1. An open source Identity and Entitlement Management Server
Prabath Siriwardena, Director of Security Architecture
Johann Nallathamby, Product Lead – Identity Server
5. Authentication: Single Sign On
An open source Identity & Entitlement management server
SAML2, Kerberos, WS-Fed Passive
6. Decentralized Single Sign On
• Single user profile
• Widely used for community & collaboration aspects
• Multifactor Authentication [Infocard, XMPP]
• OpenID relying party components
7. Single Sign On / Single Logout
• Widely used by *aaS providers [Google Apps, Salesforce]
• SAML2 Web SSO Profile
• SAML2 Attribute Profile
• Distributed Federated SAML2 IdPs
• Used in WSO2 StratosLive
18. Diagram: One way provisioning across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumer).
19. Diagram: One way provisioning with broker mode across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumer).
20. Diagram: Bi-directional provisioning across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumers).
21. Diagram: Multi-directional provisioning with a centralized PSP across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumers, central Provisioning Service Provider).
22. Diagram: Just-in-time provisioning with SAML2, steps 1 to 4 (SAML2 IdP, Provisioning Service Provider, Domain A, Domain B).
23. Diagram: Just-in-time provisioning with SAML2, steps 1 to 5 (SAML2 IdP, Provisioning Service Provider, Domain A, Domain B).
67. • Introducing a new service provider is extremely easy.
• Removing an existing service provider is extremely easy.
• Introducing a new identity provider is extremely easy.
• Removing an existing identity provider is extremely easy. You only need to remove the identity provider from the identity bus.
• Enforcing new authentication protocols is extremely easy.
• Claim transformations.
• Role mapping.
• Just-in-time provisioning.
• Centralized monitoring and auditing.
• Introducing a new federation protocol needs minimal changes.
68-72. Access control models (build slides)
• Role Based Access Control
• Attribute Based Access Control
• Policy Based Access Control with XACML, exposed over SOAP (XACML / WS-XACML) and REST
73. XACML 3.0: the de-facto standard for authorization
• Support for multiple PIPs
• Policy distribution
• Decision / Attribute caching
• UI wizard for defining policies
• Notifications on policy updates
• TryIt tool
74. Diagram: entitlement architecture. Policy Decision Point containing the XACML Engine, Policy Cache, Decision Cache, Attribute Cache, Attribute Finder Extensions and a Default Finder backed by LDAP; Policy Administration Point; Extensions. Exposed through EntitlementService (SOAP/Thrift/WS-XACML) and EntitlementPolicyAdminService (SOAP).
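The following is an added example, not WSO2 Identity Server code, that shows in miniature how the components on slides 73 and 74 fit together: a Policy Decision Point whose XACML-style engine pulls subject attributes through pluggable attribute finders (PIPs), with an attribute cache in front of the finders and a decision cache in front of the engine, and a policy-update hook that flushes the decision cache. Everything here is constructed for illustration: the `DIRECTORY` stand-in for the default LDAP finder, the second `clearance_finder` PIP, the `payroll` policy and the simplified rule model (Python callables rather than XACML 3.0 XML) are assumptions, and the `finder_calls` counter exists only to make the effect of the caches observable.

```python
"""Minimal XACML-style PDP with attribute finder extensions (PIPs),
an attribute cache and a decision cache. Constructed illustration only;
not WSO2 Identity Server code and not real XACML 3.0 policy syntax."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Getter = Callable[[str], Optional[str]]

# Constructed stand-in for the directory behind the default (LDAP) finder.
DIRECTORY = {
    "alice": {"role": "admin", "department": "finance"},
    "bob": {"role": "employee", "department": "sales"},
}

def default_finder(attr: str, subject: str) -> Optional[str]:
    """Default attribute finder: resolves subject attributes from DIRECTORY."""
    return DIRECTORY.get(subject, {}).get(attr)

def clearance_finder(attr: str, subject: str) -> Optional[str]:
    """Second, constructed PIP so the PDP has more than one attribute source."""
    return {"alice": "secret", "bob": "public"}.get(subject)

@dataclass
class Rule:
    effect: str                       # "Permit" or "Deny"
    actions: Optional[frozenset]      # None means the rule covers every action
    condition: Callable[[Getter], bool]

    def applies(self, action: str, get: Getter) -> bool:
        # Action match is checked first so no attribute is fetched needlessly.
        return (self.actions is None or action in self.actions) and self.condition(get)

@dataclass
class Policy:
    resource: str                     # target: the resource this policy governs
    rules: List[Rule]                 # combined first-applicable

@dataclass
class PDP:
    policies: List[Policy]
    finders: Dict[str, Callable[[str, str], Optional[str]]]
    attr_cache: Dict[Tuple[str, str], Optional[str]] = field(default_factory=dict)
    decision_cache: Dict[Tuple[str, str, str], str] = field(default_factory=dict)
    finder_calls: int = 0             # PIP round-trips, to show the caches working

    def attribute(self, attr: str, subject: str) -> Optional[str]:
        """Attribute cache in front of the finder extensions."""
        key = (attr, subject)
        if key not in self.attr_cache:
            self.finder_calls += 1
            finder = self.finders.get(attr, default_finder)
            self.attr_cache[key] = finder(attr, subject)
        return self.attr_cache[key]

    def evaluate(self, subject: str, resource: str, action: str) -> str:
        """Engine: first-applicable rule of the first policy targeting the resource."""
        key = (subject, resource, action)
        if key in self.decision_cache:
            return self.decision_cache[key]
        get: Getter = lambda attr: self.attribute(attr, subject)
        decision = "NotApplicable"
        for policy in self.policies:
            if policy.resource != resource:
                continue
            for rule in policy.rules:
                if rule.applies(action, get):
                    decision = rule.effect
                    break
            if decision != "NotApplicable":
                break
        self.decision_cache[key] = decision
        return decision

    def update_policies(self, policies: List[Policy]) -> None:
        """Policy update notification: swap policies and flush cached decisions.
        Attribute values do not depend on policy, so the attribute cache stays."""
        self.policies = policies
        self.decision_cache.clear()

# Constructed policy: payroll is finance-only; reads need secret clearance,
# writes need the admin role.
PAYROLL_POLICY = Policy("payroll", [
    Rule("Deny", None, lambda get: get("department") != "finance"),
    Rule("Permit", frozenset({"read"}), lambda get: get("clearance") == "secret"),
    Rule("Permit", frozenset({"write"}), lambda get: get("role") == "admin"),
])

def build_pdp() -> PDP:
    """PDP with the default finder plus one extension finder for 'clearance'."""
    return PDP(policies=[PAYROLL_POLICY], finders={"clearance": clearance_finder})

if __name__ == "__main__":
    pdp = build_pdp()
    for subject, action in [("alice", "read"), ("alice", "write"), ("bob", "read")]:
        print(subject, action, "->", pdp.evaluate(subject, "payroll", action))
    print("PIP calls:", pdp.finder_calls)
```

Evaluating the same request twice costs no further PIP round-trips, and a second request from the same subject reuses attributes already fetched; only a policy update invalidates decisions, which is the reason a PDP that caches decisions needs the policy-update notifications listed on slide 73.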
87. • User stores with LDAP/AD/JDBC
• Multiple user stores
• OpenID
• SAML2
• Kerberos
• Integrated Windows Authentication
• Information Cards
• XACML 2.0/3.0
• OAuth 1.0a/2.0
• Security Token Service with WS-Trust
• SCIM 1.1
• WS-XACML
• WS-Fed Passive