The document provides an agenda for a WSO2 Italy Club event. It lists dates from March to July and speakers who will present on topics related to APIs, identity management, and interoperability between organizations. Matteo Bordin is featured as a speaker for March and will cover new features of WSO2 IS and APIM. Other topics included are identity federation, adaptive authentication, API security, user provisioning, and privacy consent management. The main use cases for WSO2 Identity Server are listed as identity federation, identity bridging, adaptive authentication, API security, access management, and identity analytics.
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
1. WHEN / WHO / WHAT
1 March - Gabriele Gianoglio - weModI and interoperability of public administrations: from a municipality to Europe, it is only a matter of APIs
15 March - Matteo Bordin - What's new in WSO2 APIM
29 March - Matteo Bordin - What's new in WSO2 IS
19 April - Stefano Negri (WSO2) - TELCO success story
3 May - Leo Antonaccio - Apification: opportunities for modern organisations in the post-digitalisation era
17 May - Gabriele Gianoglio - User-centric authentication: building identity from an architectural point of view, or moving towards a passwordless model
31 May - Danilo Massaglia - Asynchronous APIs
14 June - Gabriele Gianoglio - How to install WSO2 on AWS: tips and tricks
28 June - Daniele Dal Farra - A real case: interoperability in the Utility sector
12 July - Daniele Dal Farra - A real case: API exposure in the Finance world
26 July - Leo Antonaccio - A real case: Identity Management integrated with SPID
4. Today's speaker...
He describes himself as:
Perfectionist, curious, consistent
We describe him as:
Honest, brilliant, never dull
Our motto:
"ask Matteo!"
Matteo Bordin
6. WSO2 IS New Feature
❖ Integration with TypingDNA
❖ Integration with ELK for identity analytics
❖ Multi-attribute login support
❖ Device flow support
❖ PBKDF2 hashing for user passwords
❖ Java 17 Runtime compatibility
❖ Authentication SDKs
❖ Passwordless authentication with Magic Link
❖ FIDO attestation validations
❖ Federated IDP Initiated OIDC Back-Channel Logout
❖ Support for rotating symmetric encryption key
❖ Remove the dependency on cookies for OIDC flows when extending the IdP session
❖ Auto login after self-registration
❖ Enhanced login portal and my account
❖ reCAPTCHA v3 and invisible reCAPTCHA v2 support
❖ Google One Tap authentication
❖ Accessibility
7. Integration with TypingDNA
TypingDNA is a behavioral biometrics vendor and a pioneer in delivering
typing biometrics technology as an API for user-friendly authentication to
businesses across cybersecurity, finance, education, and retail.
The vendor leverages typing biometrics to provide customers with a
seamless, user-friendly, risk-based authentication (RBA) experience to
enhance security and fraud detection.
TypingDNA uses AI-based technology to authenticate users
according to the way they type.
You can integrate TypingDNA with WSO2 Identity Server to provide
risk-based adaptive authentication for users.
Scenario
Consider a scenario where you want to prompt an additional
authentication step if the typing pattern of the user trying to log in
does not match the typing pattern registered in the user's account.
The login flow of the user is then stepped up as follows:
1. Basic authentication (username and password)
2. TOTP
var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            verifyUserWithTypingDNA(context, {
                onSuccess: function(context, data) {
                    // Change the definition here as required.
                    var userVerified = data.result;
                    // data.isTypingPatternReceived indicates whether a typing pattern
                    // was received from the login portal. Note that when no pattern is
                    // received this script does NOT step up; tighten the condition if a
                    // missing pattern should also require the second factor.
                    if (data.isTypingPatternReceived && !userVerified) {
                        executeStep(2);
                    }
                },
                onFail: function(context, data) {
                    // Verification could not be completed: fail closed and step up.
                    executeStep(2);
                }
            });
        }
    });
};
8. Integration with ELK for identity analytics
ELK-based analytics provides three types of dashboards:
• Auth Dashboard: the latest version of WSO2 Identity Server Analytics
lets you view and analyze statistics of login attempts made through
the authentication framework of WSO2 Identity Server.
• Session Dashboard: includes statistics related to the sessions that
get created for the different applications accessed via WSO2 Identity
Server. A session is the time between a successful login and the
subsequent logout by a specific user.
• Alert Dashboard: facilitates alerting so that you are informed about
abnormal behavior in the authentication operations carried out by
WSO2 Identity Server.
The ELK-based on-premise analytics architecture has 4 main
components.
1. Filebeat monitors the log file locations that you specify,
collects log events, and forwards them to Logstash.
2. Logstash is a server-side data processing pipeline that
ingests data from multiple sources, transforms it, and then
sends it to Elasticsearch.
3. Elasticsearch is the central component of the Elastic stack:
a distributed, RESTful search and analytics engine that
stores, searches, and analyzes large volumes of data quickly
and in near real time.
4. Kibana is a visualization layer that works on top of
Elasticsearch, giving users the ability to analyze and
visualize the data.
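The Alert Dashboard described above raises alerts on abnormal authentication behavior. The following is an added example, not WSO2 code and not WSO2's log format: it runs a small alert rule of the kind such a dashboard would surface over constructed login events (the field names `ts`, `user`, `ip`, `app`, `success` are assumptions standing in for what Logstash would parse out of the authentication logs), flagging a per-user failure burst, a success immediately after that burst, and one IP failing against many different users (password spraying).

```python
"""Added example: alert rules over constructed login events (not WSO2 code).
The event shape is an assumption for what Logstash would ship to Elasticsearch."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: bob is brute-forced and then logs in successfully;
# the same IP then tries three other accounts; alice has one harmless failure.
SAMPLE_EVENTS = [
    {"ts": "2023-03-29T10:00:00Z", "user": "alice", "ip": "198.51.100.7", "app": "crm", "success": True},
    {"ts": "2023-03-29T10:01:00Z", "user": "bob",   "ip": "203.0.113.9",  "app": "crm", "success": False},
    {"ts": "2023-03-29T10:01:20Z", "user": "bob",   "ip": "203.0.113.9",  "app": "crm", "success": False},
    {"ts": "2023-03-29T10:01:40Z", "user": "bob",   "ip": "203.0.113.9",  "app": "crm", "success": False},
    {"ts": "2023-03-29T10:02:00Z", "user": "bob",   "ip": "203.0.113.9",  "app": "crm", "success": False},
    {"ts": "2023-03-29T10:02:20Z", "user": "bob",   "ip": "203.0.113.9",  "app": "crm", "success": False},
    {"ts": "2023-03-29T10:02:40Z", "user": "bob",   "ip": "203.0.113.9",  "app": "crm", "success": True},
    {"ts": "2023-03-29T10:05:00Z", "user": "carol", "ip": "203.0.113.9",  "app": "hr",  "success": False},
    {"ts": "2023-03-29T10:05:10Z", "user": "dave",  "ip": "203.0.113.9",  "app": "hr",  "success": False},
    {"ts": "2023-03-29T10:05:20Z", "user": "erin",  "ip": "203.0.113.9",  "app": "hr",  "success": False},
    {"ts": "2023-03-29T11:30:00Z", "user": "alice", "ip": "198.51.100.7", "app": "crm", "success": False},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_auth_anomalies(events, window=timedelta(minutes=5),
                          fail_threshold=5, spray_threshold=3):
    """Return alert tuples, in event order:
    ("brute_force", user, ip, ts)            >= fail_threshold failures for one user inside `window`
    ("success_after_failures", user, ip, ts) a success right after such a burst (password possibly guessed)
    ("password_spray", ip, [users], ts)      one IP fails against >= spray_threshold distinct users inside `window`
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    fails_by_user = defaultdict(list)   # user -> timestamps of failures still inside the window
    fails_by_ip = defaultdict(list)     # ip -> (timestamp, user) of failures still inside the window
    flagged_users, flagged_ips = set(), set()
    for e in events:
        t, u, ip = parse_ts(e["ts"]), e["user"], e["ip"]
        if e["success"]:
            if u in flagged_users:
                alerts.append(("success_after_failures", u, ip, e["ts"]))
                flagged_users.discard(u)
            fails_by_user[u].clear()
            continue
        # sliding window per user
        fails_by_user[u] = [x for x in fails_by_user[u] + [t] if t - x <= window]
        if len(fails_by_user[u]) >= fail_threshold and u not in flagged_users:
            alerts.append(("brute_force", u, ip, e["ts"]))
            flagged_users.add(u)
        # sliding window per source IP, counting distinct targeted accounts
        fails_by_ip[ip] = [x for x in fails_by_ip[ip] + [(t, u)] if t - x[0] <= window]
        targeted = {x[1] for x in fails_by_ip[ip]}
        if len(targeted) >= spray_threshold and ip not in flagged_ips:
            alerts.append(("password_spray", ip, sorted(targeted), e["ts"]))
            flagged_ips.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_EVENTS):
        print(alert)
```

The three rules are deliberately stateful (a success only becomes interesting after a flagged burst, and a spray is only visible per source IP across accounts), which is exactly what a per-event log line cannot show and why the events have to be aggregated in Elasticsearch before the dashboard can alert on them.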
9. Multi-attribute login support
WSO2 Identity Server lets you configure multiple attributes as the login identifier.
While the username is the default login identifier, users can be given the option to enter a
mobile number, email address, or any other attribute of their choice. Any attribute used as a
login identifier must be unique within the user store, otherwise it cannot be resolved to a
single account.
Supported flows
Multi-attribute login is supported in the following flows:
• Identifier-first authenticator
• Username & Password authenticator
• Request path authenticator
• Authentication REST APIs
• OAuth password grant
• Password recovery flow
10. Device flow support
With device flow support (the OAuth 2.0 Device Authorization Grant, RFC 8628), users can
use another device, such as a smartphone, to complete login on a device with limited input
capability, such as a smart TV or a CLI tool.
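To show what the device flow actually exchanges, here is an added example (not WSO2 code) that simulates both sides of RFC 8628 in memory: the input-constrained device obtains a `device_code` and a short `user_code`, the user approves that code on a second device, and the device polls the token endpoint while handling `authorization_pending`, `slow_down`, `access_denied` and `expired_token`. The endpoint URL, lifetimes and the `sub` field in the token response are assumptions; a simulated clock replaces real sleeping so the example runs instantly.

```python
"""Added example: an in-memory simulation of the OAuth 2.0 Device Authorization
Grant (RFC 8628). Not WSO2 code; URLs, lifetimes and the 'sub' field are assumptions."""
import secrets


class DeviceAuthServer:
    """Stand-in for the device authorization endpoint and the token endpoint."""

    def __init__(self, lifetime=600, interval=5):
        self.lifetime, self.interval = lifetime, interval   # seconds
        self.grants = {}          # device_code -> grant state
        self.by_user_code = {}    # user_code -> device_code

    def device_authorization(self, client_id, now):
        device_code = secrets.token_urlsafe(32)            # high entropy, never shown to the user
        alphabet = "BCDFGHJKLMNPQRSTVWXZ"                   # unambiguous, human-typable
        raw = "".join(secrets.choice(alphabet) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]
        self.grants[device_code] = {"client_id": client_id, "user_code": user_code, "issued": now,
                                    "status": "pending", "last_poll": None, "subject": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",   # assumed URL
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code, subject, approve):
        """Called from the secondary device after the user has authenticated and typed the code."""
        dc = self.by_user_code.get(user_code.upper())
        if dc is None or self.grants[dc]["status"] != "pending":
            return False
        self.grants[dc]["status"] = "approved" if approve else "denied"
        self.grants[dc]["subject"] = subject
        return True

    def token(self, device_code, client_id, now):
        g = self.grants.get(device_code)
        if g is None or g["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now - g["issued"] > self.lifetime:
            return {"error": "expired_token"}
        if g["last_poll"] is not None and now - g["last_poll"] < self.interval:
            g["last_poll"] = now
            return {"error": "slow_down"}                   # client polled faster than allowed
        g["last_poll"] = now
        if g["status"] == "pending":
            return {"error": "authorization_pending"}
        if g["status"] == "denied":
            return {"error": "access_denied"}
        # approved: the device_code is single-use, so drop it before issuing the token
        del self.grants[device_code]
        del self.by_user_code[g["user_code"]]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "sub": g["subject"]}


def poll_for_token(server, auth, client_id, clock, user_action=None):
    """Device-side loop. `clock` is a one-element list holding simulated time; `user_action(now)`
    simulates the user approving on the phone at some point."""
    interval = auth["interval"]
    while True:
        if user_action:
            user_action(clock[0])
        resp = server.token(auth["device_code"], client_id, clock[0])
        err = resp.get("error")
        if err == "authorization_pending":
            clock[0] += interval
        elif err == "slow_down":
            interval += 5                                   # RFC 8628: back off by 5 seconds
            clock[0] += interval
        else:
            return resp                                     # token, or a terminal error


def run_demo():
    """Happy path: user approves 12 s after the code was issued; replaying the device_code fails."""
    server, clock, client_id = DeviceAuthServer(), [0], "smart-tv"
    auth = server.device_authorization(client_id, clock[0])

    def user_action(now):
        if now >= 12:
            server.user_decision(auth["user_code"], "alice", approve=True)

    token = poll_for_token(server, auth, client_id, clock, user_action)
    replay = server.token(auth["device_code"], client_id, clock[0])
    return token, replay


def demo_errors():
    """Error paths: too-fast polling, wrong client, user denial, expiry."""
    server = DeviceAuthServer()
    auth = server.device_authorization("tv", 0)
    server.token(auth["device_code"], "tv", 0)
    fast = server.token(auth["device_code"], "tv", 1)
    wrong_client = server.token(auth["device_code"], "other", 10)
    denied_auth = server.device_authorization("tv", 0)
    server.user_decision(denied_auth["user_code"], "mallory", approve=False)
    denied = server.token(denied_auth["device_code"], "tv", 10)
    expired = server.token(auth["device_code"], "tv", 601)
    return {"fast": fast["error"], "wrong_client": wrong_client["error"],
            "denied": denied["error"], "expired": expired["error"]}
```

The practitioner caveat is the `user_code`: it is the only thing an attacker needs a victim to type, so the verification page should clearly show which client is asking for access before the user approves, and the code should stay short-lived and single-use as above.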
11. PBKDF2 hashing for user passwords
Password-Based Key Derivation Function 2 (PBKDF2) is a salted, iterated
hashing algorithm recommended by NIST (SP 800-132) for deriving keys from
passwords. It can be used to store user passwords securely in user stores.
Because every guess costs the configured number of iterations and each
user has their own salt, offline brute-force and dictionary attacks against
a stolen user store become far more expensive than with a plain digest.
Configuration in deployment.toml:
[user_store]
type = "database_unique_id"
password_digest = "PBKDF2"
12. Java 17 Runtime compatibility
Java 17 is the latest LTS release of Java. Premier support for Java 11 is
due to end in September 2023. The WSO2 Identity Server 6.0.0
distribution is compatible with the Java 17 runtime.
Tested JDK versions
• OpenJDK 11
• OpenJDK 17
• Oracle JDK 11
• Oracle JDK 17
• AdoptOpenJDK 11
Tested operating systems
• Ubuntu 20.04
• CentOS 7
• Windows Server 2016
• Windows Server 2012 R2
• Windows 10
• Windows 11
• macOS x86_64
• macOS M1
Tested DBMS
• MySQL 8.0
• MySQL 5.7
• Oracle 19c
• Oracle SE2-19.0
• Microsoft SQL Server 2019
• SQL Server SE-14.00
• DB2 v11.5
• Postgres 10.19
• Postgres 13.7
• Postgres 14
• Embedded H2
Tested LDAPs
• OpenLDAP 2.4.28
• Microsoft Active Directory (Windows 2012)
13. Authentication SDKs
SDKs allow you to integrate web or single-page applications easily with
WSO2 Identity Server and OpenID Connect while adhering to security best
practices. The following SDKs are supported:
• React SDK
• Angular SDK
• JavaScript SDK
14. Passwordless authentication with Magic Link
Magic Link is a form of passwordless authentication. It allows users to log
in by clicking a link sent to their email address instead of entering a password.
15. FIDO attestation validations
FIDO2 attestation validations allow you to further validate the FIDO2
authenticator data during security key registration. WSO2 Identity Server
provides two means of validating the authenticator data during security
key registration.
• Advanced validations: WSO2 Identity Server performs additional
validations of the device registration data. Examples include attestation
type specific validations, certificate related validations, etc.
• Security Key/Biometrics (FIDO) metadata based validations: WSO2
Identity Server validates the device registration data against the FIDO
Alliance's metadata.
16. Federated IDP Initiated OIDC Back-Channel Logout
With OIDC identity federation in WSO2 Identity Server, WSO2 IS acts as a Relying Party (RP) to the
federated identity provider.
Until now, however, there was no mechanism to terminate the sessions and revoke tokens in WSO2 IS
(the RP) whenever the session changes on the federated IdP (the OP) side.
The OIDC Back-Channel Logout 1.0 specification defines a mechanism for communicating logout requests
to all RPs that have established sessions with an OP.
This mechanism relies on direct communication of those requests between the OP and the RPs, bypassing
the User-Agent.
It therefore requires that each RP expose a logout endpoint that is reachable by the OP. This
feature adds that capability to WSO2 Identity Server.
17. Support for rotating symmetric encryption key
This is an external tool that re-encrypts internal data after the configured
symmetric data-encryption key has been rotated. You can use it to re-encrypt
the identity and registry databases as well as configuration files such as
user store configurations. The tool can also sync end-user data generated in
the live system while the rotation is in progress, keeping downtime to a minimum.
18. Remove the dependency on cookies for OIDC flows when extending the IdP session
Overcomes the restrictions (third-party cookie limitations in browsers such as Safari)
on extending IdP sessions when the application and IdP origins differ from each other.
This serves as an alternative to passive (prompt=none) authentication requests, which
no longer work in the affected browsers.
19. Auto login after self-registration
In the self-registration flow, the user was previously asked to re-enter their password after
being verified via email.
With this feature, once the user is verified by clicking the link in the verification mail, they
are logged in immediately without having to re-enter credentials.
20. Enhanced login portal and my account
Hides UI widgets based on tenant-level account management configuration preferences
such as self-registration and account recovery.
The UI elements change dynamically according to the tenant-level configuration.
For example, if self-registration is not enabled for the tenant, the self-registration link is
hidden on the login page.
The latest set of features available in the new My Account portal includes:
• User profile management
• Linked accounts
• Export user profile
• Reset password
• Account recovery
• Multi-factor authentication
• Monitor active user sessions
• Consent management
• Review pending approvals
21. reCAPTCHA v3 and invisible reCAPTCHA v2 support
Improved protection against spam and fraudulent activity, with a better reCAPTCHA
user experience than the conventional "I'm not a robot" checkbox.
reCAPTCHA v2 (Invisible reCAPTCHA)
The invisible reCAPTCHA badge does not require the user to click a checkbox; instead, it is activated
when the user clicks an existing button on your site or via a JavaScript API call. Only the most
suspicious traffic is prompted to solve a captcha.
reCAPTCHA v3
With reCAPTCHA v3, a score is returned for each request without requiring user interaction. It
lets you take action in the context of your website, such as adding more authentication
factors, flagging a post for moderation, or slowing down scraping bots.
In the Identity Server implementation, you are required to select a threshold value by looking at the
traffic in the reCAPTCHA admin console.
If the score is less than the threshold, the request is blocked by the server. The default
threshold is 0.5.
22. Google One Tap authentication
Enables seamless authentication with Google, using an already authenticated Google
session, with a single tap. A personalized login button is shown for sign-in/sign-up.
This option is enabled via the existing Google authenticator.
23. Accessibility
The user authentication and recovery pages are now WCAG 2.1 AA compliant, making WSO2
Identity Server accessible to a broader audience.
24. Main UseCase/Features
Identity federation and single sign-on
Enables federated access to web and mobile applications
using open identity standards.
Identity bridging
Facilitates exchanging identity attributes and authentication
decisions between heterogeneous identity systems in a
seamless manner.
Adaptive and strong authentication
Enables applications to secure access with multi-factor
authentication based on environment, user attributes,
behavior, and risk.
API and microservices security
Secures access to APIs and microservices based on open
standards.
Account management and identity provisioning
Helps manage users and groups with automated
provisioning and approval workflows.
Access control
Controls access to applications in the login flow with fine-grained
policies and acts as a policy decision point for third-party applications.
Privacy and consent management
Enables privacy and gives users control over their data with
consent lifecycle management and data security that adhere
to privacy-by-design and privacy-by-default principles.
Identity analytics
Provides administrators with insights related to
authentication, concurrent sessions, and anomalous login
patterns.