WSO2 Identity Server 5.1.0 Overview

WSO2 Identity Server - Product Overview


Page 1

WSO2 Identity Server 5.1.0 Overview

Page 2

Agenda

o  Introduction

o  Product Overview

o  Authentication & SSO

o  User Provisioning & Management

o  Authorization & Entitlement

o  Deployment Options

Page 3

Introduction

Page 4

Security Landscape

Borders across systems don't work anymore

Page 5

Why?

o  Bring Your Own Device

o  Bring Your Own Identity

   o  Identity is maintained in one domain, accessed in other domains

o  Social network identities (Facebook, LinkedIn, Google)

o  Open APIs

o  Ecosystems

o  Mergers / Acquisitions

o  Value Webs (Composable Enterprises)

Page 6

Introducing Enterprise Identity Bus (EIB)

Page 7

What Does an EIB Do?

Bridges

Tokens

•  OAuth/2

•  OpenID/OpenID Connect

•  SAML2

•  WS-Federation

•  Kerberos, etc

Claims & Claim Dialects

•  Email Addresses

•  Phone Numbers

•  Names, etc

User Stores

•  SPML, SCIM, Salesforce, Google, etc

•  Just in Time provisioning, inbound, outbound

Page 8

Unified SSO Platform

Page 9

How Does it Work?

o  Bridges multiple web applications across multiple protocols

   o  Log in to Drupal using SAML and get automatically signed on to your web application, which requires OpenID Connect

   o  Connect to Facebook and be automatically connected to Salesforce

o  Bridges across: OpenID Connect, SAML 2.0, OAuth 2.0, OpenID, WS-Federation (Passive)

o  Benefits

   o  Transparent to the application users

   o  Extensible

Page 10

Federated Identity

Page 11

How Does it Work?

o  Bridge multiple identity providers

o  Identity Server serves as a central authentication hub for all applications - each application continues to use its own IdP protocol of choice (say OpenID Connect)

o  Home Realm Discovery - Identity Server uses the request to redirect the user to the correct Identity Provider

o  Benefits

   o  The client application only needs to trust its own Identity Provider

   o  The authentication protocol on the client side is decoupled from the Identity Provider

   o  Trust relationships are maintained centrally

Page 12

User Provisioning

Page 13

How Does it Work?

o  The bus serves as a central hub to provision identities to multiple IdPs

o  Transforms provisioning requests, from SCIM to SPML for example

o  Provides just-in-time provisioning

o  Benefits

   o  Supports the SCIM (System for Cross-Domain Identity Management) standard

   o  Supports SPML, JDBC, LDAP, Google Apps, Salesforce

   o  Simple extension model

Page 14

Mobile IdP Proxy

Page 15

How Does it Work?

o  The IdP proxy application delivers SSO functionality for native mobile applications

o  An SDK is used to invoke the IdP proxy from the mobile application

o  Allows the application to obtain an OAuth access token from an identity

o  Benefits

   o  Leverage the enterprise identity management system for mobile applications

Page 16

Product Overview

Page 17

WSO2 Identity Server

o  5th Generation Product

o  Current version 5.0.0 (released May 2014)

o  Why did we build it?

   o  Federated identity and entitlement is a key part of any distributed architecture

   o  Internal security threats, partnerships

   o  Mergers, de-mergers

   o  APIs, cloud systems

   o  SSO is important, but there is a need to federate and bridge across SSOs

   o  Open standards for identity are changing the industry landscape

o  Based on the WSO2 Carbon platform, which provides support for multi-tenancy, logging, clustering, and other common services

Page 18

Identity Server Landscape

Page 19

Benefits

o  Scenario-driven configuration

o  Large number of scenarios supported out of the box, through simple configuration

   o  Single Sign On

   o  Federated Identity

   o  User Provisioning and Management

   o  Authorization and Entitlements

o  Extensible & Customizable

   o  Custom Authenticators

Page 20

Authentication & SSO

Page 21

Authentication

o  Extensible user stores integration

o  Security for APIs and Web Services

o  Web Single Sign On for heterogeneous systems

o  Highly configurable and extensible authentication flows

o  Federation and Social integration

Page 22

User Stores

o  Identity Server supports connecting 1 to N user repositories to a single server

   o  One primary and multiple secondary user stores

o  Configurable through the UI

o  Supports the following:

   o  Built-in LDAP based on Apache DS

   o  JDBC - any data store, tested with Oracle, MySQL, DB2 and others

   o  Active Directory

Page 23

Securing SOAP Services

o  Security Token Service (STS)

o  Supports WS-Trust 1.4

o  Issues SAML 1.1 and SAML 2.0 tokens

o  Holder-of-Key (HOK) and Bearer subject confirmations

o  Configurable security policies for the STS

   o  Kerberos token based

   o  X.509 certificate based

   o  Username/password based

o  Built on the Apache Rampart project

Page 24

Securing REST APIs

o  Complete Authorization Server supporting OAuth 2.0 and OAuth 1.0a

o  Supported OAuth 2.0 grants - Authorization Code, Implicit, Resource Owner Password, Client Credentials, SAML Bearer, IWA-NTLM, Refresh Token

o  JWT implementation

o  Key Manager for the WSO2 API Manager

Page 25

Authenticators

o  Local Authenticators

   o  Basic Authenticator - username, password

   o  IWA Authenticator - zero-password login

   o  FIDO (Fast Identity Online) - multi-factor authentication

o  Federated Authenticators

   o  SAML 2.0 Web SSO Authenticator

   o  OAuth2/OpenID Connect Authenticator

   o  OpenID Authenticator

   o  WS-Federation (Passive) Authenticator

Page 26

Configurable Authenticator Flow

o  Multi-Step: add any number of authentication steps

o  Multi-Option: add any number of authenticators for a step

o  Configuration per service provider (application)
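A worked model of the flow described on this slide, added here as an example (it is not WSO2's code): two service providers are configured with different step lists, each step accepts any one of its authenticator options, and all steps must pass. The `USERS` table, the trusted issuer URL and the `Step`/`Flow`/authenticator names are constructed for the demo.

```python
# Added example (not WSO2's code): a model of the slide's multi-step,
# multi-option authenticator flow, configured per service provider.
# Every name below (USERS, the issuer URL, Step/Flow) is constructed for the demo.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Ctx = Dict[str, str]                              # the authentication request
Authenticator = Callable[[Ctx], Optional[str]]    # returns a subject id or None
USERS = {"alice": "s3cret!"}                      # constructed credential store

def basic_auth(ctx: Ctx) -> Optional[str]:
    """Local authenticator: username and password."""
    pw = USERS.get(ctx.get("user", ""))
    return ctx["user"] if pw is not None and pw == ctx.get("password") else None

def saml_federated(ctx: Ctx) -> Optional[str]:
    """Federated option: accept the subject asserted by the one trusted IdP."""
    trusted = ctx.get("saml_issuer") == "https://idp.example.test"
    return ctx.get("saml_subject") if trusted else None

def fido_auth(ctx: Ctx) -> Optional[str]:
    """Second-factor option: a FIDO assertion already verified for this user."""
    return ctx.get("user") if ctx.get("fido_verified") == "yes" else None

@dataclass
class Step:
    options: List[Authenticator]   # multi-option: any one option satisfies the step
@dataclass
class Flow:
    steps: List[Step]              # multi-step: every step must be satisfied in order

def run_flow(flow: Flow, ctx: Ctx) -> Optional[str]:
    """Return the subject, or None if any step fails or steps disagree on the subject
    (the same-subject check is an added safety measure, not stated on the slide)."""
    subject: Optional[str] = None
    for step in flow.steps:
        step_subject = next((s for s in (opt(ctx) for opt in step.options) if s), None)
        if step_subject is None or (subject is not None and step_subject != subject):
            return None
        subject = step_subject
    return subject

# Per-service-provider configuration: the intranet app demands a second factor.
SERVICE_PROVIDERS = {
    "intranet": Flow([Step([basic_auth, saml_federated]), Step([fido_auth])]),
    "wiki": Flow([Step([basic_auth, saml_federated])]),
}

def authenticate(sp: str, ctx: Ctx) -> Optional[str]:
    return run_flow(SERVICE_PROVIDERS[sp], ctx)   # flow chosen by service provider
```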

Page 27

Web Single Sign On

o  SAML 2.0 Web Browser SSO

   o  Basic Attribute Profile

   o  IdP-initiated SSO

o  OpenID 2.0

   o  Simple Registration Extension

   o  Attribute Exchange

o  OpenID Connect

   o  ID Token

   o  User Endpoint

o  WS-Federation Passive STS

   o  SAML 1.1 tokens

   o  Preferred by Windows Identity Foundation (WIF) based clients (ASP.NET)

   o  Based on the Apache Rampart project

Page 28

SSO for Heterogeneous Systems

o  Web Applications can speak in any identity language (e.g. SAML2, OpenID, OpenID Connect) to the Identity Server

o  Single Login

o  Role transformations

o  Claim transformations

o  Customizable login screens

Page 29

Federation

o  Configure Trusted Identity Providers (IdPs)

o  Add Trusted IDPs to application authentication flows to enable Federation

o  Configure Provisioning for Identity Providers

   o  Just-In-Time (JIT) provisioning

   o  Outbound provisioning

o  Role transformations

o  Claims Transformations

Page 30

Home Realm Discovery

o  The process of identifying the correct federated IdP for an authentication request

o  A key feature of federation

o  Uses the information in the authentication request to identify the IdP

o  Logic is pluggable

o  Logic is pluggable

Page 31

User Provisioning & Management

Page 32

Provisioning and Management

o  Just In Time Provisioning

o  Highly extensible User Provisioning Framework

o  Users and groups management

o  Accounts and Policies Management

o  Self Service Dashboard

o  Logging and Monitoring

o  Custom user management workflows – user specific approvals, multi-step approvals, approvals requiring multiple roles

Page 33

Just-in-time Provisioning

o  Federated Identities can be provisioned into the WSO2 Identity Server while federating

o  Users can be provisioned to any primary or secondary user store

o  JIT-provisioned users can be provisioned to any other systems instantly

Page 34

Provisioning Framework

o  Three inbound provisioning APIs

   o  System for Cross-Domain Identity Management (SCIM) API - REST/JSON

   o  UserAdmin - SOAP/XML

   o  RemoteUserStoreManagerService - SOAP/XML

o  Pluggable outbound provisioning connectors

   o  Out-of-the-box provisioning connectors: SCIM, SPML, Google and Salesforce

   o  Custom connectors (create and drop in!)

Page 35

SCIM Implementation

o  System for Cross-Domain Identity Management - http://www.simplecloud.info/

o  Adopted by many vendors and SaaS applications (Salesforce, for example)

o  Supports user (including bulk creation) and group provisioning via a REST API

o  IS supports SCIM 1.1; SCIM 2.0 work is ongoing

Page 36

User and Role Management

o  Comprehensive administrative UI for user and role management

   o  Add, delete, update user profiles and roles

   o  Search/list users and roles

   o  Reset user passwords

o  Can manage users/groups in multiple user stores

Page 37

Account and Password Policy Management

o  Configure password complexity - e.g. at least 8 characters long, must include numbers and symbols

o  Password expiry configuration

o  Failed login attempts and account locking

o  Captcha verification

o  Self registration and user account verification

o  Account recovery, forgotten password

Page 38

Self-service Dashboard

Page 39

Auditing

o  Privileged operations are saved to log files, including login/logout operations

o  Data is saved in XDAS format

o  Through extensions, events can be published to our data analytics solutions (BAM and CEP)

Page 40

Authorization & Entitlements

Page 41

Authorization and Entitlement

o  Role Based Access Control

o  Attribute Based Access Control

o  Policy Based Access Control

o  XACML 2.0/3.0

o  Support for OpenAz

o  Hierarchical Resource Profile

o  Hierarchical Role Profile

o  Multiple Decision Profile

Page 42

Role-based Access Control

o  Provisioning UI for assigning permissions to roles and assigning users to roles

o  SOAP/XML APIs for authorization

   o  UserAdmin

   o  RemoteUserStoreManagerService

   o  RemoteAuthorizationManagerService

Page 43

Scope-based Access Control

o  OAuth is a scope-based authorization framework

o  WSO2 Identity Server supports OAuth versions 1.0a and 2.0

o  Users permit or deny the authorization granted to applications

o  The access token is validated over a SOAP API; a JWT (JSON Web Token) attached to the response carries the token's authorized scopes (for back-end consumption)
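What a back end does with the scope-bearing JWT described on this slide, added here as an example (not from the slides or WSO2's code base): the token is accepted only if its algorithm, signature and expiry check out, and the request is authorized only if every required scope is in the `scope` claim. It assumes an HS256 token with a shared key and a space-separated `scope` claim; `SECRET`, the claims and the scope names are constructed values.

```python
# Added example (not WSO2's code): a back-end check of the JWT that, as the slide
# says, accompanies the token-validation response with the authorized scopes.
# Assumptions: HS256 with a shared key (the real signing algorithm and keys are
# not on the slide) and a "scope" claim holding a space-separated list.
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-key"   # constructed; real deployments use managed keys

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT (stands in for the Identity Server here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if structure, algorithm, signature and expiry all check out."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None                      # refuse 'none' and algorithm confusion
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None                      # tampered payload or wrong key
        claims = json.loads(_unb64url(body))
    except ValueError:                       # malformed base64/JSON, wrong part count
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None                          # expired, or no exp claim at all
    return claims

def authorize(token: str, required_scopes: set, now: Optional[float] = None) -> bool:
    """Back-end enforcement point: valid token AND every required scope granted."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return False
    granted = set(str(claims.get("scope", "")).split())
    return required_scopes <= granted
```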

Page 44

Claim-based Access Control

o  Comprehensive UI to manage/configure claim dialects

o  Default claim dialects: SCIM, OpenID AX, OpenID SReg, XML/WSDL, OpenID Connect and WSO2 dialect

o  Write XACML policies based on User Claims

o  Define WS-Trust/WS-Security policies based on User Claims

o  Retrieve user claims for authorization over OpenID, OpenID Connect and SAML

Page 45

Policy-based Access Control

o  Fine-grained access control with XACML 2.0 and 3.0

o  Pluggable and extensible architecture

o  Plug-in various PIP and PEP modules

o  Plug in policy stores

o  Policy Management UI

o  Try-it tool to test policies

o  Caching and Thrift transport support for high performance

Page 46

Importing and Publishing

Page 47

Distributed PDP Management

Page 48

TryIt

Page 49

Policy Governance

Page 50

XACML Integration Points

o  Entitlement Mediator for WSO2 ESB

o  Entitlement Handler for WSO2 API Manager

o  Entitlement Servlet Filter for WSO2 Application Server

o  Third-party agents

   o  Java EE Servlet Filter

   o  Liferay Agent

   o  Microsoft IIS Agent

Page 51

Deployment Options

Page 52

WSO2 Platform Deployment Options

o  Stand-alone servers

o  Private clouds: e.g. Stratos, Kubernetes

o  Public clouds: e.g. AWS

o  Hybrid deployments

o  Dedicated hosting of any WSO2-based solution

   o  The WSO2 operations team manages the deployment and keeps it running

   o  99.99% uptime SLA

   o  Any AWS region of choice

   o  Can be connected to the local network over VPN

   o  Includes monitoring, backups, patching, updates

o  Shared public cloud

   o  Currently available for application and API hosting (hosted API Manager and App Factory)

   o  Preset multitenant deployment in AWS US East run by WSO2

   o  Month-to-month credit card payment

Page 53

Thank You!

Download WSO2 Identity Server at: http://wso2.com/products/identity-server/