The document presents a case study on identity management within the WSO2 ecosystem, focusing on experiences of employees and customers using the WSO2 Identity Server. It discusses features such as centralized user management, single sign-on, multi-factor authentication, and provisioning via SCIM, highlighting the importance of integrating identity management across various applications. The case also illustrates user scenarios and the future direction of identity management, emphasizing both customer and employee identities.

1. Case Study : Identity in the
WSO2 Ecosystem
Dimuthu Leelarathne
Director
WSO2

2. Story of Dogfooding WSO2 Identity Server!

3. Identities in the WSO2 Ecosystem
• Employees
• Customers
• Open-source community

4. Edgar joins WSO2 Engineering Team
• Infra provisioned him to all these systems
– Google Apps
– Internal LDAP
• Edgar self-sign up to
– wso2.com → wso2.com, OT Jira
• Support manager provision him to
– PMT and Support JIRA

5. Deployment of Systems 2015
September

6. Cathy is from WSO2 Open-source Community
• Cathy of abc.com self-sign up to
wso2.com to test WSO2 IS. She
gets → OT Jira
• abc.com becomes a customer
• She get invitation email →
automatically provisioned to
Support JIRA

7. Deployment of Systems 2015 Q4

8. • Use WSO2 IS for the best enterprise Identity
Solution
• Centralized identity management
– Provide Single Sign-On
– Manage user identity centrally, provision vs. syncing
• Define the concept of “one person”
– A person’s attributes change
• Multi-factor authentication for GoogleApps
Redefine Identity in WSO2!

9. WSO2 Identity Server
• APIs to integrate identity management to any
application
• Multi-factor authentication
• Federation and Single Sign-On (SSO) via SAML2,
OpenID Connect
• Delegation via OAuth, OAuth 2.0 and WS-Trust
• Many cloud connectors - https://store.wso2.com

10. WSO2 Identity Server
• User and groups provisioning
• User and groups management
• Multiple user store support
• Password policies
• Account locking
• Entitlement - RBAC, XACML

11. Single Sign-On
• Provide credentials once (to a 3rd party) and
obtain access to many apps
• Reduce password exhaustion
• Central control of the identity
– Increased security
– Reduce redundancy

12. SAML2.0 Web Profile
• Widely supported by
many service providers
• OASIS open standard
• XML based assertions

13. Customer Identity vs Employee Identity
• Scale
• Centrally controlled vs. Distribution
• Self-service and JIT
• Low assurance vs. high assurance
• Different focus areas - market driver, individual, UX

14. Identity Server for SSO

15. Attributes of a Person Changes
• A person can change email address and other
attributes
• The person object must stay the same
• Given a set of unique attribute values we should be
able to find the person

16. Provisioning
• Auto-provisioning to
– GoogleApps
– Concur
– External LDAP
• Auto deprovision

17. SCIM Implementation
• Cross domain identity provisioning standard
• Adapted by many vendors and SaaS apps
• Supports user/group provisioning via
REST/JSON API
• IS Supports SCIM 1.1

18. Identity Server for Provisioning

19. LDAP Syncing vs Provisioning to Systems
• LDAPs are replicated and synched with each other in
batch mode periodically
• Provisioning work with “Callbacks” and then
updating the user on remote system
• Modern systems work with trusted third parties
– No need keep credentials
– Provisioning via SCIM, other APIs or auto-provisioning

20. Multi-factor authentication for GoogleApps
• Identity is
– Something you know
– Something you have
– Something you are
• Use two of the above mechanisms
• Can use SMSOTP, TOTP for GoogleApps → In case of
phone misplace

21. Lets look at Edgar again
• Every morning Edga logs into
accounts.apps.wso2.com
• Each time Edga wants to login to
OT JIRA/Support JIRA he has to
sign in.

22. Identity Across two Domains

23. WSO2 Identity Server Architecture

24. One-Click Operation to Add an IdP

25. Use of Federation
• Identity Federation - Using same identity or
mapping of identity across multiple applications
• SSO is a federation pattern
• We need to use same identity in applications across
two different domains

26. Identity Across two Domains

27. Identity Server for Federation

28. Federation in Identity Server

29. Lets look at Edga again
• Every morning Edga logs into
accounts.apps.wso2.com but OT
JIRA requires to click on a link

30. Extensibility of Identity Server

31. Back Channel Authenticator
• Edgar writes a custom authenticator
– Sets for cookie valid for both domains by internal IdP
– Checks the cookie by external IdP
→ No more middle screen prompting
• Edgar’s authenticator is deployed!

32. Cathy Leaves abc.com
• Removed from abc.com support account
• Cathy joins WSO2
– Auto-provisioned into the systems
– Maintains open-source profile separately (Consumer
identity vs. Employee identity)

33. Current implementation of the Project

34. Future
• Authorization for Apps

35. Thank You