This report is based on the internship experience I had during my time of internship. The relevant details of the internship program are available in the cover page. This report contains three main chapters namely, Introduction to the Training Establishment, Training Experience and Conclusion. In the following paragraphs, what each chapter contains is explained briefly. The first chapter is titled, “Introduction to training establishment” and it contains information about the organization that I had my training at. The second chapter includes information related to the training experience I had, during my time of stay at the training establishment. The final chapter is the conclusion of the report, where it contains a summary of the training experience mentioned in chapter 2 and how all these training experiences affected my life and career and it distinguishes the university life from the training life, by clearly mentioning what I gained as an intern in that company.

1. UNIVERSITY OF MORATUWA
Faculty of Engineering
Non-GPA Module 3992: Industrial Training
TRAINING REPORT
WSO2 Lanka (PVT) Ltd
From 25/07/2016 to 23/12/2016
Date of Submission: 31/01/2017
Sugathadasa K. M.
130581H Department of Computer Science and Engineering

2. i
Preface
This report is based on the internship experience I had during my time of internship. The
relevant details of the internship program are available in the cover page. This report contains
three main chapters namely, Introduction to the Training Establishment, Training Experience
and Conclusion. In the following paragraphs, what each chapter contains is explained briefly.
The first chapter is titled, “Introduction to training establishment” and it contains information
about the organization that I had my training at. This chapter contains information about the
training establishment, its main functions, organizational structure and hierarchical levels. The
information about the training establishment contains information like what this company is all
about and the history of the company. In the mid-section of the chapter, it explains the core
functionalities of the company and the platform that the company uses, alongside its main
products. And in the latter part of the chapter, it mentions a SWOT analysis and my suggestions
to improve its overall performance, with the contribution of the company towards the IT
industry of Sri Lanka.
The second chapter includes information related to the training experience I had, during my
time of stay at the training establishment. This chapter emphasizes on the work carried out at
the training establishment as an intern. It includes information regarding how I saw the
company from my perspective and what I experienced as an intern. It also contains the duties
assigned to me, events in the company and how I took part in all of them. The beginning of the
chapter contains information on commencement of the internship program and how my new
experience was with the company. The mid-section of the chapter explains the work that I
carried out and the latter part of the chapter talks about the life at the company where all the
events and how I enjoyed those events are being mentioned.
The final chapter is the conclusion of the report, where it contains a summary of the training
experience mentioned in chapter 2 and how all these training experiences affected my life and
career and it distinguishes the university life from the training life, by clearly mentioning what
I gained as an intern in that company. The identified weaknesses of myself as a trainee is
mentioned here and how I intend to take measures to overcome these weaknesses within the
final year of my university career. It also contains about the ability for the training organization
to provide a good training for interns when they come for training.

3. ii
Acknowledgement
I would first like to thank the Department of Computer Science and Engineering, for providing
us with these wonderful companies to work in and for making sure that everyone in the batch
gets a fair chance in selecting the training places. I would like to thank Dr. C. De Silva (Head
of the Department of Computer Science and Engineering) and Dr. D. Bandara (Head of the
Training Program for the Department) for all the effort you put to let us work and gain a great
amount of experience during our internship periods.
Next I would like to thank the Industrial Training Division of University of Moratuwa, and the
National Apprentice and Industrial Training Authority (NAITA) for letting us work in such
companies and for giving us guidance on how to work and behave during the training period.
And I would like to thank the Industrial Training Division for being very flexible with the
submissions and other tasks, despite their busy schedules.
Next I would like to thank Dr. S. Weerawarana (CEO and Founder of WSO2) for making sure
that interns get a great experience during the stay at the company and for showing us no
difference when it comes to employees and interns. Then I would also like to thank my mentor,
Mr. P. Siriwardena (Director of Security Architecture at WSO2) for guiding me along every
path and providing me necessary advices at the right time. If not for him, i wouldn’t be writing
this many blogs by now, where his work is what inspired me so to work very hard and share
my knowledge.
I would also like to thank, Mr J. Nallathmaby (Technical Lead of Identity Server at WSO2) for
helping me through out and acting like my mentor, since my mentor was working abroad. And
I would also like to thank Mr. H. Thirimanne (Associate Technical Lead of Identity Server at
WSO2) where he was the one who gave me all the technical support whenever I needed it. I
would not have been able to finish my project if he hadn’t helped me the way he helped me
when I was an intern.
Last but not the least, I would like to thank everyone in the University, at WSO2 and all the
interns who worked with me for making my internship life enjoyable and successful.

4. iii
Contents
1 Introduction to the Training Establishment .......................................................................1
1.1 What is WSO2.............................................................................................................1
1.2 History of WSO2.........................................................................................................2
1.3 WSO2 Vision ..............................................................................................................2
1.4 WSO2 Platform...........................................................................................................2
1.1.1 Features of WSO2 Platform.................................................................................3
1.1.2 WSO2 Advantage ................................................................................................4
1.2 The Organizational Structure ......................................................................................4
1.3 SWOT Analysis of the Company................................................................................6
1.3.1 Strengths ..............................................................................................................6
1.3.2 Weaknesses..........................................................................................................7
1.3.3 Opportunities........................................................................................................7
1.3.4 Threats..................................................................................................................7
1.4 Contributions to the Sri Lankan Society .....................................................................8
1.5 How to improve the overall performance?..................................................................8
2 Training Experience...........................................................................................................9
2.1 Selection Interviews ....................................................................................................9
2.2 Training at WSO2 .......................................................................................................9
2.2.1 First day at WSO2................................................................................................9
2.2.2 Orientation Program...........................................................................................10
2.2.3 Joining the Identity Server Team.......................................................................16
2.2.4 My Project – The Mobile Connect Federated Authenticator.............................23
2.2.5 Assisting Project – OpenID Connect Protocol...................................................31
2.2.6 WSO2 Mobile Connect Webinar.......................................................................34
2.3 Life at WSO2 ............................................................................................................36
2.3.1 Inter House Tea Time Championships ..............................................................36
2.3.2 Inter House Badminton Tournament .................................................................36
2.3.3 WSO2 Smart Ass Quiz ......................................................................................37
2.3.4 Secret Santa........................................................................................................37

5. iv
2.3.5 Karaoke Session.................................................................................................38
2.3.6 Whack Internal Hackathon ................................................................................38
2.3.7 WSO2 Intern Life ..............................................................................................39
2.3.8 WSO2 Year End Party.......................................................................................41
3 Conclusion .......................................................................................................................42
3.1 A different exposure from university life..................................................................43
3.2 How to improve my final year at university?............................................................43
3.3 Quality of the training I received ..............................................................................44
3.4 Comments on the training program organized by the university and NAITA..........45
4 References........................................................................................................................46
5 Table of Figures ...............................................................................................................47

6. 1
1 Introduction to the Training Establishment
1.1 What is WSO2
The term WSO2 stands for Web Services Oxygenated and it is one of the leading open source
software companies in the world. It is a company that provides Service Oriented Architecture
(SOA) middleware [1]. It has a variety of products which are being used by leading
organizations in the world like eBay, Boeing, Experian and others. The Enterprise Service Bus
(ESB) of WSO2 is one of the main products that is being used by many organizations around
the world. More on WSO2 products and their platforms can be found in section 1.4 of this
report
WSO2 was founded by two persons namely Dr. Sanjiva Weerawarana and Paul Fremantle in
August 2005, and investments for this company is being carried out by various supporters such
as Intel Capital, Toba Capital Pacific Controls and some others. Having over 11 years of
exposure in the industry, WSO2 has offices located in various parts of the world, including
Colombo Sri Lanka, London United Kingdom, Mountain View CA in United States, whereas
most of the engineering and research teams are situated in the Colombo Sri Lanka office which
is in the Palm Grove Avenue of Colpetty. WSO2 gained a lot of attraction in the middleware
industry eBay being one of the major customers of WSO2, released that the overall
functionality of their organization is being backed by a WSO2 product namely the WSO2 ESB
(Enterprise Service Bus).
All the products of WSO2 are being released under the WSO2 Apache License Version 2 and
it follows open source development principles which includes the codes and architectures being
publicly available for everyone, transparency of the work being carried out by providing public
mailing lists and documentations and conducting workshops every month to get the public
aware on the open source community of WSO2. When considering the application
infrastructure market, the company names Gartner, consider WSO2 as one of their leading
competitors.
The 100% open source middleware architecture platform gives the ability to companies to build
their very own infrastructure completely and reliably using each of the products of WSO2. The
customizable architecture of the products at WSO2, allows all the users to use only what they
need and automatically adapt business activity in response to market events.

7. 2
1.2 History of WSO2
Dr. Sanjiva Weerawarana is one of the founders of the web services platform at IBM, where
he was working there as a researcher. WSO2 was started by Dr. Sanjiva Weerawarana, where
he was joined by Paul Fremantle where he became WSO2’s Chief Technical Officer (CTO)
and was subsequently named one of Infoworld’s Top 25 CTOs in 2008.
The first product of WSO2 was named Tungsten and it was used for development of web
applications. The next product of WSO2 was named as WSO2 Titanium, which later happened
to become well known as WSO2 Enterprise Service Bus (ESB). Funding for WSO2 was done
by various different investors like Intel Capital, Godel Technologies, Toba Capital, Cisco and
in 2015, Pacific Controls and Toba Capital raised another $20 million as investment for WSO2.
The WSO2Mobile was launched in 2013 as a subsidiary, with Harsha Purasinghe of
MicroImage as the CEO and Co-founder for WSO2Mobile. In 2015, a new line for WSO2 was
launched as WSO2.Telco with the partnership of the Malaysian Telecommunications Company
Axiata.
The top leadership at WSO2 have contributed a lot to Apache Projects, and in 2016, WSO2
was ranked seven for having most number of committers for Apache. WSO2 has always had a
very close connection with Apache where WSO2’s Stratos project was donated to Apache later
on.
1.3 WSO2 Vision
The main global vision of WSO2 is to become the leading Middleware Provider for enterprise
architecture in the whole of Asia. Currently WSO2 faces challenges in terms of expansion and
competition throughout the industry despite their successful strong customer base which
includes many leading companies from around the world.
WSO2 also targets at becoming achieving levels of recognitions via their business models
provided, working environment for employees, support and marketing aspects and technology
being used in the company.
1.4 WSO2 Platform
WSO2 is an Open Source Community where most of the products available today lets users
customize the systems according their needs and deploy it to enhance a digital service into their
businesses. For the past 11 years, WSO2 has provided organizations with an Open and

8. 3
Comprehensive Platform to connect their businesses digitally. With the vision of going forward
as the leading Middleware company in Asia, WSO2 now enhances the global movement of
making enterprise middleware flexible, cost efficient, collaborative and faster like never seen
before. The entire platform provides the pan for the entire breadth of Service Oriented
Architecture (SOA) whilst being 100% open source to the community [2]. The following image
depicts the overall platform and the available products of WSO2.
Figure 1.1 WSO2 Platform
1.1.1 Features of WSO2 Platform
 A Platform build for the future – The overall platform of WSO2 runs on top of the
WSO2 Carbon. It will let you customize the components as required and automatically
adapt to the relevant business activity in response to market events.

9. 4
 Develop Once, Deploy Everywhere – The entire WSO2 middleware stack and
architecture supports to work on many different clouds such as private, public, hybrid
and even on premise.
 Optimized for Internet of Things (IoT) – The WSO2 products enable the System
Integrators to build, integrate, analyze, manage and secure IoT Enabled solutions for
any WSO2 enabled enterprises.
 Open and Infinitely Flexible – All WSO2 products run on Open Source and Open
Standards to completely protect from lock in. The platform supports many other
standards and protocols, despite the fact whether each of the external components are
paid or open source. Giving a pluggable architecture to the entire platform makes it
infinitely flexible and many enterprises take advantage of this fact to expand the system
as needed.
1.1.2 WSO2 Advantage
The WSO2 Advantage is a concept brought up by the company to show the advantages that
one would get by integrating the WSO2 platform into their enterprises. WSO2 is known as the
Middleware Paradigm Shift, that will advance the entire world. Following are the core features
mentioned under the WSO2 Advantage Concept.
 100% Open Source
 Comprehensive Platform
 Easy Integration by Design
 Fully Cloud Ready
 Rapid, Expert Support
 A Proven Fortune 500 Partner
1.2 The Organizational Structure
The organizational structure at WSO2 provides a flat hierarchy and transparency in everything
that happens within the company and outside of it. The flat organization (hierarchy) depicts a
structure with few levels of middle management between the staff and executives.

10. 5
The flat and informal structure within WSO2 is what drives employees to build rapid and
innovative systems throughout the products span of the company. The following list shows the
current senior management at WSO2.
 Sanjiva Weerawarana – Founder, CEO, Chief Architect
 Jonathan Marsh – Vice President Strategy
 Samisa Abeysinghe – Vice President Delivery
 Devaka Randeniya – Vice President Sales
 Padmika Dissanaika – Vice President Finance
 Puny Navaratne – Vice President Legal Affairs
 Asanka Abeysinghe – Vice President Solutions Architecture
 Udeshika Ratnavira – Vice President Human Resources & Administration
 Selvaratnam Uthaiyashankar – Vice Preseident Engineering
 Jackie Wheeler – Vice President Technical Content
 Srinath Perera – Vice President Research
 Shevan Goonetilleke – Vice President Operations
 Hasmin AbdulCader – Vice President Marketing
 Dmitry Sotnikov – Vice President Cloud
The following diagram shows the overall hierarchy of WSO2.

11. 6
Figure 1.2 Company Hierarchy of WSO2
1.3 SWOT Analysis of the Company
1.3.1 Strengths
 Open Source Community: The open source community in the world today is very strong
and WSO2 place a major role in the overall community. Currently it holds rank seven, for
having the most number of open source contributors for Apache in the year of 2016. This is
a great achievement for the company
 Comfortable working environment: Having a comfortable working environment is a
strength of the company since, that is what allows the workers to think out of the box and
work in a very relaxed mind set. This allows employees to be innovating and solve problems
really fast to provide a better service to its customers
 Talented set of developers and employees: The employees at WSO2 is a very strong base,
because it has people from every industry working in various parts of the company. These
employees bring reputation and sales into the company by their talents being shown around
the globe. Their talent is what brings new features to the WSO2 products within every
release of each product.

12. 7
 Strong Carbon Platform: The carbon platform being used at WSO2, is a very strong and
reliable one which is running on top of the OSBI bundle. The carbon platform is what runs
as the core component of every WSO2 product available today. Having a reliable
architecture underneath every product is a strength to the company.
 Flexible working hours: Having flexible working hours can be seen as a strength of the
company, where this is what allows the employees to work freely during the times they are
mostly comfortable in. If you decide to work from home, you can do so. If you decide to
sleep during the day and work over night, you can make arrangements to do so as well. This
is seen as a strength that will bring out the fullest potential of the employees.
1.3.2 Weaknesses
 Employee Turnover: Within my stay at WSO2, I found out that many leading engineers
and people from the senior leadership, getting better job opportunities from other Software
Engineering companies in Sri Lanka and abroad. I see this as a weakness of the company
for not being able to retain the current workforce, and due to this reason, the company will
have to invest more on new employees to get them to adapt to the WSO2 culture and working
environment
1.3.3 Opportunities
 Top leading companies being interested in WSO2 products: During my stay at WSO2, I
was working in a new concept for the WSO2 Identity Server, which is Mobile Connect. And
from the webinars and blogs I wrote, I noticed that many leading companies were interested
in joining WSO2 as their key partners for their underlying system
 The growth in the Open Source Community: We can see the open source community in
the world is growing day by day, and this is a great opportunity for WSO2 in the way I see
it. Being open and transparent, makes other organizations think that, WSo2 products are
more reliable over its competitor products.
1.3.4 Threats
 Competitors for each WSO2 product: Having competitors in any kind of business is what
drives a business to achieve better goals and perfection. Similarly WSO2 also has some
challenging competitors when it comes to each of the products whereas WSO2 has to be
more careful in retaining their existing customer base.

13. 8
 Customer Complaints: During my stay at WSO2, I notice several incidents where some
top customers at WSO2, being disappointed in the service being provided to them by the
support team. The customers are our main asset when it comes to open source products.
Therefore, it is important to maintain a good relationship with the customers of each of the
products.
1.4 Contributions to the Sri Lankan Society
Being one of the leading open source platforms in the country, WSO2 provides a separate eco
system for developers in Sri Lanka to get in touch with the products and work with them.
Recently, WSO2 was selected as a company for Google Summer of Code, and by this, it opened
up a lot of opportunities for developers in Sri Lanka as well as abroad to take part in WSO2
products and start developments as needed.
WSO2 provides many job opportunities for students from state universities as well as private
universities, and most of them are computer science graduates. This is a good opportunity for
those graduates to gain a greater exposure about the industry and work in one of the leading
Software Engineering companies in Sri Lanka.
During my stay at WSO2, I saw many social projects being carried out by WSO2, where once
they went to the University of Sabaragamuwa, and conducted a few workshops for the first-
year Computer Science students.
1.5 How to improve the overall performance?
Improving in terms of marketing would be a good way to increase the performance, because
marketing is what brings in customers into the company where it is hard to get customers to
contact support of WSO2, because all the products are open source products. WSO2 conducted
an internal hackathon for us, where the while purpose was to identify better means of bringing
in customers into the company.
Further, expanding the company to various other parts in the world, where it will let the
customers feel reliable and eased, because having a local office in some countries, would be
really beneficial for the customers as well as the company to reach each other without a bug
hassle.

14. 9
2 Training Experience
2.1 Selection Interviews
The selection interviews for internships at WSO2 was held in the month of August and it was
conducted by Mr. Selvaratnam Uthaiyashankar (Vice President Engineering) and it was a very
comfortable and friendly interview. He was very polite and had done a background search on
every interviewee who had come on that day. From what I saw, he had checked our LinkedIn
Profiles as well, where he happened to ask a few questions from my LinkedIn profile on the
day of the interview.
I was a bit nervous at the beginning of the interview, but it all faded away when Mr.
Uthaiyashankar called me from my first name and started asking about my family background.
And from that moment onwards I felt really comfortable and without hesitation I expressed my
very own ideas for all the questions he asked. He asked questions like what are my interests,
the projects I have done and what are my future goals. He was interested in my hackathon
achievements and he encouraged me to do more because that’s what builds the motivation and
enthusiasm to work as Computer Science Students.
I was contacted by Mr. Nirshan Fernando from the Human Resource Division of WSO2, and
the confirmation of my internship was informed to me. I was excited and happy, where I was
really looking forward to work at WSO2 as soon as the internship period starts.
2.2 Training at WSO2
2.2.1 First day at WSO2
We commenced our internship at WSO2 on the 25th
of July 2016, and we all were asked to
come to the Human Resource Division at WSO2, where we were joined by some other interns
from University of Moratuwa, Department of Electronics and Telecommunications and APIIT.
Most of us were there for the training program of Engineering Team at WSO2 and one person
was for the Marketing Team of WSO2, where all of us were joining as interns. We were
addressed by Mr. Charitha Bandara who is the Lead of Administration and Human Resources
at WSO2, and he welcome us all. He introduced us to the WSO2 orientation program and our
next two weeks at WSO2 were mainly focused on the orientation program.

15. 10
2.2.2 Orientation Program
The first day of the orientation program started with the introduction to the houses at WSO2,
and the four houses are,
 Cloudbots
 Titans
 Wild Boars
 Legions
I was selected to Cloudbots and we were all asked to do a presentation on the concepts at
WSO2. There were many different concepts where our house was given the chance to present
on the concept called “broken windows” and it was presented by me for the house. That was
the first presentation that I did at WSO2, and was interesting to go to the front of a meeting
room and presenting to all the interns.
2.2.2.1 Tour around the company
Then we were taken around the WSO2 premises by Mr. Charitha Bandara (Lead HR and
Administration) and he explained what teams were on each floor and the special rooms in each
of the floors. Each floor at WSO2 had a separate theme, just to bring some variety into the
working employees and give some fun exposure to work in. And each floor consisted of one
or more teams working for some products and they were all working collaboratively with each
other.
Another interesting part which I saw in the company as the space allocated for employees to
do communications and carry out meetings. Each floor consisted of more than one call room
where employees can go to the call room and make a call whenever needed. The purpose of
this was to allow the employees to communicate comfortably with people and not to disturb
others in the process of doing it.
There were some interesting rooms that we found out at WSO2, and one of them was named
as the snooze room. Whenever an employee is feeling sleepy, he or she can go there and have
a nap, where the whole purpose is to avoid employees working in sleepy conditions because it
just slows down the work making it inaccurate at times. I, myself have been to the snooze room
whenever I felt sleepy and rested there for some time before working again.

16. 11
Another interesting room at WSO2 is the Crèche. This room was built as a day care center for
kids, where there was a nurse attending all the babies in that room. The employees can bring
their kids and babies to this place whenever they come to work, so that they can leave the baby
in that room and go to work comfortably. This room was on the topmost floor of the building
so that it will not interfere with the work environment of the company. The purpose of this
room is to let employees off the worries of thinking about the kids all the time, and focus on
the work being carried out there.
The building has a separate gymnasium and a basketball court for employees to come and play
whenever they want. The purpose of this is to make sure that the employees have a stress free
working environment and to make sure that the employees being physically healthy.
The lobby area contains a lot of games and fun activities including, carom, table tennis, chess,
a pool table, a play station and many more. When the employees come down for tea and lunch,
they can relax themselves by playing on of the games with other employees and relieving the
stress they have. This is to ensure that the employees always maintaining a healthy mindset
where it will always increase the accuracy of the work they are doing when they go back to
their desk or work area.
Then kitchen area was also shown to us as a part of the tour around the building where food
was provided to everyone at WSO2 at any time of the day. Whether it is lunch, breakfast, dinner
or tea, the company provides all these and plus other refreshments to all the employees. The
main purpose for providing food like this inside the company is to ensure that employees do
not go out of the company for food, and by that wasting time that could have been used for a
better purpose.
And finally, he showed us that there is a special area for playing music inside the company
where there is a guitar, drum set, organ and other instruments for employees to come and play
with. This gives employees the opportunity to come in the evening and have some musical
session with everyone and enjoy the time at WSO2.
2.2.2.2 Presentation by Teams
During the orientation program, we had various sessions with many different people from
around the company. There were fun sessions as well as knowledge sharing sessions where

17. 12
team leads from various teams came to us and tried to market their products to us in a way that
will gain our interest when picking a project for the internship program. It was also a knowledge
sharing session where all of us were well informed about the products at WSO2. Following
teams came to us and explained about their products and the available products for all of the
interns. We had to take note of those available projects and pick one at the end of the orientation
program. The following topics explains the items that each team presented at the orientation
program.
Identity Server Team
WSO2 Identity Server team is one of the most prominent teams at WSO2, where I got a chance
to work as an intern during my internship period. The WSO2 Identity Server is the industry’s
first Enterprise identity Bus (EIB) where the WSO2 Carbon platform runs as the core
component of the system. The Identity Server runs on a lot of application despite the fact of
different protocols being used, because it supports many different components to be attached
into the server without any hassle. WSO2 Identity Server is the central backbone that connects
and manages multiple identities across applications, APIs, the cloud, mobile, and Internet of
Things devices, regardless of the standards on which they are based.
The Identity Server provides many different connectors for the WSO2 Identity Server and those
connectors are directly pluggable to where new functionalities and features can be added as
extensions to the identity server. Ms. Malithi Edirisinghe being the Associate Technical Lead,
came to the interns during the orientation program and presented their projects for the intern.
Some of the projects are as follows.
 Mobile Connect Authenticator as a Federated Authenticator
 SCIM for Identity Server
 SAML 2.0 Upgrade
 Metadata Support for WSO2 Identity Server
 LDAP connector for the WSO2 Carbon platform

18. 13
API Manager
Any connected business has many different applications inter connected together and bringing
in major functionalities for the business. APIs are at the core of any connected business,
exposing valuable services across customers, partners, and supplier channels. The WSO2
Platform for API Management will revive your APIs and ensure faster return on investment.
The WSO2 API Manager allows the enterprise to achieve their business goals by achieving
fast, scalable, flexible and proven platform that gives you complete control over infrastructure
and management of all your APIs. The system gives the following features to the customers.
 Design and Implementation
 Secure and Manageable
 Publish and Engage with ease
 Monitor and Analyze
WSO2 Research Team
The WSO2 Research Team is led by Dr. Shrinath Perera (Vice President – Research) and this
team was also an interesting team to work in. They had many projects which included areas
like, machine learning and analytics where most of them led to interesting research areas in the
field. One of the interesting projects that I applied for was the “using machine learning for
predictive maintenance” project. There was another project where many interns applied for and
it was the “use decoders for anomaly detection” project.
2.2.2.3 Games – Orientation Program
We had two very interesting games during the orientation program and one of them was a team
building activity where the other was to get an understanding about the company and its
structure. The team building activity was held in the WSO2 gymnasium where all the interns
took part in it. It was done by one of the members from the Human Resources Team and it was
really interesting and fun when the game was carried out.
The second game, was a team activity where teams were separated from the house names, and
we were given a set of tasks to finish within one hour. All these tasks were related to the culture
of WSO2, and it was really fun and interesting because we actually learned something at the
end of the game. We learned about the people at WSO2 and the cultures which are currently
happening in the company. We mentioned this to Mr. Charitha Bandara (Lead HR and

19. 14
Administration) to do similar kind of events for interns because the outcome of it was really
effective.
2.2.2.4 WSO2 Harassment Policy
This was something new for all of us, because for most of us, WSO2 was the first employment
opportunity and had not seen anything like this before. I have heard that many companies have
policies like this to stop harassments happening inside the company, but the fact that a separate
session of about two hours being allocated to talk about the WSO2 harassment policy, made
me wonder, whether it is something really serious.
The harassment policy mentioned a lot of important factors that we see in many companies
today and I assume that the reason for WSO2 being one of the leading companies in the industry
with a comfortable working environment is because of this policy being enforced strictly on
the employees. This policy covers aspects related to all work areas and I could not see any
other method to make it more accurate in terms of protecting the right of each employees. From
what I think, the main reason for this company to have a flat hierarchy, where everyone can
openly communicate is also because of this harassment policy which is available in the
company today.
This policy was discussed on the very last day of the internship program and it was conducted
by Mr. Charitha Bandara, who is the Lead Human Resources and Administration.
2.2.2.5 WSO2 Carbon Kernel Workshop
During the orientation program, a workshop was carried out by the WSO2 Carbon team, to get
us all aware regarding the WSO2 Carbon Kernel which is being used today. This was actually
a five-hour hands-on session where we got laptops and carried out tasks on the WSO2 Carbon
Platform. According to what was mentioned, the WSO2 Carbon Platform is the platform that
makes all the WSO2 products run and it was one of the core components that everyone at
WSO2 should learn about.
WSO2 Carbon Kernel 5.0.0 is the core of the next-generation WSO2 Carbon platform. It is
completely re-architected from the ground up using the latest technologies and patterns. It is
now streamlined into a more powerful middleware platform, which is a lightweight, general-
purpose OSGi runtime, specialized in hosting servers that provide key functionalities for server

20. 15
developers. The diagram below, depicts an abstract view of how the requests go through the
WSO2 Carbon kernel and where the OSGI framework lies in the overall architecture of the
WSO2 carbon kernel.
Figure 2.1 WSO2 Carbon Kernel Modules
During the workshop, I gained a lot of information from what was taught to us, and I realized
why all the WSO2 products were running smoothly and in a flexible manner.
End of the orientation program
Two weeks from commencement of the orientation program, we were all asked to select a
project for our internship period and it was based on our very own interest. The projects I chose
where related to machine learning and security architectures. I was really interested in the
project named, “Mobile Connect Federated Authenticator for the WSO2 Identity Server”
because this project was a new project and I knew that the final outcome of this project is a
product and that it is not only a small connector or an upgrade like most other projects which
were available.
The “Mobile Connect” project, was led by Mr. Prabath Siriwadena who is the Director of
Security Architecture at WSO2. And I did a background research on him before selecting the
project, and I found out that he was known as the father of WSO2 Identity Server and that he

21. 16
has published some books and conducted many workshops, here and abroad. With the interest
I had with him and the project, I wanted to work under him and for this project. So I selected
the “Mobile Connect” project.
2.2.3 Joining the Identity Server Team
I started working at the WSO2 Identity Server Team on the 8th
of August 2016, and four other
members joined with me. So, we were all put to the same place at the beginning, and we were
welcome by Mr. Darshana Gunawardena who is the Associate Technical Lead of the WSO2
Identity Server Team. He sent us some documents to read on and some other forms that we
were supposed to fill when coming into a team at WSO2. On the same day, we were welcome
by Mr. Waruna De Silva who is the Director of Engineering and he asked us all to blend in
with the team and get into the culture of WSO2 as soon as possible. At the very beginning, I
sat next to Mr. Maduranga Siriwardena, who was a Software Engineer at the WSO2 Identity
Server Team.
During the first two weeks at the Identity Server Team, we were asked to go through the
documentation available in the WSO2 official site and to work with the Identity Server, so that
we can be easily familiarized with the product, before moving in with the projects allocated to
each of us. The WSO2 Identity Server Management Console, is a very descriptive and user
friendly interface where all the functionalities are given just by simple interactions with the
system. The following image, depicts the main menu interface of the WSO2 Management
Console.
Whilst learning all the functionalities provided by the Identity Server, we had to consult almost
everyone in the team, to get the relevant information needed. I got most of the help from Mr.
Pulasthi Mahawithana, who is a Senior Software Engineer at WSO2. In the meantime, I got
help from another team member as well.

22. 17
Figure 2.2 Identity Server Management Console Main Menu
My mentor for my project was, Mr. Prabath Siriwardena (Director of Security Architecture)
and he was working abroad in the WSO2 United States office. I contacted him via Google
Hangouts during some weeks to get to know more information about the project. Since he was
abroad, I had to work under Mr. Johann Nallathamby, who is the Tech Lead of the WSO2
Identity Server team. He was really helpful in signing documents and giving relevant approvals
for the meetings and other requirements.
In the meantime, a separate mentor was assigned to me and his name is Harsha Thirimanne,
who is an Associate Technical Lead for the WSO2 Identity Server team. He has a sound
knowledge on the entire Identity Server, and he helped me a lot on figuring out the major
aspects of the system within a few days’ time.

23. 18
2.2.3.1 Identity Server Team Culture
The WSO2 Identity Server Team is a separate family and it has its very own culture different
from the WSO2 main culture. The people in the team, are really helpful and motivated to do
work as a team and achieve its goals within the given deadline. The following picture shows
the Identity Server team, and this picture was taken on the last day at WSO2.
Figure 2.3 Identity Server Team with Interns
Friendly Environment
The Identity Server Team has a very friendly culture where you feel very comfortable to work
in. When I entered the team, I felt accepted and warmly welcome by everyone, because of the
friendly environment they maintain with everyone. Normally when you go to a new workplace
or office, it takes a long time to get to know everyone and become friendly with them. But at
the WSO2 Identity Server Team, everyone came and talked to us, even though we felt reluctant
to talk with them. They came to us and asked about all our details, and cracked jokes about
themselves all the time. Something I really adored about this was that fact that they never let
us get separated from the team culture, and they constantly kept on asking us to talk to them
all the time, no matter how reluctant we feel.
Normally the interns used to sit together during lunch time and go to tea with the interns only.
But with time, they used to drag us along for lunch and tea, which made us feel like we are
really part of that team. Sometimes they get together and talk about team members and other

24. 19
stuff. Whenever something like this happens, they ask us also to join their conversations, and
it was really fun to be a part of the team within a short period of time.
IS Choco Times
This is something that is very unique to the WSO2 Identity Server Team, where whenever
someone brings chocolates to the team, they announce a chat saying “Choco time” and
everyone will come running to the floor toe at the chocolates, because the Choco time will not
last for long. Normally this happens every day because there is at least one person who would
bring chocolates or something else. Even if it is something else, they will always share it with
the entire team by announcing a Choco time or some other time.
IS Funday
IS Funday is a chat group, which contains all the members from the Identity Server Team,
where all the fun discussions are happening in this chat. It is actually a Google hangouts
conversation, where everyone is involved and we all talk about various fun stuff and bug each
other. It is actually like a family chat where we all share everything and have fun in it.
Whenever we find something interesting about someone in the team, we use to share it on the
chat, and everyone comments on it. This is why I mentioned that the WSO2 Identity Server
team culture is a very different culture and it is really interesting to work in a team like this.
IS Musical Nights
This is also a separate tradition that only the Identity Server team carries out, and this happens
once every night. And also, whenever there is a separate function within the team, we normally
stay overnight at WSO2 and sing songs with the entire team for hours till the next day morning.
This is a very fun activity, where most of us get together and talk about stories and record
videos all the time.
The team has a separate theme song, and we all sing that every time we go for a musicals
session. Most of the times, we record all these videos and put them live on Facebook, so that
everyone else can see and enjoy the live sessions. This is something that I enjoyed very much,
I am currently missing it a lot.

25. 20
Figure 2.4 IS Musical Nights
2.2.3.2 Basics of the WSO2 Identity Server System
As the industry's first Enterprise Identity Bus (EIB), WSO2 Identity Server is the central
backbone that connects and manages multiple identities across applications, APIs, the cloud,
mobile, and Internet of Things devices, regardless of the standards on which they are based. It
could be any given standard in the industry where the WSO2 Identity Server is directly
applicable, which makes it more flexible and adaptable to any kind of system available today.
There are many components packed with the WSO2 Identity Server, and some of them are
User Management, Authentication, Security, Communication, Analytics and Service provider
management. The multi-tenant WSO2 Identity Server can be deployed directly on servers or
in the cloud, and has the ability to propagate identities across geographical and enterprise
borders in a connected business environment [3].
Some of the main features available today in the latest WSO2 Identity Server are as follows.

26. 21
 Enterprise/Cloud Single Sign-On and Federation
 Strong Authentication
 Identity Governance and Administration (IGA)
 Entitlements and Access Control
 Monitoring, Reporting and Auditing
 Connectors to Extend the Identity Ecosystem
 Deployment Flexibility
 Pluggable, Extensible and Themable
From what I learnt, the WSO2 Identity Server is a product built on top of WSO2 Carbon. Based
on the OSGI specification, it enables easy customization and extension through it flexible
architecture.
Identity Server – User Management
User management functionality is provided by default in all WSO2 Carbon-based products.
User management involves defining and managing users, roles, and their access levels in a
system. A user management dashboard or console provides system administrators with a high-
level view of a system's active user sessions, their log-in statuses, the privileges of each user,
and their activity in the system, enabling system admins to make business-critical, real-time
security decisions [4]. I attended some of the important meetings related to user management
and I made not of the following diagram, which shows how the virtual user store is directly
pluggable with mane other user stores which run on many different standards.
A typical user management implementation involves a wide range of functionality such as
adding/deleting users, controlling user activity through permissions, managing user roles,
defining authentication policies, managing external user stores, manual/automatic log-out, and
resetting user passwords.
This was actually discussed at a meeting held within the team, and the team was asked to figure
out an easy mechanism to paginate the list of users. Using this architecture, the system was to
display the list of users, in separate pages so that each page contains a fixed number of users,

27. 22
and the purpose was to have an efficient way to show page 2 for example, with a set of users,
instead of retrieving all users and filtering the page 2 users.
Figure 2.5 WSO2 Virtual User Store
Identity Server – User Authentication
The user authentication framework of WSO2, was built by the team member themselves during
the early days of the WSO2 Identity Server. The architecture is so flexible, that it supports any
other authentication protocol and converts it to standard protocol and makes sure that the user
gets authenticated without any hassle, as needed by the system.
The user authentication architecture of the WSO2 Identity Server can be separated into three
main authenticators and they are as follows. This knowledge was gained by myself during the
inception phase of my project, where I had to dig deep into the Identity Server Architecture to
figure out how to integrate my project into it.
Inbound Authenticator: Inbound Authentitcator of the Identity Server is what captures
incoming authentication requests from different service providers. No matter what the request
protocol is, the inbound authenticator will standardize it so that the Identity Server can process
it with ease.

28. 23
Local Authenticator: The local Authenticator is what uses the traditional username, password
approach where, this is also known as the basic authenticator. The general idea is to do the
authentication process using local mechanisms, rather than using the support of an external
party.
Federated Authenticator: This is one of the interesting features in the WSO2 Identity Server. It
can redirect the authentication process to an external party like, social media, mobile connect
and so on. By this, what happens is, the external party will authenticate the user and sends back
a confirmation so that the System can authenticate the user from the system with that
confirmation. The following diagram was figured out by me, and I validated its correctness
with the seniors as well.
Figure 2.6 Authentication Framework
2.2.4 My Project – The Mobile Connect Federated Authenticator
What was discussed in the section 2.2.3.2 is directly related to my project I was supposed to
finish within the given time period. It was a novel idea, where the concept was out there, but
no one had implemented it within the WSO2 Identity Server. The documentation available
online regarding mobile connect as not sufficient and most of those online documentations
were inaccurate and outdated. My mentor, Mr. Parabath Siriwardena (Director of Security
Architecture), had written a well described blog regarding this, and I read that to get the general
idea on what I was supposed to implement.
In the meantime, since my mentor was abroad, Mr. Harsha Thirimanne (Associate Technical
Lead) was the one who helped me throughout the process. He practically learned about mobile
connect where one I learned from him, and the next day I was teaching him. He stood by my
side and helped me understand everything and if not for him, I would have been stuck halfway,

29. 24
a long time back. Despite all his work, he never rejected any of my help requests, where I can
remember, once he was sick at home, but came online for a discussion with me and stayed on
the discussion for over three hours, just to get the matters sorted as soon as possible. I was
wondering, if it was someone else, he would have probably asked me to wait till tomorrow to
discuss about it. But Mr. Harsha was the one who pushed me to complete this project, and I am
still thankful for the way he helped me.
All the findings about mobile connect which will be explained in the following sections, are
all my research because there was no proper documentation available online. I remember, once
I felt like giving up everything because it practically felt impossible to carry out something
which no one even knows. But with effort and motivation, I tried my best and achieved the
completion within the given time period, where Mobile Connect is one the main functionalities
that is being used by many users around the world.
2.2.4.1 Initial Mobile Connect Meeting
The initial mobile connect meeting was held in WSO2 Engineering building where my mentor,
Mr. Prabath Siriwardena (Director Security Architecture), Mr. Vernura Mendis (Chief
Technical Officer – WSO2 Telco), Mr. Johann Nallathamby (Technical Lead WSO2 Identity
Server), Mr. Harsha Thirimanne (Assistant Technical Lead – WSO2 Identity Server) and
myself being present at the meeting.
This went over an hour, where we discussed about the resources available within the company
to implement this kind of a product. My mentor gave me a set of guidelines to follow, in order
to finalize it within the given date, and publish it as one of the main connectors for the WSO2
Identity Server. The Chief Technical Officer of WSO2 Telco, Mr. Venura Mendis worked
alongside my project and gave me a lot of help in achieving the success of it.
At the end of the first meeting, it was discussed to get help from the WSO2 Telco, and finalize
a federated authenticator for the WSO2 Identity Server.
2.2.4.2 What is Mobile Connect?
This section explains what I, as an intern learned about mobile connect after all my researching.
I have written many blogs thanks to Mr. Prabath Siriwardena (Director Security Architecture),
because he was the one who encouraged me to write blogs about everything I learned. Since

30. 25
there was no proper resource available online, I decided to write a resource so that everyone
can use my documentation to learn about this upcoming technology.
Mobile connect is the mobile operator facilitated authentication solution, that provides simple,
secure and convenient access to online services. It is the convenient alternative to passwords
that protect customer privacy. This is a concept introduced by the GSMA (GSM Association),
which provides a global and secure authentication platform, by combining the user's unique
mobile number and PIN, to verify and authenticate the user, anywhere anytime. It also allows
the user to log into swiftly, without the need of any usernames or passwords [5].
2.2.4.3 How Does Mobile Connect Work?
Figure 2.7 How Mobile Connect Works
The given sequence above depicts the mobile connect flow, from signup/login to the complete
authentication in just 4 steps. The authentication process is carried out through your mobile
device rather than your personal device.
Step 1: Click on the "Sign up" or "Log in" button
Step 2: Enter your mobile number (optional)
Step 3: Confirm your authentication via the mobile device (USSD, SMS etc)
Step 4: Log in process is complete

31. 26
2.2.4.4 Why Mobile Connect?
The 21st century is a Digital Era where cyber-attacks have become a critical problem and many
organizations are still concerned on how secure their systems and products are. The levels of
security needed for data and information provided today, has made the access to these resources
unavailable without proper registration with the resource provider. Therefore, it becomes
mandatory for users to Sign Up with the system which results in remembering numerous
usernames and passwords. What if we had a simple and secure mechanism to carry out the
authentication process without much hassle, in just seconds?
By reducing the need for remembering the number of usernames and passwords, Mobile
Connect eliminates the frustration of the end user, drives more repeat business and ensures less
abandoned transactions.
The following statistics were obtained by the "GSMA’s 2015 Consumer Research" which is
related to user's perspective on Cyber Security. From overall number of users,
87% - Would prefer just one Strong Password to remember
86% - Have left websites when asked to register or signup
86% - Are concerned about security when online
88% - Want reduced risk of identity theft and credit card frauds
81% - Don't feel that they are getting much value from their personal data as third parties do
68% - Are more likely to return to a site that remembers them without a username or a password
This gives a much stronger argument as to why Mobile Connect will dominate the Digital
Authentication industry in the near future.
2.2.4.5 Mobile Connect Flow
The following diagram depicts the high-level view of how the sequence of activities occur in
terms of Mobile Connect Authentication.

32. 27
Figure 2.8 Mobile Connect Flow
 End user clicks on Mobile Connect button to access service
 Application requests end user operator details from the Discovery service
 Discovery responds with the operator details
 Application makes an authentication request to the end user operator, using OpenID with
Mobile Connect profile
 Operator sends authentication request to end user
 End user authenticates themselves using their mobile device
 A PCR specifying a specific end user is returned
 Access granted
2.2.4.6 What is Discovery API
The Discovery API service contains information related to many Mobile Network Operators
and its purpose is to provide necessary details of the Mobile Network Operators (MNOs) and
also provide the relevant endpoints of each MNO, which can be used to contact each MNO's
Mobile Connect API.
Every Mobile Network Operator has a MNC (Mobile Network Code) , and a MCC (Mobile
Country Code). The Discovery API service will identify the relevant MNO and identifies the
MNC and MCC required to proceed with the authentication process.

33. 28
The Discovery API requires details related to the user's MSISDN (Mobile Station International
Subscriber Directory Number) or MCC_MNC. The Service will automatically identify these
details if the user is using a Mobile Internet Connection (i.e. GPRS, 3G, 4G etc.). This scenario
is called "On-Net Mobile Connect".
If the user is using any other connection like a WiFi connection or a Broadband connection,
then the user will be prompted for the MSISDN or the name of the MNO. The Discovery API
will redirect to its own UI called " Operator Selection User Interface". This scenario is called
"Off-Net Mobile Connect".
This is a web based user interface provided by the Discovery API the determine the user's home
operator (MNO). This interface also supports multi languages to provide flexibility to users all
around the globe. This interface will be prompted by the service whenever it cannot
automatically identify the Mobile Network Operator of the user. Upon a successful lookup
from the information provided by the user, it will provide the MNO's MCC and the MNC to
the redirect URL that we specify at the application registration. To enable this functionality,
the Mobile Network Operator has to implement this feature by injecting custom Http headers
and other relevant information.
Following are some use cases of the Discover API
 Mobile Internet Connection + Mobile Device - The authentication process will
happen seamlessly. No user interaction at all
 Mobile Internet Connection + Computer - The service will try the retrieve the relevant
information from the sim. If failed, it will prompt for the user information, and
manual authorization is required
 Broadband/ WiFi Connection + Computer/Mobile - The user will have to input
relevant information and manual authorization is also required.
2.2.4.7 What is Mobile Connect API
Mobile Connect API is a service which is based OpenID Connect and it is an extension which
includes more flexibility to the entire process. And this extended version is called the Mobile
Connect Profile or the Mobile Connect API. The Mobile Connect API is normally an
implementation done from an IDP (Identity Provider) and instead of the normal Authorization
mechanism which uses the traditional username and password, this uses the mobile number to
access the mobile device for authorization.

34. 29
2.2.4.8 Social Media vs Mobile Connect Authentication
After crunching all the numbers and information, you must be wondering, how is this different
from Social Media Federated Authenticators. Almost in most of the web services and service
providers, "Log in with Social Media" plays a major role.
The collaboration and sharing made possible by Web 2.0 also comes with a specific set of risks,
in terms of privacy. Social networking sites are user hubs, where it is meant for collecting a set
of users to one place. And this is like the jackpot for attackers where they can use the
information to earn a lot of return on investment, if they are going after the social media users.
Mobile Connect is a powerful tool that can be used to move us all away from using social
media as an easier way to log in, which is tagged along with a lot of unnecessary risks. Even
though social networks can eliminate the need for passwords, there is no assurance that this
information is secure. But with mobile connect and its privacy policies, empowered by the
GSMA, no information is available to the service providers, without the user's consent, making
logging in and signing up much safer and private.
2.2.4.9 Safety of Mobile Connect
The levels of security in each application is different from its environment and purpose of use.
For example, a bank or a e-payment site would need a higher level of security than an ordinary
information system. Considering these possibilities, Mobile Connect provides the developer
with options on selecting a level of Security, which is also known as the Level of Assurance
(LoA).
LoA or the Level of Assurance, describes the degree of confidence, in various security
processes including authentication. (According to the ISO/IEC 29115 Standard). It provides
assurance that the entity claiming a particular identity, is the entity to which that identity was
assigned.
During the Mobile Connect Authorization process, the application declares the degree of
confidence required in the returned identity (For more: read Mobile Connect for Developers).
The greater the risk associated with an erroneous authentication, the higher the Level of
Assurance recommended.
There are four Levels of Assurance (LoA)

35. 30
1) Level of Assurance 1 (not supported by Mobile Connect)
2) Level of Assurance 2 (Requires a simple key press)
3) Level of Assurance 3 (Requires a simple key press)
4) Level of Assurance 4 (not supported by Mobile Connect)
Each and every operator, should implement at least one type of authenticator per LoA. MNO's
define authenticators in order to confirm that the user is who he/she claims to be. Following
are the mechanisms used by the Mobile Connect API as authentications.
 SMS + URL: SMS sent to the user's device with a unique one-time only URL (LoA 2)
 USSD: The operator will push a message to the terminal and can require a response
(LoA 3)
 SIM Applet: A binary SMS will be sent to trigger the SIM applet (LoA 3)
2.2.4.10 Mobile Connect Credentials
The Mobile Connect process flow consists of two main APIs, namely, "Discovery API" and
the "Mobile Connect API" (see image below). To access the "Discovery API" the developer
needs a pair of "client_id" and "client_secret" which can be used to gain authorization to the
"Discovery API". On the other hand, the "Mobile Connect API" runs on top of the OpenID
Connect Protocol and it contains three main endpoints that need credentials to access them. So,
the main question now is, "which credentials do we really need?"
In the Mobile Connect process flow, the credentials required to access the "Discovery API"
should be obtained from the GSMA or the Official Mobile Connect Developer site. In the
response sent back by the "Discovery API", we will receive a set of credentials to access the
"Mobile Connect API". This set of credentials will be used to access all three endpoints of the
"Mobile Connect API". Therefore, once we obtain the "Discovery API" credentials, that is
more than enough for us to proceed with the "Mobile Connect Authentication" process flow.
Refer to Mobile Connect Specifications for more details.
2.2.4.11 Mobile Connect Application On-Boarding Process
The "Application On-boarding Process" refers to the registration of the relevant service
provider with the Official Mobile Connect Developer Website.

36. 31
2.2.4.12 How to Get UserInfo Endpoint Access?
The claims supported by the "UserInfo Endpoint" are "email", "address", "phone" and
"offline_access". But all of this information are sensitive information and it contains
information about the relevant MSISDN users. Therefore most "Mobile Network Operators"
do not provide access to any of the claims mentioned above. The Mobile Connect API of each
MNO, will only provide a field named as "sub" which is a default response from the "UserInfo
Endpoint" according to the OpenID Connect Protocol.
But you must be wondering, whether this scenario will comply with the "Mobile Connect
Privacy Principles". Yes, all the projects that will be using Mobile Connect should be able to
agree to the "Privacy Principles". But at first, even though we promote our application and
obtain "Production Credentials" it doesn't necessarily mean that the "MNO"s believe the fact
that our application can be trusted in terms of "Sensitive Information". Therefore if you need
to gain access to the "Mobile Connect UserInfo Endpoint" of the respective MNO, you need to
contact the "MNO" separately.
2.2.5 Assisting Project – OpenID Connect Protocol
While working under the Mobile Connect project, I came up with this concept named OpenID
Connect, where the Mobile Connect Protocol, was written on top of OpenID Connect. These
are all my findings, where I had to do a lot of research and write blogs related to these. Some
information about these projects are given below. From statistics, I see today, there are lots of
visitors reading my blog even today and I am really happy about it. All of this was possible
because I picked the “Mobile Connect” project under the WSO2 internships.
2.2.5.1 What is OpenID Connect?
OpenID Connect is a simple authentication protocol, built on top of the OAuth2 protocol as a
separate identity layer. OAuth2 is an authorization protocol, which is being extended by the
OIDC, to implement its authentication mechanism. OIDC allows the applications to
authenticate and verify the end users based on the authentication performed by an
Authorization Server, which supports OIDC. This also allows the application to obtain basic
profile information, about the end-user in an inter-operable and REST-like manner. It uses
straightforward REST/JSON message flows with a design goal of “making simple things
simple and complicated things possible” [6].

37. 32
(Identity, Authentication) + (OAuth 2.0) = (OpenID Connect)
The OpenID Connect protocol is very flexible in which it gives the power to the client, to easily
customize the authentication process according to their needs. OIDC gives the power to clients
of all types, including Web-Based, mobile and JavaScript clients, to request and receive
information regarding the authenticated sessions and end users. The main extensible features
provided by the OIDC protocol are,
1) Encryption of Identity Data
2) Discovery of OpenID Providers
3) Session Management
2.2.5.2 History of OpenID Connect
OpenID Connect is the third generation of OpenID Technology. The original OpenID
authentication protocol was developed by Brad Fitzpatick in May 2005. This was more like a
visionary's tool which never got much commercial adoption, but it got people to think of its
possibilities and extensions. In the meantime, OpenID and OAuth were focused on two
different aspects of internet identity, whilst OpenID played the role of authentication, whereas
the OAuth played the role of authorization. Since these two extensions were playing a huge
role in each of its domains, the need to combine both these protocols arose.
As the second generation of OpenID, it came as an extension for OAuth, which was named as
OpenID 2.0. This was better than the earlier version, and it provided much more security and
worked seamlessly when implemented properly. Even though it had some design limitations,
the implementation of OpenID 2.0 was fully thought through.
The third generation of OpenID is the "OpenID Connect." Unlike OpenID 2.0, this was built
on top of the OAuth 2.0 as a separate identity layer. The "OpenID Connect's goal is to be much
more developer friendly, and providing a wide range of use cases where it can be implemented.
Currently this has been very successful and deployments are happening in huge scales.
2.2.5.3 Mobile Network Operators and OpenID Connect
In the modern digital era, we can see a considerable increase in the number of users using
online services via mobile devices and due to this reason, there is an increase in identity thefts
all around the world. The GSMA created a valuable business proposal for Mobile Network

38. 33
Operators so that they can join hands with OIDC to implement and render many services to its
customers. This business model states that MNO's, with their differentiated identity and
authentication assets, have the ability to provide sufficient authentication to enable consumers,
businesses, and governments to interact in private, trusted and secure environment and enable
access to services.
MNOs increasingly are interested in identity services currently being used online (i.e. login,
marketing, post sales engagement, payments, etc.), to mitigate some of the pain points
encountered in existing services, in order to meet the rapidly increasing market demand for
mobile identity services.
2.2.5.4 OpenID Connect vs OpenID 2.0
The functionalities available in the OIDC and OpenID 2.0 are pretty much the same whereas
the OIDC provides a much more API-friendly and usable implementation for native mobile
applications. "OpenID Connect" defines optional capabilities for robust signing and
encryption. To integrate OpenID 2.0 and OAuth 1.0, we require an extension, whereas in
OIDC, OAuth 2.0 protocols, OAuth 2.0 functionalities are integrated within the protocols itself.
OpenID 2.0 used XML and custom message signature scheme that in practice, sometimes
proved to be difficult for developers to implement. But in OAuth 2.0, the OIDC outsources the
necessary encryption to the web's built-in TLS (also called HTTPS or SSL) infrastructure,
which is universally implemented on both client and server platforms. OIDC uses standard
JSON Web Tokens (JWT) when signatures are required. Since JWT is more familiarized and
easier to use, this makes OIDC dramatically easier for developers to implement, and practically
has resulted in much better inter-operability.
2.2.5.5 About the OpenID Connect Foundation
The OpenID Foundation was formed in June 2007, and it is an international non-profit
organization of individuals and companies committed to enabling, promoting and protecting
OpenID technologies. The OIDF serves as a public trust organization representing the open
community of developers, vendors, and users.
This foundation provides much needed infrastructure to the community and helps in promoting
and expanding OpenID technologies. This entails managing intellectual property and brand
marks as well as fostering viral growth and global participation in the proliferation of OpenID.

39. 34
Contributors included a diverse international representation of industry, academia and
independent technology leaders: AOL, Deutsche Telekom, Facebook, Google, Microsoft,
Mitre Corporation, mixi, Nomura Research Institute, Orange, PayPal, Ping Identity, Salesforce,
Yahoo! Japan, among other individuals and organizations.
2.2.5.6 OpenID Connect Flow
OpenID Connect in abstract, follows the following sequence of steps.
 RP - Relying Party
 OP - OpenID Provider
(1) The RP (Client) sends a request to the OpenID Provider (OP)
(2) The OP authenticates the End-User and obtains authorization
(3) The OP responds with an ID Token and usually an Access Token
(4) The RP can send a request with the Access Token to the UserInfo Endpoint
(5) The UserInfo Endpoint returns Claims about the End-User
2.2.6 WSO2 Mobile Connect Webinar
One of my major achievement during the time of internships, is the chance to do a webinar at
WSO2. A webinar is a seminar conducted over the Internet. WSO2 normally conducts a lot of
webinars as part of their marketing campaigns, and whenever there is a release or a new product
coming in, the company will do a webinar and pass the message to all the customers and
interested parties of the company.
I did a webinar at WSO2 and it was based on my project Mobile Connect. The webinar was
titled, ‘Securing Access to SaaS Apps with GSMA Mobile Connect’. The following three
members were the speakers for the Webinar, and I am proud that I am also in it.

40. 35
Figure 2.9 Presenters of Webinar titled Securing Access to SaaS Apps with GSMA Mobile Connect
The following description is about the webinar, I was the one who demonstrated my product at
the webinar. Normally for WSO2 webinars, we expect a crowd of around 20 to 30 listeners,
whereas for my webinar, there were over 50 listeners and I was really proud of that.
Mobile Connect is an initiative by GSM Association (GSMA). GSMA represents the interests
of mobile operators worldwide, uniting nearly 800 operators with more than 250 companies in
the broader mobile ecosystem. The Mobile Connect initiative focuses on building a standard
for user authentication and identity services between mobile network operators and service
providers.
SAML, OpenID Connect and WS-Federation have become the most popular ways of
implementing identity federation and single sign-on (SSO) for many service providers. This
webinar will explore an approach to help service providers migrate from their existing
protocols to Mobile Connect in a zero-code-change approach, with the WSO2 Identity Server.
It will also discuss how to secure access to your most precious SaaS applications with Mobile
Connect [7].
The following parts were discussed during the webinar.
 Introduction to Mobile Connect
 Introduction to WSO2 Telco and the WSO2 Identity Server

41. 36
 How to migrate from OpenID Connect or SAML to Mobile Connect
 How to login to Salesforce/Google Apps via Mobile Connect
This opportunity to present in the WSO2 Webinar, was given to me by, Mr. Prabath
Siriwardena (Director Security Architecture) and I am really thankful for it.
2.3 Life at WSO2
The life at WSO2 is a wording brought up by the company itself, where the whole purpose is
to let everyone know what kind of an environment is present within the WSO2 culture. There
are a lot of fun activities happening around the company and most of them are directly related
to the unique culture that WSO2 has, despite its professional environment. Following are the
main events that I came across during my stay as an intern at WSO2. All of these activities
made me love the current working environment that WSO2 has.
2.3.1 Inter House Tea Time Championships
WSO2 has four houses within the company and every year, they organize a session of games
for all the houses to compete in during the tea time. It includes games like carom, table tennis,
foosball and pool. It was really fun because most of the time, when we come down for tea, we
normally play all these for fun, but now, we had to play with some copetition in order to bring
the reputation of the house up in the ladder.
I myself took part in almost all of these competitions made my house win, which is CloudBots
and I was really entertaining.
2.3.2 Inter House Badminton Tournament
The company has booked a badminton court in Colombo every week on Thursdays and Fridays,
where employees can go and play in those courts. I didn’t actually get a chance to go there and
play on a regular day, but I took part in the inter house badminton tournament and it was held
on a Saturday where most of the employees took part in it.
It was also a day filled with fun and entertainment, where most of the interns actually took part
in it.

42. 37
Figure 2.10 WSO2 Interhouse Badminton Tournament
2.3.3 WSO2 Smart Ass Quiz
This is also an inter house quiz where questions on general knowledge were asked during the
team time a selected set of team. I also took part in this, and it was more like a fun activity
where everyone was laughing and enjoying during the time of the quiz. The quiz was based on
different areas like, movies, music, food, wine and so on.
At first I thought that this would be a very technical quiz but when I got there, I was really
happy to know that it was actually a fun quiz based on general knowledge. Our house came
first place in that competition.
2.3.4 Secret Santa
This is a tradition that is being continued every year at WSO2 and the whole purpose it to
exchange gifts during the Christmas time, and to keep the person who gives the gift a secret,
hence the name “Secret Santa”. I heard that this tradition is being carried out by other
companies from time to time, but not consistently like at WSO2.
It was really fun, where we collected a lot of chocolates when the santas came to our floor, and
we managed to snatch a selfie with both the santas as well.

43. 38
Figure 2.11 Selfie with the Santas
2.3.5 Karaoke Session
This is a session where we all select a song to sing, and sing it during the tea time where
everyone would listen to. It was also a fun activity. Even though I didn’t take part in it, I enjoyed
listening to those songs during the tea time. Most of all, the funny part was when some of the
singers started to dance, where it was really entertaining and fun.
2.3.6 Whack Internal Hackathon
This was a hackathon conducted by WSO2 itself and it was only open to employees in the
company. The purpose of this hackathon was to get the competitors to compete with a given
data set and come up with a plan to increase sales and marketing of the company.
This was a really fun session where most of the interns took part in it, and I also took part with
a team of my own. It was an overnight hackathon where we had to analyze the given data set,
and come up with a very strong plan to increase sales of the company.
We had a lot of workshops, fun activities during the time of the hackathon and it was a new
experience for all of us. The best part was, after we presented the presentation and the
demonstration of the product, Mr Sanjiva Weerawarana (CEO and Founder of WSO2) called
us gave us an honourable mentions award for the hard work and dedication we had put into the
product.

44. 39
Figure 2.12 After getting the award from the Whack Hackathon
A diagram of the work done at the hackathon is as follows.
Figure 2.13 Whack Work Diagram of our team
2.3.7 WSO2 Intern Life
The WSO2 intern life is very extraordinary and it was really fun to work in a company like
this. Not only the interns from University of Moratuwa, but we became friends with other
interns and bonded up really quickly. It was very diverse but we managed to win everyone
heart and become a loved bunch within the other interns and within the company as well.
During the last day of our program, the WSO2 interns gave us a small ceremony because we
all were leaving on that day. It was a big surprise where we never knew that they had organized
something like this, especially for us. They gifted us with a mug and gave us speeches and talks

45. 40
where we really missed the fact that we are leaving a bunch of friends like this, and it was
really sad, even though we were happy for the surprise.
2.3.7.1 WSO2 Interns Trip
This was a new tradition started by the University of Moratuwa interns where we organized a
trip for all the interns at WSO2 to go on a trip with us. We see people going on trips and that
is mostly within the team where only 1 percent of the team actually takes part in these. Our trip
was organized for all the interns at WSO2 and as a count, there were around 60 interns currently
training at WSO2 at that time. And out of all of them, we were really happy to see 50 of them
turning up and it was a really turning point where we all bonded up with other university
students and became friendly with them.
We went to see the Aberdeen Falls and came back by one day. The purpose of the trip was to
make a recognition within the company to show that, the interns from University of Moratuwa
are a really friendly sent of interns, and as well as to unite all the interns at WSO2 despite
where they came from or what their university is.
Figure 2.14 WSO2 Interns Trip

46. 41
2.3.8 WSO2 Year End Party
This is the year end party of the company where everyone gets together and says goodbye to
the current year and enter a new year. This party always happens in a very grand style where
every employee takes part and enjoys the party.
The theme for the year 2016 was, neon, and all of tried our best to shine and be colourful as
possible at the party. During the party, there were plenty of games wehre we took part in most
of them and enjoyed the night.
At the entrance of the party, there were neon face painters where we drew stuff on our faces
and hands so that it will shine when the lights go out.
Figure 2.15At the WSO2 year-end party

47. 42
3 Conclusion
This training report is based on the experience I had when was working at WSO2 as an intern
during my internship period of University of Moratuwa. This report contains three chapters
where the first chapter explains about the training establishment and its core functions. This
chapter contains information about the training establishment, its main functions,
organizational structure and hierarchical levels. The information about the training
establishment contains information like what this company is all about and the history of the
company. In the mid-section of the chapter, it explains the core functionalities of the company
and the platform that the company uses, alongside its main products. And in the latter part of
the chapter, it mentions a SWOT analysis and my suggestions to improve its overall
performance, with the contribution of the company towards the IT industry of Sri Lanka.
The second chapter includes information related to the training experience I had, during my
time of stay at the training establishment. This chapter emphasizes on the work carried out at
the training establishment as an intern. It includes information regarding how I saw the
company from my perspective and what I experienced as an intern. From the first day itself, I
was well treated by the company and I really loved the culture of WSO2 where it was really
friendly and relaxed. The orientation program we had was also very interesting, where we
learned a lot about the company within just two weeks.
When I joined the Identity Server team of WSO2, I felt like I’m entering a different culture.
All the activities and fun stuff which was unique to that team only, was a different experience
that I had never felt before. I was working on a project named, “Mobile Connect Federated
Authenticator for Identity Server” and it gave me a different perspective to my career. I had to
start and research from scratch where I gained a lot of knowledge on Mobile Connect, as well
as the OpenID Connect Protocol.
During my intern life at WSO2, I met many friends from different backgrounds and different
attitudes, but all them were very helpful all the time. I really enjoyed my training period at
WSO2 and it all finished with a bang, with the WSO2 year-end party where we all attended
and enjoyed the end of the year.

48. 43
3.1 A different exposure from university life
During the time spent inside the university, our lives were mainly focused on the aspects of
gaining marks for the final exam and getting a good grade for the subjects we sit in. Most of
the interns who went to WSO2 with me, did not have any prior working experience and it was
a whole new level of exposure for all of us.
During the training period, I felt that the life was getting simpler and comfortable, because we
didn’t have any assignment deadlines or exams like in the university. So, we used to call all
the interns and go for tea breaks, lunch breaks and game sessions at the beginning of the training
period. But even with time, after getting assigned to projects, it was not that stressful from my
experience, because I was able to finish work on time, and get help from proper people when
needed.
When doing my project at WSO2, what I realized was, it was way different from the projects
we do at university. In the university, our main target is to finish the project and get the marks
from the lecturers. But here there was a much bigger risk at hand, because we had to deploy
this project to the customers of WSO2, and a simple mistake would cause the entire system to
go down. Therefore, we used to have meetings every day at work, discuss the code lines and
inform everyone about the work I’m doing actually reduced that risk and stress because it was
methodical in some manner.
Something new I learned by working at WSO2, is the transparency of work. We had to email
and inform everyone about our progress and keep everyone updated on the work we are
currently carrying out. This made me feel comfortable and easy when working, because I used
to get a lot of replies and comments on the work I was doing.
Also, the flat hierarchy of the company gave a different perspective to my communication skills
where professionalism was needed in the emailing and informality was needed when talking
with someone face to face. I even have had chats with the senior management whenever they
came down for tea. The way we communicate in university and at office showed two different
perspectives it was great to have that diverse perspective during our training period.
3.2 How to improve my final year at university?
 Do every work in a methodical manner so it does not feel complicated and stressful

49. 44
 Transparency in the work we do when we work with team members, because having
every team member updated is always beneficial
 Communicating everyone in a professional manner when at meetings and
presentations.
 Keep meeting minutes for all the meetings I have, so that everyone can keep track of
the content that was explained during the meeting
 Write blogs about everything you learn, so that someone else also can gain from
whatever I do.
 Have a friendly perspective on everyone and help other team members when you are
working in a team, because the team should move together as one to achieve its
milestones.
 Before starting any project, set milestones and deadlines, so that you have self-
conscious about the work and timeline to finish your project.
3.3 Quality of the training I received
From the six month stay at WSO2, I never felt any discomfort or stress because of the
environment I had to work in. If I am to rate the training I receives, I would give it ten out of
ten because I don’t have any complaints to report. Starting from the orientation program, it was
really fun and enthusiastic to learn about the WSO2 culture and gain industry exposure as we
all were expecting to have. I was actually eagerly waiting for the orientation to finish, because
I was really interested in working under a team with a new project of my own.
Before going for internships, I heard rumors where most of the companies, give simple stuff
like bug fixing, code checking and feature updates as intern projects. And I was a bit
demotivated by this story, but after coming to WSO2, all the projects which were presented to
us were new projects which were not actually any side projects, but projects that actually
contribute to the overall functionality of WSO2.
My mentor was Mr. Prabath Siriwardena who was the director of security architecture at
WSO2, helped me a lot in completing my product within the given time period. At first I
thought that he would not have time to communicate with me because I heard that he was a
very busy person in the team. But, despite the fact that he was working abroad, he always
checked on me and progress and helped me in every step possible. He was a really good mentor,
and he was the one who encouraged me to write blogs on everything I learn. I would

50. 45
recommend him as a good mentor because I felt lucky to have him as a mentor, as a guide and
as a friend.
The other aspects like, food, environment, friendly people and fun activities also caught my
attention and all I wanted to do was to take part in all of them and be social as much as possible.
I was able to do that within a few days’ time. The quality of the overall training period is great
and on the very last day of my training period, I was actually wishing to have more time with
the company, because it was very sad to leave all that experience and fun.
3.4 Comments on the training program organized by the university and NAITA
The training program organized by the university was really good, and I can proudly mention
that it is one of the best times of my university career so far. Unlike other universities, I prefer
to have the training period as we are having now, and 24 weeks of training is the ideal time for
us to learn about the industry exposure and gain what we really need to achieve at the end of
the program.
We all had to submit monthly training reports to the industrial training division of the university
and I found that a little troublesome because most of us were not actually staying near the
university during the internship period. I prefer it to be online, because that would have made
the submission process a lot faster than the manual process.
NAITA visited our training place on the last week of the training program, and only one person
came to assess all 30 training undergraduates. It took a very long time and I prefer if they had
sent some more to assess the students, which would have made the overall process a lot faster.
Nevertheless, the advices given to us and the guidance we got from NAITA should be
appreciated because the person who assessed us gave some real practical examples to all the
advices he mentioned.

51. 46
4 References
[1] "WSO2 - Wikipedia," Wikipedia, [Online]. Available:
https://en.wikipedia.org/wiki/WSO2.
[2] "WSO2 Platform," WSO2, [Online]. Available: http://wso2.com/platform.
[3] "WSO2 Identity Server," WSO2, [Online]. Available: http://wso2.com/products/identity-
server/.
[4] "WSO2 IS User Management Architecture," WSO2, [Online]. Available:
https://docs.wso2.com/display/IS510/User+Management+Architecture.
[5] "Keet Malin - What is Mobile Connect," Keet Malin Sugathadasa, [Online]. Available:
http://keetmalin.wixsite.com/keetmalin/single-post/2016/09/30/What-is-Mobile-Connect.
[6] "What is OpenID Connect - Keet Malin," Keet Malin Sugathadasa, [Online]. Available:
http://keetmalin.wixsite.com/keetmalin/single-post/2016/11/17/What-is-OpenID-
Connect-OIDC.
[7] "securing-access-to-saas-apps-with-gsma-mobile-connect Webinar," WSO2, [Online].
Available: http://wso2.com/library/webinars/2016/11/securing-access-to-saas-apps-with-
gsma-mobile-connect/.

52. 47
5 Table of Figures
Figure 1.1 WSO2 Platform ........................................................................................................3
Figure 1.2 Company Hierarchy of WSO2 .................................................................................6
Figure 2.1 WSO2 Carbon Kernel Modules..............................................................................15
Figure 2.2 Identity Server Management Console Main Menu ................................................17
Figure 2.3 Identity Server Team with Interns..........................................................................18
Figure 2.4 IS Musical Nights...................................................................................................20
Figure 2.5 WSO2 Virtual User Store.......................................................................................22
Figure 2.6 Authentication Framework.....................................................................................23
Figure 2.7 How Mobile Connect Works..................................................................................25
Figure 2.8 Mobile Connect Flow.............................................................................................27
Figure 2.9 Presenters of Webinar titled Securing Access to SaaS Apps with GSMA Mobile
Connect ....................................................................................................................................35
Figure 2.10 WSO2 Interhouse Badminton Tournament..........................................................37
Figure 2.11 Selfie with the Santas ...........................................................................................38
Figure 2.12 After getting the award from the Whack Hackathon............................................39
Figure 2.13 Whack Work Diagram of our team ......................................................................39
Figure 2.14 WSO2 Interns Trip ...............................................................................................40
Figure 2.15At the WSO2 year-end party.................................................................................41