Single sign on using WSO2 identity server
1. Single sign-on using WSO2 Identity Server
S. Uthaiyashankar, shankar@wso2.com
VP, Engineering
2. About WSO2
• Providing the only complete open source componentized cloud platform
  – Dedicated to removing all the stumbling blocks to enterprise agility
  – Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
  – Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
  – Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
  – 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
7. Problems…
• User perspective:
  – Different username and password for each system
    • Preferred username is already taken
    • Using the same username/password everywhere might become a security risk
  – Too many usernames and passwords
  – Losing possible collaborations
8. Problems…
• IT perspective:
  – Provisioning/de-provisioning users
  – Auditing user activities
  – No single view of the user
  – Deploying new applications
11. Solution
• Federated Identity and Single Sign-On
[Diagram: Authentication against an Identity Provider on one side, Service Consumption from several Service Providers on the other, linked by Trust]
13. Single Sign-On and Federated Identity
• Single identity
• Possibility of collaboration between applications
• User convenience
• Login only once and access any service
• Easy administration
  – Provisioning, de-provisioning, forgotten password
16. Key Requirements for Identity Federation: Trust Between Domains
• Trust
  – Pre-established
    • Common in enterprise scenarios
  – Established only when accessing the service
    • Common in web scenarios
• Identity Provider discovery
17. Key Requirements for Identity Federation: Identity and Attribute Mapping
• Mapping user identity of one system to another
  – Username
  – Out of band
  – Pseudonym
    • Transient
    • Persistent
• Mapping attribute names in different systems
• Mapping attribute values in different systems
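As an added illustration of the identity and attribute mapping above (not code from the deck or from WSO2 Identity Server), a small Python model of what an identity provider does for one service provider: derive a transient or persistent pseudonym for the subject, and translate attribute names and values into the service provider's vocabulary. The user record, attribute names, service-provider identifiers and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from WSO2): the identity provider's own view of one user.
IDP_USER = {"uid": "shankar", "mail": "shankar@example.com",
            "role": "vp", "dept": "engineering"}

# Name mapping for one service provider: IdP attribute name -> SP attribute name.
# Attributes absent from this map are not released to that SP.
SP_NAME_MAP = {"mail": "email", "role": "userRole", "dept": "organizationalUnit"}

# Value mapping for attributes whose vocabularies differ between the two systems.
SP_VALUE_MAP = {"role": {"vp": "Executive", "engineer": "Engineer"}}

def persistent_pseudonym(user_id: str, sp_entity_id: str, idp_key: bytes) -> str:
    """Persistent pseudonym: stable for the same (user, SP) pair, but keyed and
    SP-specific, so two service providers cannot correlate the same user."""
    msg = sp_entity_id.encode() + b"\x00" + user_id.encode()
    return hmac.new(idp_key, msg, hashlib.sha256).hexdigest()

def transient_pseudonym() -> str:
    """Transient pseudonym: a fresh random value per session, unlinkable across logins."""
    return secrets.token_urlsafe(24)

def map_attributes(idp_user: dict, name_map: dict, value_map: dict) -> dict:
    """Translate IdP attribute names and values into the SP's vocabulary.
    An attribute that has a value map but an unmapped value is dropped (fail closed)."""
    released = {}
    for idp_name, value in idp_user.items():
        sp_name = name_map.get(idp_name)
        if sp_name is None:
            continue
        if idp_name in value_map:
            if value not in value_map[idp_name]:
                continue
            value = value_map[idp_name][value]
        released[sp_name] = value
    return released

def build_subject(idp_user: dict, sp_entity_id: str, idp_key: bytes, persistent: bool) -> dict:
    """What the IdP would place in an assertion for this SP: a pseudonymous
    subject identifier plus the mapped attributes."""
    name_id = (persistent_pseudonym(idp_user["uid"], sp_entity_id, idp_key)
               if persistent else transient_pseudonym())
    return {"subject": name_id,
            "attributes": map_attributes(idp_user, SP_NAME_MAP, SP_VALUE_MAP)}
```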
18. Key Requirements for Identity Federation: Attribute Exchange
• One system requesting additional attributes from another system
19. Protocols and Standards
• OpenID
• SAML2 Web Browser SSO
• WS-Trust & WS-Federation
• Kerberos
22. OpenID
[Diagram: OpenID flow between Service Provider A (Relying Party) and the OpenID / Identity Provider (Single Sign-On Service). Recoverable step labels: access service; 2 discover provider (XRI Resolution, Yadis, HTML based discovery); 3 create shared secret; redirect browser to IdP; allow access to service]
24. SAML2 Web Browser SSO
[Diagram: SAML2 Web Browser SSO between Service Provider A (Assertion Consumer Service) and the Identity Provider (Single Sign-On Service), linked by Trust. Recoverable step labels: access service; 2 select Identity Provider; redirect browser to IdP; allow access to service]
25. WS-Trust
[Diagram: WS-Trust flow. 1 authentication (username/x509/etc.) to the Identity Provider's Security Token Service, which issues a Security Token; Trust between the Identity Provider and Service Provider A; 5 Service Provider A verifies the token (e.g. checks the signature)]
26. WS-Federation
[Diagram: WS-Federation across Domain A and Domain B. 1 authentication (username/x509/etc.) to Identity Provider A's Security Token Service, which issues Security Token A; Trust relationships shown for Identity Provider A and for Identity Provider B (Security Token Service); 4 Identity Provider B verifies Token A (e.g. checks the signature); 7 Service Provider B verifies Token B (e.g. checks the signature)]
34. Engage with WSO2
• Helping you get the most out of your deployments
• From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success