Upload
wso2-inc
View
397
Download
4
Embed Size (px)
Citation preview
Case Study : Identity in the WSO2 Ecosystem
Dimuthu LeelarathneDirectorWSO2
Story of Dogfooding WSO2 Identity Server!
Identities in the WSO2 Ecosystem
• Employees
• Customers
• Open-source community
Edgar joins WSO2 Engineering Team
• Infra provisioned him to all these systems– Google Apps– Internal LDAP
• Edgar self-sign up to – wso2.com → wso2.com, OT Jira
• Support manager provision him to– PMT and Support JIRA
Deployment of Systems 2015 September
Cathy is from WSO2 Open-source Community
• Cathy of abc.com self-sign up to wso2.com to test WSO2 IS. She gets → OT Jira
• abc.com becomes a customer
• She get invitation email → automatically provisioned to Support JIRA
Deployment of Systems 2015 Q4
• Use WSO2 IS for the best enterprise Identity Solution
• Centralized identity management– Provide Single Sign-On
– Manage user identity centrally, provision vs. syncing
• Define the concept of “one person”– A person’s attributes change
• Multi-factor authentication for GoogleApps
Redefine Identity in WSO2!
WSO2 Identity Server
• APIs to integrate identity management to any application
• Multi-factor authentication
• Federation and Single Sign-On (SSO) via SAML2, OpenID Connect
• Delegation via OAuth, OAuth 2.0 and WS-Trust
• Many cloud connectors - https://store.wso2.com
WSO2 Identity Server
• User and groups provisioning
• User and groups management
• Multiple user store support
• Password policies
• Account locking
• Entitlement - RBAC, XACML
Single Sign-On
• Provide credentials once (to a 3rd party) and obtain access to many apps
• Reduce password exhaustion
• Central control of the identity
– Increased security
– Reduce redundancy
SAML2.0 Web Profile
• Widely supported by many service providers
• OASIS open standard
• XML based assertions
Customer Identity vs Employee Identity
• Scale
• Centrally controlled vs. Distribution
• Self-service and JIT
• Low assurance vs. high assurance
• Different focus areas - market driver, individual, UX
Identity Server for SSO
Attributes of a Person Changes
• A person can change email address and other attributes
• The person object must stay the same
• Given a set of unique attribute values we should be able to find the person
Provisioning
• Auto-provisioning to – GoogleApps– Concur– External LDAP
• Auto deprovision
SCIM Implementation
• Cross domain identity provisioning standard
• Adapted by many vendors and SaaS apps
• Supports user/group provisioning via REST/JSON API
• IS Supports SCIM 1.1
Identity Server for Provisioning
LDAP Syncing vs Provisioning to Systems
• LDAPs are replicated and synched with each other in batch mode periodically
• Provisioning work with “Callbacks” and then updating the user on remote system
• Modern systems work with trusted third parties
– No need keep credentials
– Provisioning via SCIM, other APIs or auto-provisioning
Multi-factor authentication for GoogleApps
• Identity is
– Something you know
– Something you have
– Something you are
• Use two of the above mechanisms
• Can use SMSOTP, TOTP for GoogleApps → In case of phone misplace
Lets look at Edgar again
• Every morning Edga logs into accounts.apps.wso2.com
• Each time Edga wants to login to OT JIRA/Support JIRA he has to sign in.
Identity Across two Domains
WSO2 Identity Server Architecture
One-Click Operation to Add an IdP
Use of Federation
• Identity Federation - Using same identity or mapping of identity across multiple applications
• SSO is a federation pattern
• We need to use same identity in applications across two different domains
Identity Across two Domains
Identity Server for Federation
Federation in Identity Server
Lets look at Edga again
• Every morning Edga logs into accounts.apps.wso2.com but OT JIRA requires to click on a link
Extensibility of Identity Server
Back Channel Authenticator
• Edgar writes a custom authenticator – Sets for cookie valid for both domains by internal IdP– Checks the cookie by external IdP
→ No more middle screen prompting
• Edgar’s authenticator is deployed!
Cathy Leaves abc.com
• Removed from abc.com support account• Cathy joins WSO2
– Auto-provisioned into the systems
– Maintains open-source profile separately (Consumer identity vs. Employee identity)
Current implementation of the Project
Future
• Authorization for Apps
Thank You