WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem
![Page 1: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/1.jpg)
Case Study : Identity in the WSO2 Ecosystem
Dimuthu Leelarathne, Director, WSO2
![Page 2: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/2.jpg)
Story of Dogfooding WSO2 Identity Server!
![Page 3: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/3.jpg)
Identities in the WSO2 Ecosystem
• Employees
• Customers
• Open-source community
![Page 4: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/4.jpg)
Edgar joins WSO2 Engineering Team
• Infra provisions him to all these systems
– Google Apps
– Internal LDAP
• Edgar self-signs up to
– wso2.com → wso2.com, OT Jira
• Support manager provisions him to
– PMT and Support JIRA
![Page 5: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/5.jpg)
Deployment of Systems 2015 September
![Page 6: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/6.jpg)
Cathy is from WSO2 Open-source Community
• Cathy of abc.com self-signs up to wso2.com to test WSO2 IS. She gets → OT Jira
• abc.com becomes a customer
• She gets an invitation email → automatically provisioned to Support JIRA
![Page 7: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/7.jpg)
Deployment of Systems 2015 Q4
![Page 8: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/8.jpg)
Redefine Identity in WSO2!
• Use WSO2 IS for the best enterprise Identity Solution
• Centralized identity management
– Provide Single Sign-On
– Manage user identity centrally, provision vs. syncing
• Define the concept of “one person”
– A person’s attributes change
• Multi-factor authentication for GoogleApps
![Page 9: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/9.jpg)
WSO2 Identity Server
• APIs to integrate identity management to any application
• Multi-factor authentication
• Federation and Single Sign-On (SSO) via SAML2, OpenID Connect
• Delegation via OAuth, OAuth 2.0 and WS-Trust
• Many cloud connectors - https://store.wso2.com
![Page 10: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/10.jpg)
WSO2 Identity Server
• User and groups provisioning
• User and groups management
• Multiple user store support
• Password policies
• Account locking
• Entitlement - RBAC, XACML
![Page 11: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/11.jpg)
Single Sign-On
• Provide credentials once (to a 3rd party) and obtain access to many apps
• Reduce password exhaustion
• Central control of the identity
– Increased security
– Reduce redundancy
![Page 12: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/12.jpg)
SAML2.0 Web Profile
• Widely supported by many service providers
• OASIS open standard
• XML based assertions
![Page 13: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/13.jpg)
Customer Identity vs Employee Identity
• Scale
• Centrally controlled vs. Distribution
• Self-service and JIT
• Low assurance vs. high assurance
• Different focus areas - market driver, individual, UX
![Page 14: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/14.jpg)
Identity Server for SSO
![Page 15: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/15.jpg)
Attributes of a Person Change
• A person can change email address and other attributes
• The person object must stay the same
• Given a set of unique attribute values we should be able to find the person
![Page 16: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/16.jpg)
Provisioning
• Auto-provisioning to
– GoogleApps
– Concur
– External LDAP
• Auto deprovision
![Page 17: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/17.jpg)
SCIM Implementation
• Cross domain identity provisioning standard
• Adopted by many vendors and SaaS apps
• Supports user/group provisioning via REST/JSON API
• IS Supports SCIM 1.1
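To make this slide's SCIM 1.1 provisioning concrete, together with the “Attributes of a Person Change” and “Provisioning” slides above, here is an added example that is not WSO2 code: a constructed in-memory SCIM 1.1 user store in which the server-assigned id is the stable person key, while userName and emails are mutable, indexed attributes that can change without changing the person, and deprovisioning removes the account with every index entry. The class, its methods and the sample values are assumptions for illustration only.

```python
import uuid

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema URN


class ScimUserStore:
    def __init__(self):
        self.users = {}        # server id -> SCIM user resource
        self.by_username = {}  # userName -> id   (unique attribute index)
        self.by_email = {}     # email value -> id (unique attribute index)

    def _index(self, user, remove=False):
        # Keep the secondary indexes in step with the user's unique attributes.
        keys = [(self.by_username, user["userName"])]
        keys += [(self.by_email, e["value"]) for e in user.get("emails", [])]
        for idx, key in keys:
            if remove:
                idx.pop(key, None)
            else:
                idx[key] = user["id"]

    def create(self, resource):
        # SCIM POST /Users: validate the schema, assign a server id, index.
        if resource.get("schemas") != [SCIM_CORE]:
            raise ValueError("unsupported schema")
        if "userName" not in resource:
            raise ValueError("userName is required")
        if resource["userName"] in self.by_username:
            raise ValueError("userName already exists")  # would be HTTP 409
        user = dict(resource, id=str(uuid.uuid4()))
        self.users[user["id"]] = user
        self._index(user)
        return user

    def replace(self, user_id, resource):
        # SCIM PUT /Users/{id}: attributes are swapped out, the id is kept, so
        # a changed email still resolves to the same person.
        self._index(self.users[user_id], remove=True)
        user = dict(resource, id=user_id)
        self.users[user_id] = user
        self._index(user)
        return user

    def deprovision(self, user_id):
        # SCIM DELETE /Users/{id}: drop the account and every index entry.
        user = self.users.pop(user_id)
        self._index(user, remove=True)
        return user

    def find_by_email(self, email):
        uid = self.by_email.get(email)
        return self.users[uid] if uid else None
```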
![Page 18: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/18.jpg)
Identity Server for Provisioning
![Page 19: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/19.jpg)
LDAP Syncing vs Provisioning to Systems
• LDAPs are replicated and synced with each other in batch mode periodically
• Provisioning works with “callbacks” and then updates the user on the remote system
• Modern systems work with trusted third parties
– No need to keep credentials
– Provisioning via SCIM, other APIs or auto-provisioning
![Page 20: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/20.jpg)
Multi-factor authentication for GoogleApps
• Identity is
– Something you know
– Something you have
– Something you are
• Use two of the above mechanisms
• Can use SMSOTP, TOTP for GoogleApps → in case the phone is misplaced
![Page 21: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/21.jpg)
Let’s look at Edgar again
• Every morning Edgar logs into accounts.apps.wso2.com
• Each time Edgar wants to log in to OT JIRA/Support JIRA he has to sign in.
![Page 22: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/22.jpg)
Identity Across two Domains
![Page 23: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/23.jpg)
WSO2 Identity Server Architecture
![Page 24: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/24.jpg)
One-Click Operation to Add an IdP
![Page 25: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/25.jpg)
Use of Federation
• Identity Federation - Using same identity or mapping of identity across multiple applications
• SSO is a federation pattern
• We need to use same identity in applications across two different domains
![Page 26: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/26.jpg)
Identity Across two Domains
![Page 27: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/27.jpg)
Identity Server for Federation
![Page 28: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/28.jpg)
Federation in Identity Server
![Page 29: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/29.jpg)
Let’s look at Edgar again
• Every morning Edgar logs into accounts.apps.wso2.com, but OT JIRA requires him to click on a link
![Page 30: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/30.jpg)
Extensibility of Identity Server
![Page 31: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/31.jpg)
Back Channel Authenticator
• Edgar writes a custom authenticator
– Sets a cookie valid for both domains by the internal IdP
– Checks the cookie by the external IdP
→ No more middle screen prompting
• Edgar’s authenticator is deployed!
![Page 32: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/32.jpg)
Cathy Leaves abc.com
• Removed from abc.com support account
• Cathy joins WSO2
– Auto-provisioned into the systems
– Maintains open-source profile separately (Consumer identity vs. Employee identity)
![Page 33: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/33.jpg)
Current implementation of the Project
![Page 34: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/34.jpg)
Future
• Authorization for Apps
![Page 35: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem](https://reader033.vdocuments.net/reader033/viewer/2022051507/58779c9a1a28ab0f778b7237/html5/thumbnails/35.jpg)
Thank You