The LANKA GATE Initiative
Security Aspects
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Trends in user centric identities
• User in the middle of the identity transaction
• Governed by Seven Laws of Identity
• OpenID/Information Cards
Trends in user centric identities - OpenID
• Decentralized Single Sign On +
• Single profile across different domains +
• Easy profile maintenance +
• Authenticates once at the OpenID Provider +
• Phishing ???
• Different user experience
• Requires HTTPS + user education
Trends in user centric identities - Information Cards
• Phishing resistant authentication +
• Based on WS-* standards +
• Highly cryptographic solution +
• Authenticates only at the Identity Provider +
• Single user profile
• Different user experience
Trends in user centric identities
It’s NOT OpenID vs. Information Cards, but OpenID with Information Cards
Lanka Gate Architecture
Sri Lanka Country Portal
• Provides access to backend services through portlets [a single eService, several eServices from a specific project or transactional / mashup combination of eServices across several projects]
• Users log in to the country portal and authorized functionality will be available.
• How does authentication take place?
• How does authorization take place?
Identity as a Service
• Integrates identity services into application development
• Decouples identity related logic from individual application business logic
• User and identity-related data is externalized from the applications themselves
• Breaks identity silos
Identity as a Service
[Diagram: User Store, Identity Management Service]
Securing Sri Lanka Country Portal - Authentication
[Diagram: IdMRealm, Country Portal, Identity Provider [WSO2 Identity Solution], Identity Management Service, User Store. Link labels: HTTPS (three links), WS-Security (one link). Annotation: White/black listing OPs]
Securing Sri Lanka Country Portal - Authentication
Identity Provider [WSO2 Identity Solution]
• Username/password
• Self-issued InfoCard
• Client certificate

Securing Sri Lanka Country Portal - Authorization
Country Portal
• Passport Management Portlet
• Driving License Management Portlet
• EPF/ETF Management Portlet

Securing Sri Lanka Country Portal - Authorization
Country Portal
• Passport Management Portlet: Request Passport, Track Status
• Driving License Management Portlet: Request Driving License, Track Status
• EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF

Securing Sri Lanka Country Portal - Authorization
Country Portal
• Passport Management Portlet: Issue Passport, Reject Passport Requests, List Pending Requests
• Driving License Management Portlet: Request Driving License, Track Status
• EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF

Securing Sri Lanka Country Portal - Authorization
Country Portal
• Passport Management Portlet: Request Passport, Track Status
• Driving License Management Portlet: Issue Driving License, List Pending Requests
• EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF

Securing Sri Lanka Country Portal - Authorization
Country Portal
• Passport Management Portlet: Request Passport, Track Status
• Driving License Management Portlet: Request Driving License, Track Status
• EPF/ETF Management Portlet: List Pending Claims
Securing Sri Lanka Country Portal - Authorization
• Authorization logic should be handled by the corresponding service(s) behind the portlet [or maybe by the LIX].
[Diagram: Passport Management Service, Driving License Management Service, EPF/ETF Management Service, each labelled getPortlet(user)]
Securing Sri Lanka Country Portal - Summary
• The user store will be managed centrally through the Identity Management Service.
• The Country Portal will use OpenIDs for authentication with a white-listed OpenID Provider.
• Once a user is authenticated, the functionality that user is authorized for will be decided by evaluating authorization logic at the corresponding backend service.
Securing Sri Lanka Country Portal - Handling Authorization
• Each backend service needs to evaluate user rights.
• Application-specific authorization handling or standards-based authorization handling.
• Standards-based authorization with XACML
Securing Sri Lanka Country Portal - Authorization with XACML
• Defining policies
• “Passport service administrators can list all the pending passport requests”
[Diagram: Policy Administration Point/PAP [WSO2 Identity Solution], Policy Store [WSO2 Registry]. Link label: Define]
Securing Sri Lanka Country Portal - Authorization with XACML
• Evaluating policies
[Diagram: Request, Policy Decision Point/PDP [WSO2 Identity Solution], Policy Retrieval Point/PRP [WSO2 Identity Solution], Policy Store [WSO2 Registry], Policy Information Point/PIP [WSO2 Identity Solution], Identity Management Service. Link label: WS-Security]
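
The authorization slides above, from getPortlet(user) at the backend service to the policy decision, can be sketched as follows. This is an added example, not code from the deck or from WSO2 Identity Solution; the role names (citizen, passport_admin, suspended), the rule table and the "explicit Deny wins, otherwise deny unless permitted" behaviour are assumptions.

```python
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"

@dataclass(frozen=True)
class Rule:
    role: str        # subject attribute the rule matches (assumed role name)
    resource: str    # backend service the rule protects
    action: str      # operation offered through the portlet
    effect: str = PERMIT

# Constructed policy store. The fifth rule encodes the slide's policy:
# "Passport service administrators can list all the pending passport requests".
POLICY_STORE = [
    Rule("citizen", "passport", "Request Passport"),
    Rule("citizen", "passport", "Track Status"),
    Rule("passport_admin", "passport", "Issue Passport"),
    Rule("passport_admin", "passport", "Reject Passport Requests"),
    Rule("passport_admin", "passport", "List Pending Requests"),
    Rule("suspended", "passport", "Track Status", DENY),  # hypothetical deny rule
]

PASSPORT_OPERATIONS = ["Request Passport", "Track Status", "Issue Passport",
                       "Reject Passport Requests", "List Pending Requests"]

def evaluate(roles, resource, action, rules=POLICY_STORE):
    """Decision point: explicit Deny wins, then any Permit, else Deny."""
    matched = [r.effect for r in rules
               if r.role in roles and r.resource == resource and r.action == action]
    if DENY in matched:
        return DENY
    return PERMIT if PERMIT in matched else DENY   # no matching rule means Deny

def get_portlet(user):
    """Passport service side: return only the operations this user may see."""
    roles = set(user.get("roles", []))   # attributes a PIP would supply
    return [op for op in PASSPORT_OPERATIONS
            if evaluate(roles, "passport", op) == PERMIT]

if __name__ == "__main__":
    for user in ({"id": "alice", "roles": ["citizen"]},
                 {"id": "bob", "roles": ["passport_admin"]},
                 {"id": "carol", "roles": []}):
        print(user["id"], get_portlet(user))
```

Because the decision is made in the service and not in the portal, a user with no matching rule gets an empty portlet, and the same check has to run again when an operation is actually invoked.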
Securing Backend Services
[Diagram: Lanka Interoperability Exchange, Passport Management Service, Driving License Management Service, EPF/ETF Management Service. Link labels: WS-Security (three links)]
Other security aspects
• Auditing
– Every authentication and authorization decision has to generate an audit event
– Identity Management Service / PDP
– Secure logging – audit trails should preserve integrity
– XDAS - OpenXDAS
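
One way to make an audit trail of authentication and authorization decisions tamper-evident is to chain each record to the previous one with an HMAC. This is an added example, not code from the deck and not the XDAS/OpenXDAS API; the record fields, the key handling and the sample events are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # tag that precedes the first record

def _tag(key, prev_tag, event):
    # Canonical JSON, so the same event always produces the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

class AuditTrail:
    def __init__(self, key):
        self._key = key      # assumed to be held only by the logging service
        self.records = []    # each entry: {"event": {...}, "tag": "<hex>"}

    def record(self, source, subject, action, outcome):
        """Append one authentication or authorization decision."""
        event = {"seq": len(self.records), "source": source,
                 "subject": subject, "action": action, "outcome": outcome}
        prev = self.records[-1]["tag"] if self.records else GENESIS
        self.records.append({"event": event, "tag": _tag(self._key, prev, event)})

def first_tampered(records, key, head_tag=None):
    """Return the index of the first record that fails verification,
    len(records) if the trail is shorter than the separately stored
    head_tag implies, or None if the trail is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["event"].get("seq") != i:
            return i         # a record was removed or reordered
        if not hmac.compare_digest(rec["tag"], _tag(key, prev, rec["event"])):
            return i         # content or chaining was altered
        prev = rec["tag"]
    if head_tag is not None and not hmac.compare_digest(prev, head_tag):
        return len(records)  # records were cut from the end
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed value
    trail = AuditTrail(key)
    trail.record("IdentityManagementService", "alice", "authenticate", "success")
    trail.record("PDP", "alice", "List Pending Requests", "Deny")
    print(first_tampered(trail.records, key))        # intact trail
    trail.records[1]["event"]["outcome"] = "Permit"  # simulated tampering
    print(first_tampered(trail.records, key))
```

The chain alone cannot show that records were cut from the end, which is why the latest tag is passed in as head_tag from a location the log writer cannot modify.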
Thoughts, Suggestions & Discussion…..
- Thank You…!