WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem
1 like576 views
The document presents a case study on identity management within the WSO2 ecosystem, focusing on experiences of employees and customers using the WSO2 Identity Server. It discusses features such as centralized user management, single sign-on, multi-factor authentication, and provisioning via SCIM, highlighting the importance of integrating identity management across various applications. The case also illustrates user scenarios and the future direction of identity management, emphasizing both customer and employee identities.
WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem
- 1. Case Study : Identity in the WSO2 Ecosystem Dimuthu Leelarathne Director WSO2
- 2. Story of Dogfooding WSO2 Identity Server!
- 3. Identities in the WSO2 Ecosystem • Employees • Customers • Open-source community
- 4. Edgar joins WSO2 Engineering Team • Infra provisioned him to all these systems – Google Apps – Internal LDAP • Edgar self-sign up to – wso2.com → wso2.com, OT Jira • Support manager provision him to – PMT and Support JIRA
- 5. Deployment of Systems 2015 September
- 6. Cathy is from WSO2 Open-source Community • Cathy of abc.com self-sign up to wso2.com to test WSO2 IS. She gets → OT Jira • abc.com becomes a customer • She get invitation email → automatically provisioned to Support JIRA
- 7. Deployment of Systems 2015 Q4
- 8. • Use WSO2 IS for the best enterprise Identity Solution • Centralized identity management – Provide Single Sign-On – Manage user identity centrally, provision vs. syncing • Define the concept of “one person” – A person’s attributes change • Multi-factor authentication for GoogleApps Redefine Identity in WSO2!
- 9. WSO2 Identity Server • APIs to integrate identity management to any application • Multi-factor authentication • Federation and Single Sign-On (SSO) via SAML2, OpenID Connect • Delegation via OAuth, OAuth 2.0 and WS-Trust • Many cloud connectors - https://store.wso2.com
- 10. WSO2 Identity Server • User and groups provisioning • User and groups management • Multiple user store support • Password policies • Account locking • Entitlement - RBAC, XACML
- 11. Single Sign-On • Provide credentials once (to a 3rd party) and obtain access to many apps • Reduce password exhaustion • Central control of the identity – Increased security – Reduce redundancy
- 12. SAML2.0 Web Profile • Widely supported by many service providers • OASIS open standard • XML based assertions
- 13. Customer Identity vs Employee Identity • Scale • Centrally controlled vs. Distribution • Self-service and JIT • Low assurance vs. high assurance • Different focus areas - market driver, individual, UX
- 14. Identity Server for SSO
- 15. Attributes of a Person Changes • A person can change email address and other attributes • The person object must stay the same • Given a set of unique attribute values we should be able to find the person
- 16. Provisioning • Auto-provisioning to – GoogleApps – Concur – External LDAP • Auto deprovision
- 17. SCIM Implementation • Cross domain identity provisioning standard • Adapted by many vendors and SaaS apps • Supports user/group provisioning via REST/JSON API • IS Supports SCIM 1.1
- 18. Identity Server for Provisioning
- 19. LDAP Syncing vs Provisioning to Systems • LDAPs are replicated and synched with each other in batch mode periodically • Provisioning work with “Callbacks” and then updating the user on remote system • Modern systems work with trusted third parties – No need keep credentials – Provisioning via SCIM, other APIs or auto-provisioning
- 20. Multi-factor authentication for GoogleApps • Identity is – Something you know – Something you have – Something you are • Use two of the above mechanisms • Can use SMSOTP, TOTP for GoogleApps → In case of phone misplace
- 21. Lets look at Edgar again • Every morning Edga logs into accounts.apps.wso2.com • Each time Edga wants to login to OT JIRA/Support JIRA he has to sign in.
- 22. Identity Across two Domains
- 23. WSO2 Identity Server Architecture
- 24. One-Click Operation to Add an IdP
- 25. Use of Federation • Identity Federation - Using same identity or mapping of identity across multiple applications • SSO is a federation pattern • We need to use same identity in applications across two different domains
- 26. Identity Across two Domains
- 27. Identity Server for Federation
- 28. Federation in Identity Server
- 29. Lets look at Edga again • Every morning Edga logs into accounts.apps.wso2.com but OT JIRA requires to click on a link
- 30. Extensibility of Identity Server
- 31. Back Channel Authenticator • Edgar writes a custom authenticator – Sets for cookie valid for both domains by internal IdP – Checks the cookie by external IdP → No more middle screen prompting • Edgar’s authenticator is deployed!
- 32. Cathy Leaves abc.com • Removed from abc.com support account • Cathy joins WSO2 – Auto-provisioned into the systems – Maintains open-source profile separately (Consumer identity vs. Employee identity)
- 33. Current implementation of the Project
- 34. Future • Authorization for Apps
- 35. Thank You