End-to-End Identity Management
Darshana Gunawardana, Senior Software Engineer
Harsha Thirimanna, Senior Software Engineer
Agenda
o Why an enterprise needs:
  o Centralized authentication
  o Single Sign On
  o Provisioning
  o Account management
  o Workflow
  o Authorization
  o Federation
Start from the beginning
o Consider a startup: “Extern Inc.”
  o Handful of employees
  o No internal apps for employees
  o No worries :)
o After some time
  o Business running well
  o Plan to expand the business; going to recruit more
  o Have several internal applications including an HR system, email service etc.
User Accounts in all systems…
Robert (an employee) has a separate account in each system:
o Cloud email service: Username = “robert”, Password = “robert-pass”
o Expense Management System: Username = “robert2”, Password = “robert2-pass”
o HR System: Username = “robert_5”, Password = “K67robert2-AB-#2”
Plan for future : Centralized user store
o Which type of user store?
  o LDAP
  o Active Directory
  o Custom user schema over a JDBC database
Connecting Internal Apps
o Utilize central user store by connecting all internal apps
o How to connect?
  o Standard authentication protocols
  o SAML2 SSO, OpenID Connect, OpenID, WS-Federation (passive)
o Need for a fully functional Identity Provider system
Centralized Identity Provider
Robert presents a single credential (Username = “robert”, Password = “robert-pass”) to the Identity Provider (e.g. WSO2 IS), which validates it against the central user store. The service provider (e.g. HR System) sends a standard authentication request to the Identity Provider and receives a token for Robert in return.
All apps connected..!
Robert signs in to the Mail Client, the HR System and the Expense Management System with the same account (Username = “robert”, Password = “robert-pass”); each application authenticates him through the Identity Provider (e.g. WSO2 IS) instead of keeping its own credentials such as “robert2” / “robert2-pass”.
SSO In General : Initial login
Participants: the user, a Service provider (e.g. HR System) and the Identity provider (e.g. WSO2 IS) with its user data.
1. Log in request (user to service provider)
2. Redirect to IdP URL
3. Request token
4. Authenticate (the IdP checks the user data)
5. Redirect to SP with token
6. Send SAML token; the service provider creates Session S1
SSO In General : Subsequent logins
Participants: the user, Service provider 1 (e.g. HR System, already holding Session S1), Service provider 2 (e.g. Cloud Mail Service) and the Identity provider (e.g. WSO2 IS) with its user data.
1. Log in request (user to service provider 2)
2. Redirect to IdP URL
3. Request token (session: IS1)
4. Bypass login page (the IdP session IS1 already exists)
5. Redirect to SP with token
6. Send SAML token; service provider 2 creates Session S2
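The two flows above as a runnable model (an added example, not code from the slides or from WSO2 IS): an HMAC-signed JSON token stands in for the SAML assertion and a cookie in the IdP's session table plays the role of session IS1, which is what lets the second service provider skip the login page. The shared key, user store and application names are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

IDP_KEY = b"constructed-demo-key"  # stands in for the IdP's signing key (assumption)
USER_STORE = {"robert": "robert-pass"}  # constructed central user store

def sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

class IdentityProvider:
    def __init__(self):
        self.sessions = {}  # IdP session cookie -> authenticated user ("IS1" on the slide)

    def request_token(self, sp_id, idp_cookie=None, username=None, password=None):
        # Steps 3-4: a live IdP session bypasses the login page; otherwise authenticate.
        if idp_cookie in self.sessions:
            user = self.sessions[idp_cookie]
        elif username is not None and USER_STORE.get(username) == password:
            user, idp_cookie = username, secrets.token_hex(16)
            self.sessions[idp_cookie] = user
        else:
            raise PermissionError("authentication failed")
        return idp_cookie, sign({"sub": user, "aud": sp_id, "exp": int(time.time()) + 300})

class ServiceProvider:
    def __init__(self, sp_id):
        self.sp_id, self.sessions = sp_id, {}  # local SP sessions (S1, S2 on the slide)

    def consume_token(self, token):
        # Step 6: check signature, audience and expiry, then create the local session.
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != self.sp_id or claims["exp"] < time.time():
            raise PermissionError("token not issued for this SP or expired")
        sid = secrets.token_hex(16)
        self.sessions[sid] = claims["sub"]
        return sid

def sso_demo():
    idp, hr, mail = IdentityProvider(), ServiceProvider("hr"), ServiceProvider("mail")
    # Initial login (HR system): password required, IdP session created.
    cookie, token = idp.request_token("hr", username="robert", password="robert-pass")
    s1 = hr.consume_token(token)
    # Subsequent login (mail service): only the IdP cookie is presented.
    cookie2, token2 = idp.request_token("mail", idp_cookie=cookie)
    s2 = mail.consume_token(token2)
    return hr.sessions[s1], mail.sessions[s2], cookie == cookie2
```

The audience check matters: a token issued for the HR system must not create a session at the mail service even though it carries a valid signature.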
Authentication Protocol Comparison
o SAML2
  o Most popular protocol with several profiles
  o Supports single logout
o OpenID Connect
  o Becoming more popular
  o Has a strong set of supplementary specifications
o OpenID
  o Deprecated by most Identity Providers
o WS-Federation (passive)
  o Widely used with .NET applications
Sync Users to applications
o Many applications handle authorization internally
o Authorization check as a post-authentication task
  o Need to assign relevant attributes\roles
  o Sync the application with the centralized identity repository
Provisioning
Extern Inc. creates a user in the Identity server:
<<< Create User >>> Username: jane, Email: [email protected]
The Identity server then provisions the account to the connected applications:
o Cloud email service: <<< Create User >>> Username: jane, Password: jane123, Email: [email protected]
o Contacts Directory: <<< Create User >>> Username: jane
o Expense Management System: <<< Create User >>> Username: [email protected]
Enterprise Identity Bus : Provisioning
o Decouples inbound\outbound provisioning
o Selective provisioning
o Rich processing on data
  o Subject mapping
  o Claim mapping
  o Role mapping
o Inbound provisioning: SCIM & SOAP
o Outbound provisioning: SCIM & SPML
o Extensibility to support any protocol
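The provisioning slide above as a runnable model (an added example, not WSO2 IS's own connector code): one internal user record is turned into a separate outbound SCIM 2.0 "create user" request per application, with a per-connector subject mapping (which attribute becomes the target's userName), claim mapping and a role filter for selective provisioning. The user record, connector names and role names are constructed for the demo.

```python
# Internal representation of the user as created in the Identity server (constructed).
NEW_USER = {"userName": "jane", "email": "jane@extern.example", "roles": ["sales"]}

# Per-application rules (assumption: every target exposes a SCIM 2.0 endpoint).
# subject: internal attribute that becomes the target userName
# claims:  target attribute -> internal attribute
# roles:   provision only users holding one of these roles (None = everyone)
CONNECTORS = {
    "cloud-email":  {"subject": "userName", "claims": {"emails": "email"}, "roles": None},
    "contacts-dir": {"subject": "userName", "claims": {}, "roles": None},
    "expense-mgmt": {"subject": "email", "claims": {}, "roles": ["sales", "finance"]},
}

def should_provision(connector, user):
    # Selective provisioning: skip targets whose role filter the user does not match.
    allowed = connector["roles"]
    return allowed is None or any(r in allowed for r in user["roles"])

def to_scim_user(connector, user):
    # Build the SCIM User resource; SCIM "emails" is multi-valued, other claims are plain.
    body = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": user[connector["subject"]]}
    for target_attr, source_attr in connector["claims"].items():
        value = user[source_attr]
        body[target_attr] = [{"value": value, "primary": True}] if target_attr == "emails" else value
    return body

def provision(user, connectors=CONNECTORS):
    # Returns the outbound create-user request bodies, keyed by target application.
    return {name: to_scim_user(c, user) for name, c in connectors.items() if should_provision(c, user)}
```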
Account Management
o Self registration
o Password\UserID recovery
o Update profile
o Enable two-factor authentication
o Associate accounts
o Password policy enforcement
o Account locking
Expansion in Extern Inc...
o Extern Inc. has acquired a new company in Europe
o New division to handle sales and marketing in Europe
o Identity management perspective:
  o A new user base
  o Different user store \ repository
o Plug in to the current system as a secondary user store
Need More Control?
Operations sent to the Identity server: Update roles, Update claims.
Requirements raised by the administrators:
o “I need to approve assignments to the “Assessor” role”
o “I need to approve all claims”
o “One of us has to approve all new assessors”
Get More Control with Workflows
An “Update claims” request to the Identity server triggers an “Approve claims update” workflow task, assigned to “Bob”.
Get More Control with Workflows (Ctd..)
An “Update roles” request to the Identity server triggers two “Approve role assignment” workflow tasks: one assigned to the “supervisors” role and one assigned to “James”.
What the User Can Do...
Service provider 1 (SP1) exposes the resources /data/files, /data/archives, /data/visualize and /data/details to the users Jane, David and Tao.
What the User Can Do...
Service provider 1 (SP1) applies an access control policy to the users Jane, David and Tao:
o If user = Tao and resource = /data/archives: Permit.
o If role = Clark and action = write: Deny.
o If role = Manager and resource = /data/files: Permit.
Authorization challenges
o Authorization rules change frequently
o Fine-grained authorization requirements
o Solution: XACML
  o Attribute-based access control standard
  o Rule-based access control
  o De-facto standard for fine-grained access control
XACML - Architecture
o Users (Tao, David, Jane) request the resources /data/files, /data/archives, /data/visualize and /data/details through a Policy Enforcement Point (PEP)
o The PEP asks the Policy Decision Point (PDP) for a decision
o The PDP evaluates the policies held in the Policy Store, e.g. “If user = jane, Permit.” and “If role = clark and action = write, Deny.”
o Policies are authored through the Policy Administration Point (PAP)
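A small attribute-based policy decision point, added here as an example (not WSO2 IS's entitlement engine), that evaluates the three rules from the SP1 slide under a deny-overrides combining algorithm, the way a XACML PDP would. The role assignments for Tao, David and Jane are constructed for the demo; the role name “Clark” is taken as written on the slide.

```python
# Constructed attribute source: the PIP a real PDP would query for subject roles.
USER_ROLES = {"tao": ["Clark"], "david": ["Manager"], "jane": ["Manager", "Clark"]}

# Each rule is (effect, condition over the request attributes). Rule order does not
# matter because decide() applies deny-overrides.
POLICY = [
    ("Permit", lambda r: r["user"] == "tao" and r["resource"] == "/data/archives"),
    ("Deny",   lambda r: "Clark" in r["roles"] and r["action"] == "write"),
    ("Permit", lambda r: "Manager" in r["roles"] and r["resource"] == "/data/files"),
]

def build_request(user, resource, action):
    # The PEP gathers subject, resource and action attributes into one request.
    return {"user": user, "roles": USER_ROLES.get(user, []),
            "resource": resource, "action": action}

def decide(request, policy=POLICY):
    # Deny-overrides: any applicable Deny wins; otherwise Permit if any rule permits;
    # otherwise NotApplicable, which the PEP must treat as a refusal (default deny).
    effects = {effect for effect, cond in policy if cond(request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def pep_allows(user, resource, action):
    # Policy enforcement point: only an explicit Permit lets the request through.
    return decide(build_request(user, resource, action)) == "Permit"
```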
XACML Policy Enforcement Points
o WSO2 ESB
o WSO2 API Manager
Example: a WSO2 ESB proxy service sits in front of the service provider (SP). Property mediators set the user and resource (Property [Set user], Property [Set resource]), the Entitlement mediator queries the XACML engine (WSO2 IS), and on accept the message is sent on to the service provider while on reject it is dropped.
Connecting with external parties
o Extern Inc. acquires a new company, “PlusX”, as a subsidiary
o PlusX has its own identity provider, and its own internal apps are connected to that
o Can PlusX employees use Extern Inc. apps?
Connecting with external parties
Jane (a PlusX employee) wants to access the ‘Contact Directory’ app hosted by Extern Inc.
Extern Inc. Identity server: “You are not in my Identity Server!”
Jane: “But I am registered in PlusX”
Connecting with external parties
Extern Inc.'s apps trust the local Identity server, and the local Identity server trusts the Identity server in the PlusX office. If PlusX says “This is Jane”, then Extern Inc. believes it (Extern Inc. trusts the PlusX IdP).
Enterprise Identity Bus : Federation
o Easily connect new Identity Providers
o Protocol bridging
o Multi-step, multi-option authentication flows
o Inbuilt support for Social Login
o Zero changes on the Service provider
o Rich processing on data
  o Subject mapping
  o Claim transformation
  o Role transformation
  o Home realm discovery
Concepts in Reality
o Some external contributors have access to the community portal via self registration
o Employee life cycle in the company
  o Employee creation
  o Going through approval
  o Sync up with the required systems
  o SSO with all applications
  o Lock identity upon resignation