Apache Syncope Offers Open Source Single Sign-On Identity Management
The Swiss organization SWITCH, which manages educational networks among universities and research facilities, is developing a secure digital identity for university members that will provide single sign-on capabilities and connections with other services.
For Swiss universities, the digital identity service is an evolution from current authentication and authorization infrastructures.
The organization recently selected Apache Syncope as the leading technology under consideration for the project beating contenders including CA, Dell, IBM, Microsoft, Oracle, SAP; niche players such as Sailpoint, Okta, OneLogin, ForgeRock, OpenIAM; and even open source Evolveum.
“Apache Syncope provides a well-developed and configurable workflow engine as well as a documented API for extensions. It allows starting in a small configuration that can be gradually extended over time,” SWITCH concluded in a report on response to its Request For Information (RFI). It noted Syncope’s integration with open source technologies as Shibboleth, among the key factors in its decision to go forward with a prototype built with Syncope.
Implemented in Java EE technology, Apache Syncope is designed to keep enterprise identity data consistent and synchronized across repositories, data formats, and models.
Among the new features:
- Native support managing workstations, printers, folders, sensors, services and more, which should be a boon for Internet of Things management.
- Multitenancy with physical separation of all data of different tenant into different database instance for cloud-based deployments.
- A redesigned admin and end user UI, including a self-service web application in which users can edit only their own information.
- New “getting started” and reference guides. Chicchiriccò calls documentation the most common missing feature in many open source projects.
Syncope connects through a JAX-RS 2.0 RESTful interface to third-party applications written in any programming language. Its pluggable design means every deployment can be designated from a provided list or customized. The provisioning layer relies on ConnId. It uses the Spring Framework for storage.
Roots in Italy
“Single accounts’ data are typically dispersed on various applications. In a typical organization, everyone has e-mail, time-tracking, ERP, CRM and so on. Normally, this works out just fine whenever someone joins the organization but becomes troublesome in case of promotion or [when someone] leaves. That could set some serious security threats,” Chicchiriccò explained in an interview.
Apache Syncope can create a virtual representation of the information to let administrators deal with it. It also provides powerful reporting and extraction tools are for business executives, he said.
Chicchiriccò and the project’s other founders were instructors of Sun Microsystems technology in Italy and worked for a service integrator there when Oracle acquired Sun in 2010. Alarmed at the prospect that Oracle would make Sun’s technology proprietary, they set out to build their own open source identity management solution from scratch.
Syncope entered the Apache Incubator in February 2012 and became a top-level project in November 2012.
It’s vital that open source projects are not solely the work of a single company, Chicchiriccò said, and being under the purview of the Apache Software Foundation adds to its legitimacy with customers.
“When some prospective customer challenges me with, ‘Shall I trust that Tirasa will still be in business in five years?’, I can frankly answer ‘Possibly. Remember that six years ago no one thought that Sun Microsystems could be acquired. Anyway, I bet that the Apache Software Foundation will still be around for longer.”
Tirasa also is contributing to the middleware and to the integration of security services in the CHOReVOLUTION platform. Funded by the European Union’s Horizon 2020 research and innovation program, it’s focused on developing technologies for distributed coordination of services for the Internet of the future.
Going forward, the project will further address support for well-established standards such as OAuth 2.0, OpenID Connect and SAML 2.0 to allow tighter integration with mobile devices and real-time customization of system core components to add more deployment flexibility.