Identity Management Best Practices with WSO2 Identity Server

Johann Dilantha Nallathamby

WSO2

Senior Software Engineer

The Computing Troika

Three disrupting forces of the new information age

MobileDesktopNotebooksTabletsSmart PhonesBYODMDM

SocialInternal usersPartnersCustomersProspectsLeadsBYOI

CloudPublicPrivateHybridOn Premise

Security

The Connected Business

● Extended Enterprise● Globalization● Agile business processes● Dynamic organizational policies● Economies of Scale● Innovation● Identity explosion

The Traditional Approach to Security

The Traditional Approach to Federation

FederationPartner 1Directory

FederationPartner 2Directory

FederationPartner 3Directory

ConsumerService 1

ConsumerService 2

ConsumerService 3

The New Approach to Federation

Identity as a Service model

FederationPartner 1Directory

FederationPartner 2Directory

FederationPartner 3Directory

ConsumerService 1

ConsumerService 2

ConsumerService 3

IdentityAsa

Service

Identity Management Tools and Practices

● Versatile authentication● Context based access management● Identity Provisioning● Identity Delegation● Identity Federation

Versatile Authentication

ConsumerServiceAuthentication

What you knowPasswords

Secret questions

What you areFingerprint

RetinaFace Recognition

What you haveTokensSAMLX509

KerberosOTP

Cards

Policy??

Context Based Access Control - XACML

● Policy based● Declarative● Externalized● Fine Grained

ConsumerServiceAuthorization

ContextSubjectResourceActionEnvironment

XACML

Auditing

ConsumerService

ContextSubjectResourceActionEnvironment

BusinessActivityMonitor

ComplexEvent

Processor

Audit

Log files

Enforcing AAA

● Factor out the authentication, authorization and auditing● Examples:

Axis2 handlers WSO2 ESB mediators Synapse handlers Java Servlet Filters

● Agents exist to be deployed

ConsumerServiceAuthorizationAuthentication Audit

ConsumerService

ConsumerService

Identity Provisioning

● Proprietary APIs are not going to work● SPML is kind of dead SCIM is widely adopted by major cloud vendors

- Simple RESTful interactions with JSON payload

Identity Delegation

● WS-Trust

Domain A

Domain B

WS-Trust Client

Security TokenService (STS)

ProtectedResource

1

2 3

4

Identity Delegation

● OAuth2

Identity Federation

“The agreements, standards and technologies that make Identity and Entitlements portable across autonomous domains”

- Burton Group

● OpenID● SAML2 Web SSO● WS-Federation Passive Requester Profile● WS-Trust● WS-Federation Active Requester Profile● Assertion Profiles for OAuth2● OpenIDConnect

Identity and Attribute Federation

● Identity Federation Account mapping Account linking Pseudonym

- Transient- Persistent

Out-of-band

● Attribute Federation Mapping user attributes names of one system to another Mapping user attribute values of one system to another

- E.g. role mappings between IdP roles and Shared roles for SaaS applications

Branding and customizing the User View – My Identity

●

Branding and customizing the User View – Login, Consent and Error pages

WSO2 Identity Server Reference Deployment Pattern 1

InternalUser

Directory

WSO2 IS

DMZ Green Zone

ApplicationServer

WSO2 IS

ExternalUser

Directory

ApplicationServer

WSO2 Identity Server Reference Deployment Pattern 2

UserDirectory

WSO2 IS

Yellow Zone

DMZ Green Zone

ApplicationServer

WSO2 IS

Thank You