WSO2 produces open source identity and access management software. Through Google Summer of Code, WSO2 has mentored 11 projects implementing key identity standards like UMA, SAML, and OAuth. These standards, developed by organizations like OASIS and IETF, provide frameworks for identity federation, SSO, provisioning, and access control. Formats include SAML for SSO, SCIM for provisioning using REST, and XACML for fine-grained authorization control. WSO2 contributes implementations of these standards to help users manage identity and access securely across domains.

1. Open Standards
in
Identity Management
Prabath Siriwardena
prabath@apache.org | prabath@wso2.com
GSoC Mentor Summit 2016

2. Pillars of Identity and Access Management
● Identity Federation and Single Sign on
● User Administration and Provisioning
● Identity and Access Governance

3. GSoC and WSO2
● WSO2 produces a set of open source software to address different
aspects in the connected business.
● All WSO2 products are released under the most business friendly open
source license, Apache 2.0.
● GSoC mentor organization since 2014
● 11 GSoC projects successfully completed in 2016
● Identity standards implemented under GSoC (mentored by WSO2)
○ UMA (User Managed Access)
○ XACML JSON profile
○ XACML REST profile
○ SAML 2.0 Assertion Query/Request Profile

4. Identity and Access Management (IAM) is the
security discipline that enables the right individuals
to access the right resources at the right times for the
right reasons.

5. Standard Bodies for Identity and Access Management
● OASIS
● IETF
● OpenID Foundation
● W3C
● Kantara Initiative
● FIDO Alliance

6. OAuth 2.0
● An authorization framework developed by IETF and documented under
RFC 5849.
● Enables a third-party application to obtain limited access to an HTTP
service, either on behalf of a resource owner or by allowing the
third-party application to obtain access on its own behalf.
● Access delegation
● OAuth 1.0 vs. OAuth 2.0

7. OAuth 2.0

8. OAuth 2.0 (Authorization Code Grant Type)

9. OAuth 2.0 (Implicit Grant Type)

10. OAuth 2.0 (Client Credentials Grant Type)

11. OAuth 2.0 (Password Grant Type)

12. OpenID Connect
● A standard developed by the OpenID Foundation.
● Built on top of OAuth 2.0
● Uses JWT standard developed by the IETF JOSE working group
● Uses JWT to transport user identity from the identity provider to the
service provider

13. OpenID Connect

14. OpenID Connect

15. SAML 2.0
● An XML-based standard for exchanging authentication and
authorization data between entities which is a product of the OASIS
Security Services Technical Committee.
● History
○ SAML 1.0 was adopted as an OASIS standard in Nov 2002
○ SAML 1.1 was ratified as an OASIS standard in Sept 2003
○ SAML 2.0 became an OASIS standard in Mar 2005
● Components
○ Assertions: Authentication, Attribute and Authorization information
○ Protocol: Request and Response elements for packaging assertions
○ Bindings: How SAML Protocols map onto standard messaging or
communication protocols
○ Profiles: How SAML protocols, bindings and assertions combine to
support a defined use case
● SAML Assertion Query/Request Profile (GSoC 2016 open source
implementation)

16. SAML 2.0 Web SSO (HTTP Redirect Binding)

17. SAML 2.0 Web SSO vs. OpenID Connect
● Both can be used to facilitate Identity Federation and SSO
● SAML 2.0 Web SSO is based on XML while OIDC is based on JSON
● SAML 2.0 Web SSO is based on SAML while OIDC is based on JWT
● SAML 2.0 is has many bindings (SOAP, HTTP) while the only binding
OIDC has is the HTTP.
● OpenID Connect is preferred standard for Mobile Apps and SPAs.

18. SPML (Service Provisioning Markup Language)
● OASIS Technical Committee for Service Provisioning was formed in
2001 to define an XML-based framework for exchanging user, resource,
and service provisioning information.
● XML based
● Two bindings
○ SOAP
○ File
● SPML v2.0 is the latest version.
● Too bulky - like the UDDI specification in the SOAP world.

19. SCIM (System for Cross-domain Identity Management)
● SCIM is purely RESTful.
● The initial version supported both JSON and XML - now JSON only.
● Introduced a REST API for provisioning and also a core schema (which
also can be extended) for provisioning objects.
● SCIM 1.1 was finalized in 2012 - and then it was donated to the IETF.
● Once in IETF, it has to change the definition of SCIM to System for
Cross-domain Identity Management and it's no more supporting XML -
only JSON.
● SCIM 2.0 was released as the RFC 7644 in Sept 2015 under IETF

20. The Evolution of Provisioning Standards

21. ● An OASIS standard for fine-grained access control.
● Components
○ Architecture (PAP, PDP, PEP, PIP)
○ Request-Response protocol
○ Policy language (XML-based)
● JSON profile XACML 3.0 (GSoC 2016 - open source implementation)
● REST API for XACML (GSoC 2016 - open source implementation)
XACML (eXtensible Access Control Markup Language)

22. XACML (eXtensible Access Control Markup Language)

23. Contact us !