Apache Syncope is a great solution for Identity Management. This month I analyzed some use cases that led me to reflect on the flexibility of the provisioning process in adapting to various (and sometimes very cumbersome) deployment scenarios.
The question is: how well does Syncope orchestrate provisioning? The problem is that Syncope lacks a provisioning manager: this component could allow an easy and fully customizable definition of provisioning control logic.
My proposal consists of a redefinition of the (user and role) controller concept through the Apache Camel framework. Why this framework? I think that Camel fits the need for easy control logic definition. Moreover, Camel supports a wide range of external components, which means it can be easily integrated with existing frameworks, like Activiti.
Apache Syncope: an Apache Camel Integration Proposal
1. APACHE SYNCOPE:
An Apache Camel Integration
Proposal
Viale D'Annunzio, 267 - 65127 Pescara
Partita IVA 01974100685
N. REA 143460
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
info@tirasa.net
2. Apache Syncope: UserCreation Use Case
When a user is created, Syncope works this way:
1. Create user internally → start workflow engine
2. Propagate to external resources
This use case is useful most of the time, but not always.
3. Apache Syncope: Problematic Use Case
What if we need to implement this use case?
1. Create User on Active Directory (Primary Resource)
2. If step 1 is OK
   ✓ → create also internally
   ✓ → propagate to other external resources
   Otherwise
   X → throw a general error
4. Apache Syncope: Problematic Use Case Solution
Generally, to solve the previous case, we do this:
1. Override UserController#create() method
2. Embed the desired fixed logic
… isn't there a better way to do this?
5. Apache Syncope: Possible Solution
We need a way that allows:
1. Easy configuration of IDM control strategies
2. Easy integration with existing components
Possible Solution ? CONTROLLER REDEFINITION with
6. Apache Camel: What is it?
Apache Camel™ is “a versatile open-source integration
framework based on known Enterprise Integration Patterns”
“Camel empowers you to define routing and mediation rules
in a variety of domain-specific languages ”
7. Apache Camel: Concepts
Camel is Message-oriented → Concept of Message
Communication in Camel takes place via Message
Message is included in Exchange
8. Apache Camel: Endpoint
Endpoint defines the communication port of an application.
Each component is identified by unique URI
10. Apache Camel: Route Definition
Apache Camel provides different methods to express
routes: these are simply called DSLs.

Java DSL

    from("direct:a")
        .choice()
            .when(header("foo").isEqualTo("bar"))
                .to("direct:b")
            .when(header("foo").isEqualTo("cheese"))
                .to("direct:c")
            .otherwise()
                .to("direct:d");

Spring XML DSL

    <routeContext id="myCoolRoutes"
                  xmlns="http://camel.apache.org/schema/spring">
      <!-- we can have a route -->
      <route id="cool">
        <from uri="direct:start"/>
        <to uri="mock:result"/>
      </route>
      <!-- and another route, you can have as many as you like -->
    </routeContext>

Example of two common DSLs
11. Apache Camel: Why?
Camel could represent a valid framework for controller
orchestration. Why?
IDM Control Logic ~ Route
New component in Syncope → Provisioning Manager
Moreover, Camel offers a large set of pluggable components.
Example: the Activiti Component.
12. Provisioning Manager: Benefits
✔ Provisioning Manager embeds Route Definition
✔ Routes can be easily added at Runtime.
✔ Complex Behaviour Definition (i.e. rollback).
✔ Versioning of Routing Strategies
13. Apache Camel: How?
The Provisioning Manager aims to redefine the controller
business logic.
16. Apache Camel Integration Proposal
Transfer IDM control logic into the Provisioning Manager
17. Provisioning Manager: Example
Provisioning Manager: how the first use case can be modeled

Provisioning Manager (input: UserTo)
...
    from("vm:camel-create")
        // we can do some checks here
        .to("activiti:camelProcess:Create");
...
    from("activiti:camelProcess:Created")
        .bean(PropagationBean.class, "propagateToExtResource");
        // continue with other operations

Process definition
...
    <receiveTask id="Create" .. />
...
    <serviceTask id="Created" .. />
18. Provisioning Manager: Example
How the problematic use case can be modeled

Provisioning Manager (input: UserTo)
...
    from("vm:camel-create")
        // route-scoped handler: log the propagation failure;
        // it is not marked as handled, so the error still reaches the caller
        .onException(PropagationException.class)
            .to("log:error")
        .end()
        // we can do some checks here
        .bean(PropagationBean.class, "propagateOnActiveDirectory")
        // otherwise, if step 1 is OK → Activiti
        .to("activiti:camelProcess:Create");
...
    from("activiti:camelProcess:Created")
        .bean(PropagationBean.class, "propagateToExtResource");
        // continue with other operations

Process definition
...
    <receiveTask id="Create" .. />
...
    <serviceTask id="Created" .. />
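The primary-resource-first ordering above, as a runnable harness. It is an added example, not code from the slides or from Syncope, and it shows that when the Active Directory step fails, neither the internal create nor the external propagation runs and the caller receives the error. It assumes Apache Camel (core, with the direct, bean and log components) on the classpath; `StubPropagation`, `createInternally`, the `direct:camel-create` endpoint and the use of `IllegalStateException` in place of `PropagationException` are hypothetical stand-ins, and the Activiti step is replaced by a stub method.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.camel.CamelExecutionException;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

public class PrimaryResourceFirstDemo {
    // Constructed stand-in for the slide's PropagationBean; records which steps ran.
    public static class StubPropagation {
        final List<String> steps = new ArrayList<>();
        boolean adAvailable = true;
        public void propagateOnActiveDirectory(String user) {
            if (!adAvailable) throw new IllegalStateException("AD create failed: " + user);
            steps.add("active-directory");
        }
        public void createInternally(String user) { steps.add("internal"); }
        public void propagateToExtResource(String user) { steps.add("external"); }
    }

    // Runs one create request and returns the steps that actually executed.
    static List<String> run(boolean adAvailable) throws Exception {
        StubPropagation bean = new StubPropagation();
        bean.adAvailable = adAvailable;
        DefaultCamelContext ctx = new DefaultCamelContext();
        ctx.addRoutes(new RouteBuilder() {
            @Override public void configure() {
                from("direct:camel-create")
                    // log the failure; it is not marked handled, so the caller still gets it
                    .onException(IllegalStateException.class).to("log:error").end()
                    .bean(bean, "propagateOnActiveDirectory")   // step 1: primary resource
                    .bean(bean, "createInternally")             // only reached if step 1 succeeded
                    .bean(bean, "propagateToExtResource");
            }
        });
        ctx.start();
        try {
            ctx.createProducerTemplate().requestBody("direct:camel-create", "jdoe");
        } catch (CamelExecutionException e) {
            bean.steps.add("error-returned-to-caller");
        } finally {
            ctx.stop();
        }
        return bean.steps;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("AD up:   " + run(true));
        System.out.println("AD down: " + run(false));
    }
}
```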
19. Provisioning Manager: Interaction
[Figure: interaction diagram. Labels: User Controller, UserTo, Provisioning Manager, PropagateOnActiveDirectory, PropagationResult, Activiti : Create, Propagate To Other Resource]
20. Apache Camel: Existing Component
What about previous components?
We have to adapt them to messages!
UserController (UserTo)
...
    template.send("vm:camel-create", user_exchange);
...
    WorkflowResult created =
        consumer.receiveBody("vm:controller-port", WorkflowResult.class);
21. Replace Activiti with Apache Camel ?
Camel seems to behave like a workflow engine: can we replace
Activiti?
NO!
22. Apache Camel Integration Proposal
WHAT DO YOU THINK ABOUT THIS PROPOSAL ?
Join the discussion on dev@syncope.apache.org