Identity as a Service


Identity as a Service - Presentation Transcript

  Identity as a Service, by Prabath Siriwardena, WSO2

    • IDENTITY goes hand in hand with TRUST
    • What makes my IDENTITY?
      • My AGE is part of my IDENTITY
      • My PHONE NUMBER is part of my IDENTITY
      • My e-MAIL is part of my IDENTITY
      • My SSN is part of my IDENTITY
    • Who needs my IDENTITY?
      • My HR MANAGER
      • My FINANCE MANAGER
      • My PROJECT MANAGER
      • PARTNERS of my company
    • LAWS of IDENTITY: Extending the internet with an Identity Management Layer
      • User control & consent: Technical identity systems must only reveal information identifying a user with the user’s consent.
      • Minimal disclosure for a given use: The solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
      • Justifiable parties: A digital identity system must be designed so that the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
      • Directed identity: A universal identity system must support both ‘omni-directional’ identifiers for use by public entities and ‘unidirectional’ identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
      • Pluralism of operators & technologies: A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
      • Human integration: The universal identity meta-system must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
      • Consistent experience across contexts: The unifying identity meta-system must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
    • How do we share data related to IDENTITY?
    • DIRECTORY SERVICES: LDAP/AD
      • IDENTITY attributes maintained in a central repository
      • IDENTITY attributes shared across multiple applications within the same domain
      • Enterprise SSO can be established within participating applications
      • Protocol incompatibilities could lead to silos
      • Directory awareness at the individual application level
    • [Diagram: LDAP/Active Directory; HR, FINANCE and ERP, each with its own BUSINESS LOGIC; EXTERNAL]
    • [Diagram: LDAP/Active Directory; HR, FINANCE and ERP, each with its own BUSINESS LOGIC]
    • [Diagram: LDAP/Active Directory; HR, FINANCE and ERP; Identity Service]
    • [Diagram: LDAP/Active Directory; HR, FINANCE and ERP; Identity Service; EXTERNAL]
    • IDENTITY as a SERVICE
      • Integrates IDENTITY services into application development
      • Decouples IDENTITY-related logic from individual application business logic
      • User and IDENTITY-related data externalized from the applications themselves
      • Adheres to SOA standards
    • IDENTITY SERVICES: AUTHENTICATION, AUTHORIZATION, AUDIT, IDENTITY PROVIDER, PROVISIONING
    • IDENTITY PROVIDER
      • Externalize IDENTITY attributes
      • Information Cards
      • OpenID
      • Identity Governance Framework [IGF]
    • AUTHENTICATION
      • User Name/Password
      • User-centric identity: CardSpace/OpenID
    • AUTHORIZATION
      • Manages authorization logic
      • XACML
    • AUTHORIZATION - XACML
      • A general-purpose authorization policy language
      • Policy expressions:
        • “Anyone can use web servers between 12:00 AM and 4:00 AM”
        • “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
        • “Anyone can view their own 401K information, but nobody else’s”
        • “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
        • “The primary physician can have any of her patients’ medical records sent to a specialist in the same”
      • XACML vs SAML [cartoon]: SAML: “Here comes another request…”; XACML: “Let me process the AuthZ request…”
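The policy expressions on the XACML slide are easier to understand as a running policy decision point. The block below is an added example written for this transcript; it is not WSO2 code and not XACML XML. It models three of the slide's sentences (the night-time web-server window, the $1M supervisor approval, and the 401K self-only rule) as rules with a target, a condition, an effect and an optional obligation, combines them with deny-overrides, and writes an audit record for every decision so the AUTHORIZATION and AUDIT services on the page can be seen together. The attribute names (`roles`, `type`, `owner`, `total_cost`, `hour`) and the obligation id `supervisor-approval` are assumptions chosen for the example.

```python
"""Minimal XACML-style PDP (added example, not WSO2 code).

Rules mirror the slide's policy expressions. Attribute names and the
obligation id are assumptions for this example, not XACML identifiers.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """XACML-style request context: subject, resource, action and environment attributes."""
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: str
    environment: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Callable[[Request], bool]             # which requests the rule covers
    condition: Callable[[Request], bool] = lambda r: True
    obligation: Optional[str] = None              # returned with the decision; the PEP must enforce it


@dataclass
class Decision:
    decision: str
    rule_id: Optional[str]
    obligations: List[str]


def _matches(req: Request, role=None, resource_type=None, action=None) -> bool:
    """Target helper: every supplied attribute must match the request."""
    return ((role is None or role in req.subject.get("roles", ()))
            and (resource_type is None or req.resource.get("type") == resource_type)
            and (action is None or req.action == action))


POLICY: List[Rule] = [
    # "Anyone can use web servers between 12:00 AM and 4:00 AM"
    Rule("web-night-window", PERMIT,
         target=lambda r: _matches(r, resource_type="web-server", action="use"),
         condition=lambda r: 0 <= r.environment.get("hour", -1) < 4),
    # "Salespeople can create orders, but if the total cost is greater than $1M,
    #  a supervisor must approve": plain permit at or below the threshold ...
    Rule("sales-create-order", PERMIT,
         target=lambda r: _matches(r, role="salesperson", resource_type="order", action="create"),
         condition=lambda r: r.resource.get("total_cost", 0) <= 1_000_000),
    # ... and permit with an obligation above it
    Rule("sales-create-large-order", PERMIT,
         target=lambda r: _matches(r, role="salesperson", resource_type="order", action="create"),
         condition=lambda r: r.resource.get("total_cost", 0) > 1_000_000,
         obligation="supervisor-approval"),
    # "Anyone can view their own 401K information, but nobody else's"
    Rule("401k-self-only", PERMIT,
         target=lambda r: _matches(r, resource_type="401k", action="view"),
         condition=lambda r: r.resource.get("owner") == r.subject.get("id")),
    Rule("401k-deny-others", DENY,
         target=lambda r: _matches(r, resource_type="401k", action="view"),
         condition=lambda r: r.resource.get("owner") != r.subject.get("id")),
]


def evaluate(rules: List[Rule], req: Request) -> Decision:
    """Deny-overrides combining: any applicable Deny wins, otherwise the first
    applicable Permit, otherwise NotApplicable (which a PEP must treat as a denial)."""
    first_permit: Optional[Decision] = None
    for rule in rules:
        if not (rule.target(req) and rule.condition(req)):
            continue
        obligations = [rule.obligation] if rule.obligation else []
        if rule.effect == DENY:
            return Decision(DENY, rule.rule_id, obligations)
        if first_permit is None:
            first_permit = Decision(PERMIT, rule.rule_id, obligations)
    return first_permit or Decision(NOT_APPLICABLE, None, [])


AUDIT_LOG: List[Dict[str, Any]] = []


def decide(req: Request, rules: List[Rule] = POLICY) -> Decision:
    """PDP entry point: evaluate the request and record an audit event for the decision."""
    d = evaluate(rules, req)
    AUDIT_LOG.append({"subject": req.subject.get("id"), "action": req.action,
                      "resource": req.resource.get("type"), "decision": d.decision,
                      "rule": d.rule_id, "obligations": d.obligations})
    return d


if __name__ == "__main__":
    sales = {"id": "alice", "roles": ["salesperson"]}
    for req in [
        Request(sales, {"type": "order", "total_cost": 250_000}, "create"),
        Request(sales, {"type": "order", "total_cost": 2_500_000}, "create"),
        Request(sales, {"type": "401k", "owner": "alice"}, "view"),
        Request(sales, {"type": "401k", "owner": "bob"}, "view"),
        Request(sales, {"type": "web-server"}, "use", {"hour": 2}),
        Request(sales, {"type": "web-server"}, "use", {"hour": 13}),
    ]:
        print(decide(req))
```

Two points the slide leaves implicit are visible here: the supervisor rule is a Permit carrying an obligation, so the enforcement point (not the PDP) is responsible for holding the order until approval; and a request no rule covers comes back NotApplicable, which the enforcement point must fail closed on rather than treat as a permit.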
    • PROVISIONING
      • Supports administration of IDENTITY & ACCESS management
      • Provides centralized policy administration and controls
      • SPML
      • Reference: “Service Provisioning via SPML in SOA: Simplifying identity and resource management for distributed services”, by Manivannan Gopalan, http://soa.sys-con.com/node/434383
    • AUDITING
      • Audit all IDENTITY events
    • AUDITING - XDAS
      • Distributed Audit Service
      • The principle of accountability
      • Detection of security policy violations
      • Reference: http://www.opengroup.org/pubs/catalog/p441.htm
    • IDENTITY SERVICES: AUTHENTICATION [InfoCards/OpenID], AUTHORIZATION [XACML], AUDIT [XDAS], IDENTITY PROVIDER [OpenID/InfoCards], PROVISIONING [SPML]
    • USER CENTRIC IDENTITY
      • User in control of identity interactions
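The XDAS slides name two goals for the audit service, accountability and detection of security policy violations. The following added example (not from the presentation or the XDAS specification) shows the detection half: it reads a constructed list of identity audit events and flags any initiator whose denied requests reach a threshold inside a short window, while leaving isolated denials alone. The event field names (`ts`, `initiator`, `target`, `action`, `outcome`), the sample data and the threshold and window values are assumptions chosen for the example.

```python
"""Detection over identity audit events (added example, not XDAS code).

Field names and sample events are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, List

# Constructed sample events: one user is repeatedly denied within seconds,
# another is denied three times an hour apart.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2009-03-01T09:00:01", "initiator": "alice", "target": "order/1", "action": "create", "outcome": "Permit"},
    {"ts": "2009-03-01T09:00:05", "initiator": "dave", "target": "401k/alice", "action": "view", "outcome": "Deny"},
    {"ts": "2009-03-01T09:00:09", "initiator": "dave", "target": "401k/bob", "action": "view", "outcome": "Deny"},
    {"ts": "2009-03-01T09:00:14", "initiator": "dave", "target": "401k/carol", "action": "view", "outcome": "Deny"},
    {"ts": "2009-03-01T09:00:20", "initiator": "dave", "target": "401k/dave", "action": "view", "outcome": "Permit"},
    {"ts": "2009-03-01T09:30:00", "initiator": "bob", "target": "401k/alice", "action": "view", "outcome": "Deny"},
    {"ts": "2009-03-01T10:30:00", "initiator": "bob", "target": "401k/alice", "action": "view", "outcome": "Deny"},
    {"ts": "2009-03-01T11:30:00", "initiator": "bob", "target": "401k/alice", "action": "view", "outcome": "Deny"},
]


def detect_denial_bursts(events: List[Dict[str, str]], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> List[Dict[str, Any]]:
    """Return one alert per initiator whose Deny outcomes reach `threshold` within `window`.

    Events are processed in timestamp order; a per-initiator deque holds the
    timestamps of recent denials and is trimmed to the sliding window.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, Any]] = []
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "Deny":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["initiator"]]
        q.append(ts)
        while q and ts - q[0] > window:      # drop denials that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["initiator"] not in flagged:
            flagged.add(ev["initiator"])      # one alert per initiator, not one per event
            alerts.append({"initiator": ev["initiator"], "denials": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_denial_bursts(EVENTS):
        print(alert)
```

The window-and-threshold shape is deliberate: a single Deny is what the authorization service is supposed to produce and says nothing on its own, whereas a cluster of denials against other users' records from one initiator is the kind of pattern the accountability record exists to surface.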
    • [Diagram: Service Provider / User / Identity Provider; IDENTITY PROVIDER; SERVICE PROVIDER]
    • Information Cards
    • OpenID
      • http://www.slideshare.net/prabathsiriwardena/understanding-openid/
    • BUILDING FEDERATED IDENTITY WITH OPENID
      • [Diagram: USER STORE; OpenID PROVIDER; REALM; SERVICE PROVIDER]
    • IDENTITY GOVERNANCE
      • Establishing policies, controls & enforcement mechanisms
      • WHY?
        1. A fragile and brittle SOA implementation
        2. Services that cannot easily be reused because they are unknown to developers or because they were not designed with reuse in mind
        3. Lack of trust and confidence in services as enterprise assets, which results in a “build it myself” mentality
        4. Security breaches that cannot easily be traced
        5. Unpredictable performance
      • IDENTITY GOVERNANCE FRAMEWORK
        1. Identity attribute service: a service that supports access to many different identity sources and enforces administrative policy
        2. CARML: declarative syntax using which clients may specify their attribute requirements
        3. AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information
        4. Multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes
    • WSO2 IDENTITY SOLUTION
    • Questions…
    • Thank you…!

prabathsiriwardena, 2 years ago
