Once upon a time there was an idea to manage more than users and their accounts with midPoint. We moved beyond the boundaries of traditional, old-fashioned identity managers by introducing generic synchronization, which allows midPoint to synchronize and manage organizations, organizational units, groups, group membership and everything else related to identities. The limitation to identities was there only because of the field we operate in. The architecture and design of generic synchronization turned out to be so generic that we wondered whether we could manage even more.
When we spoke about "more" we thought about managing services, platforms and projects. Why would we want this? I didn't pay attention to it before either. I had heard about cloud management systems, project management systems and even tools for managing infrastructure a long time ago, but frankly speaking I couldn't imagine the purpose of integrating with them. I was concentrating all of my energy on implementing midPoint. After some time, though, I came to understand this need during my career as an Identity Engineer. Since I started doing deployments for customers I have come into contact with very different requirements. Not only were the requirements different, but so were the purposes for using identity management.
Some organizations have a high turnover of staff, so they need a reliable way to manage their employees. They need to be sure that employees who leave will not be able to abuse sensitive information. Other organizations grow quickly, so they need to assign permissions to new users promptly and avoid the time wasted when people lack access rights to important systems. Last but not least, there are organizations whose intention is to provide services to a wider population. This is the situation that made us think about managing more than identities – about managing services, projects, platforms or even infrastructure…
Nowadays it is not unusual for companies to move their infrastructure to the cloud. Clouds brought a lot of benefits, which I suppose I don't need to list. You can either use public clouds operated by different providers or you can choose to build your own private cloud. For our experiment we chose OpenStack. Our choice was a little bit influenced by the fact that some guys from the 'team' already had experience with it. Why did I write 'team'? Members of this team were not all from our company, and we even started in a garage.
There was a group of enthusiastic people who agreed to have some fun over the weekend. We organized a couple of hackathons where we tried different technologies and options. After some attempts we returned to the original idea and decided that the best way for us was to go with midPoint and OpenStack. Sure, we know that OpenStack has its own identity management and that Keystone is the component that does it. But from our point of view there were some deficiencies we wanted to improve on.
Just to remind you, we are a company operating in the Identity Management field, concentrating mostly on the organizational environment. Therefore we looked at the whole situation from the point of view an organization would have. Our aim wasn't, isn't and won't be to replace OpenStack or other management systems. We are happy that such products exist; our aim is simply to integrate with them and build a complete solution.
During one of the hackathons we started to implement an OpenStack Connector for midPoint. What is this connector? Well, since midPoint is compatible with both the OpenICF and ConnID frameworks and OpenStack has a REST API, we decided to use the existing scripted-rest connector, which spared us from reimplementing common functionality. Therefore the connector is just a few Groovy scripts making REST calls. The first and most attractive thing for us was the management of virtual machines. If you guessed that our first REST calls were for starting and stopping virtual machines, you were right! It was really exciting for us to see how easily we could start and stop a VM from midPoint. That success pushed us forward and we implemented more calls, such as calls for managing users, groups and projects.
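As an added illustration, not the connector's own Groovy scripts, here is a small Python sketch of the two REST calls the paragraph describes: a project-scoped Keystone v3 token request and a Nova start/stop server action. The allowlist of permitted actions (so the connector can only issue the operations it was designed for), the offline FakeOpenStack stub, and all URLs and credentials are assumptions constructed for this example.

```python
import json

# Nova server actions this connector is allowed to issue (assumed allowlist):
# midPoint operation name -> Nova action key.
ALLOWED_ACTIONS = {"start": "os-start", "stop": "os-stop"}


def keystone_auth_body(user, password, project, domain="Default"):
    """Keystone v3 password-auth request body, scoped to one project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "password": password,
                                           "domain": {"name": domain}}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def get_token(send, keystone_url, user, password, project):
    """POST /v3/auth/tokens; the token comes back in the X-Subject-Token header."""
    status, headers = send("POST", f"{keystone_url}/v3/auth/tokens", {},
                           keystone_auth_body(user, password, project))
    if status != 201:
        raise RuntimeError(f"Keystone auth failed with HTTP {status}")
    return headers["X-Subject-Token"]


def server_action(send, nova_url, token, server_id, action):
    """POST /servers/{id}/action with {"os-start": null} or {"os-stop": null}.
    Anything outside the allowlist is refused before any request is sent."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not permitted by connector: {action}")
    status, _ = send("POST", f"{nova_url}/servers/{server_id}/action",
                     {"X-Auth-Token": token}, {ALLOWED_ACTIONS[action]: None})
    return status == 202  # Nova answers 202 Accepted for server actions


class FakeOpenStack:
    """Constructed offline stand-in for Keystone and Nova; records every request."""
    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, json.dumps(body)))
        if url.endswith("/v3/auth/tokens"):
            return 201, {"X-Subject-Token": "constructed-token"}
        if headers.get("X-Auth-Token") != "constructed-token":
            return 401, {}
        return 202, {}
```

In a real deployment the `send` callable would be the connector's HTTP client and the token would be cached and refreshed rather than requested per operation.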
After the very first version we tried full integration with midPoint. It was cool to see information not only about users but also about the OpenStack projects they participate in, and even which virtual machines belong to which projects. However, for us it still wasn't satisfactory. Why? Because these are common midPoint features we use every day in almost every deployment in conjunction with other systems. So we wanted more: we wanted to prove that there is additional value if you decide to use midPoint for managing OpenStack. In such situations, I can fully recommend brainstorming.
Hackathons are exhausting, and you won't attend one unless you have a passion for coming up with something brilliant 🙂 . We were really tired and almost going mad from lack of sleep, but despite this we sat down and put our heads together to think about what more we could do. The answer was easier than we expected. We would manage not only projects, virtual machines, users and their access rights in OpenStack, but we would do the same inside each virtual machine. That means the access rights inside each concrete virtual machine! Since we already had a UNIX Connector as well, this was the easiest part.
The tricky part of management inside virtual machines was the integration with midPoint. That doesn't mean midPoint can't do it, but we wanted an automatic way to generate a resource definition for each virtual machine. Frankly speaking, we added an extra button to the midPoint GUI, but it is a rather hardcoded thing: the configuration has to be exactly right for it to work. But don't be upset, we have an idea for improvement and I really hope we are able to do it in the near future. Or do you want to help us? All help is more than welcome! 🙂
At the end of the day, we had full integration between midPoint and OpenStack and, what's more, we also had integration with the virtual machines running in OpenStack. We were proud of ourselves and wanted to share our enthusiasm with other people. What is the most suitable place to do so? If you guessed a conference, you were right. I'm glad I was selected to be the one to present not only our ideas but also our results and the real integration we built during these hackathons! I applied to the FOSDEM 2016 conference and was accepted as a speaker with a 40 minute time slot. I took it very seriously and prepared for a long time, as it was my first real talk at a real conference that was not in my native language.
After the presentation I felt something indescribable. It was a great feeling and I hope the audience liked my presentation as well. I must also mention that during my preparation for FOSDEM I started to communicate with one guy (Florin) from Mirantis who was trying to use midPoint for managing identities in OpenStack. His work was later presented at the OpenStack Summit 2016 in Austin. Great work as well, guys!
Since everyone expects a summary at the end of a blog post or any article, I'll try to provide one now as well. I know it was quite a long blog post, but I hope it wasn't too boring and you reached the end. So here it is.
We always try to experiment to see whether we keep up with modern concepts. So far, including this OpenStack integration, I think we have been successful, and it hasn't been a problem for us to adapt to and integrate with other systems, platforms or even applications. I see the integration with OpenStack as a great experience and a cool story which made us think about moving forward – maybe to the Internet of Things? Can you imagine how awesome it would be to manage access rights to the different devices, sensors or whatever else the upcoming IoT brings? By the way, we have already taken the very first step. In midPoint 3.4 you can look forward to a new concept of Services!