2. Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
3. Trends in user centric identities
• User in the middle of the identity transaction
• Governed by Seven Laws of Identity
• OpenID/Information Cards
4. Trends in user centric identities – OpenID
• Decentralized Single Sign On +
• Single profile across different domains +
• Easy profile maintenance +
• Authenticates once at the OpenID Provider +
• Phishing ???
• Different user experience
• Requires HTTPS + user education
5. Trends in user centric identities – Information Cards
• Phishing resistant authentication +
• Based on WS-* standards +
• Highly cryptographic solution +
• Authenticates only at the Identity Provider +
• Single user profile
• Different user experience
6. Trends in user centric identities
It’s NOT OpenID vs. Information Cards, but OpenID with Information Cards
10. Sri Lanka Country Portal
• Provides access to backend services through portlets [a single eService, several eServices from a specific project, or a transactional / mashup combination of eServices across several projects]
• Users log in to the country portal, and the functionality they are authorized for becomes available.
• How authentication takes place ???
• How authorization takes place ???
12. Identity as a Service
• Integrates identity services into application development
• Decouples identity related logic from individual application business logic
• User and identity related data externalized from the applications themselves
• Breaks identity silos
13. Identity as a Service
[Diagram: Identity Management Service backed by a User Store]
15. Securing Sri Lanka Country Portal – Authentication
[Diagram: the Country Portal authenticates users against the Identity Provider [WSO2 Identity Solution]; the Identity Management Service (IdMRealm) backs it with the User Store]
16. Securing Sri Lanka Country Portal – Authentication
[Diagram: the same components as slide 15, annotated with the protection on each link: WS-Security, HTTPS, and white/black listing of OpenID Providers (OPs)]
17. Securing Sri Lanka Country Portal – Authentication
[Diagram: authentication options at the Identity Provider [WSO2 Identity Solution]: Username/password, Self-issued InfoCard, Client certificate]
18. Securing Sri Lanka Country Portal – Authorization
[Diagram: Country Portal hosting the Driving License Management Portlet, Passport Management Portlet and EPF/ETF Management Portlet]
19. Securing Sri Lanka Country Portal – Authorization
[Diagram: the same portlets with the functions available to one user. Driving License Management Portlet: Request Driving License, Track Status. Passport Management Portlet: Request Passport, Track Status. EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF]
20. Securing Sri Lanka Country Portal – Authorization
[Diagram: the same portlets for another user. Driving License Management Portlet: Request Driving License, Track Status. Passport Management Portlet: Issue Passport, Reject Passport Requests, List Pending Requests. EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF]
21. Securing Sri Lanka Country Portal – Authorization
[Diagram: the same portlets for another user. Driving License Management Portlet: Issue Driving License, List Pending Requests. Passport Management Portlet: Request Passport, Track Status. EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF]
22. Securing Sri Lanka Country Portal – Authorization
[Diagram: the same portlets for another user. Driving License Management Portlet: Request Driving License, Track Status. Passport Management Portlet: Request Passport, Track Status. EPF/ETF Management Portlet: List Pending Claims]
23. Securing Sri Lanka Country Portal – Authorization
• Authorization logic should be handled by the corresponding service(s) behind the portlet [or maybe by the LIX]
[Diagram: the Country Portal calls getPortlet(user) on the Driving License Management Service, the Passport Management Service and the EPF/ETF Management Service, and each service builds the portlet for that user]
24. Securing Sri Lanka Country Portal – Summary
• User store will be managed centrally through the Identity Management Service
• Country Portal will use OpenIDs for authentication with a white-listed OpenID Provider
• Once a user is authenticated, the functionality available to them is decided by evaluating authorization logic at the corresponding backend service.
25. Securing Sri Lanka Country Portal – Handling Authorization
• Each backend service needs to evaluate user rights.
• Application-specific authorization handling or standards-based authorization handling.
• Standards-based authorization with XACML
26. Securing Sri Lanka Country Portal – Authorization with XACML
• Defining policies
• “Passport service administrators can list all the pending passport requests”
[Diagram: policies are defined at the Policy Administration Point (PAP) [WSO2 Identity Solution] and stored in the Policy Store [WSO2 Registry]]
27. Securing Sri Lanka Country Portal – Authorization with XACML
• Evaluating policies
[Diagram: a Request reaches the Policy Decision Point (PDP) [WSO2 Identity Solution]; the PDP retrieves policies through the Policy Retrieval Point (PRP) [WSO2 Identity Solution] from the Policy Store [WSO2 Registry], and obtains attributes from the Policy Information Point (PIP), which is backed by the Identity Management Service [WSO2 Identity Solution] over WS-Security]
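As an added example (not WSO2 code and not part of the original deck), the following ties slides 26 and 27 together: the slide's rule is written as a small XACML 3.0 policy, a stand-in PIP supplies the subject's role from a constructed user store standing in for the Identity Management Service, and a minimal PDP evaluates a request against the policy. The role attribute id, the user store contents and the resource/action names are all constructed for the example.

```python
import xml.etree.ElementTree as ET
# XACML 3.0 identifiers (standard) plus one constructed attribute id for the user's role.
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:lankagate:role"                       # constructed, not a WSO2 id
SUBJ_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def match(category, attr_id, value):
    """One <Match>: the request attribute attr_id must string-equal value."""
    return (f'<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')

# The PAP's policy for the slide's rule: passport service administrators may list
# pending passport requests.  A request that matches no rule gets NotApplicable.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="passport-admin" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="list-pending" Effect="Permit"><Target><AnyOf><AllOf>
    {match(SUBJ_CAT, ROLE, 'passport-admin')}
    {match(RES_CAT, RESOURCE_ID, 'passport-requests')}
    {match(ACT_CAT, ACTION_ID, 'list-pending')}
  </AllOf></AnyOf></Target></Rule>
</Policy>"""

# Stand-in PIP: roles come from the Identity Management Service's user store (constructed data).
USER_STORE = {"kamal": "passport-admin", "nimal": "citizen"}

def evaluate(policy_xml, request):
    """PDP: return Permit / Deny / NotApplicable for a {attribute-id: value} request context."""
    ns = {"x": XACML}
    ctx = dict(request)
    ctx[ROLE] = USER_STORE.get(ctx.get(SUBJECT_ID), "")      # the PIP resolves the role
    effects = []
    for rule in ET.fromstring(policy_xml).findall("x:Rule", ns):
        for allof in rule.findall("x:Target/x:AnyOf/x:AllOf", ns):
            if all(ctx.get(m.find("x:AttributeDesignator", ns).get("AttributeId"))
                   == m.find("x:AttributeValue", ns).text
                   for m in allof.findall("x:Match", ns)):
                effects.append(rule.get("Effect"))
                break                      # any one satisfied AllOf matches the Target
    if "Deny" in effects:                  # deny-overrides rule combining
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pep_allows(decision):
    """PEP inside the backend service: only an explicit Permit grants access."""
    return decision == "Permit"
```

The PEP treats NotApplicable the same as Deny, so a citizen asking to list pending requests, or an administrator asking for an action the policy does not cover, is refused without a second rule being needed.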
29. Securing Backend Services
[Diagram: the Lanka Interoperability Exchange calls the EPF/ETF Management Service, the Passport Management Service and the Driving License Management Service, each link secured with WS-Security]
31. Other security aspects
• Auditing
– Every authentication and authorization decision has to generate an audit event
– Identity Management Service / PDP
– Secure logging – audit trails should preserve integrity
– XDAS - OpenXDAS
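As an added example (not part of the deck, the Lanka Gate design or OpenXDAS), the following shows one way to give the audit trail the integrity property the slide asks for: each authentication or authorization event from the Identity Management Service or the PDP is appended to a chain where every record's HMAC also covers the previous record's HMAC, so editing, deleting or reordering an earlier record is detected on verification. The key, component names and events are constructed for the example.

```python
import hmac, hashlib, json

AUDIT_KEY = b"constructed-demo-key-use-a-protected-key-in-production"   # constructed

def _mac(key, prev_mac, record):
    """HMAC over the previous record's MAC and a canonical encoding of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append_event(trail, key, source, subject, resource, action, decision):
    """Append one audit record; 'source' is the component that decided (IdM service or PDP)."""
    record = {"seq": len(trail), "source": source, "subject": subject,
              "resource": resource, "action": action, "decision": decision}
    prev = trail[-1]["mac"] if trail else ""
    trail.append({**record, "mac": _mac(key, prev, record)})
    return trail[-1]

def verify_trail(trail, key):
    """Return (True, -1) if the chain verifies, else (False, index of the first bad record).

    Note: removal of records at the very end is not detectable from the chain alone;
    the latest MAC must also be anchored somewhere the logger cannot rewrite.
    """
    prev = ""
    for i, entry in enumerate(trail):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if record.get("seq") != i or not hmac.compare_digest(entry["mac"], _mac(key, prev, record)):
            return False, i
        prev = entry["mac"]
    return True, -1

def demo():
    """Build a constructed three-event trail, tamper with record 1, and report the result."""
    trail = []
    append_event(trail, AUDIT_KEY, "IdM", "kamal", "country-portal", "authenticate", "success")
    append_event(trail, AUDIT_KEY, "PDP", "kamal", "passport-requests", "list-pending", "Permit")
    append_event(trail, AUDIT_KEY, "PDP", "nimal", "passport-requests", "list-pending", "NotApplicable")
    trail[1]["decision"] = "Deny"           # simulated after-the-fact edit of a stored decision
    return verify_trail(trail, AUDIT_KEY)   # -> (False, 1)
```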