WSO2 Identity Server. Prabath Siriwardena, Senior Software Architect.
An open source Identity & Entitlement management server: Authentication (LDAP, AD, JDBC)
An open source Identity & Entitlement management server: Authentication, Single Sign On (SAML2, Kerberos, WS-Fed Passive)
OpenID • Decentralized Single Sign On • Single user profile • Widely used for community & collaboration aspects • Multifactor Authentication [Infocard, XMPP] • OpenID relying party components
SAML2 • Single Sign On / Single Logout • Widely used by *aaS providers [Google Apps, Salesforce] • SAML2 Web SSO Profile • SAML2 Attribute Profile • Distributed Federated SAML2 IdPs • Used in WSO2 StratosLive
Single Sign-On: WS-Fed Passive (SharePoint)
An open source Identity & Entitlement management server: Provisioning (SPML, SCIM), Authentication, Single Sign On
Provisioning to heterogeneous systems: Google Adaptor, SF Adaptor
Open standards for provisioning
• 2012: SCIM 1.1
• 2011: SCIM 1.0
• 2011: RESTPML
• 2010: SCIM community
• 2006: SPML 2.0
• 2003: SPML 1.0
• 2003: WS-Provisioning
• 2001: OASIS PS TC
Open standards for provisioning: Provisioning Service Point
System for Cross-domain Identity Management: a SCIM Consumer calls the /Users and /Groups endpoints of a SCIM Service Provider
System for Cross-domain Identity Management

add-user.json:
{
  "schemas": [],
  "name": {"familyName": "siriwardena", "givenName": "prabath"},
  "userName": "prabath",
  "password": "prabath123",
  "emails": [
    {"primary": true, "value": "prabath@yahoo.com", "type": "home"},
    {"value": "prabath@wso2.com", "type": "work"}
  ]
}

curl command:
curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

add-group.json:
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "idnext",
  "displayName": "IdentityNext"
}

curl command:
curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
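As an added example (not from the slides or from WSO2's code), the following Python builds the two payloads above with the core schema URN, checks them against the basic SCIM 1.1 rules (non-empty schemas list, server-assigned id, one primary email) and posts them with HTTP Basic auth the way the curl commands do. The helper names, the cafile parameter and the sample user data are assumptions.

```python
import base64
import json
import ssl
import urllib.request

# Core schema URN used in add-group.json on the slide; SCIM 1.1 requires it on every resource.
SCIM_CORE = "urn:scim:schemas:core:1.0"


def build_user(user_name, given, family, password, emails):
    """SCIM 1.x User shaped like add-user.json; emails is a list of (value, type, primary)."""
    return {
        "schemas": [SCIM_CORE],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "password": password,
        "emails": [{"value": v, "type": t, **({"primary": True} if p else {})}
                   for v, t, p in emails],
    }


def build_group(display_name, member_ids=()):
    """SCIM 1.x Group; 'id' is left out because the Service Provider assigns it."""
    return {"schemas": [SCIM_CORE], "displayName": display_name,
            "members": [{"value": m} for m in member_ids]}


def validate(resource):
    """Return a list of problems; [] means the payload is well formed for /Users or /Groups."""
    problems = []
    if SCIM_CORE not in resource.get("schemas", []):
        problems.append("schemas must list " + SCIM_CORE)
    if "id" in resource:
        problems.append("id is read-only and assigned by the Service Provider")
    if "displayName" not in resource:  # a User, not a Group
        if not resource.get("userName"):
            problems.append("userName is required for a User")
        if sum(1 for e in resource.get("emails", []) if e.get("primary")) > 1:
            problems.append("at most one email may be primary")
    return problems


def scim_post(endpoint, username, password, resource, cafile=None):
    """POST the resource with HTTP Basic auth, as the slide's curl command does (hypothetical
    helper). TLS verification stays on; pass the server's CA bundle as cafile instead of -k."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        endpoint, data=json.dumps(resource).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return resp.status, json.loads(resp.read() or b"{}")
```

Run validate() before posting: the slide's add-user.json would be flagged for its empty schemas list and add-group.json for supplying an id, both of which WSO2 IS may tolerate but the SCIM 1.1 core schema does not.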
Federated Provisioning Patterns [diagrams: Domains A, B and C, each hosting a Provisioning Service Provider and/or a SCIM Consumer]
• One way provisioning
• One way provisioning with broker mode
• Bi-directional provisioning
• Multi-directional provisioning with a centralized PSP
• Just-in-time provisioning with SAML2 (Provisioning Service Provider in Domain A, SAML2 IdP in Domain B; two numbered-step diagram variants)
Multi-tenancy [diagram]: one Provisioning Service Provider serving the tenants facilelogin.com and wso2.com, each with its own SCIM Consumer
An open source Identity & Entitlement management server: Provisioning, Authentication, Single Sign On, Auditing (XDAS)
An open source Identity & Entitlement management server: Provisioning, Authentication, Single Sign On, Auditing, Delegation (WS-Trust)
OAuth • Identity Delegation • Securing RESTful services • 2-legged & 3-legged OAuth 1.01 • XACML integration with OAuth • OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials, Client Credentials
An open source Identity & Entitlement management server: Provisioning, Authentication, Single Sign On, Federation (SAML2, WS-Trust), Auditing, Delegation
Security Token Service • Supports WS-Trust 1.3/1.4 • SAML 1.0/1.1/2.0 token profiles • Claim management
Federation Patterns [diagram]: Cross Domain Authentication with WS-Trust (Consumer App, Security Token Service and Resource across Domains A and B)
Federation Patterns [diagram]: Cross Domain Authentication with Kerberos and WS-Trust
Federation Patterns [diagrams]: Decentralized Federated SAML2 IdPs
An open source Identity & Entitlement management server: Role Based Access Control, Attribute Based Access Control and Policy Based Access Control with XACML / WS-XACML, exposed over SOAP and REST
XACML • The de-facto standard for authorization • XACML 3.0 • Support for multiple PIPs • Policy distribution • Decision / Attribute caching • UI wizard for defining policies • Notifications on policy updates • TryIt tool
XACML architecture [diagram]: EntitlementService (SOAP/Thrift/WS-XACML) fronting the Policy Decision Point and EntitlementPolicyAdminService (SOAP) fronting the Policy Administration Point; the XACML Engine is backed by a Policy Cache, a Decision Cache, an Attribute Cache and Attribute Finder Extensions (Default Finder, LDAP)