WSO2 Identity Server

1. WSO2 Identity Server Prabath Siriwardena Senior Software Architect

2. An open source Identity & Entitlement management server

3. An open source Identity & Entitlement management server Authentication LDAP AD JDBC

4. Authentication

5. An open source Identity & Entitlement management server Authentication Single Sign On SAML2 Kerberos WS-Fed Passive

6. OpenID • Decentralized Single Sign On • Single user profile • Widely used for community & collaboration aspects • Multifactor Authentication [Infocard, XMPP] • OpenID relying party components

7. SAML2 • Single Sign On / Single Logout • Widely used *aaS providers [Google Apps, Salesforce] • SAML2 Web SSO Profile • SAML2 Attribute Profile • Distributed Federated SAML2 IdPs • Used in WSO2 StratosLive

8. Single Sign-On WS-Fed Passive SharePoint

9. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On SPML SCIM

10. Provisioning

11. Provisioning to heterogeneous systems Google Adaptor SF Adaptor

12. Open standards for provisioning 2012 : SCIM 1.1 2011 : SCIM 1.0 2011 : RESTPML 2010 : SCIM community 2006 : SPML 2.0 2003 : SPML 1.0 2003 : WS-Provisioning 2001 : OASIS PS TC

13. Open standards for provisioning Provisioning Service Point

14. System for Cross-domain Identity Management /Users SCIM Service Provider /Groups SCIM Consumer

15. System for Cross-domain Identity Management add-user.json { "schemas":[], "name":{"familyName":”siriwardena","givenName":”prabath"}, "userName":”prabath","password":”prabath123", "emails":[{"primary":true,"value":”prabath@yahoo.com","type":"home"}, {"value":”prabath@wso2.com","type":"work"}] } curl command curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

16. System for Cross-domain Identity Management add-group.json { "schemas": ["urn:scim:schemas:core:1.0"], "id": "idnext", "displayName": "IdentityNext", } curl command curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups

17. System for Cross-domain Identity Management

18. Federated Provisioning Patterns Domain A Provisioning Service Provider Provisioning Service Provider Domain B Provisioning Service Provider SCIM Consumer Domain C One way provisioning

19. Federated Provisioning Patterns Domain A Provisioning Service Provider Provisioning Service Provider Domain B Provisioning Service Provider SCIM Consumer Domain C One way provisioning with broker mode

20. Federated Provisioning Patterns Domain A Provisioning Service Provider SCIM Consumer Provisioning Service Provider Domain B Provisioning Service Provider SCIM Consumer Domain C SCIM Consumer Bi-directional provisioning

21. Federated Provisioning Patterns Domain A Provisioning Service Provider SCIM Consumer Provisioning Service Provider Provisioning Service Provider Domain B Provisioning Service Provider SCIM Consumer Domain C SCIM Consumer Multi-directional provisioning with a centralized PSP

22. Federated Provisioning Patterns Domain A Provisioning Service Provider 3 SAML2 IdP 2 4 1 Domain B Just-in-time provisioning with SAML2

23. Federated Provisioning Patterns Domain A 4 Provisioning Service Provider 3 SAML2 IdP 2 5 1 Domain B Just-in-time provisioning with SAML2

24. Multi-tenancy Provisioning Service Provider facilelogin.com wso2.com SCIM Consumer (wso2.com) SCIM Consumer (facilelogin.com)

25. WSO2 Charon

26. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On Auditing XDAS

27. Auditing

28. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On Auditing Delegation WS-TRUST

29. Delegation

30. OAuth Evolution

31. OAuth Evolution

32. OAuth Evolution

33. OAuth Evolution

34. OAuth • Identity Delegation • Securing RESTful services • 2-legged & 3-legged OAuth 1.01 • XACML integration with OAuth • OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials, Client Credentials

35. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On Federation Auditing Delegation SAML2 WS-TRUST

36. Federation

37. Security Token Service • Supports WS-Trust 1.3/1.4 • SAML 1.0/1.1/2.0 token profiles • Claim management

38. Federation Patterns Resource Security Token Service Consumer App Domain A Domain B Cross Domain Authentication with WS-Trust

39. Federation Patterns Cross Domain Authentication with Kerberos and WS-Trust

40. Federation Patterns Decentralized Federated SAML2 IdPs

41. Federation Patterns Decentralized Federated SAML2 IdPs

42. Federation Patterns Decentralized Federated SAML2 IdPs

43. An open source Identity & Entitlement management server Role Based Access Control

44. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control

45. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control Policy Based Access Control XACML

46. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control SOAP Policy Based Access Control XACML / WS-XACML

47. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control REST SOAP Policy Based Access Control XACML

48. XACML • The de-facto standard for authorization • XACML 3.0 • Support for multiple PIPs • Policy distribution • Decision / Attribute caching • UI wizard for defining policies • Notifications on policy updates • TryIt tool

49. XACML EntitlementService EntitlementPolicyAdminService SOAP/Thrift/WS-XACML SOAP Policy Administration Point Policy Decision Point Attribute Finder Extensions Decision Cache Extensions Attribute Cache XACML Engine Default Finder Policy Cache LDAP

50. XACML