Embed Size (px)
DESCRIPTION
WSO2 Identity Server. Prabath Siriwardena Director – Security Architecture. An open source Identity & Entitlement management server. An open source Identity & Entitlement management server. Authentication. LDAP. AD. JDBC. Authentication. - PowerPoint PPT Presentation
Citation preview
WSO2 Identity Server
Prabath SiriwardenaDirector – Security Architecture
An open source Identity & Entitlement management server
An open source Identity & Entitlement management server
Authentication
ADLDAP JDBC
Authentication
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
SAML2 Kerberos WS-Fed Passive
OpenID
Decentralized Single Sign On Single user profile Widely used for community &
collaboration aspects Multifactor Authentication
[Infocard, XMPP] OpenID relying party
components
SAML2
Single Sign On / Single Logout Widely used *aaS providers [Google Apps, Salesforce] SAML2 Web SSO Profile SAML2 Attribute Profile Distributed Federated SAML2 IdPs Used in WSO2 StratosLive
SharePoint
WS-Fed Passive
Single Sign-On
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
Provisioning
SCIMSPML
Provisioning
Provisioning to heterogeneous systems
Adaptor
SF Adapto
r
Open standards for provisioning
2001 : OASIS PS TC
2003 : SPML 1.02003 : WS-Provisioning
2006 : SPML 2.02010 : SCIM community
2011 : SCIM 1.02012 : SCIM 1.1
2011 : RESTPML
Open standards for provisioning
Provisioning
Service Point
System for Cross-domain Identity Management
SCIM Service Provider
/Users
/GroupsSCIM Consumer
System for Cross-domain Identity Management
{ "schemas":[], "name":{"familyName":”siriwardena","givenName":”prabath"}, "userName":”prabath","password":”prabath123", "emails":[{"primary":true,"value":”[email protected]","type":"home"},
{"value":”[email protected]","type":"work"}]}
curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
add-user.json
curl command
System for Cross-domain Identity Management
{ "schemas": ["urn:scim:schemas:core:1.0"], "id": "idnext", "displayName": "IdentityNext",}
curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
add-group.json
curl command
System for Cross-domain Identity Management
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
One way provisioning
Provisioning Service Provider
Provisioning Service Provider Domain
C
SCIM Consumer
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
One way provisioning with broker mode
Provisioning Service Provider
Provisioning Service Provider Domain
C
SCIM Consumer
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Bi-directional provisioning
Provisioning Service Provider
Provisioning Service Provider Domain
C
SCIM Consumer
SCIM Consumer
SCIM Consumer
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Multi-directional provisioning with a centralized PSP
Provisioning Service Provider
Provisioning Service Provider Domain
C
SCIM Consumer
SCIM Consumer
SCIM Consumer
Provisioning Service Provider
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Just-in-time provisioning with SAML2
SAML2 IdP
12
3
4
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Just-in-time provisioning with SAML2
SAML2 IdP
12
3
5
4
Provisioning Service Provider
Multi-tenancy
SCIM Consumer (facilelogin.com)
SCIM Consumer (wso2.com)wso2.com
facilelogin.com
WSO2 Charon
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
Provisioning
Auditing
XDAS
Auditing
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
Provisioning
Auditing Delegation
WS-TRUST
Delegation
OAuth Evolution
OAuth Evolution
OAuth Evolution
OAuth Evolution
OAuth
Identity Delegation Securing RESTful services 2-legged & 3-legged OAuth 1.01 XACML integration with OAuth OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials, Client Credentials
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
Provisioning
Auditing DelegationFederation
WS-TRUSTSAML2
Fede
rati
on
Security Token Service
Supports WS-Trust 1.3/1.4 SAML 1.0/1.1/2.0 token profiles Claim management
Security Token Service
Consumer App
Resource
Domain A
Domain B
Federation Patterns
Cross Domain Authentication with WS-Trust
Federation Patterns
Cross Domain Authentication with Kerberos and WS-Trust
Federation Patterns
Decentralized Federated SAML2 IdPs
Federation Patterns
Decentralized Federated SAML2 IdPs
Federation Patterns
Decentralized Federated SAML2 IdPs
An open source Identity & Entitlement management server
Role Based Access Control
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
XACML
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
SOAP
XACML / WS-XACML
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
SOAP
REST
XACML
XACML
The de-facto standard for authorization
XACML 3.0 Support for multiple PIPs Policy distribution Decision / Attribute caching UI wizard for defining policies Notifications on policy updates TryIt tool
XACML
EntitlementService EntitlementPolicyAdminService
Policy Decision Point
Policy Cache
Decision Cache
XACML Engine
ExtensionsPolicy
Administration Point
Attribute Finder
Extensions
Default Finder
LDAP
Attribute Cache
SOAP/Thrift/WS-XACML SOAP
XACML
XACML
XACML
XACML
What Do We Have Now ?
User stores with LDAP/AD/JDBC Multiple user stores OpenID SAML2 Kerberos Integrated Windows Authentication Information Cards XACML 2.0/3.0 OAuth 1.0a/2.0 Security Token Service with WS-Trust SCIM 1.1 WS-XACML WS-Fed Passive
