Identity as a Service


  1. 1. Identity as a Service. By Prabath Siriwardena, WSO2
  2. 4. IDENTITY goes hand in hand with TRUST
  3. 5. What makes my IDENTITY?
  4. 7. My AGE is part of my IDENTITY
  5. 8. My PHONE NUMBER is part of my IDENTITY
  6. 9. My e-MAIL is part of my IDENTITY
  7. 10. My SSN is part of my IDENTITY
  8. 11. Who needs my IDENTITY?
  9. 12. My HR MANAGER
  10. 13. My FINANCE MANAGER
  11. 14. My PROJECT MANAGER
  12. 15. PARTNERS of my company
  13. 16. LAWS of IDENTITY: Extending the internet with an Identity Management Layer
  14. 17. LAWS of IDENTITY: User control & consent
  15. 18. LAWS of IDENTITY: User control & consent. Technical identity systems must only reveal information identifying a user with the user’s consent.
  16. 19. LAWS of IDENTITY: Minimal disclosure for a given use
  17. 20. LAWS of IDENTITY: Minimal disclosure for a given use. The solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
  18. 21. LAWS of IDENTITY: Justifiable parties
  19. 22. LAWS of IDENTITY: Justifiable parties. A digital identity system must be designed so that the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
  20. 23. LAWS of IDENTITY: Directed Identity
  21. 24. LAWS of IDENTITY: Directed Identity. A universal identity system must support both ‘omni-directional’ identifiers for use by public entities and ‘unidirectional’ identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
  22. 25. LAWS of IDENTITY: Pluralism of operators & technologies
  23. 26. LAWS of IDENTITY: Pluralism of operators & technologies. A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
  24. 27. LAWS of IDENTITY: Human Integration
  25. 28. LAWS of IDENTITY: Human Integration. The universal identity meta-system must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
  26. 29. LAWS of IDENTITY: Consistent experience across contexts
  27. 30. LAWS of IDENTITY: Consistent experience across contexts. The unifying identity meta-system must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
  28. 31. How do we share data related to IDENTITY?
  29. 32. DIRECTORY SERVICES: LDAP/AD
  30. 33. DIRECTORY SERVICES: LDAP/AD. IDENTITY attributes maintained in a central repository
  31. 34. DIRECTORY SERVICES: LDAP/AD. IDENTITY attributes shared across multiple applications within the same domain
  32. 35. DIRECTORY SERVICES: LDAP/AD. Enterprise SSO can be established within participating applications
  33. 36. DIRECTORY SERVICES: LDAP/AD. Protocol incompatibilities could lead to silos
  34. 37. DIRECTORY SERVICES: LDAP/AD. Directory awareness at the individual application level
  35. 38. [Diagram: LDAP/Active Directory; HR, FINANCE and ERP applications, each with its own BUSINESS LOGIC; EXTERNAL]
  36. 39. [Diagram: LDAP/Active Directory; HR, FINANCE and ERP applications, each with its own BUSINESS LOGIC]
  37. 40. [Diagram: LDAP/Active Directory; HR, FINANCE and ERP applications; Identity Service]
  38. 41. [Diagram: LDAP/Active Directory; HR, FINANCE and ERP applications; Identity Service; EXTERNAL]
  39. 42. IDENTITY as a SERVICE
  40. 43. IDENTITY as a SERVICE: Integrates IDENTITY services into application development
  41. 44. IDENTITY as a SERVICE: Decouples IDENTITY-related logic from individual application business logic
  42. 45. IDENTITY as a SERVICE: User and IDENTITY-related data externalized from the applications themselves
  43. 46. IDENTITY as a SERVICE: Adheres to SOA standards
  44. 47. IDENTITY SERVICES: AUTHENTICATION, AUTHORIZATION, AUDIT, IDENTITY PROVIDER, PROVISIONING
  45. 48. IDENTITY PROVIDER: Externalize IDENTITY attributes
  46. 49. IDENTITY PROVIDER: Information Cards
  47. 50. IDENTITY PROVIDER: OpenID
  48. 51. IDENTITY PROVIDER: Identity Governance Framework [IGF]
  49. 52. AUTHENTICATION: User Name/Password
  50. 53. AUTHENTICATION: User-centric identity: CardSpace/OpenID
  51. 54. AUTHORIZATION: Manages authorization logic
  52. 55. AUTHORIZATION: XACML
  53. 56. AUTHORIZATION - XACML: A general-purpose authorization policy language
  54. 57. AUTHORIZATION - XACML: Policy Expressions
      - “Anyone can use web servers between 12:00 AM and 4:00 AM”
      - “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
      - “Anyone can view their own 401K information, but nobody else’s”
      - “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
      - “The primary physician can have any of her patients’ medical records sent to a specialist in the same”
  55. 58. AUTHORIZATION - XACML: XACML vs SAML. [Cartoon with the captions “Here comes another request….” and “Let me process the Auth’Z request…”, labelled SAML and XACML]
  56. 59. PROVISIONING: Supports administration of IDENTITY & ACCESS Management
  57. 60. PROVISIONING: Provides centralized policy administration and controls
  58. 61. PROVISIONING: SPML
  59. 62. PROVISIONING: http://soa.sys-con.com/node/434383 “Service Provisioning via SPML in SOA: Simplifying identity and resource management for distributed services”, by Manivannan Gopalan
  60. 63. AUDITING: Audit all IDENTITY events
  61. 64. AUDITING - XDAS: Distributed Audit Service
  62. 65. AUDITING - XDAS: The principle of accountability
  63. 66. AUDITING - XDAS: Detection of security policy violations
  64. 67. AUDITING - XDAS: http://www.opengroup.org/pubs/catalog/p441.htm
  65. 68. IDENTITY SERVICES: AUTHENTICATION [InfoCards/OpenID], AUTHORIZATION [XACML], AUDIT [XDAS], IDENTITY PROVIDER [OpenID/InfoCards], PROVISIONING [SPML]
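The XACML policy expressions on slide 57 and the XDAS points on slides 63 to 66 (audit every identity event, detect policy violations), worked through as an added example that is not code from the slides or from WSO2: a small Python policy decision point that models XACML's attribute-based rules, Permit/Deny effects, deny-overrides rule combining and obligations, and appends every decision to an audit list standing in for a distributed audit service. The request and rule structures, rule ids, attribute names and sample requests are constructed stand-ins for XACML's XML documents, not real XACML; a real PDP would also return Indeterminate on missing attributes instead of simply failing closed.

```python
"""Simplified XACML-style policy decision point (PDP) with an audit trail.
Added example; request/rule structures, rule ids and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    rule_id: str
    effect: str                                  # PERMIT or DENY
    target: Callable[[dict], bool]               # does the rule apply to this request?
    condition: Callable[[dict], bool] = lambda req: True   # extra predicate on attributes
    obligations: tuple = ()                      # handed to the enforcement point with a Permit


@dataclass
class Decision:
    decision: str
    rule_id: Optional[str] = None
    obligations: tuple = ()


def _hour(req: dict) -> int:
    # Simplification: a missing environment attribute fails closed (real XACML: Indeterminate)
    return req.get("environment", {}).get("hour", -1)


def _is_sales_order(req: dict) -> bool:
    return ("salesperson" in req["subject"]["roles"]
            and req["resource"]["type"] == "order" and req["action"] == "create")


def _is_401k_view(req: dict) -> bool:
    return req["resource"]["type"] == "401k" and req["action"] == "view"


# The slide's first three policy expressions, written as attribute-based rules
POLICY = [
    Rule("web-servers-at-night", PERMIT,
         target=lambda r: r["resource"]["type"] == "webserver" and r["action"] == "use",
         condition=lambda r: 0 <= _hour(r) < 4),              # 12:00 AM to 4:00 AM
    Rule("sales-create-order", PERMIT, target=_is_sales_order),
    Rule("large-order-needs-approval", PERMIT, target=_is_sales_order,
         condition=lambda r: r["resource"]["total_cost"] > 1_000_000,
         obligations=("supervisor-approval",)),
    Rule("view-own-401k", PERMIT, target=_is_401k_view,
         condition=lambda r: r["subject"]["id"] == r["resource"]["owner"]),
    Rule("deny-others-401k", DENY, target=_is_401k_view,
         condition=lambda r: r["subject"]["id"] != r["resource"]["owner"]),
]


def evaluate(rules: list, request: dict, audit_log: Optional[list] = None) -> Decision:
    """Deny-overrides combining, as in XACML: one applicable Deny beats any number of Permits.
    Each decision is appended to audit_log (stand-in for a distributed audit service)."""
    applicable = [rule for rule in rules if rule.target(request) and rule.condition(request)]
    denies = [rule for rule in applicable if rule.effect == DENY]
    permits = [rule for rule in applicable if rule.effect == PERMIT]
    if denies:
        result = Decision(DENY, denies[0].rule_id)
    elif permits:  # obligations of every applicable Permit rule travel with the decision
        result = Decision(PERMIT, permits[0].rule_id,
                          tuple(o for rule in permits for o in rule.obligations))
    else:
        result = Decision(NOT_APPLICABLE)
    if audit_log is not None:
        audit_log.append({"subject": request["subject"]["id"], "resource": request["resource"]["type"],
                          "action": request["action"], "decision": result.decision,
                          "rule": result.rule_id})
    return result


def denied_access_counts(audit_log: list) -> dict:
    """Violation detection over the audit trail: Deny decisions collected per subject."""
    counts: dict = {}
    for record in audit_log:
        if record["decision"] == DENY:
            counts[record["subject"]] = counts.get(record["subject"], 0) + 1
    return counts


def make_request(subject_id, roles, resource, action, hour=12):
    """XACML carries these as typed attributes in subject, resource, action and environment categories."""
    return {"subject": {"id": subject_id, "roles": list(roles)}, "resource": resource,
            "action": action, "environment": {"hour": hour}}


# Constructed sample requests, one per branch of the policy
SAMPLE_REQUESTS = {
    "web-night": make_request("alice", ["staff"], {"type": "webserver"}, "use", hour=2),
    "web-day": make_request("alice", ["staff"], {"type": "webserver"}, "use", hour=9),
    "small-order": make_request("bob", ["salesperson"], {"type": "order", "total_cost": 5_000}, "create"),
    "large-order": make_request("bob", ["salesperson"], {"type": "order", "total_cost": 2_500_000}, "create"),
    "own-401k": make_request("carol", ["staff"], {"type": "401k", "owner": "carol"}, "view"),
    "others-401k": make_request("mallory", ["staff"], {"type": "401k", "owner": "carol"}, "view"),
}


def run_demo():
    """Evaluate every sample request; returns the decisions, the audit log and Deny counts."""
    log: list = []
    decisions = {name: evaluate(POLICY, req, log) for name, req in SAMPLE_REQUESTS.items()}
    return decisions, log, denied_access_counts(log)


if __name__ == "__main__":
    for name, d in run_demo()[0].items():
        print(f"{name:12s} -> {d.decision:14s} rule={d.rule_id} obligations={d.obligations}")
```

The point the architecture slides make is visible in the shape of the code: the HR, finance or ERP application only builds a request and acts on the returned decision and obligations, while the rules, the combining algorithm and the audit trail live in the identity service. The daytime web-server request comes back NotApplicable rather than Deny, which is why a deployment normally wraps the PDP in a policy whose fallback is an explicit Deny.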
  66. 69. USER CENTRIC IDENTITY: User in control of identity interactions
  67. 70. [Diagram: Service Provider / User / Identity Provider interactions; IDENTITY PROVIDER and SERVICE PROVIDER]
  68. 71. Information Cards
  69. 72. OpenID: http://www.slideshare.net/prabathsiriwardena/understanding-openid/
  70. 73. BUILDING FEDERATED IDENTITY WITH OPENID. [Diagram labels: USER STORE, OpenID PROVIDER, REALM, SERVICE PROVIDER]
  71. 74. IDENTITY GOVERNANCE: Establishing policies, controls & enforcement mechanisms
  72. 75. IDENTITY GOVERNANCE: WHY?
      1. A fragile and brittle SOA implementation
      2. Services that cannot easily be reused because they are unknown to developers or because they were not designed with reuse in mind
      3. Lack of trust and confidence in services as enterprise assets, which results in a “build it myself” mentality
      4. Security breaches that cannot easily be traced
      5. Unpredictable performance
  73. 76. IDENTITY GOVERNANCE: IDENTITY GOVERNANCE FRAMEWORK
      1. Identity attribute service: a service that supports access to many different identity sources and enforces administrative policy
      2. CARML: declarative syntax using which clients may specify their attribute requirements
      3. AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information
      4. Multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes
  74. 77. WSO2 IDENTITY SOLUTION
  75. 78. Questions… Thank you…!
