In this slide deck, Ken McDonald will walk you through the architecture and capabilities that are now being leveraged within Symcor to facilitate federated API access. Watch video: https://wso2.com/library/conference/2018/07/wso2con-usa-2018-nightmare-on-sso-street/

1. Associate Director, Application Security,
Symcor
Nightmare on SSO Street
Ken McDonald

2. Breakdown
● Symcor SSO History
● Current and Future Initiatives
● Cloud & DevOps

3. Symcor SSO
History
● OpenSSO
● Custom use case
○ 2 separate custom use cases
spanning 3 client implementations
○ 1 extremely complex
● Difficult to support and maintain
○ Resources became fearful to touch
the environment

4. Typical Use Case

5. Complex
Use Case:
Federation Using
Persistent Pseudonym
Identifiers

6. Symcor’s
Implementation
Don’t try this at home!

7. Replacement Projects
● Several failed attempts to replace solution (x 3)
● Skill set and historical knowledge of platform and special use
case was lacking
● Evaluated many options for replacement
○ All products required customization ($$$)

8. Picketlink -> Keycloak
• Final failed attempt
• Customizations made to Picketlink
▪ Very challenging getting custom workflow to work and was
never 100% successful or complete
▪ Spent many months in development and test without success
• Pickelink (RH) slotted for End of Life!
• Keycloak is replacement (RH)
▪ Again customizations required
• At this point my team volunteered to move this forward

9. Back to the drawing board
• Product evaluations started again
• Gartner
• Keycloak
• OpenAM
• WSO2
• Each product was evaluated by (note: this was from an SSO
perspective only)
○ All willing to make our customizations – again, this is NOT recommended,
everything is built on standard protocols and specifications, deviating from
these will cause long term heartburn from support, maintenance/patching
perspective

10. WSO2
○ WSO2 was selected
○ Customizations very affordable
○ API manager was added as an after thought (surprise!)
○ After many discussions internally it was decided we would branch out and leave
our custom use case on an instance of its own
Implementing custom use case was not without it’s challenges, but the replacement
project was finally successful.

11. Current and Future Initiatives
○ WSO2 has many capabilities
○ No local accounts - only federation.
■ Multiple IDPs to same SP, IDP initiated typically
■ No desire to manage local accounts within the system. We are a federation hub supporting our client
identities. Clients are large organizations that have their own identity providers
■ Managing local accounts that gain access to sensitive data carries liabilities that we would like to avoid. This
model works well for us
○ The news spread throughout the organization regarding the new SSO/API platform and the
use cases started piling up - nothing new was happening within the organization in terms of
product/capabilities without inclusion of WSO2, whether from IAM / SSO, or through
Microservices exposed through API Manager
■ What turned into a simple replacement for 3 small applications has spiraled into our digital
delivery/transformation avenue - which has kept my team very busy.

12. SAML Extension Grant
Includes elements:
SAML
OIDC
OAuth
Identity Server
API Manager

13. SAML Extension Grant
Support both:
Initial SAML SP Federation
IDP Initiated API Federation

14. Monitoring
● Entire WSO2 Infrastructure, spanning 3 environments with 6
nodes each, is monitored through splunk
● Splunk App: https://splunkbase.splunk.com/app/3458/
○ Published by Symcor

15. Cloud & DevOps

16. Cloud & DevOps
GitLab, WUM, Packer, AWS

17. Cloud & DevOps
GitLab, Terraform, AWS

18. Cloud & DevOps
WSO2 Kubernetes
https://github.com/wso2/kubernetes-apim/tree/master/pattern-2

19. Cloud & DevOps
AWS EKS & K8S
AWS Components:
EKS
EFS
RDS

20. Cloud & DevOps
AWS EKS & K8S

21. THANK YOU
wso2.com