The Lanka Gate Initiative - Presentation Transcript
The LANKA GATE Initiative
Security Aspects
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Trends in user centric identities
• User in the middle of the identity transaction
• Governed by Seven Laws of Identity
• OpenID/Information Cards
Trends in user centric identities - OpenID
• Decentralized Single Sign On +
• Single profile across different domains +
• Easy profile maintenance +
• Authenticates once at the OpenID Provider +
• Phishing ???
• Different user experience
• Requires HTTPS + user education
Trends in user centric identities – Information Cards
• Phishing resistant authentication+
• Based on WS-* standards +
• Highly cryptographic solution+
• Authenticates only at the Identity Provider +
• Single user profile
• Different user experience
Trends in user centric identities
It’s NOT OpenID vs. Information Cards, but –
OpenID with Information Cards
Lanka Gate Architecture
Sri Lanka Country Portal
• Provides access to backend services through portlets [a single eService, several eServices from a specific project, or a transactional / mashup combination of eServices across several projects]
• Users log in to the country portal, and the functionality they are authorized for becomes available.
• How does authentication take place ???
• How does authorization take place ???
Identity as a Service
• Integrates identity services into application
development
• Decouples identity related logic from
individual application business logic
• User, identity related data externalized from
the applications themselves
• Breaks identity silos
Identity as a Service
[Diagram: Identity Management Service backed by a User Store]
Securing Sri Lanka Country Portal - Authentication
[Diagram: Country Portal, Identity Provider [WSO2 Identity Solution], Identity Management Service (IdMRealm), User Store]
Securing Sri Lanka Country Portal - Authentication
[Diagram: the same components, with the links labelled WS-Security and HTTPS, plus white/black listing of OPs]
Securing Sri Lanka Country Portal - Authentication
[Diagram: authentication options at the Identity Provider [WSO2 Identity Solution]: username/password, self-issued InfoCard, client certificate]
Securing Sri Lanka Country Portal - Authorization
[Diagram: Country Portal hosting the Driving License Management Portlet, Passport Management Portlet and EPF/ETF Management Portlet]
Securing Sri Lanka Country Portal - Authorization
[Diagram: Country Portal with the functions available to a given user: Driving License Management Portlet: Request Driving License, Track Status; Passport Management Portlet: Request Passport, Track Status; EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF]
Securing Sri Lanka Country Portal - Authorization
[Diagram: Country Portal with the functions available to a given user: Driving License Management Portlet: Request Driving License, Track Status; Passport Management Portlet: Issue Passport, Reject Passport Requests, List Pending Requests; EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF]
Securing Sri Lanka Country Portal - Authorization
[Diagram: Country Portal with the functions available to a given user: Driving License Management Portlet: Issue Driving License, List Pending Requests; Passport Management Portlet: Request Passport, Track Status; EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF]
Securing Sri Lanka Country Portal - Authorization
[Diagram: Country Portal with the functions available to a given user: Driving License Management Portlet: Request Driving License, Track Status; Passport Management Portlet: Request Passport, Track Status; EPF/ETF Management Portlet: List Pending Claims]
Securing Sri Lanka Country Portal - Authorization
• Authorization logic should be handled by the corresponding service(s) – behind the portlet. [or maybe by the LIX]
[Diagram: getPortlet(user) calls to the Driving License Management Service, Passport Management Service and EPF/ETF Management Service]
Securing Sri Lanka Country Portal – Summary
• User store will be managed centrally through the Identity Management Service
• Country Portal will use OpenIDs for authentication with a white-listed OpenID Provider
• Once a user is authenticated, the functionality available to that user is decided by evaluating authorization logic at the corresponding backend service.
Securing Sri Lanka Country Portal – Handling Authorization
• Each backend service needs to evaluate user rights.
• Application-specific authorization handling vs. standards-based authorization handling.
• Standards-based authorization with XACML
Securing Sri Lanka Country Portal – Authorization with XACML
• Defining policies
• “Passport service administrators can list all the pending passport requests”
[Diagram: Policy Administration Point/PAP [WSO2 Identity Solution] defines policies into the Policy Store [WSO2 Registry]]
Securing Sri Lanka Country Portal – Authorization with XACML
• Evaluating policies
[Diagram: Request to the Policy Decision Point/PDP [WSO2 Identity Solution]; the PDP uses the Policy Information Point/PIP [WSO2 Identity Solution], linked to the Identity Management Service over WS-Security, and the Policy Retrieval Point/PRP [WSO2 Identity Solution], which reads the Policy Store [WSO2 Registry]]
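As an added example (not code from the deck or from WSO2 Identity Solution), the policy from the previous slide written as a small XACML 2.0-style policy, with a minimal Python PDP that evaluates a passport-service request against it; the attribute id "role", the resource and action names, and the evaluator itself are assumptions made for this example.

```python
# Added example (not code from the Lanka Gate deck or WSO2 Identity Solution):
# a XACML 2.0-style policy for "Passport service administrators can list all the
# pending passport requests" plus a minimal PDP. Attribute ids/values are assumed.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# What the PAP would write to the policy store (constructed policy).
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="passport-admin-policy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Target/>
 <Rule RuleId="admins-list-pending" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="{EQ}"><AttributeValue>passport-admin</AttributeValue>
   <SubjectAttributeDesignator AttributeId="role"/></SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="{EQ}"><AttributeValue>passport-requests/pending</AttributeValue>
   <ResourceAttributeDesignator AttributeId="{RES_ID}"/></ResourceMatch></Resource></Resources>
  <Actions><Action><ActionMatch MatchId="{EQ}"><AttributeValue>list</AttributeValue>
   <ActionAttributeDesignator AttributeId="{ACT_ID}"/></ActionMatch></Action></Actions>
 </Target></Rule>
</Policy>"""

def _target_matches(target, category, attrs):
    # Every <SubjectMatch>/<ResourceMatch>/<ActionMatch> in the rule target must
    # hold (string-equal only; one Subject/Resource/Action element is assumed).
    for m in target.iter(f"{{{NS}}}{category}Match"):
        expected = m.find(f"{{{NS}}}AttributeValue").text
        attr_id = m.find(f"{{{NS}}}{category}AttributeDesignator").get("AttributeId")
        if attrs.get(attr_id) != expected:
            return False
    return True

def evaluate(policy_xml, request):
    """Minimal PDP (deny-overrides): Permit, Deny or NotApplicable; no obligations."""
    effects = []
    for rule in ET.fromstring(policy_xml).findall(f"{{{NS}}}Rule"):
        target = rule.find(f"{{{NS}}}Target")
        if all(_target_matches(target, cat, request[cat.lower()])
               for cat in ("Subject", "Resource", "Action")):
            effects.append(rule.get("Effect"))
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def decide(role, resource, action):
    # The request a backend service (the PEP behind its portlet) sends to the PDP.
    return evaluate(POLICY_XML, {"subject": {"role": role},
                                 "resource": {RES_ID: resource},
                                 "action": {ACT_ID: action}})
```

A citizen asking to list pending passport requests gets NotApplicable here; a real deployment would wrap this in a policy set whose default is Deny.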
Securing Backend Services
[Diagram: Lanka Interoperability Exchange connected over WS-Security to the EPF/ETF Management Service, Passport Management Service and Driving License Management Service]
Other security aspects
• Auditing
– Every authentication and authorization decision
has to generate an audit event
– Identity Management Service / PDP
– Secure logging – audit trails should preserve
integrity
– XDAS - OpenXDAS
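As an added example (not from the deck or from OpenXDAS), a keyed hash-chained audit trail for the authentication and authorization events listed above, so that an edited or deleted record is detected when the trail is verified; the key, the event fields and the record layout are constructed for this example.

```python
# Added example (not code from the Lanka Gate deck or from OpenXDAS): a keyed
# hash-chained audit trail for authentication/authorization decisions, so a
# deleted or edited record is detectable. The key and events are constructed.
import hashlib
import hmac
import json

AUDIT_KEY = b"placeholder-key-held-by-the-audit-collector-not-the-app-host"
GENESIS = "0" * 64

def _tag(prev_tag, event):
    # Canonical JSON so the same event always yields the same bytes; the MAC
    # covers the previous tag, which is what links the records together.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_tag.encode() + payload, hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only record list; each record carries the tag of its predecessor."""
    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["tag"] if self.records else GENESIS
        self.records.append({"event": event, "prev": prev, "tag": _tag(prev, event)})

    def verify(self):
        """Index of the first broken record, or -1 when the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            expected = _tag(prev, rec["event"])
            if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
                return i
            prev = rec["tag"]
        return -1

def demo():
    # Events an Identity Management Service and a PDP would emit (constructed).
    trail = AuditTrail()
    trail.append({"src": "IdentityManagementService", "type": "authn",
                  "user": "alice", "outcome": "success"})
    trail.append({"src": "PDP", "type": "authz", "user": "alice", "action": "list",
                  "resource": "passport-requests/pending", "decision": "Permit"})
    before = trail.verify()                         # -1: intact
    trail.records[1]["event"]["decision"] = "Deny"  # tamper with a stored record
    return before, trail.verify()                   # (-1, 1)
```

Because the MAC key lives with the collector rather than the service host, an attacker who rewrites records on the host cannot recompute valid tags for the chain.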