Enterprise Security
Requirements
Dimtuthu Leelarathne
Director, Solutions Architecture
A dozen solution patterns
for common identity problems
in an enterprise!
Enterprise Security Landscape
Borders across systems don’t work anymore
Why?
o  Open up APIs
o  Bring your own identity
o  Identity maintained in one domain, accessed in other domains
o  Social network identities
o  Bring your own device
o  Ecosystems
o  Mergers/Acquisitions
An IAM System
WSO2 Identity Server
o  5th Generation Product
o  Current version 5.1.0 (released 2015)
o  Federated identity and entitlement is a key part of any distributed
architecture
o  Internal security threats, Partnerships
o  Mergers, De-mergers
o  APIs, Cloud systems
o  SSO is important, but SSOs also need to be federated and bridged across one another
o  Open Standards for Identity are changing the industry landscape
o  Based on WSO2 Carbon platform, which provides support for
multi-tenancy, logging, clustering, and other common services
Identity Server Landscape
Enterprise Identity Bus
Enterprise Identity Bus (EIB)
Enterprise Identity Bus
What Does an EIB Do?
Bridges
Tokens
•  OAuth/2
•  OpenID/OpenID Connect
•  SAML2
•  WS-Federation
•  Kerberos, etc
Claims & Claim Dialects
•  Email Addresses
•  Phone Numbers
•  Names, etc
User Stores
•  SPML, SCIM, Salesforce,
Google, etc
•  Just in Time provisioning,
inbound, outbound
A Story
o  Kermit Co is an open-source product
development company
o  It has employees, customers and an open-source
community
o  It has some internal systems used by
employees and some external systems
o  Kermit Co is going to upgrade its identity infrastructure
Kermit Corporation
Kermit Co has some internal Applications
o  Employees use several systems
o  Office 365
o  Redmine
o  Salesforce
o  Star Accounts
o  Employee LDAP in Kermit Datacenter cannot be
synched to Cloud
Problem
o  Employees need to access cloud-based and on-premises
systems
o  De-centralized identities
o  Password exhaustion: re-login each time
→  When an employee logs in to one system, they should be
logged in to the rest
o  Different systems use different protocols – SAML 2.0,
WS-Federation
SSO for Heterogeneous Systems using
different Federation Protocols
Problem
o  Ginger is from the finance team
o  Her account is hacked
o  All finance data is leaked
→  Need to implement Multi-Factor
Authentication (MFA)
o  Something you know, something you have,
something you are
o  Add FIDO and SMSOTP
MFA in Multi-Steps
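The multi-step chain the slide calls for, as an added example (not code from the deck or from WSO2 Identity Server): step 1 checks the knowledge factor against a salted PBKDF2 hash, step 2 checks a possession factor. A TOTP code (RFC 6238, the algorithm behind authenticator apps) stands in for the SMSOTP/FIDO step; the user store, salt and seed are constructed for the example, and the function names are assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed in-memory user store (not a real directory): a PBKDF2 password
# hash plus the TOTP seed enrolled for the second step.
_SALT = b"constructed-salt"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "ginger": {
        "pw_hash": _pbkdf2("correct horse battery staple", _SALT),
        "totp_seed": b"constructed-seed-for-ginger-only",
        "mfa_required": True,  # finance team: second factor is mandatory
    },
}


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the time-step counter."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def step_password(username: str, password: str) -> bool:
    """Step 1: knowledge factor. Unknown users still pay the hash cost so the
    response time does not reveal whether the username exists."""
    user = USERS.get(username)
    if user is None:
        _pbkdf2(password, _SALT)
        return False
    return hmac.compare_digest(user["pw_hash"], _pbkdf2(password, _SALT))


def step_otp(username: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Step 2: possession factor. Accept the current code or one step either
    side to absorb clock drift between the phone and the IdP."""
    seed = USERS[username]["totp_seed"]
    return any(hmac.compare_digest(totp(seed, at + k * step, step), code)
               for k in range(-window, window + 1))


def authenticate(username: str, password: str, code: Optional[str],
                 at: Optional[int] = None) -> dict:
    """Run the chain in order; report which step failed so the IdP can render
    the matching page, without issuing a session until every step passed."""
    at = int(time.time()) if at is None else at
    if not step_password(username, password):
        return {"authenticated": False, "failed_step": 1}
    if USERS[username]["mfa_required"]:
        if code is None or not step_otp(username, code, at):
            return {"authenticated": False, "failed_step": 2}
    return {"authenticated": True, "failed_step": None}
```

Step 2 is only reached after step 1 succeeds, so a stolen password alone ends at `failed_step: 2`; a real deployment would also rate-limit OTP attempts and bind the two steps to one login transaction.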
Problem
o  Customers need to authenticate to several systems
o  Website for product downloads
o  JIRA for issue reporting
o  Certification portal
o  Partner portal
o  All customers are in a different LDAP
Handling Different Types of Identities
o  Technically these could be added to the existing WSO2 IS, but
customer identities are different:
o  Scale is massive
o  Control is not within the organization
o  Self-service registration is needed
o  Social identities & JIT provisioning
o  Identity assurance is low
o  Delegated administration
o  User experience must be excellent and distributed
Managing Internal/External Identities
Problem
o  Need to provide social sign-up/sign-in capabilities to the
website
o  Facebook, Google
o  When users sign up via social media Kermit wants to
add the user to the External Users DB
→  Do just-in-time provisioning to the External Users DB
Identity Federation and JIT
[Claim mapping diagram: the same attribute appears as first_name, FirstName and given_name in different claim dialects]
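The claim-dialect bridging and JIT provisioning the last two slides describe, as an added example that is not code from the deck or from WSO2 Identity Server. The dialect mappings (OIDC `given_name`, SAML `FirstName`, local `first_name`), the in-memory External Users DB and the function names are constructed assumptions; the point shown is that only mapped claims reach the local record and that subjects are namespaced by IdP.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Claim dialects: the same attribute under the name each party uses. The local
# dialect is the External Users DB schema; the others are what a federated IdP
# sends. Constructed for the example, not WSO2 IS configuration.
DIALECTS = {
    "oidc": {"given_name": "first_name", "family_name": "last_name", "email": "email"},
    "saml": {"FirstName": "first_name", "LastName": "last_name", "EmailAddress": "email"},
}
REQUIRED_LOCAL_CLAIMS = {"email"}


def map_claims(idp: str, claims: Dict[str, str]) -> Dict[str, str]:
    """Translate inbound claims into the local dialect. Claims with no mapping
    are dropped, so a federated IdP cannot push arbitrary attributes (an
    'admin' flag, say) into the local user record."""
    mapping = DIALECTS[idp]
    return {mapping[name]: value for name, value in claims.items() if name in mapping}


@dataclass
class ExternalUsersDB:
    """Constructed in-memory stand-in for the External Users DB."""
    users: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def find(self, subject: str) -> Optional[Dict[str, str]]:
        return self.users.get(subject)

    def create(self, subject: str, attrs: Dict[str, str]) -> None:
        self.users[subject] = dict(attrs)

    def update(self, subject: str, attrs: Dict[str, str]) -> None:
        self.users[subject].update(attrs)


def federated_login(db: ExternalUsersDB, idp: str, subject: str,
                    raw_claims: Dict[str, str]) -> dict:
    """Just-in-time provisioning on a federated login: create the local account
    the first time this subject is seen, refresh mapped attributes afterwards.
    The local subject is namespaced by IdP so 'alice' at one social IdP and
    'alice' at another never resolve to the same record."""
    attrs = map_claims(idp, raw_claims)
    missing = REQUIRED_LOCAL_CLAIMS - attrs.keys()
    if missing:
        raise ValueError(f"IdP {idp} did not supply required claims: {sorted(missing)}")
    local_subject = f"{idp}:{subject}"
    if db.find(local_subject) is None:
        db.create(local_subject, attrs)
        provisioned = True
    else:
        db.update(local_subject, attrs)
        provisioned = False
    return {"subject": local_subject, "provisioned": provisioned,
            "attributes": db.find(local_subject)}
```

The `ValueError` path is the failure mode worth handling: an IdP that omits a required claim should not produce a half-populated account.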
Problem
o  How are the external users
going to manage their
profile?
o  All external users need to
manage their own profiles by
logging into the website
o  Make the website do direct LDAP
calls?
o  Use the APIs in WSO2 IS
o  SCIM – System for Cross-domain Identity
Management
o  User information recovery service
o  User management service
“I can use REST/SOAP calls to do user management”
Identity Management APIs
External Users
Problem
o  Kermit employees need to log in to external systems –
JIRA, Website & Certificate Portal
o  Kermit employees are not in the external IdP
→  Kermit employee identities should be federated from the
internal IdP to the external IdP and SPs
Identity Federation – Custom Authenticator
Problem
o  Matrix is a marketing analytics company that does lead
identification for Kermit Co
o  It is a file-based batch process that updates Kermit’s
Salesforce
o  Kermit Co wants to automate the process by exposing
APIs
o  addSQLead, getRawLeads, getUsers
Expose OAuth Protected APIs
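What "OAuth protected" means on the API side, as an added example that is not code from the deck or from WSO2: a resource server takes the bearer token from the request, asks the authorization server's introspection endpoint (RFC 7662) whether it is active, and only then checks expiry, audience and the scope required by the operation. The operation names are the deck's; the scope names, the audience value, the `authorize_call` function and the in-memory introspection table are constructed assumptions.

```python
import time
from typing import Callable, Dict, Optional

# Scope required per API operation. The operations are the ones the deck lists;
# the scope names are assumed for the example.
REQUIRED_SCOPE = {
    "addSQLead": "leads:write",
    "getRawLeads": "leads:read",
    "getUsers": "users:read",
}
EXPECTED_AUDIENCE = "kermit-lead-api"  # assumed identifier of this resource server

# Constructed stand-in for the authorization server's RFC 7662 introspection
# endpoint: opaque token -> introspection response.
_INTROSPECTION_DB: Dict[str, dict] = {
    "tok-matrix-valid": {"active": True, "scope": "leads:read leads:write",
                         "client_id": "matrix-batch", "aud": "kermit-lead-api",
                         "exp": 4_102_444_800},
    "tok-matrix-expired": {"active": False},  # inactive tokens carry no other fields
    "tok-other-aud": {"active": True, "scope": "leads:read", "client_id": "other",
                      "aud": "some-other-api", "exp": 4_102_444_800},
}


def introspect(token: str) -> dict:
    """Constructed introspection call; a real one is an authenticated POST."""
    return _INTROSPECTION_DB.get(token, {"active": False})


def authorize_call(authorization_header: Optional[str], operation: str,
                   now: Optional[int] = None,
                   introspect_fn: Callable[[str], dict] = introspect) -> dict:
    """Decide whether one API call may proceed. Token problems are 401 (the
    caller must obtain a new token); a valid token lacking the scope is 403."""
    now = int(time.time()) if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return {"allowed": False, "status": 401, "reason": "missing bearer token"}
    token = authorization_header[len("Bearer "):].strip()
    info = introspect_fn(token)
    if not info.get("active"):
        return {"allowed": False, "status": 401, "reason": "token inactive"}
    if info.get("exp", 0) <= now:
        return {"allowed": False, "status": 401, "reason": "token expired"}
    aud = info.get("aud")
    # A token minted for another API must not be accepted here, even if its
    # scopes happen to overlap with ours.
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return {"allowed": False, "status": 401, "reason": "wrong audience"}
    required = REQUIRED_SCOPE.get(operation)
    if required is None:
        return {"allowed": False, "status": 404, "reason": "unknown operation"}
    granted = set(info.get("scope", "").split())
    if required not in granted:
        return {"allowed": False, "status": 403, "reason": f"missing scope {required}"}
    return {"allowed": True, "status": 200, "client_id": info.get("client_id")}
```

Introspection responses are worth caching for a short interval, but never past `exp`, and a revoked token should drop out of the cache on the next lookup.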
Problem
o  Kermit Infra team wants to automate provisioning
o  Provisioning users to apps
o  LDAP synching + LDAP groups give the same end result as
provisioning
o  Per-app roles need to be managed in the central LDAP; this can be quite large
o  WSO2 IS adaptors can be used for rule-based provisioning
o  Same control domain → either works (automated
provisioning or LDAP synching)
o  Different control domain → use provisioning
Rule-Based User Provisioning
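What a rule-based provisioner computes, as an added example that is not code from the deck or a WSO2 IS adaptor: rules map directory attributes (groups, department) to per-app roles, and a reconciliation step turns the difference between desired and current roles into grant and revoke operations. The rules, app names, `User` attributes and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class User:
    username: str
    groups: Set[str]
    department: str
    active: bool = True


@dataclass
class Rule:
    app: str
    role: str
    matches: Callable[[User], bool]


# Constructed rules: which directory attributes earn which role in which app.
# Keeping them here, rather than as one LDAP group per app role, is the point
# of the slide's "per-app roles can be quite large" remark.
RULES: List[Rule] = [
    Rule("salesforce", "sales-user", lambda u: "sales" in u.groups),
    Rule("salesforce", "sales-admin", lambda u: "sales-leads" in u.groups),
    Rule("redmine", "developer", lambda u: u.department == "engineering"),
    Rule("star-accounts", "viewer", lambda u: "finance" in u.groups),
]


def desired_state(user: User) -> Dict[str, Set[str]]:
    """Evaluate every rule. A deactivated user should hold no role anywhere,
    which is what makes deprovisioning fall out of the same computation."""
    if not user.active:
        return {}
    desired: Dict[str, Set[str]] = {}
    for rule in RULES:
        if rule.matches(user):
            desired.setdefault(rule.app, set()).add(rule.role)
    return desired


def reconcile(user: User, current: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Diff desired roles against what each app currently holds and emit the
    outbound provisioning operations (grant first, then revoke, per app)."""
    desired = desired_state(user)
    ops: List[Tuple[str, str, str]] = []
    for app in sorted(set(desired) | set(current)):
        want = desired.get(app, set())
        have = current.get(app, set())
        for role in sorted(want - have):
            ops.append(("grant", app, role))
        for role in sorted(have - want):
            ops.append(("revoke", app, role))
    return ops
```

Running `reconcile` on a schedule against each app's actual role list catches drift (a role granted by hand in the app) as well as joiners and leavers.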
Problem
o  Kermit's HCI expert wants to avoid showing the
login screen on the IdP
o  He wants the login choices to be
displayed on the website itself
→  Home Realm Identifier
Federation Hub
Kermit Co has a pretty decent Identity
Infrastructure!
Gonzo Group of Companies
o  Group of companies with 3 main companies
o  Problem – requires a centralized, highly controlled IAM
program for its external users
Multi-tenant Identity Server
Problem
o  Gonzo, the group of companies, wants centralized fine-
grained authorization policies
o  Render menu items on the website using centralized
authorization decisions
o  All internally developed apps should comply with the
centralized policy registry
Fine-grained Centralized Authorization
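How an app defers to a central policy registry, as an added example that is not code from the deck or from WSO2 IS (which uses XACML for this): the website acts as the enforcement point and asks a decision function for each menu item, the policies live in one place, and the combining logic is deny-overrides with everything else denied. The policy set, the subject attributes, the resource naming scheme and the function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Request:
    subject: Dict[str, object]   # user attributes: company, roles, status
    resource: str                # e.g. "menu:reports:gonzo-a"
    action: str                  # e.g. "view"


@dataclass
class Policy:
    name: str
    effect: str                  # "Permit" or "Deny"
    applies: Callable[[Request], bool]


# Constructed central policy registry: attribute-based rules in plain Python,
# standing in for the XACML rules a real policy store would hold.
POLICIES: List[Policy] = [
    Policy("deny-suspended", "Deny",
           lambda r: r.subject.get("status") == "suspended"),
    # Each company sees only its own reports menu.
    Policy("reports-own-company", "Permit",
           lambda r: r.resource.startswith("menu:reports:") and r.action == "view"
           and r.resource.split(":")[2] == r.subject.get("company")),
    Policy("admin-console", "Permit",
           lambda r: r.resource == "menu:admin"
           and "group-admin" in r.subject.get("roles", ())),
    Policy("public-downloads", "Permit",
           lambda r: r.resource == "menu:downloads"),
]


def decide(req: Request, policies: List[Policy] = POLICIES) -> str:
    """Deny-overrides combining: any applicable Deny wins, otherwise an
    applicable Permit, otherwise NotApplicable (which callers treat as deny)."""
    effects = {p.effect for p in policies if p.applies(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def visible_menu(subject: Dict[str, object], items: List[str]) -> List[str]:
    """Enforcement point for the website: render only items the central
    decision permits. The same decide() must also guard the pages behind the
    menu, since hiding a link is not access control on its own."""
    return [item for item in items if decide(Request(subject, item, "view")) == "Permit"]
```

Because every app calls the same `decide`, changing who may see the admin console is one policy edit rather than a code change in each app.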
Problem
o  Gonzo wants all distributor registrations through
their website to go through an approval process
Workflows
Other Advanced Patterns
https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
CONTACT US !
