An open source 
Identity and Entitlement Management Server 
Prabath Siriwardena, Director of Security Architecture 
Johann Nallathamby, Product Lead – Identity Server
An open source Identity & Entitlement management server

Authentication: user stores over LDAP, AD, JDBC
Single Sign On: SAML2, Kerberos, WS-Fed Passive
OpenID
• Decentralized Single Sign On
• Single user profile
• Widely used for community & collaboration aspects
• Multifactor Authentication [Infocard, XMPP]
• OpenID relying party components
SAML2
• Single Sign On / Single Logout
• Widely used by *aaS providers [Google Apps, Salesforce]
• SAML2 Web SSO Profile
• SAML2 Attribute Profile
• Distributed Federated SAML2 IdPs
• Used in WSO2 StratosLive
[Diagram: SharePoint]
Provisioning: SPML, SCIM
Provisioning standards timeline
2001 : OASIS PS TC
2003 : SPML 1.0
2003 : WS-Provisioning
2006 : SPML 2.0
2010 : SCIM community
2011 : SCIM 1.0
2011 : RESTPML
2012 : SCIM 1.1
[Diagram: a SCIM Consumer calling the /Users and /Groups endpoints of a SCIM Service Provider]
add-user.json
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "name": {"familyName": "siriwardena", "givenName": "prabath"},
  "userName": "prabath",
  "password": "prabath123",
  "emails": [{"primary": true, "value": "prabath@yahoo.com", "type": "home"},
             {"value": "prabath@wso2.com", "type": "work"}]
}
curl command
curl -v -k --user admin:admin -d @add-user.json --header "Content-Type: application/json" https://localhost:9443/wso2/scim/Users
Note: -k turns off TLS certificate verification and admin:admin is the default administrator credential; use both only against a local test instance. add-user.json carries the user's cleartext password, so treat the file as sensitive.
add-group.json
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "idnext",
  "displayName": "IdentityNext"
}
curl command
curl -v -k --user admin:admin -d @add-group.json --header "Content-Type: application/json" https://localhost:9443/wso2/scim/Groups
Note: in SCIM the service provider assigns id on create and a client-supplied value is ignored; reference the group afterwards by the id returned in the 201 response, not by "idnext".
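The two curl calls above as a small Python client. This is an added example, not code from the slides or from WSO2. It assumes the same base URL https://localhost:9443/wso2/scim and admin:admin Basic credentials as the slides; the CA bundle path is a placeholder. Unlike curl -k it verifies the server certificate, and it chains the calls the way a provisioning job has to: the group's member list is built from the id the server returns for the user, not from a client-chosen id.

```python
"""Minimal SCIM 1.1 client for the /Users and /Groups endpoints.

Added example, not code from the WSO2 slides.  Assumes WSO2 IS's default
base URL https://localhost:9443/wso2/scim and HTTP Basic auth, as in the
curl commands above; the CA bundle path is a placeholder.
"""
import base64
import json
import ssl
import urllib.request

SCIM_CORE = "urn:scim:schemas:core:1.0"


def build_user(user_name, password, given_name, family_name, emails):
    """Build a SCIM 1.1 core-schema User. emails: list of (value, type, primary)."""
    return {
        "schemas": [SCIM_CORE],
        "userName": user_name,
        "password": password,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [
            {"value": v, "type": t, **({"primary": True} if primary else {})}
            for v, t, primary in emails
        ],
    }


def build_group(display_name, member_ids=()):
    """Build a SCIM 1.1 Group; members reference users by the server-assigned id."""
    return {
        "schemas": [SCIM_CORE],
        "displayName": display_name,
        "members": [{"value": uid} for uid in member_ids],
    }


def basic_auth_header(user, password):
    """HTTP Basic credential, the same thing curl --user sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def created_id(response_body):
    """Extract the server-assigned id from a 201 Created SCIM response body."""
    doc = json.loads(response_body)
    if "id" not in doc:
        raise ValueError("SCIM response has no id: %r" % doc)
    return doc["id"]


def scim_post(base_url, path, payload, user, password, ca_bundle):
    """POST a SCIM resource.  Unlike `curl -k`, the server certificate is
    verified against ca_bundle so the admin credential cannot be captured
    by a man-in-the-middle.  Returns (status, body)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": basic_auth_header(user, password),
        },
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    BASE = "https://localhost:9443/wso2/scim"
    CA = "/path/to/wso2-ca.pem"  # assumption: CA exported from the IS keystore
    status, body = scim_post(
        BASE, "/Users",
        build_user("prabath", "prabath123", "prabath", "siriwardena",
                   [("prabath@yahoo.com", "home", True),
                    ("prabath@wso2.com", "work", False)]),
        "admin", "admin", CA)
    uid = created_id(body)
    print(status, uid)
    status, body = scim_post(BASE, "/Groups",
                             build_group("IdentityNext", [uid]),
                             "admin", "admin", CA)
    print(status, created_id(body))
```

Running the module against a live server needs the CA bundle; the builders and parsers work offline. Both payloads carry the SCIM 1.1 core schema URN, which the spec requires in every resource.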
[Diagram: One way provisioning across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumer)]
[Diagram: One way provisioning with broker mode across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumer)]
[Diagram: Bi-directional provisioning across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumers)]
[Diagram: Multi-directional provisioning with a centralized PSP across Domain A, Domain B and Domain C (Provisioning Service Providers, SCIM Consumers)]
[Diagram: Just-in-time provisioning with SAML2: a SAML2 IdP in Domain A and a Provisioning Service Provider in Domain B, shown first as a four-step flow and then as a five-step flow]
[Diagram: a Provisioning Service Provider with SCIM Consumers for wso2.com and facilelogin.com]
Auditing
Delegation: WS-Trust
• Identity Delegation
• Securing RESTful services
• 2-legged & 3-legged OAuth 1.0a
• XACML integration with OAuth
• OAuth 2.0 support with the Authorization Code, Implicit, Resource Owner Password Credentials and Client Credentials grants
Federation: SAML2, WS-Trust
Federation
• Supports WS-Trust 1.3/1.4
• SAML 1.0/1.1/2.0 token profiles
• Claim management
[Diagram: Cross Domain Authentication with WS-Trust: a Consumer App in Domain A obtains a token from a Security Token Service and presents it to a Resource in Domain B]
[Diagram: Cross Domain Authentication with Kerberos and WS-Trust]
[Diagrams: Decentralized Federated SAML2 IdPs]
[Diagram: Operators and Service Providers federated over SAML 2.0 and OpenID Connect]
Scenario 1
1. http://ebuy.federationdemo.com:9766/ebuy/
2. OpenID Connect request (1502808989)
3. OpenID Connect request
4. <credentials>: User: tom_imobile, Password: tom_imobile
5. OpenID Connect response
6. OpenID Connect response
7. [screenshot]

Scenario 2
1. http://azone.federationdemo.com:9766/azone/ (9477808989)
2. OpenID Connect request
3. SAML2.0 request; OAuth 2.0
4. <credentials>; OAuth 2.0 response
5. SAML2 response
6. OpenID Connect response
7. [screenshot]
• Introducing a new service provider is extremely easy. 
• Removing an existing service provider is extremely easy. 
• Introducing a new identity provider is extremely easy. 
• Removing an existing identity provider is extremely easy. You only need to remove 
the identity provider from the identity bus. 
• Enforcing new authentication protocols is extremely easy. 
• Claim transformations. 
• Role mapping. 
• Just-in-time provisioning. 
• Centralized monitoring and auditing. 
• Introducing a new federation protocol needs minimal changes.
Access control: Role Based Access Control, Attribute Based Access Control, Policy Based Access Control with XACML / WS-XACML over SOAP and REST
XACML
• The de-facto standard for authorization
• XACML 3.0
• Support for multiple PIPs
• Policy distribution
• Decision / Attribute caching
• UI wizard for defining policies
• Notifications on policy updates
• TryIt tool
[Diagram: entitlement engine architecture. EntitlementService (SOAP/Thrift/WS-XACML) and EntitlementPolicyAdminService (SOAP) front a Policy Decision Point made of the XACML Engine, Policy Cache, Decision Cache and Extensions, plus a Policy Administration Point; Attribute Finder Extensions sit behind an Attribute Cache with a Default Finder backed by LDAP]
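What a policy enforcement point sends to that PDP and how it should read the answer, as an added example that is not code from the slides or from WSO2. The request is a plain XACML 3.0 <Request> with one subject, resource and action; the slides list the EntitlementService that accepts such requests over SOAP/Thrift/WS-XACML, and the assumed way of submitting it is as an XML string. The sample response is constructed here, not captured from a server. The security point is the parser: access is granted only on an explicit, single Permit, and Deny, NotApplicable, Indeterminate, an empty result list or malformed XML all fail closed.

```python
"""XACML 3.0 request builder and fail-closed decision parser for a PEP.

Added example, not code from the WSO2 slides.  The <Request> is standard
XACML 3.0; SAMPLE_PERMIT is a constructed response, not captured from a PDP.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
# (category URI, attribute id) for the three attributes a basic request carries
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}


def build_request(subject, resource, action):
    """Serialise a XACML 3.0 <Request> with one subject, resource and action."""
    ET.register_namespace("", XACML_NS)  # emit XACML as the default namespace
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for kind, value in (("subject", subject), ("resource", resource), ("action", action)):
        category, attr_id = CATEGORIES[kind]
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue",
                      {"DataType": STRING}).text = value
    return ET.tostring(req, encoding="unicode")


def decisions(response_xml):
    """Return every <Decision> text in a XACML <Response>, in document order."""
    root = ET.fromstring(response_xml)
    return [d.text.strip() for d in root.iter(f"{{{XACML_NS}}}Decision") if d.text]


def is_permitted(response_xml):
    """Fail closed: only exactly one explicit Permit grants access.
    Deny, NotApplicable, Indeterminate, no <Result>, several results,
    or XML that does not parse all return False."""
    try:
        found = decisions(response_xml)
    except ET.ParseError:
        return False
    return found == ["Permit"]


# Constructed sample response in the shape a XACML 3.0 PDP returns.
SAMPLE_PERMIT = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>"""

if __name__ == "__main__":
    print(build_request("prabath", "https://localhost:9443/foo", "read"))
    print("permitted:", is_permitted(SAMPLE_PERMIT))
```

Treating Indeterminate as deny matters in practice: a PIP outage or an attribute finder timeout surfaces as Indeterminate, and a PEP that only checks "not Deny" opens up exactly when the decision infrastructure is under stress.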
Feature summary
• User stores with LDAP/AD/JDBC
• Multiple user stores
• OpenID
• SAML2
• Kerberos
• Integrated Windows Authentication
• Information Cards
• XACML 2.0/3.0
• OAuth 1.0a/2.0
• Security Token Service with WS-Trust
• SCIM 1.1
• WS-XACML
• WS-Fed Passive
WSO2Con USA 2014 - Identity Server Tutorial
