Securing the Perimeter: Deploying Identity and Access Management with Free Open Source Software
H**R
A great IAM primer for new professionals
Mike Schwartz and Maciej Machulak have done an admirable job in creating a primer on identity management that can be used both by professionals who are new to the IAM field and by those in other fields who just want to understand the IAM space better and/or to discern how IAM services interact with their own. The authors start with the most basic concepts of IAM and step the reader through to more complex subjects: LDAP to SAML to OAuth to OpenID Connect, etc. Where this book differentiates itself from other works is its inclusion of Free Open Source Software (FOSS) that is available for each use case, allowing the reader to build their own IAM systems to put the principles into practice. I also appreciate that the authors reached out to industry experts to review the more recent advances like FIDO, WebAuthn, and UMA. A great addition to any company's library of material for new identity professionals.
D**T
One of the most accessible books on OAuth2.0, OpenID-Connect and UMA protocols
This book is an excellent introduction to identity and access management (what Gartner refers to as IAM). Chapter 1 introduces the enduring notion of the PDP and PAP, which was developed by the pioneers of the Internet in the 1990s in the IETF. The chapter provides a brief introduction to the current standards in the IAM space (LDAP, SAML, OAuth, OpenID Connect, and UMA).

Chapter 2 is devoted to LDAP (Lightweight Directory Access Protocol, RFC 2251), which is the grand-daddy of what is called today Directory Services, first championed by Novell in the 1990s. If your company or organization is operating Windows Server (on-premise or in the cloud), then you are running a directory services product (namely Windows Active Directory). This chapter focuses on LDAP because LDAP is simple (compared to Active Directory) and sufficiently embodies the various concepts that will be built upon in later chapters. The chapter covers various aspects of LDAP that are relevant to the topic of identity management.

Chapter 3 is devoted to the Security Assertion Markup Language (SAML). The SAML standard was the first to address the need for Web Single Sign-On (Web-SSO), notably when the end-user is connecting using only a browser to a service provider, such as an online merchant. The SAML standard defines a number of constructs which are key to communicating the information or data regarding the individual (or organization) whose digital identity is being assessed. The chapter covers these in sufficient detail (e.g. Assertions, Query-Response Protocol, Bindings and use-case profiles such as the Web-SSO profile). Best of all, the chapter actually provides some "swim lane" diagrams that show the protocol flows, something that is very relevant to developers who are seeking to understand better the SAML exchanges.

With the emergence of mobile devices and social media platforms in the past decade, a new protocol called OAuth emerged that is today dominant in many of the new platforms. This is the subject of Chapter 4. Most of the popular developer APIs to access services offered by major social media platforms (e.g. Google, Facebook, Twitter, etc.) employ the OAuth 2.0 protocol and tokens in one form or another. The chapter discusses the entities in an OAuth 2.0 setup, OAuth 2.0 tokens, the various grant types and flows, and provides a good example of OAuth 2.0 in action using Google APIs.

Developers who have played around with OAuth 2.0 realize that additional features are needed to make it more deployment-ready. The protocol that extends OAuth 2.0 is the OpenID Connect (OIDC) protocol, which is the subject of Chapter 5. This chapter is one of the nicest and easiest to read explanations of OpenID Connect. It even discusses more recent additions to the protocol, such as Client Registration.

Chapter 6 presents a discussion about proxy servers and proxying, which is something every developer needs to be aware of nowadays because it is a core part of the network topology of many (most) medium to large organizations.

Chapter 7 provides an overview of One Time Passwords (OTP) as part of the need for strong authentication. The chapter provides useful background information about standards coming from the FIDO Alliance (an industry consortium focusing on strong authentication). Specifically, it presents a good high-level explanation of the FIDO Universal Authentication Framework (UAF).

Chapter 8 discusses one of the major issues today with IAM systems and data privacy, namely consent by individuals for access to their data and files. The protocol that implements consent rules and the enforcement of these rules on the user's data/files is the User Managed Access (UMA) architecture and protocol. The reader is advised to first read Chapter 4 and Chapter 5 before attempting to read Chapter 8. This chapter provides one of the more accessible treatments of the UMA protocol. These three chapters (4, 5 and 8) make this book worth every penny.

Chapter 9 provides an overview of open source software tools that help deploy and manage IAM systems. The chapter provides an overview of the various tasks involved in identity management by an IT organization. Each of the open source tools is only briefly described, and the keen reader is encouraged to look up these tools.

Chapter 10 addresses the issue of scaling up identity services, notably in the consumer space. The technical term used is Federation or Federated Identity Management. The main purpose of federation is for identity service providers (even competitors) to work together to provide a seamless single sign-on (SSO) login experience to users who need to be authenticated by a relying party (such as an online merchant). Ideally the user should need to log in only once, regardless of the destination online merchant. However, since a user may be registered at only one Identity Provider (which may not be directly associated with the online merchant), these identity providers need to federate with each other under a common legal trust framework and contract. Chapter 10 provides the reader with a very good introduction to the concepts and nuances of identity federation.

All in all, this is a very good book for the reader who may be new to the area of Identity and Access Management (IAM), or new to OAuth 2.0 in the context of API access to services. As mentioned before, the core value of this book is Chapters 4, 5 and 8. These chapters are well written by a seasoned practitioner, making the book accessible and unique among the books on identity management. Both authors are experts in the field, and have been actively involved in the IAM space for over a decade now.

To give a balanced perspective, the only slightly negative aspect of the book is the use of the Gluu software for many of the examples. However, these code examples are very useful and necessary. As the primary developer of the Gluu software, Mike Schwartz (first author) is very familiar with the code. As such, it makes sense for him to use his own code for illustrative examples throughout the book.
J**G
IAM from theory to practice
This book is excellent for those starting in the IAM (Identity and Access Management) world. For professionals already established in the field it also serves as a valuable reference document because it surveys the key topics and technologies involved in IAM solutions.

Throughout its chapters, it covers the theory of relevant applicable standards as well as practical open source solutions to deploy an IAM infrastructure in your organization.

Interestingly, conceptual background is usually presented in its historical context, which helps better understand the shape of the current IAM landscape. On the other hand, the extent to which the examples are driven is very generous. Readers will get a good tech insight out of them.
M**R
A Great Blend of IAM Theory and Implementation Detail
Mike Schwartz and Maciej Machulak have written an excellent and comprehensive overview of identity and access management (IAM) as it exists circa 2019. Their book blends low-level product implementation and configuration details with just the right amount of background and "theory" about the underlying protocols and standards (OpenID Connect, OAuth, etc.) to give the reader a glimpse into how they work, without having to crack open the technical specs and slog through the messy details. It's a useful resource for anybody who works in IAM and wants to know more about this important and fast-evolving field.
C**N
Must Read on Identity & Access Management (IAM)
This authoritative book serves as a resource as well as a learning platform. The world of identity, and IAM, is confusing, esoteric, and rife with conflicting opinions and interpretations. Most identity professionals are self-taught; even if you are an expert, you have gaps. This book covers everything from OAuth to MFA. How is your identity IQ? If you are in IT, security, privacy, or any related field, this is a must read to round out your knowledge. If you enjoy hands-on learning, take the journey to use the open source Gluu software. This book has something for everyone.
S**P
Best IAM book ever
Mike and Maciej have put together a masterpiece of work. They explained Identity and Access Management inside out. The book is excellent for those who want to have some fundamental concepts about IAM. It is also a very good tool for those who want to deep dive into the area.

Dave / Gamatech
A**I
Good to read
Covers almost everything you may encounter in a practical identity and security implementation, although there are some reasonable gaps in coverage because identity is too big a topic to be included in one single book!