Identity as a Service
 

Presentation Transcript

By Prabath Siriwardena, WSO2
• IDENTITY goes hand in hand with TRUST

• What makes my IDENTITY?
  • My AGE is part of my IDENTITY
  • My PHONE NUMBER is part of my IDENTITY
  • My e-MAIL is part of my IDENTITY
  • My SSN is part of my IDENTITY

• Who needs my IDENTITY?
  • My HR MANAGER
  • My FINANCE MANAGER
  • My PROJECT MANAGER
  • PARTNERS of my company
• LAWS of IDENTITY: extending the Internet with an Identity Management Layer
  • User control & consent: technical identity systems must only reveal information identifying a user with the user’s consent.
  • Minimal disclosure for a given use: the solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
  • Justifiable parties: a digital identity system must be designed so that the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
  • Directed identity: a universal identity system must support both ‘omni-directional’ identifiers for use by public entities and ‘unidirectional’ identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
  • Pluralism of operators & technologies: a universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
  • Human integration: the universal identity meta-system must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
  • Consistent experience across contexts: the unifying identity meta-system must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
• How do we share data related to IDENTITY?

• DIRECTORY SERVICES: LDAP/AD
  • IDENTITY attributes maintained in a central repository
  • IDENTITY attributes shared across multiple applications within the same domain
  • Enterprise SSO can be established within participating applications
  • Protocol incompatibilities could lead to silos
  • Directory awareness at the individual application level

• [Diagram] LDAP/Active Directory with HR, FINANCE and ERP applications each carrying its own BUSINESS LOGIC, with and without an EXTERNAL party
• [Diagram] LDAP/Active Directory behind a shared Identity Service used by HR, FINANCE and ERP, with and without an EXTERNAL party
• IDENTITY as a SERVICE
  • Integrates IDENTITY services into application development
  • Decouples IDENTITY-related logic from individual application business logic
  • User and IDENTITY-related data externalized from the applications themselves
  • Adheres to SOA standards

• IDENTITY SERVICES: AUTHENTICATION, AUTHORIZATION, AUDIT, IDENTITY PROVIDER, PROVISIONING
• IDENTITY PROVIDER
  • Externalize IDENTITY attributes
  • Information Cards
  • OpenID
  • Identity Governance Framework [IGF]

• AUTHENTICATION
  • User name/password
  • User-centric identity: CardSpace/OpenID

• AUTHORIZATION
  • Manages authorization logic
  • XACML
• AUTHORIZATION - XACML
  • A general-purpose authorization policy language
  • Policy expressions:
    • “Anyone can use web servers between 12:00 AM and 4:00 AM”
    • “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
    • “Anyone can view their own 401K information, but nobody else’s”
    • “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
    • “The primary physician can have any of her patients’ medical records sent to a specialist in the same”
  • XACML vs SAML: [Diagram, labelled SAML and XACML] “Here comes another request….” “Let me process the AuthZ request…”
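The policy expressions listed above, as an added Python illustration that is not part of the presentation and not WSO2's or any XACML engine's code: a small attribute-based policy decision point (PDP) that mirrors XACML's Policy / Rule / Target / Condition / Effect structure and its deny-overrides combining algorithm, and encodes three of the slide's expressions (the web-server time window, the own-401K rule, and the salesperson order limit). The in-memory rule representation stands in for XACML XML, and attribute names such as resource_type, env_time, resource_owner and env_supervisor_approved are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Callable, Dict, Iterable, List

# A request is a flat attribute bag. The attribute names are hypothetical;
# XACML carries them as typed attributes in subject/resource/action/environment categories.
Request = Dict[str, Any]
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def deny_overrides(decisions: Iterable[str]) -> str:
    """Combine decisions as XACML's deny-overrides algorithm does:
    any Deny wins, otherwise any Permit, otherwise NotApplicable."""
    permitted = False
    for decision in decisions:
        if decision == DENY:
            return DENY
        permitted = permitted or decision == PERMIT
    return PERMIT if permitted else NOT_APPLICABLE


@dataclass
class Rule:
    """One rule: applicable when target() holds; yields its effect when condition() also holds."""
    name: str
    effect: str
    target: Callable[[Request], bool]
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return self.effect if self.condition(req) else NOT_APPLICABLE


@dataclass
class Policy:
    """A named set of rules, combined with deny-overrides."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        return deny_overrides(rule.evaluate(req) for rule in self.rules)


class PDP:
    """Policy Decision Point: holds the policies and answers authorization questions."""
    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies

    def decide(self, req: Request) -> str:
        return deny_overrides(policy.evaluate(req) for policy in self.policies)


def build_pdp() -> PDP:
    """Encode three of the slide's policy expressions as rules."""
    web_servers = Policy("web-servers", [
        # "Anyone can use web servers between 12:00 AM and 4:00 AM"
        Rule("night-window", PERMIT,
             target=lambda r: r.get("resource_type") == "web-server",
             condition=lambda r: time(0, 0) <= r["env_time"] <= time(4, 0)),
    ])
    retirement = Policy("401k", [
        # "Anyone can view their own 401K information, but nobody else's"
        Rule("own-record", PERMIT,
             target=lambda r: r.get("resource_type") == "401k" and r.get("action") == "view",
             condition=lambda r: r["subject_id"] == r["resource_owner"]),
        Rule("others-record", DENY,
             target=lambda r: r.get("resource_type") == "401k" and r.get("action") == "view",
             condition=lambda r: r["subject_id"] != r["resource_owner"]),
    ])
    orders = Policy("orders", [
        # "Salespeople can create orders, but if the total cost is greater than $1M,
        # a supervisor must approve" (approval modelled as an environment attribute)
        Rule("salesperson-creates-order", PERMIT,
             target=lambda r: (r.get("subject_role") == "salesperson"
                               and r.get("action") == "create"
                               and r.get("resource_type") == "order"),
             condition=lambda r: (r["resource_cost"] <= 1_000_000
                                  or r.get("env_supervisor_approved", False))),
    ])
    return PDP([web_servers, retirement, orders])


def pep_enforce(pdp: PDP, req: Request) -> bool:
    """Deny-biased Policy Enforcement Point: only an explicit Permit lets the
    request through; Deny and NotApplicable are both refused."""
    return pdp.decide(req) == PERMIT


if __name__ == "__main__":
    pdp = build_pdp()
    sample = {"resource_type": "web-server", "action": "use", "env_time": time(2, 30)}
    print(pdp.decide(sample), pep_enforce(pdp, sample))
```

The enforcement point is deliberately deny-biased: a request the policies say nothing about (NotApplicable) is refused just like an explicit Deny, which is why the web-server policy needs no Deny rule for hours outside the window, while the 401K policy carries an explicit Deny so that deny-overrides wins even if some other policy were to permit.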
• PROVISIONING
  • Supports administration of IDENTITY & ACCESS management
  • Provides centralized policy administration and controls
  • SPML
  • Further reading: “Service Provisioning via SPML in SOA: Simplifying identity and resource management for distributed services” by Manivannan Gopalan, http://soa.sys-con.com/node/434383
• AUDITING
  • Audit all IDENTITY events

• AUDITING - XDAS
  • Distributed Audit Service
  • The principle of accountability
  • Detection of security policy violations
  • http://www.opengroup.org/pubs/catalog/p441.htm
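An added example of the two XDAS points above, accountability and detection of policy violations, that is not from the presentation and does not use the XDAS record format: identity audit records in a constructed pipe-separated format of this example's own (timestamp, initiator, action, target, outcome, source), an accountability check that rejects any record lacking an initiator, and a detector that flags initiators with repeated failures inside a sliding time window. The sample log lines and the threshold values are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AuditEvent:
    """One identity event. Field names are this example's own, not XDAS's."""
    when: datetime
    initiator: str   # who acted: accountability requires every event to name a principal
    action: str      # what was attempted: login, authz, provision, ...
    target: str      # what it was attempted on
    outcome: str     # "success" or "failure"
    source: str      # the identity service that emitted the record


# Constructed sample records: ts|initiator|action|target|outcome|source
SAMPLE_LOG = """\
2009-06-01T09:00:00|alice|login|idp|success|openid-provider
2009-06-01T09:01:10|bob|authz|orders/create|failure|pdp
2009-06-01T09:01:40|bob|authz|orders/create|failure|pdp
2009-06-01T09:02:05|bob|authz|orders/create|failure|pdp
2009-06-01T09:03:30|carol|provision|ldap:cn=dave|success|spml-endpoint
2009-06-01T09:04:00|bob|authz|orders/create|success|pdp
"""


def parse_event(line: str) -> AuditEvent:
    """Parse one record; enforce accountability by refusing records with no initiator."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 6:
        raise ValueError(f"malformed audit record: {line!r}")
    when, initiator, action, target, outcome, source = fields
    if not initiator.strip():
        raise ValueError(f"audit record without an initiator: {line!r}")
    if outcome not in ("success", "failure"):
        raise ValueError(f"unknown outcome {outcome!r}")
    return AuditEvent(datetime.fromisoformat(when), initiator, action, target, outcome, source)


def load_events(text: str) -> List[AuditEvent]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_violations(events: List[AuditEvent], max_failures: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, List[AuditEvent]]:
    """Flag each initiator whose failed events reach max_failures within any
    sliding window of the given length; returns the offending events."""
    failures: Dict[str, List[AuditEvent]] = defaultdict(list)
    for ev in events:
        if ev.outcome == "failure":
            failures[ev.initiator].append(ev)
    flagged: Dict[str, List[AuditEvent]] = {}
    for who, evs in failures.items():
        evs.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end].when - evs[start].when > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[who] = evs[start:end + 1]
                break
    return flagged


if __name__ == "__main__":
    for who, evs in detect_violations(load_events(SAMPLE_LOG)).items():
        print(f"{who}: {len(evs)} failures between {evs[0].when} and {evs[-1].when}")
```

Rejecting records without an initiator at parse time keeps the accountability principle enforceable: a detector can only attribute a violation to someone if every record identifies who acted.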
• IDENTITY SERVICES: AUTHENTICATION [InfoCards/OpenID], AUTHORIZATION [XACML], AUDIT [XDAS], IDENTITY PROVIDER [OpenID/InfoCards], PROVISIONING [SPML]
• USER CENTRIC IDENTITY
  • User in control of identity interactions
  • [Diagram] Service Provider / User / Identity Provider: IDENTITY PROVIDER, SERVICE PROVIDER
  • Information Cards
  • OpenID: http://www.slideshare.net/prabathsiriwardena/understanding-openid/

• BUILDING FEDERATED IDENTITY WITH OPENID
  • [Diagram] USER STORE, OpenID PROVIDER, REALM, SERVICE PROVIDER
• IDENTITY GOVERNANCE
  • Establishing policies, controls & enforcement mechanisms
  • WHY?
    1. A fragile and brittle SOA implementation
    2. Services that cannot easily be reused because they are unknown to developers or because they were not designed with reuse in mind
    3. Lack of trust and confidence in services as enterprise assets, which results in a “build it myself” mentality
    4. Security breaches that cannot easily be traced
    5. Unpredictable performance
  • IDENTITY GOVERNANCE FRAMEWORK
    1. Identity attribute service: a service that supports access to many different identity sources and enforces administrative policy
    2. CARML: declarative syntax using which clients may specify their attribute requirements
    3. AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information
    4. Multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes

• WSO2 IDENTITY SOLUTION
• Questions…
• Thank you…!