removal of roles no-longer-needed is often
overlooked, it's important for organizations to regularly perform access
certification campaigns (i.e. "recertification" or "attestation"). For example,
once per year, managers may need to decide if the roles assigned to subordinate
employees are still needed.

Removal of a non-sensitive role is not an urgent matter. However, certain
situations might require faster action, for example if an employee is moved to a
different organizational unit with a different manager. The new manager assumes
responsibility for the employee's roles, and should execute an ad-hoc
recertification process for that specific user.

## Segregation of Duties

Sometimes an organization should prevent a person from having two roles
simultaneously. For example, there could be an account rule that a person can't
both sign and approve checks. Or a person can't perform both financial advisory
and equity trading. The governance platform may enable organizations to define
these Segregation of Duties to prevent such conflicts of interest.
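Review bot: the new body of identity-access-governance.md has no top-level heading, while the sibling identity-management.md in this same PR opens with `# Identity Management`; add a matching `# Identity Access Governance` line where the deleted "This is a placeholder" stood, and consider moving the opening sentence ("Janssen is not a governance platform, so it does not do any of the following:") under it so it reads as the page lead rather than orphaned front-matter. Two wording fixes in the same hunk: "there could be an account rule that a person can't both sign and approve checks" should be "accounting rule", and "(i.e. "recertification" or "attestation")" is listing synonyms, so "(also called "recertification" or "attestation")" is clearer than "i.e.". Since the three sections (Role Management, Access Certification, Segregation of Duties) describe practices the text says Janssen does not implement, a closing sentence pointing readers to an external governance platform for them would make the intent explicit to someone landing on a section heading via search.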
48 changes: 47 additions & 1 deletion docs/admin/planning/identity-management.md
Expand Up @@ -2,7 +2,53 @@
tags:
- administration
- planning
- IDM
- Identity Management
- SCIM
---

This is a placeholder
# Identity Management

In Janssen docs, the term Identity Management or "IDM" is the process of
adding, editing and deleting data in various domain systems. Ideally, identity
data would exist in only one place. But this ideal is currently undesirable.
For performance, data joins, auditing, and many other reasons (for the
foreseeable future) identity data is sprinkled across many systems. So when we
update identity data, how do we keep all our infrastructure up-to-date? This
task has been the realm of IDM platforms, which enable organizations to define
workflows to update identity information, and through the use of "connectors",
to push this data to all disparate databases.

IDM platforms range in size and complexity. An admin could write a Python
script to automate adding new users to a domain. Or large enterprises may
implement a commercial IDM platform, like [Sailpoint](https://sailpoint.com) or
an open source IDM platform like [Evolveum Midpoint](https://evolveum.com).
Or you might have a human IDM--"Hey Bob, we hired a new person. Can you add
her?"

The Janssen platform does not include an IDM component. Fundamentally, Janssen
is a consumer of identity data. One of the most common ways for identity data
to make its way to the Janssen database is via the [SCIM](https://simplecloud.info)
interface. This is an API that has a `/users` endpoint, to which an IDM system
can send updates. For example, the IDM system may `POST` to the `/users`
endpoint to add a new user to the Janssen database, or `DELETE` to the `/users`
endpoint to remove a user.

With that said, sometimes organizations might encode IDM business logic in the
Janssen platform. This is particularly true for consumer-facing applications.
In general, it only works for relatively simple requirements, particularly when
the Janssen platform is the authoritative source of identity data. Using
the various interception scripts, it's possible to send identity data from
the Janssen platform to external systems. For example, let's say an organization
has only two silos of identity data: Jans Auth Server and a MongoDB database
record. In a case like this, when a person registers through a Person
Authn Interception Script or Agama flow, you could call an API which updates
the MongoDB database. It's also possible to implement approval workflows using
UMA. For example, an API might require an UMA access token (i.e. an RPT token),
and obtaining this token may require the consent of two different individuals.

But it is worth remembering that the Janssen Platform was not purpose built for
IDM, and therefore any implementation for such use cases should be tactical.
You may have to build many features yourself. Especially for enterprise
workforce applications, you should seriously consider using off-the-shelf
software before writing too much code in Janssen.
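Review bot: the SCIM paragraph describes `DELETE` to the `/users` endpoint to remove a user, but in SCIM (RFC 7644) the resource endpoint is spelled `/Users` and a delete targets a specific resource, `DELETE /Users/{id}`, not the collection; please adjust the example so that readers do not copy a request shape the server will reject. Since this paragraph is the first place the docs tell an IDM system how to create and delete Janssen users, it would also help to add one sentence stating that the SCIM endpoint is protected and that the calling IDM system needs an authorized client credential, and to link the Janssen SCIM documentation rather than only the generic simplecloud.info site. Minor grammar in the same hunk: "Or you might have a human IDM--" uses a double hyphen where a colon or a single dash reads better; "an UMA access token" should be "a UMA access token"; "purpose built" should be hyphenated as "purpose-built".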
15 changes: 14 additions & 1 deletion docs/admin/planning/self-service-password-2fa.md
Expand Up @@ -2,7 +2,20 @@
tags:
- administration
- planning
- 2FA
- Account Recovery
---

This is a placeholder
If your domain offers two-factor authentication, it's a good idea to enable end
users to manage their various credentials. Google does a great job in this
regard. Check out [2-Step Verification](https://myaccount.google.com/security).
What's great about this page is that Google lets you manage all your different
credentials on one page.

You can build a page like Google on your own website. You need to be able to
list, add, and remove 2FA credentials for a given user's account. But another
good option is the Casa web application, which is an [open source project](https://github.com/GluuFederation/casa) from Gluu, licensed under Apache 2.0. Casa supports a number of
authentication mechanism that are already available in Jans Auth Server. See the
[Casa Receipe](https://docs.jans.io/head/admin/recipes/casa/) and the
[Casa Person Authn Script](https://docs.jans.io/head/script-catalog/person_authentication/casa/)
for more information.
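Review bot: the front matter adds the tag "Account Recovery" and the file is named self-service-password-2fa.md, but the body only covers managing 2FA credentials and never mentions password self-service or how a user recovers an account after losing a second factor; either add a short section on that (lost-device recovery is the part of a 2FA portal that most needs planning) or drop the tag so it does not mislead search. Same hunk, two text fixes: the link label "Casa Receipe" should be "Casa Recipe", and "Casa supports a number of authentication mechanism that are already available" should be "mechanisms". As with the governance page in this PR, consider opening with a `# Self-Service Password and 2FA Portal` heading in place of the deleted placeholder line for consistency with identity-management.md.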