WSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity Server
Identity Management Best Practices with WSO2 Identity Server
Johann Dilantha Nallathamby
WSO2
Senior Software Engineer
The Computing Troika
Three disrupting forces of the new information age
Mobile: Desktop, Notebooks, Tablets, Smart Phones, BYOD, MDM
Social: Internal users, Partners, Customers, Prospects, Leads, BYOI
Cloud: Public, Private, Hybrid, On Premise
Security
The Connected Business
● Extended Enterprise
● Globalization
● Agile business processes
● Dynamic organizational policies
● Economies of Scale
● Innovation
● Identity explosion
The Traditional Approach to Security
The Traditional Approach to Federation
[Diagram: Federation Partner 1, 2 and 3 Directories; Consumer Services 1, 2 and 3]
The New Approach to Federation
Identity as a Service model
[Diagram: Federation Partner 1, 2 and 3 Directories; Consumer Services 1, 2 and 3; Identity as a Service]
Identity Management Tools and Practices
● Versatile authentication
● Context based access management
● Identity Provisioning
● Identity Delegation
● Identity Federation
Versatile Authentication
[Diagram: Consumer Service, Authentication]
What you know: Passwords, Secret questions
What you are: Fingerprint, Retina, Face Recognition
What you have: Tokens (SAML, X509, Kerberos, OTP), Cards
Policy??
Context Based Access Control - XACML
● Policy based
● Declarative
● Externalized
● Fine Grained
[Diagram: Consumer Service, Authorization; Context: Subject, Resource, Action, Environment; XACML]
Auditing
[Diagram: Consumer Service; Context: Subject, Resource, Action, Environment; Business Activity Monitor, Complex Event Processor, Audit Log files]
Enforcing AAA
● Factor out the authentication, authorization and auditing
● Examples:
- Axis2 handlers
- WSO2 ESB mediators
- Synapse handlers
- Java Servlet Filters
● Agents exist to be deployed
[Diagram: Consumer Services; Authentication, Authorization, Audit]
Identity Provisioning
● Proprietary APIs are not going to work
● SPML is kind of dead
● SCIM is widely adopted by major cloud vendors
- Simple RESTful interactions with JSON payload
Identity Delegation
● WS-Trust
[Diagram: Domain A, Domain B; WS-Trust Client, Security Token Service (STS), Protected Resource; numbered steps 1-4]
Identity Delegation
● OAuth2
Identity Federation
“The agreements, standards and technologies that make Identity and Entitlements portable across autonomous domains”
- Burton Group
● OpenID
● SAML2 Web SSO
● WS-Federation Passive Requester Profile
● WS-Trust
● WS-Federation Active Requester Profile
● Assertion Profiles for OAuth2
● OpenID Connect
Identity and Attribute Federation
● Identity Federation
- Account mapping
- Account linking
- Pseudonym
  - Transient
  - Persistent
- Out-of-band
● Attribute Federation
- Mapping user attribute names of one system to another
- Mapping user attribute values of one system to another
  - E.g. role mappings between IdP roles and Shared roles for SaaS applications
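As an added example (not from the slides and not WSO2 Identity Server code), the two kinds of attribute federation above feeding the SCIM provisioning request from the Identity Provisioning slide: a function that maps a partner IdP's attribute names onto SCIM User attribute paths and its role values onto the SaaS application's shared roles, carrying a persistent pseudonym as externalId for account linking. The IdP attribute names, the role names, the sample assertion and the SCIM 2.0 (RFC 7643) schema URI are assumptions of this example.

```python
# SCIM 2.0 core User schema URI (RFC 7643); the slides name SCIM but no version.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Attribute NAME mapping: partner IdP attribute names (constructed for this
# example) onto SCIM User attribute paths understood by the consumer's API.
NAME_MAP = {"uid": "userName", "mail": "emails", "memberOf": "roles",
            "firstName": "name.givenName", "surname": "name.familyName"}

# Attribute VALUE mapping: IdP roles onto the shared roles of the SaaS
# application. An IdP role with no entry here is dropped, not passed through.
ROLE_MAP = {"IdP_Sales": "saas-sales", "IdP_Admins": "saas-admin"}


def _set_path(obj, path, value):
    """Assign a dotted SCIM path such as name.givenName inside a nested dict."""
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def build_scim_user(idp_attrs, pseudonym=None):
    """Map a federated IdP attribute set onto a SCIM User provisioning payload.
    Unmapped IdP attributes are ignored; a persistent pseudonym, if given, becomes
    externalId, the account-linking key, so the IdP-side identifier is never sent.
    """
    user = {"schemas": [SCIM_USER_SCHEMA]}
    for idp_name, value in idp_attrs.items():
        scim_path = NAME_MAP.get(idp_name)
        if scim_path is None:
            continue
        if scim_path == "roles":  # multi-valued: value is a list of IdP roles
            mapped = {ROLE_MAP[r] for r in value if r in ROLE_MAP}
            user["roles"] = [{"value": r} for r in sorted(mapped)]
        elif scim_path == "emails":
            user["emails"] = [{"value": value, "primary": True}]
        else:
            _set_path(user, scim_path, value)
    if pseudonym is not None:
        user["externalId"] = pseudonym
    return user


# Constructed assertion: memberOf holds one unmapped role and employeeNumber has
# no name mapping, so neither reaches the payload sent to the consumer.
SAMPLE_ATTRS = {"uid": "asmith", "mail": "alice@example.com", "firstName": "Alice",
                "surname": "Smith", "memberOf": ["IdP_Sales", "IdP_Finance"],
                "employeeNumber": "4711"}
```

Calling `build_scim_user(SAMPLE_ATTRS, pseudonym="p-7f3a")` yields a payload with userName, name, emails, a single mapped role and externalId, and nothing from the unmapped attributes.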
Branding and customizing the User View – My Identity
Branding and customizing the User View – Login, Consent and Error pages
WSO2 Identity Server Reference Deployment Pattern 1
[Diagram: Internal User Directory and External User Directory, each with a WSO2 IS instance; Application Servers; zones: DMZ, Green Zone]
WSO2 Identity Server Reference Deployment Pattern 2
[Diagram: User Directory; two WSO2 IS instances; Application Server; zones: Yellow Zone, DMZ, Green Zone]
Thank You