leveraging federation capabilities of identity server for api gateway

Post on 15-Jan-2015


DESCRIPTION

This presentation will discuss how WSO2 Identity Server 5.0 can bridge the gap between an organization's API management and identity management of existing users to allow them to create and/or consume the APIs.

TRANSCRIPT

Last Updated: July 2, 2014

Pushpalanka Jayawardhana, Software Engineer

Leveraging Federation Capabilities of Identity Server for API Gateway

**

About the Presenter

๏ Pushpalanka Jayawardhana - Software Engineer

email: lanka@wso2.com

Pushpalanka is a member of WSO2 Identity Server team, focusing on security and integration. In addition to the development efforts, she has been involved in several consulting customer engagements, providing solutions for various requirements in different domains.

**

About WSO2

๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source

๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments

๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.

๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.

๏ Driven by Innovation

๏ Launched first open source API Management solution in 2012

๏ Launched App Factory in 2Q 2013

๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013

**

What WSO2 delivers

**

Outline

๏ Scenario

๏ Deployment - IS as Key Manager for API Gateway

๏ Configuration Steps

๏ Federation Capabilities of IS 5.0.0

๏ Deployment - Extend to use an Existing IAM (Shibboleth IDP)

๏ Expandability

๏ Q&A

**

Scenario

[Diagram labels: Web Apps; SAML SSO]

Shibboleth® is a registered trademark of Internet2®.

**

Scenario

[Diagram labels: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager; SAML SSO]

**

Scenario

[Diagram labels: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0]

**


Deployment - IS as Key Manager for API Gateway

**

Configuration Steps

Create the databases:

๏ WSO2REG_DB: keep the registry information

- use <IS_HOME>/dbscripts/<database_type>.sql

๏ WSO2UM_DB: store permissions and the internal roles

- use <IS_HOME>/dbscripts/<database_type>.sql

๏ WSO2AM_DB: keep the identity data and API-related data

- use <APIM_HOME>/dbscripts/apimgt/<database_type>.sql and <IS_HOME>/dbscripts/identity/<database_type>.sql

**

Configuration Steps (Ctd.)

In Identity Server:

๏ Install the ‘key manager’ feature

๏ Copy api-manager.xml from API-M 1.7.0

๏ Do configurations to point to Gateway

๏ Configure JWT generation

๏ Add data sources in master-datasources.xml

๏ Copy registry.xml from API-M 1.7.0

๏ Do the registry mounts

๏ Add handler for XACML media type

๏ Point identity.xml to use datasource AM_DB

๏ Point user-mgt.xml to use datasource UM_DB

**

Configuration Steps (Ctd.)

In API Manager:

๏ Add data sources in master-datasources.xml

๏ Copy registry.xml from API-M 1.7.0

๏ Do the registry mounts

๏ Point user-mgt.xml to use datasource UM_DB

๏ In api-manager.xml:

๏ Configure AuthManager and APIKey Manager

๏ Point available default APIs to use IS endpoints
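The datasource steps above are easy to get subtly wrong on one of the two nodes, so the following added example (not part of the original slides or WSO2's own code) checks that identity.xml and user-mgt.xml reference datasources that are actually declared, and that the Identity Server and API Manager nodes resolve each datasource to the same database. The XML element layout, host name and schema names in the samples are assumptions constructed for illustration, and it assumes both nodes are meant to share the databases created in the first step.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed samples; the element layout is an assumption, not from the slides.
# Real files may carry an XML namespace on the root element, which this sketch omits.
IS_MASTER = """<datasources-configuration><datasources>
  <datasource><name>WSO2AM_DB</name>
    <jndiConfig><name>jdbc/WSO2AM_DB</name></jndiConfig>
    <definition type="RDBMS"><configuration>
      <url>jdbc:mysql://db.example.internal:3306/apimgt</url>
    </configuration></definition></datasource>
  <datasource><name>WSO2UM_DB</name>
    <jndiConfig><name>jdbc/WSO2UM_DB</name></jndiConfig>
    <definition type="RDBMS"><configuration>
      <url>jdbc:mysql://db.example.internal:3306/userdb</url>
    </configuration></definition></datasource>
</datasources></datasources-configuration>"""
# Constructed drift: the API Manager node points WSO2AM_DB at a different schema.
APIM_MASTER = IS_MASTER.replace("3306/apimgt<", "3306/apimgt_local<")
IDENTITY_XML = """<Server><JDBCPersistenceManager><DataSource>
  <Name>jdbc/WSO2AM_DB</Name></DataSource></JDBCPersistenceManager></Server>"""
USER_MGT_XML = """<UserManager><Realm><Configuration>
  <Property name="dataSource">jdbc/WSO2UM_DB</Property>
</Configuration></Realm></UserManager>"""

def declared(master_xml):
    """Map each JNDI name declared in the datasource file to its JDBC URL."""
    urls = {}
    for ds in ET.fromstring(master_xml).iter("datasource"):
        jndi = (ds.findtext("jndiConfig/name") or "").strip()
        if jndi:
            urls[jndi] = (ds.findtext("definition/configuration/url") or "").strip()
    return urls

def dangling(master_xml, identity_xml, user_mgt_xml):
    """Files whose datasource reference is missing or not declared on this node."""
    refs = {
        "identity.xml": ET.fromstring(identity_xml).findtext(".//DataSource/Name"),
        "user-mgt.xml": ET.fromstring(user_mgt_xml).findtext(
            ".//Property[@name='dataSource']"),
    }
    known = declared(master_xml)
    return sorted(f for f, ref in refs.items() if (ref or "").strip() not in known)

def drift(is_master_xml, apim_master_xml):
    """JNDI names that the two nodes do not resolve to the same JDBC URL."""
    a, b = declared(is_master_xml), declared(apim_master_xml)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

if __name__ == "__main__":
    print("dangling references:", dangling(IS_MASTER, IDENTITY_XML, USER_MGT_XML))
    print("drift between nodes:", drift(IS_MASTER, APIM_MASTER))
```

A non-empty drift result for the AM datasource means tokens issued by the Key Manager would be stored somewhere the gateway node does not read.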

**


Federation Capabilities of IS

๏ Federation between multiple heterogeneous identity providers

๏ SSO between heterogeneous standards/protocols

๏ Out-of-the-box integration with Google Apps and Salesforce

๏ Home realm discovery - deriving user's home IDP from the request

**


Delegate Authentication to Shibboleth

๏ Configure Shibboleth IDP as an IDP in Identity Server

๏ Configure default SP to use above configured IDP.

**

Expandability of Solution

SSO between heterogeneous standards/protocols

[Diagram labels: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0; OpenID; SalesForce; LifeRay; GoogleApps; Drupal]

**

Expandability of Solution

Federation between multiple heterogeneous identity providers

[Diagram labels: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0; OpenId; Google Apps; FaceBook; Custom-]

**

More Information !

๏ Download WSO2 Identity Server (latest version 5.0.0) from http://wso2.com/products/identity-server

๏ Download WSO2 API Manager (latest version 1.7.0) from http://wso2.com/products/api-manager/

๏ Set up Identity Server 5.0.0 as Key Manager for API Manager 5.0.0 - https://docs.wso2.com/display/CLUSTER420/Configuring+WSO2+Identity+Server+as+the+Key+Manager

๏ Identity Server 5.0.0 documentation - https://docs.wso2.com/display/IS500/WSO2+Identity+Server+Documentation

๏ Configure Shibboleth with WSO2 products - http://dulanja.blogspot.com/2013/09/saml2-sso-to-wso2-420-carbon-products.html

๏ Enterprise Directory of APIs and Service Bus (University of Michigan Use case) - https://spaces.internet2.edu/display/itana/University+of+Michigan

**

Business Model

Contact us !
