End-to-End Identity Management

1. End-to-End Identity Management Darshana Gunawardana Senior Software Engineer Harsha Thirimanna Senior Software Engineer

2. WSO2 Platform

3. Agenda o Need of having, o Centralized authentication o Single Sign On o Provisioning o Account management o Workflow o Authorization o Federation for an enterprise

4. Start from the beginning o Consider a startup : “Extern Inc.” o Handful of employees o No internal apps for employees o No worries :) o After some time o Business running good o Plan to expand the business; going to recruit more o Have several internal application including HR system, email service etc.

5. User Accounts in all systems… Robert (An employee) Cloud email Service Username = “robert” Password = “robert-pass” Expense Management System HR System Username = “robert2” Password = “robert2-pass” Username = “robert2” Password = “robert2-pass” Username = “robert_5” Password = “K67robert2-AB-#2”

6. Plan for future : Centralized user store o Which type of user store? o LDAP o Active Directory o Custom user schema over JDBC Database

7. Connecting Internal Apps o Utilize central user store by connecting all internal apps o How to connect? o Standard authentication protocols o SAML2 SSO, OpenID Connect, OpenID, WS- Federation (passive) o Need of the fully functional Identity Provider System

8. Centralized Identity Provider Identity Provider (e.g. WSO2 IS) Service provider (e.g. HR System) Robert Username = “robert” Password = “robert-pass” Token Token User store Standard authentication request

9. All apps connected..! Robert Mail ClientUsername = “robert” Password = “robert-pass” HR System Expense Management System Username = “robert2” Password = “robert2-pass” Username = “robert” Password = “robert-pass” Username = “robert” Password = “robert-pass” Identity Provider (e.g. WSO2 IS)

10. User experience o Re-entering the same password too many times o Solution : Single Sign On

11. SSO In General : Initial login Identity provider (e.g. WSO2 IS) Service provider (e.g. HR System) User data 1. Log inrequest 2. Redirect to IDP URL 3. Request token 4. Authenticate 5. Redirect to SP with token 6. Send SAML token Session: S1

12. SSO In General : Subsequent logins Identity provider (e.g. WSO2 IS) Service provider 2 (e.g. Cloud Mail Service) User data 1. Log in request 2. Redirect to IDP URL 3. Request token (session: IS1) 5. Redirect to SP with token 6. Send SAML token Service provider 1 (e.g. HR System) Session: S1 4. Bypass login page Session: S2

13. Authentication Protocol Comparison o SAML2 o Most popular protocol with several profiles o Supports single logout o OpenID Connect o Becoming more popular o Having strong supplementary specifications set o OpenID o Deprecated by most Identity Providers o WS Federation (passive) o Widely used with .Net applications

14. Sync Users to applications o Many applications handles authorization internally o Authorization check as post authentication task o Need to assign relevant attributesroles o Sync application with the centralized identity repository

15. Provisioning Identity server Identity server Extern Inc. <<< Create User >>> Username: jane Email: jane@extern.com Cloud email service <<< Create User >>> Username: jane Password: jane123 Email: jane@extern.com <<< Create User >>> Username: jane <<< Create User >>> Username: jane@extern.com Contacts Directory Expense Management System

16. Enterprise Identity Bus : Provisioning o De couples inboundoutbound provisioning o Selective provisioning o Rich processing on data o Subject mapping o Claim mapping o Role mapping o Inbound provisioning : SCIM & SOAP o Outbound provisioning : SCIM & SPML o Extensibility to support any protocol

17. Account Management o Self Registration o PasswordUserID recovery o Update profile o Enable two factor authentication o Associate accounts o Password policy enforcement o Account locking

18. Expansion in Extern Inc... o Extern Inc. has acquired a new company in Europe o New division to handle sales and marketing in euro o Identity management perspective: o A new user base o Different user store repository o Plug-in to current system as a secondary user store

19. Multiple User Stores

20. Need More Control? Identity server Update roles Update claims I need to approve assignments to “Assessor” role I need to approve all claims One of us has to approve all new assessors

21. Get More Control with Workflows Identity server Update claims Approve claims update Assigned to “Bob”

22. Get More Control with Workflows (Ctd..) Identity server Update roles Approve role assignment Approve role assignment Assigned to “supervisors” role Assigned to “James”

23. Authorization o Authentication o Who is the user o Authorization o What user can do

24. What the User Can Do... Service provider 1 (SP1) /data/files /data/archives /data/visualize /data/details User = Jane User = David User = Tao

25. What the User Can Do... Service provider 1 (SP1) User = Jane User = David User = Tao Access control policy If user = Tao and resource = /data/archives Permit. If role = Clark and action = write Deny. If role = Manager and resource = /data/files Permit.

26. Authorization challenges o Authorization rules getting changed frequently o Fine grain authorization requirements o Solution : XACML o Attribute based access control standard o Rule based access control o De-facto standard for fine grain access control

27. XACML - Architecture /data/files /data/archives /data/visualize /data/details Policy decision Point If user = jane Permit. If role = clark and Action = write Deny. Policy Store Policy Administration Point Policy Enforcement Point (PEP) User = Tao User = David User = Jane

28. o WSO2 ESB o WSO2 API Manager XACML Policy Enforcement Points WSO2 ESB Proxy service Entitlement Service provider (SP) On accept On reject SendDrop Property [Set user] Property [Set resource] XACML Engine (WSO2 IS)

29. Connecting with external parties o Extern Inc. acquires a new company “PlusX” as a subsidiary o PlusX has their own identity provider and its own internal apps connected to that o Ability of using Extern Inc. Apps for PlusX Employees?

30. Connecting with external parties Identity server Extern Inc. PlusXJane wants to access ‘Contact Directory’ app hosted by company Extern Inc. You are not in my Identity Server! But I am registered in PlusX

31. Connecting with external parties Identity server Extern Inc. PlusX Trust local IS Trust IS in PlusX office If PlusX says “This is Jane” ,then Extern Inc. believes it. (Extern Inc. trusts PlusX IdP)

32. Enterprise Identity Bus : Federation o Easily connect new Identity Providers o Protocol bridging o Multi step, multi option authentication flows o Inbuilt support for Social Login o Zero changes on Service provider o Rich processing on data o Subject mapping o Claim transformation o Role transformation o Home realm discovery

33. Concepts in Reality o Some external contributors have access to the community portal via self registration o Employee life cycle the the company o Employee creation o Going through approval o Sync up with the required systems o SSO with all applications o Lock identity upon the resignation

34. Q&A

35. Thank You!

End-to-End Identity Management

WSO2 Inc.

End-to-End Identity Management