Connected Identity & the Role of the Identity Bus

Prabath Siriwardena, Director of Security Architecture, WSO2



In the U.S. alone, mergers and acquisitions volume totaled $865.1 billion in the first nine months of 2013, according to Dealogic.

In Europe, 58 percent transact directly with users from other businesses and/or consumers.

In the UK, 65 percent transact directly with users from other businesses and/or consumers.

Gartner predicts that by 2020, 60% of all digital identities interacting with enterprises will come from external IdPs.

Federation Anti-patterns

• Identity Silos
• Spaghetti Identity

Identity Broker Pattern: Fifteen Fundamentals

Fundamental #1: Federation protocol agnostic
• Should not couple to a specific federation protocol like SAML or OpenID Connect.
• Ability to connect multiple identity providers over heterogeneous identity federation protocols.
• Should have the ability to transform ID tokens between heterogeneous federation protocols.


Fundamental #2: Transport protocol agnostic
• Should not couple to a specific transport protocol, e.g. HTTP or MQTT.


Fundamental #3: Authentication protocol agnostic
• Should not couple to a specific authentication protocol, e.g. username/password, FIDO, OTP.
• Pluggable authenticators.


Fundamental #4: Claim Transformation
• Should have the ability to transform identity provider specific claims into service provider specific claims.
• Simple claim transformations and complex transformations.


Fundamental #5: Home Realm Discovery
• Should have the ability to find the home identity provider corresponding to the incoming federation request by looking at certain attributes in the request.
• Filter based routing.


Fundamental #6: Multi-option Authentication
• Should have the ability to present multiple login options to the user, per service provider.


Fundamental #7: Multi-step Authentication
• Should have the ability to present multi-step authentication (MFA) to the user, per service provider.


Fundamental #8: Adaptive Authentication
• Should have the ability to change the authentication options based on the context.


Fundamental #9: Identity Mapping
• Should have the ability to map identities between different identity providers.
• A user should be able to maintain multiple identities with multiple identity providers.


Fundamental #10: Multiple Attribute Stores
• Should have the ability to connect to multiple attribute stores and build an aggregated view of the end user identity.


Fundamental #11: Just-in-time Provisioning
• Should have the ability to provision users to connected user stores in a protocol agnostic manner.


Fundamental #12: Manage Identity Relationships
• Should have the ability to manage identity relationships between different entities and take authentication and authorization decisions based on them.


Fundamental #13: Trust Brokering
• Each service provider should identify which identity providers it trusts.
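Fundamentals #4, #5 and #13 meet in a single brokered login: route the request to its home IdP, check that the service provider actually trusts that IdP, then rewrite the IdP's claims into the SP's vocabulary. The Python below is an added illustration, not code from the deck or from WSO2; the IdP names, OID claim URNs, routing rules and SP settings are all constructed.

```python
# Added example (not from the deck) of a minimal identity-broker core on constructed
# data: home realm discovery (#5), claim transformation (#4), trust brokering (#13).
from dataclasses import dataclass

@dataclass
class IdentityProvider:
    name: str
    claim_map: dict    # IdP-specific claim name -> canonical broker claim name

@dataclass
class ServiceProvider:
    name: str
    trusted_idps: set  # trust brokering (#13): the SP decides which IdPs it trusts
    claim_map: dict    # canonical claim name -> SP-specific claim name
    required: set      # canonical claims the SP cannot work without

IDPS = {  # constructed registry; IdP names and OID claim URNs are illustrative
    "corp-saml": IdentityProvider("corp-saml",
        {"urn:oid:0.9.2342.19200300.100.1.3": "email", "urn:oid:2.5.4.42": "given_name"}),
    "partner-oidc": IdentityProvider("partner-oidc",
        {"email": "email", "given_name": "given_name"}),
}

# Home realm discovery (#5) as filter-based routing: rules are checked in order,
# first match wins, and an explicit default applies when nothing matches.
HRD_RULES = [
    (lambda req: req.get("login_hint", "").endswith("@corp.example"), "corp-saml"),
    (lambda req: req.get("idp_hint") in IDPS, None),  # None: honour the hint itself
]

def discover_home_realm(request: dict, default: str = "partner-oidc") -> str:
    for predicate, target in HRD_RULES:
        if predicate(request):
            return target or request["idp_hint"]
    return default

def transform_claims(idp: IdentityProvider, sp: ServiceProvider, idp_claims: dict) -> dict:
    """Claim transformation (#4): IdP-specific -> canonical -> SP-specific; unmapped claims are dropped."""
    canonical = {idp.claim_map[k]: v for k, v in idp_claims.items() if k in idp.claim_map}
    missing = sp.required - set(canonical)
    if missing:
        raise ValueError(f"missing required claims: {sorted(missing)}")
    return {sp.claim_map.get(k, k): v for k, v in canonical.items()}

def broker_login(sp: ServiceProvider, request: dict, idp_claims: dict) -> dict:
    """One brokered login: route the request, enforce the SP's trust list, transform claims."""
    idp_name = discover_home_realm(request)
    if idp_name not in sp.trusted_idps:
        raise PermissionError(f"{sp.name} does not trust {idp_name}")
    return {"idp": idp_name, "claims": transform_claims(IDPS[idp_name], sp, idp_claims)}
```

Note that the trust check runs before any claim is touched, and that claims the broker has no mapping for are dropped rather than forwarded to the SP.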


Fundamental #14: Centralized Access Control
• Who gets access to which user attribute? Which resources can the user access at the service provider?


Fundamental #15: Centralized Monitoring
• Should have the ability to monitor and generate statistics on each identity transaction that flows through the broker.


Identity Mediation Language: http://blog.facilelogin.com/2015/05/identity-mediation-language-iml.html

Seven Fundamentals of Future IAM

By Martin Kuppinger

Fundamental #1: More than humans - It's also about identities of things, devices, services, and apps

Fundamental #2: Multiple Identity Providers - We will not manage all identities internally anymore, and trust will vary


Fundamental #3: Multiple Attribute Providers - There will no longer be a single source of truth and information on identities


Fundamental #4: Multiple Identities - Many users will use different identities (or personas) and flexibly switch between these


Fundamental #5: Multiple Authenticators - There is no single authenticator that works for all


Fundamental #6: Identity Relationships - We must map humans to things, devices, and apps


Fundamental #7: Context - Identity and Access Risk varies in context


Thank You