Identity Lab seeks to provide an automated, standardized way in which to explore Identity and Access Management (IAM) topics, procedures, and products.
When exploring Identity and Access Management concepts and software, one of the big challenges is trying to experiment with realistic scenarios and data while protecting the production environments that you want to ultimately protect.
This lab seeks to allow the user to explore Identity and Access Management (IAM) concepts, ideas, practices, and products, using the most common infrastructure and endpoint types. Providing a hands-on approach instead of a theoretical one has always worked better for me, and I hope it does for you too.
The IAM server includes scripts to install and configure the following IAM products:
- WSO2 Identity Server (also on GitHub)
- Aerobase
- Apache Syncope - identity lifecycle management, identity storage, provisioning engines, and access management
- Central Authentication Services (CAS)
- FreeIPA - centralized authentication and authorization for Linux systems. This is the "Identity Server" role previously bundled with Red Hat Enterprise Linux / CentOS.
- MidPoint - identity management and identity governance
- OpenIAM - single sign-on, user and group management, flexible authentication, and automated provisioning. An Identity Governance product is also available.
- Shibboleth Consortium - web single sign-on, authentication, and user data aggregation. Can perform policy enforcement on authentication requests.
- Soffid - single sign-on and identity management through identity provisioning, workflow features, reporting, and a unified directory.
Through my job, I have access to commercial, closed-source IAM products that I like to kick around in this space from time to time. I would like to include rudimentary, skeletal support for these, but they will not be fully supported. If you want to try your hand at them, be my guest, but you have to provide your own install packages.
- Sailpoint IdentityIQ
- Symantec Identity Manager - formerly known as CA Identity Manager
NOTE: This lab is deliberately designed to be insecure. No attempt is made to secure passwords or other secrets, especially in the Docker configurations. It has not been hardened and runs with default vagrant credentials. Its primary purpose is to provide visibility into each application, host, and resource. Please do not connect or bridge it to any networks you care about.
Identity Lab is currently in heavy development and not yet in a turnkey-usable state. I try to regularly incorporate updates from the upstream Detection Lab project, but I can't make promises as to timeliness. See the Roadmap below for priorities and progress.
- 2 Jan 2023 : Life got busy and I stopped work on this project for a time. I'm back to work on it, but my first few updates will likely be just refreshing the current state and merging changes from upstream.
- 23 June 2021: I recently lost my home lab, including my Hyper-V and LibVirt servers. I have a good lead on a replacement LibVirt server, but the other Vagrant providers will likely have to wait.
Current Version: 0.0 (pre-release)
- Improve reliability of VM provisioning (VirtualBox). (In progress)
- Complete the "iam" VM with a basic set of Docker configurations to get most of the IAM products running in containers from a single install shell script.
- Complete the "iam" VM that provides the WSO2 Identity Server. (VirtualBox)
- Complete the "web" VM that incorporates the WSO2 Sample Applications for demonstration of inventory, provisioning, and SSO. (Project 1.0 milestone, first turnkey version.) (VirtualBox)
- Decision point: Complete the 1.0 milestone for other Vagrant providers (e.g., LibVirt) or proceed to 2.0 under VirtualBox?
Naturally, this is all subject to change. Under each major version is the same minor version release schedule, based on the Vagrant providers. Providers that require a financial commitment (e.g., AWS, Azure, Hyper-V) will be delayed depending on how my finances are going, and unless I discover a way to run ESXi on the cheap, it probably won't ever be supported. My job is beginning to do some work with Azure, so it will likely be the first viable cloud platform.
Bug fix releases will be reflected in the build version number (e.g., x.x.1, x.x.2).
These products are currently listed alphabetically, but the order will almost certainly shuffle as I learn which are more complicated and which are less.
- Version 1.0: WSO2 Identity Server under VirtualBox
- Version 1.1: WSO2 Identity Server under LibVirt
- Version 1.2: WSO2 Identity Server under Hyper-V
- Version 1.3: WSO2 Identity Server under Azure (depends on financial resources)
- Version 1.4: WSO2 Identity Server under AWS (depends on financial resources)
- Version 1.5: WSO2 Identity Server under Oracle Cloud (depends on financial resources)
- Version 2.0: Aerobase
- Version 3.0: Apache Syncope
- Version 4.0: Central Authentication Services (CAS)
- Version 5.0: FreeIPA
- Version 6.0: MidPoint
- Version 7.0: OpenIAM
- Version 8.0: Shibboleth
- Version 9.0: Soffid
Identity Lab incorporates Chris Long's excellent Detection Lab project. Detection Lab demonstrated how to automate the building of a Windows Domain Controller, a task that had previously seemed too massive to tackle. Once I cleared that hurdle, the rest of the path became clear. Read more about Detection Lab on the project web site, on GitHub, or on Medium. By incorporating the Detection Lab project, Identity Lab is able to provide a Windows domain with security tools and consolidated system logging, enabling easier review of the impact of IAM products and procedures.
Identity Lab also incorporates the BadBlood toolkit, populating the lab's Active Directory domain with test data. This can aid in IAM experiments that target Active Directory and Windows. You can get more information on the project web site or on GitHub.
Caution: BadBlood makes irrevocable changes to the AD domain against which it runs.
The sample applications are mostly from the WSO2 Sample Applications project. You can read more in the WSO2 Tutorial or check out the GitHub repo.
If you only want to run hosts, you only need a valid, working Vagrant environment with sufficient resources to run the machine images. If you want to customize the machine images used in Identity Lab, you will need additional tools and resources.
Identity Lab was developed on Elementary Linux using Vagrant 2.x with an Oracle VirtualBox provider. Vagrant supports other host OSes and providers, and while those should work fine, they have not been tested. At this time, I cannot provide assistance with other providers.
- 55GB+ of free disk space
- 16GB+ of RAM highly recommended (for reference, my test machine has 32GB and 48GB, respectively)
- Vagrant 2.2.9+
- Oracle VM VirtualBox 6.1.16+
Note: I encountered a bug in VirtualBox 6.1.14 that caused Vagrant machine builds to fail. This bug was fixed in 6.1.16. While this isn't a very big deal in these VirtualBox 7.x days, I mention it because you never know...
If you want to customize the machine images by building your own Vagrant boxes, you will also need the following resources:
- Packer 1.6.0+
Incorporating the Detection Lab project means Identity Lab has many of the same requirements. You should also check the Detection Lab requirements as described on the project web site. These resources may provide enough information to get Identity Lab running on a different Vagrant provider, such as LibVirt or AWS.
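A preflight script that checks a host against the minimums listed above before you run `vagrant up`. This is an added example, not part of the Identity Lab or Detection Lab projects; it assumes a Linux host (RAM is read from /proc/meminfo) and that `vagrant`, `VBoxManage` and `packer` are on the PATH when installed.

```shell
#!/bin/sh
# Preflight check for the Identity Lab host requirements above (added example, not part of
# the project). Minimums from the README: Vagrant 2.2.9, VirtualBox 6.1.16, Packer 1.6.0,
# 55GB free disk, 16GB RAM. Run it from the directory where the lab will be cloned.

# extract_version TEXT -> first dotted number in TEXT ("Vagrant 2.2.19" -> 2.2.19, "6.1.16r140961" -> 6.1.16)
extract_version() {
    printf '%s\n' "$1" | sed -n 's/[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# version_ge A B -> exit 0 when dotted version A >= B, comparing up to three numeric parts
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i"); y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# check_tool LABEL MIN COMMAND... -> one status line; returns 1 if the tool is missing or too old
check_tool() {
    label=$1; min=$2; shift 2
    command -v "$1" >/dev/null 2>&1 || { echo "MISSING  $label (need $min+)"; return 1; }
    have=$(extract_version "$("$@" 2>/dev/null | head -n 1)")
    version_ge "${have:-0}" "$min" && { echo "OK       $label $have"; return 0; }
    echo "TOO OLD  $label $have (need $min+)"; return 1
}

# check_min LABEL VALUE MIN -> one status line; returns 1 when VALUE (GB, may be empty) is below MIN
check_min() {
    [ "${2:-0}" -ge "$3" ] && { echo "OK       $1 ${2}GB"; return 0; }
    echo "LOW      $1 ${2:-?}GB (need ${3}GB+)"; return 1
}

main() {
    rc=0
    check_tool Vagrant 2.2.9 vagrant --version || rc=1
    check_tool VirtualBox 6.1.16 VBoxManage --version || rc=1   # 6.1.14 is known to break builds
    check_tool Packer 1.6.0 packer --version || true            # only needed to build custom boxes
    free_gb=$(df -Pk . | awk 'NR == 2 { print int($4 / 1048576) }')
    ram_gb=$(awk '/^MemTotal:/ { print int($2 / 1048576) }' /proc/meminfo 2>/dev/null || true)
    check_min "free disk" "$free_gb" 55 || rc=1
    check_min RAM "$ram_gb" 16 || rc=1
    return "$rc"
}

main "$@" || echo "Preflight failed: fix the items above before running 'vagrant up'."
```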
In progress.
Currently, the architecture is a bit of a mess as I refactor from single VMs to a container architecture.
- dc.windomain.local - Windows Server 2016, Active Directory, domain controller - an AD endpoint for identity provisioning
- iam - Ubuntu 20.04 - the IAM host server for whichever IAM solution you are exploring
- logger - Ubuntu 18.04 - log consolidation for AD and provisioning
- web - Ubuntu 20.04 - the web server for the sample web applications - testing web and API provisioning
- win10 - Windows 10 - an AD client for testing provisioning and local client identity discovery
- dc.windomain.local - Windows Server 2016, Active Directory, domain controller - an AD endpoint for identity provisioning
- container1 - Ubuntu - container server 1 - hosts containers that provide IAM server, sample web applications, database provisioning targets, and more
- container2 - Ubuntu - container server 2 - hosts containers that provide IAM server, sample web applications, database provisioning targets, and more
- win10 - Windows 10 - an AD client for testing provisioning and local client identity discovery
Do you have an IAM solution or package that you would like to see included in Identity Lab? Open an issue and let's discuss it!
If you want to contribute code, please do all of your development in a feature branch on your own fork of Identity Lab. Contribution guidelines can be found here: CONTRIBUTING.md