So, we're going to start our next talk.
It's going to be so as to explain what we do and we'll be doing this so that I tell
you fusion I am a full open source identity access management solution.
Bonjour, je suis français but I will speak in English, okay? No problem. Yes.
So, some words about me. So Clément Wido, I work in a French company which is called Vortex
and I'm doing a lot of stuff about identity management of course because I'm here to talk about it.
I'm also doing other things like music. If you want to listen to French music, open source music,
it is a creative commons, you can go on my website and I'm also doing a theater and other things.
Very quick about Vortex, we are a service company and we provide many solutions like collaborative tools,
containers and of course identity access management and I will talk about this thing.
And if you want to not play music but work on open source, you can apply on our website.
So, for the topic today, I will talk about the fusion I am project, explain why we created this project
and which open source component we use to try to build this big solution.
So, we decided to create this with Benoit Martier which is the leader of fusion directory.
I don't know if you know fusion directory product, who knows it? Okay, but many people.
So, it's cool that you come here so you will know about it today and Vortex.
So, we are both people working on open source product around directories and identity management.
The goal was to offer a complete identity and access management solution
because you know that in the propriety solutions, when you buy one, you get all the components of identity and access management.
But if you are using open source tools, most of the times you only get one piece of the full picture
and you need to install them and connect them.
So, our opinion was to say, okay, we know that in open source, each product must do one thing and do it good.
But if we want to be able to go to companies and say we are doing identity and access management,
we must provide a full solution integrity.
So, that's why the reflection.
And we are today working on this project in Vortex with David Coutador and myself.
So, who knows OW2? Okay.
It's normal because it's a French consortium like Eclipse, but you know Eclipse, but you don't know OW2.
So, today you know OW2.
There are a lot of products inside OW2, Blumain, GLPI, and Lemanelda, et cetera.
And so, we are an official project of OW2.
So, one solution when you want to do a new open source software is say, okay, all that exists is mess.
So, I will write everything, but of course, I have a family, so I don't have the time to write everything from scratch.
So, we took all the open source projects that we know and we tried to combine them together.
The one you may know is this one, OpenLDAP.
Who knows OpenLDAP? Okay, yes, one.
Of course, we are not the developers of the OpenLDAP software.
It's something that is managed by a Siamese company and OW2, which is the leader of OpenLDAP.
But we are very implied in the community and we work a lot with OpenLDAP.
So, our choice for the directory server, which is clearly the base of the identity management, is OpenLDAP.
And then, we put a lot of products.
So, Le Mans-Haldap-NG, who knows?
Ah, yes.
And we have the founder of Le Mans-Haldap-NG, which is Xavier Guimard here.
So, we have some of the community here in Fosdame about Le Mans-Haldap-NG.
I will explain all this fusion directory.
So, I said, Haldap Toolbox.
Okay, LSC.
Okay, it's normal because it's the products that I created.
So, okay, it's normal.
Okay, so, these are all community projects, open source projects.
Of course, you know only this one, but you will see how we try to combine them.
Our approach was to say, okay, we can be as IBM, HP, et cetera,
and we can go in your company and say, we have all the components.
So, access management, access manager, the directory server, the directory manager,
synchronization, the connectors, and two other components, white pages,
and service desk, I will present them.
So, that's a typical big proprietary IIM solution, which is, okay.
But we put all the open source software behind the same.
Okay, so, of course, the directory server is open-end app,
but we added some tools in Haldap Toolbox project to better manage open-end app,
to do backups, et cetera.
The directory manager is a fusion directory,
connectors LSC, the access manager is Le Mans-Haldap-NG,
and other tools are some part of the Haldap Toolbox project.
Of course, I will present them, but I know that you know other software to do that.
Typically here, the most open source tool known to be the access manager is Kiklok,
who knows Kiklok?
Of course, everyone knows Kiklok, but I will explain why we do this one.
We have another choice to have a single sign-in product, and this is Le Mans-Haldap.
And for this, of course, Evolvm midpoint, that we just saw before,
is another possibility here for the directory manager, et cetera, et cetera.
So, everyone can choose which technical components it will bring in identity access management.
We did this choice because we are clearly developers of a lot of these components,
so we can act on the roadmaps of these components, and we know how to make them work together.
So, if you choose Fusion IAM, you will take the choice we have done.
If you do not agree, you just can fork and replace the components if you don't like them.
On a technical point of view, if you already install Kiklok and a directory server,
you know that it's quite simple.
All components are linked to the directory server because that's where you have your users,
passwords, groups, et cetera.
And here you have the connectors to be able to synchronize from a database,
from an active directory, for example.
So, it will go into the Haldap server.
These are tools to manage the data.
So, to white pages, just to display the photo, et cetera.
Here is to be able to reset the passwords.
Here is to create icons, et cetera.
And the access manager will also be connected to the directory server to do the authentication.
All these are Haldap, HaldapS flows.
You have just one database used for the access manager to be able to store the configurations
on all the sessions, but the other tools did not need any database.
All the tools are only using the directory server.
And of course, you have here the access manager.
So, a user, the end user will only see the access manager part to be able to access all the data here
and to access also all the components.
So, some explanation on the software.
The first one, everyone knows.
So, like Tynitero said, it's simply the best.
I hope you all have the song now in the head.
It's the best Haldap server in terms of performance of standard,
because the people coding on Haldap have also written a part of the RFC of the Haldap protocol.
So, we're sure that this component is respecting the Haldap standard.
And if you manage your Haldap by yourself, you know that you can add a lot of features with overlays,
like password policy, which is very important in identity and access management
to be able to expire your account, to lock your account, et cetera, et cetera.
And we will see that we bring other tools to be able to manage the open Haldap password policy.
And in the Haldap Toolbox project, we provide some package to be able to install open Haldap
on a different distribution.
You may know, are there people from Red Hat here?
Okay, it's not a problem.
But you may know that Red Hat has chosen to push away open Haldap from the distribution
to be able to use the Red Hat directory server as the main directory server.
So, if you want to install open Haldap with a package on a center-est, et cetera,
you can use the Siamas package or the Haldap Toolbox package.
And of course, we also provide package for Debian Ubuntu, et cetera.
Okay, so the directory is okay.
The directory manager, so we choose a fusion directory.
It's a PHP application.
It's not like PHP Haldap admin, which is a very technical tool in which you browse the tree, et cetera.
Here, you have a functional view of all the objects that are in your Haldap directory.
So, of course, users, groups, but you can also modelize the service icons, applications, et cetera, et cetera.
So, it's a very functional view of this.
And it includes administration delegation.
So, you can say a people is connected to this interface, but it can only manage the people in the service, et cetera, et cetera.
So, it's like the midpoint or all those software like this.
It's just to offer user interface to people to read or edit and illustrate data depending on their why.
The connector, no UI.
It's just a command line, but it's a very powerful tool written in Java.
And it talks with RISTPI.
It talks with databases.
It talks with Active Directory.
So, we are able to easily synchronize Open Haldap and Active Directory with the store.
So, very efficient.
And Lema Haldap ng.
So, the key clock killer.
No, I know it's not, but okay.
It's like key clock, but we provide an application menu.
We manage all the access control.
White pages is an easy way to display the data of your directory for end users to search for phone number or email address.
So, these are only Haldap data.
So, I created an Haldap directory with Star Wars data.
And you can display them, search for the umpires, the Jedi, et cetera, et cetera.
But there is no database.
It's only an Haldap directory.
And ServiceDef is a little tool for the support team because you're able to see first one.
You can see all the password policy data from Open Haldap.
If you work a little with Open Haldap password policy, you know that it's very technical to understand how all the state of the password is managed.
So, here you have all the dates, et cetera.
Here, and you can test the current password.
Of course, you can reset the password.
And you can see if the account is locked, you can unlock the account.
You can see the password is expired, et cetera.
So, it's very easy for a support team to know if an account is expired, it's locked to unlock it, et cetera.
So, moving to the cloud, because that's how we need to work now.
Why? Because before, and we still do it for customers, we have virtual machines and we deploy all the package and we configure all the package.
And we say, okay, Haldap directory is here and you need to connect to this web server, et cetera, et cetera.
And when you want to put the logo of the customer, you need to put the logo in every product.
So, the customer say, okay, it's integrated.
Okay, it's integrated.
But, okay, this still works, but it's a lot of work indeed to reproduce this by every customer.
You need to write that.
And the cloud approach is to say we will move from package to containers, images, and we will try to configure all the images, all the containers through variables.
And indeed, we saw that Haldap server is the same for each component we need to connect to the Haldap server.
So, I only need one parameter, which is Haldap URL for all components.
So, I configure it once and then I can have the full solution.
Of course, you do cloud.
Okay, it's a mess.
Okay.
We need to have pods.
We need to have volumes, et cetera, et cetera.
So, you see that what was a little easy with some bricks and some components is not easy with the cloud because you need to identify which volumes you need to run the containers.
And when you split, you usually split the web application between the front end and the PHP, FPM, or the past Haldap server.
But it's better because we can run all these images and we can have, so, of course, for Haldap, we have a volume for the data, a volume for the configuration.
And also for the certificates, KN certificates.
And so, we identified in the FusionIM project, we identified all of this and we created all of these images and volumes.
So, you just need to do make, run, and it's running.
We have a container registry.
So, it's open source.
It's available.
You can just pick the images and you can run with a Docker podman or a Docker compose.
So, it's very easy to test.
And you can also download the Git and run the Mac, run all with a Mac file and it works.
The only thing you need to do is to initialize the volumes and, of course, put some configuration for your domain, et cetera, et cetera.
But you just have to do this and you will have the full stack of identity and accept management running and configured.
So, it's very easy.
In Vertex, we choose to create a new offer which is called with us, identity as a service.
And we put FusionIM inside of our, in our cloud for our customers.
So, we can run for each customer.
We run one FusionIM project.
And so, a customer don't have any directory, don't have anything, but he can connect all this application through SAML or OpenID Connect.
He has all the applications to manage the data inside the enterprise directory which is inside the cloud.
And we, of course, have a lot of RISC API.
So, we have RISC API for provisioning to create accounts, to create groups, et cetera.
So, you can do all this with RISC API.
And we also have some RISC API here to be able to create a new OpenID client or a new SAML client.
So, you can provision the users, the groups, and you can also provision through RISC API the applications.
And, okay, I know I have five minutes.
Yeah, I can do a demonstration.
Okay.
Ta-da-da!
So, it's not a screenshot, okay?
It's a real, it's a real interface.
So, it's hosted by Vortex.
It's running on OpenShift, which is Kubernetes from Red Hat.
And so, this is the login form.
And so, you see, it's the access manager component, so, LemoneldapNG.
And inside, we plugged all the IIM components.
So, this one is for configuring LemoneldapNG.
So, just the administrative interface.
And, okay, so you get all the parameters.
And here, you have the other components.
So, why?
Of course, it's a demo.
Yes.
Yes.
Yes.
Okay.
So, this is how we manage the users.
So, what you can see is that you can work with departments and branches in the end-up directory.
And we can create, so, I create, for example, a codecobain because, okay, it's 30 years ago.
It dies this year.
So, it's a simple account, okay?
But if I want to, so, I'm an administrator, I have this view, okay?
But if I want to browse the directory, I can see it.
So, I'm an end user, and I want to see the information of codecobain.
So, I can browse it through web pages.
But this is clearly the same.
You see that you can also browse the groups, so, with Brittany.
And this tool is wonderful because we can dynamically use the postal address inside the end-up directory to display people on the map, okay?
So, it's a nice feature for an intranet, for example, when you are all in a remote location,
you just put the postal address of people and you can see them on the map.
It's quite nice.
And, of course, you can click on and see, okay, this one.
And if you are in the support, okay, Brittany Spears has lost his password, okay?
So, Brittany.
Okay, I can reset the password.
I'll say, okay.
Baby, one more time, okay?
And, okay, the password was changed.
We activate the flag, so, she must change the password as the next connection.
All this is managed by the open-end-up password policy.
But, of course, when she will connect through all the components,
the component will respect the password policy and she will be forced to change the password at next level.
Okay, that's all for the demonstration.
Thank you.
Some questions, maybe?
Yes?
Can you change actually directory passwords from this?
It's a feature that we did not implement.
Can we use this component?
This component is an adaptive box service desk to change the passwords on active directory, not yet.
But, all people are saying, okay, this is wonderful, but I don't have open-end-up.
I have active directory and I want to use it.
So, it's in the roadmap, but it's still not available.
But, for information, this one has some hooks, so you can reset the password in open-end-up
and also hook it to a change at the same time in active directory.
If you have both directories, open-end-up and active directory,
you can use the hook to push the password on active directory.
But, if you only have active directory, you can, for the moment, not use it.
But, it will be the case maybe next year.
Maybe next year.
Yes?
Do you support private ACME servers for the certificates for these web services?
Sorry, private, what?
ACME.
ACME.
Let's encrypt.
Do we support ACME or let's encrypt?
Of course, yes, because you just have to run it in the container, yes?
How do you handle applications which cannot use OpenID or Sample?
Okay.
And, where do you use the host headers and authentication?
Yeah, so how we manage applications that are not modern applications
which use either Sample or either OpenID Connect to do single sign-in.
Lemana Lab is also compatible with the CAS protocol.
So, we can also use CAS, but in the cloud, we say that CAS is not secure enough to do the cloud.
And, of course, we can have a component in Lemana Lab.
We have a component called the Angular, which is an agent that you can install remotely on your infrastructure system
and can communicate through REST with the portal in the cloud.
So, you can secure it, some local application with an agent on your side
and let the agent deals with the session, et cetera, through REST API in Lemana Lab.
So, we can do a mixed mode between the cloud and your local applications.
It's over?
Last question.
Last question, a very good question, so.
Can we authenticate users using certificates, personal certificates?
Yes, you can use.
The question is, can we authenticate users with certificates?
Yes, Lemana LAPNG can use certificates, Kiberos.
We are compatible with second factor authentication, WebOTAN, et cetera.
So, we have a lot of methods.
It's like K-Club, but it's French.
Time's up.
Okay, thank you.
Thank you.