Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

End-to-End Identity Management

609 views

Published on

To view recording of this webinar please use below URL:

http://wso2.com/library/webinars/2016/05/end-to-end-identity-management/


In today’s rapidly evolving world, enterprise identity management has proven to be challenging due to the constant changes in associated systems, corporate policies and stakeholder requirements. Therefore, managing identities and their privileges among the systems need to be handled in a flexible manner to save resources when governing identities and controlling access.

There are various specifications of industry standards in this domain making it difficult to select the correct one. Some of them may address the same problem with slight variations and some may look similar but address completely different problems.

This webinar will discuss

The real problems that need to be addressed when managing enterprise identity
Key challenges when implementing concepts
How to overcome these challenges and build a future proof identity and access management system with WSO2 Identity Server

Published in: Technology
  • Be the first to comment

  • Be the first to like this

End-to-End Identity Management

  1. 1. End-to-End Identity Management Darshana Gunawardana Senior Software Engineer Harsha Thirimanna Senior Software Engineer
  2. 2. WSO2 Platform
  3. 3. Agenda o Need of having, o Centralized authentication o Single Sign On o Provisioning o Account management o Workflow o Authorization o Federation for an enterprise
  4. 4. Start from the beginning o Consider a startup : “Extern Inc.” o Handful of employees o No internal apps for employees o No worries :) o After some time o Business running good o Plan to expand the business; going to recruit more o Have several internal application including HR system, email service etc.
  5. 5. User Accounts in all systems… Robert (An employee) Cloud email Service Username = “robert” Password = “robert-pass” Expense Management System HR System Username = “robert2” Password = “robert2-pass” Username = “robert2” Password = “robert2-pass” Username = “robert_5” Password = “K67robert2-AB-#2”
  6. 6. Plan for future : Centralized user store o Which type of user store? o LDAP o Active Directory o Custom user schema over JDBC Database
  7. 7. Connecting Internal Apps o Utilize central user store by connecting all internal apps o How to connect? o Standard authentication protocols o SAML2 SSO, OpenID Connect, OpenID, WS- Federation (passive) o Need of the fully functional Identity Provider System
  8. 8. Centralized Identity Provider Identity Provider (e.g. WSO2 IS) Service provider (e.g. HR System) Robert Username = “robert” Password = “robert-pass” Token Token User store Standard authentication request
  9. 9. All apps connected..! Robert Mail ClientUsername = “robert” Password = “robert-pass” HR System Expense Management System Username = “robert2” Password = “robert2-pass” Username = “robert” Password = “robert-pass” Username = “robert” Password = “robert-pass” Identity Provider (e.g. WSO2 IS)
  10. 10. User experience o Re-entering the same password too many times o Solution : Single Sign On
  11. 11. SSO In General : Initial login Identity provider (e.g. WSO2 IS) Service provider (e.g. HR System) User data 1. Log inrequest 2. Redirect to IDP URL 3. Request token 4. Authenticate 5. Redirect to SP with token 6. Send SAML token Session: S1
  12. 12. SSO In General : Subsequent logins Identity provider (e.g. WSO2 IS) Service provider 2 (e.g. Cloud Mail Service) User data 1. Log in request 2. Redirect to IDP URL 3. Request token (session: IS1) 5. Redirect to SP with token 6. Send SAML token Service provider 1 (e.g. HR System) Session: S1 4. Bypass login page Session: S2
  13. 13. Authentication Protocol Comparison o SAML2 o Most popular protocol with several profiles o Supports single logout o OpenID Connect o Becoming more popular o Having strong supplementary specifications set o OpenID o Deprecated by most Identity Providers o WS Federation (passive) o Widely used with .Net applications
  14. 14. Sync Users to applications o Many applications handles authorization internally o Authorization check as post authentication task o Need to assign relevant attributesroles o Sync application with the centralized identity repository
  15. 15. Provisioning Identity server Identity server Extern Inc. <<< Create User >>> Username: jane Email: jane@extern.com Cloud email service <<< Create User >>> Username: jane Password: jane123 Email: jane@extern.com <<< Create User >>> Username: jane <<< Create User >>> Username: jane@extern.com Contacts Directory Expense Management System
  16. 16. Enterprise Identity Bus : Provisioning o De couples inboundoutbound provisioning o Selective provisioning o Rich processing on data o Subject mapping o Claim mapping o Role mapping o Inbound provisioning : SCIM & SOAP o Outbound provisioning : SCIM & SPML o Extensibility to support any protocol
  17. 17. Account Management o Self Registration o PasswordUserID recovery o Update profile o Enable two factor authentication o Associate accounts o Password policy enforcement o Account locking
  18. 18. Expansion in Extern Inc... o Extern Inc. has acquired a new company in Europe o New division to handle sales and marketing in euro o Identity management perspective: o A new user base o Different user store repository o Plug-in to current system as a secondary user store
  19. 19. Multiple User Stores
  20. 20. Need More Control? Identity server Update roles Update claims I need to approve assignments to “Assessor” role I need to approve all claims One of us has to approve all new assessors
  21. 21. Get More Control with Workflows Identity server Update claims Approve claims update Assigned to “Bob”
  22. 22. Get More Control with Workflows (Ctd..) Identity server Update roles Approve role assignment Approve role assignment Assigned to “supervisors” role Assigned to “James”
  23. 23. Authorization o Authentication o Who is the user o Authorization o What user can do
  24. 24. What the User Can Do... Service provider 1 (SP1) /data/files /data/archives /data/visualize /data/details User = Jane User = David User = Tao
  25. 25. What the User Can Do... Service provider 1 (SP1) User = Jane User = David User = Tao Access control policy If user = Tao and resource = /data/archives Permit. If role = Clark and action = write Deny. If role = Manager and resource = /data/files Permit.
  26. 26. Authorization challenges o Authorization rules getting changed frequently o Fine grain authorization requirements o Solution : XACML o Attribute based access control standard o Rule based access control o De-facto standard for fine grain access control
  27. 27. XACML - Architecture /data/files /data/archives /data/visualize /data/details Policy decision Point If user = jane Permit. If role = clark and Action = write Deny. Policy Store Policy Administration Point Policy Enforcement Point (PEP) User = Tao User = David User = Jane
  28. 28. o WSO2 ESB o WSO2 API Manager XACML Policy Enforcement Points WSO2 ESB Proxy service Entitlement Service provider (SP) On accept On reject SendDrop Property [Set user] Property [Set resource] XACML Engine (WSO2 IS)
  29. 29. Connecting with external parties o Extern Inc. acquires a new company “PlusX” as a subsidiary o PlusX has their own identity provider and its own internal apps connected to that o Ability of using Extern Inc. Apps for PlusX Employees?
  30. 30. Connecting with external parties Identity server Extern Inc. PlusXJane wants to access ‘Contact Directory’ app hosted by company Extern Inc. You are not in my Identity Server! But I am registered in PlusX
  31. 31. Connecting with external parties Identity server Extern Inc. PlusX Trust local IS Trust IS in PlusX office If PlusX says “This is Jane” ,then Extern Inc. believes it. (Extern Inc. trusts PlusX IdP)
  32. 32. Enterprise Identity Bus : Federation o Easily connect new Identity Providers o Protocol bridging o Multi step, multi option authentication flows o Inbuilt support for Social Login o Zero changes on Service provider o Rich processing on data o Subject mapping o Claim transformation o Role transformation o Home realm discovery
  33. 33. Concepts in Reality o Some external contributors have access to the community portal via self registration o Employee life cycle the the company o Employee creation o Going through approval o Sync up with the required systems o SSO with all applications o Lock identity upon the resignation
  34. 34. Q&A
  35. 35. Thank You!

×