WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem

Page 1: WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem

Case Study : Identity in the WSO2 Ecosystem

Dimuthu Leelarathne, Director, WSO2

Page 2

Story of Dogfooding WSO2 Identity Server!

Page 3

Identities in the WSO2 Ecosystem

• Employees

• Customers

• Open-source community

Page 4

Edgar joins WSO2 Engineering Team

• Infra provisioned him to all these systems

– Google Apps

– Internal LDAP

• Edgar self-signs up to

– wso2.com → wso2.com, OT Jira

• Support manager provisions him to

– PMT and Support JIRA

Page 5

Deployment of Systems 2015 September

Page 6

Cathy is from WSO2 Open-source Community

• Cathy of abc.com self-signs up to wso2.com to test WSO2 IS. She gets → OT Jira

• abc.com becomes a customer

• She gets an invitation email → automatically provisioned to Support JIRA

Page 7

Deployment of Systems 2015 Q4

Page 8

Redefine Identity in WSO2!

• Use WSO2 IS for the best enterprise identity solution

• Centralized identity management

– Provide Single Sign-On

– Manage user identity centrally, provision vs. syncing

• Define the concept of “one person”

– A person’s attributes change

• Multi-factor authentication for GoogleApps

Page 9

WSO2 Identity Server

• APIs to integrate identity management to any application

• Multi-factor authentication

• Federation and Single Sign-On (SSO) via SAML2, OpenID Connect

• Delegation via OAuth, OAuth 2.0 and WS-Trust

• Many cloud connectors - https://store.wso2.com

Page 10

WSO2 Identity Server

• User and groups provisioning

• User and groups management

• Multiple user store support

• Password policies

• Account locking

• Entitlement - RBAC, XACML

Page 11

Single Sign-On

• Provide credentials once (to a 3rd party) and obtain access to many apps

• Reduce password exhaustion

• Central control of the identity

– Increased security

– Reduce redundancy

Page 12

SAML 2.0 Web Profile

• Widely supported by many service providers

• OASIS open standard

• XML-based assertions

Page 13

Customer Identity vs Employee Identity

• Scale

• Centrally controlled vs. distributed

• Self-service and JIT (just-in-time) provisioning

• Low assurance vs. high assurance

• Different focus areas - market driver, individual, UX

Page 14

Identity Server for SSO

Page 15

Attributes of a Person Change

• A person can change email address and other attributes

• The person object must stay the same

• Given a set of unique attribute values we should be able to find the person

Page 16

Provisioning

• Auto-provisioning to

– GoogleApps

– Concur

– External LDAP

• Auto-deprovisioning

Page 17

SCIM Implementation

• Cross-domain identity provisioning standard

• Adopted by many vendors and SaaS apps

• Supports user/group provisioning via a REST/JSON API

• WSO2 IS supports SCIM 1.1
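An added example (not code from the talk or from WSO2 IS) that ties the “one person” requirement above to SCIM 1.1 provisioning: persons are matched on an immutable externalId, so a changed email becomes an update rather than a second account, and remote accounts with no matching person are deprovisioned. The /wso2/scim base path is an assumption about WSO2 IS 5.x, and the record shape and sample people are constructed.

```python
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema URN
SCIM_BASE = "/wso2/scim"                 # assumed WSO2 IS 5.x SCIM 1.1 base path; check your version

def to_scim_user(person: dict) -> dict:
    """Map an internal person record to a SCIM 1.1 User. externalId carries the
    immutable person id, so email or name can change without breaking the link."""
    return {
        "schemas": [SCIM_CORE],
        "externalId": person["person_id"],
        "userName": person["username"],
        "name": {"givenName": person["given_name"], "familyName": person["family_name"]},
        "emails": [{"value": person["email"], "type": "work", "primary": True}],
    }

def plan_provisioning(persons: list, remote_users: list) -> list:
    """Reconcile the authoritative person list against the remote system's SCIM
    users, matched on externalId (never on email), and return (method, path, body):
    POST for new people, PUT where attributes drifted, DELETE for people who left."""
    remote_by_ext = {u["externalId"]: u for u in remote_users}
    calls = []
    for p in persons:
        desired = to_scim_user(p)
        current = remote_by_ext.pop(p["person_id"], None)
        if current is None:
            calls.append(("POST", f"{SCIM_BASE}/Users", json.dumps(desired)))
        else:
            stripped = {k: v for k, v in current.items() if k not in ("id", "meta")}
            if stripped != desired:
                calls.append(("PUT", f"{SCIM_BASE}/Users/{current['id']}", json.dumps(desired)))
    for left in remote_by_ext.values():  # auto-deprovisioning: no longer an authoritative person
        calls.append(("DELETE", f"{SCIM_BASE}/Users/{left['id']}", None))
    return calls

def sample_person(pid: str, uname: str, email: str) -> dict:  # constructed sample records
    return {"person_id": pid, "username": uname, "given_name": uname.title(),
            "family_name": "Sample", "email": email}

def sample_plan() -> list:
    """Constructed sample: Edgar changed his email, Cathy just joined, and an
    account for someone who already left is still present on the remote side."""
    edgar_old = sample_person("p-1001", "edgar", "edgar@old.example")
    remote = [{**to_scim_user(edgar_old), "id": "r-1"},
              {**to_scim_user(sample_person("p-0999", "gone", "gone@old.example")), "id": "r-9"}]
    persons = [dict(edgar_old, email="edgar@new.example"),
               sample_person("p-1002", "cathy", "cathy@new.example")]
    return plan_provisioning(persons, remote)
```

Calling `sample_plan()` yields a PUT for Edgar's changed email, a POST for Cathy and a DELETE for the departed account; only the request construction is shown, the HTTP calls themselves are left to your client.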

Page 18

Identity Server for Provisioning

Page 19

LDAP Syncing vs Provisioning to Systems

• LDAP directories are replicated and synced with each other periodically, in batch mode

• Provisioning works with “callbacks” that then update the user on the remote system

• Modern systems work with trusted third parties

– No need to keep credentials

– Provisioning via SCIM, other APIs or auto-provisioning

Page 20

Multi-factor authentication for GoogleApps

• Identity is

– Something you know

– Something you have

– Something you are

• Use two of the above mechanisms

• Can use SMS OTP or TOTP for GoogleApps → in case the phone is misplaced

Page 21

Let's look at Edgar again

• Every morning Edgar logs into accounts.apps.wso2.com

• Each time Edgar wants to log in to OT JIRA/Support JIRA he has to sign in.

Page 22

Identity Across two Domains

Page 23

WSO2 Identity Server Architecture

Page 24

One-Click Operation to Add an IdP

Page 25

Use of Federation

• Identity federation - using the same identity, or a mapping of identities, across multiple applications

• SSO is a federation pattern

• We need to use the same identity in applications across two different domains

Page 26

Identity Across two Domains

Page 27

Identity Server for Federation

Page 28

Federation in Identity Server

Page 29

Let's look at Edgar again

• Every morning Edgar logs into accounts.apps.wso2.com, but OT JIRA requires him to click on a link

Page 30

Extensibility of Identity Server

Page 31

Back Channel Authenticator

• Edgar writes a custom authenticator

– The internal IdP sets a cookie valid for both domains

– The external IdP checks the cookie

→ No more middle screen prompting

• Edgar’s authenticator is deployed!

Page 32

Cathy Leaves abc.com

• Removed from abc.com support account

• Cathy joins WSO2

– Auto-provisioned into the systems

– Maintains open-source profile separately (Consumer identity vs. Employee identity)

Page 33

Current implementation of the Project

Page 34

Future

• Authorization for Apps

Page 35

Thank You