Profesia, Lynx Group, presenta la terza puntata di masterclass sulla tecnologia WSO2 di cui è Distributore esclusivo per l'Italia. Autenticazione e autorizzazione, riconoscimento e abilitazione all'accesso. L'Identity server è uno strumento in grado di gestire l'autenticazione dei vostri utenti, interni ed esterni , di gestire le sessioni di login e di effettuare autenticazioni mirate al contesto applicativo. È consigliabile prediligere sempre un prodotto on-premise o in cloud compatible GDPR che supporta protocolli SAML e oAuth2 e permette la federazione con i maggiori IDP social. Se stai pensando a una trasformazione digitale per evolvere verso un business agile scrivi a contact@profesia.it e parla con uno dei nostri esperti

2. Iscriviti al gruppo Linkedin WSO2 Italia per entrare nella community italiana,
conoscere la tecnologia WSO2 e condividere strategie di integrazione e use cases

3. WSO2 API Manager
Addresses full API lifecycle management
operations. Open, extensible, customizable.
WSO2 Enterprise Integrator
Hybrid integration platform for quick,
iterative integration of any application,
data, or system.
WSO2 Identity Server
Federates and manages identities across
both cloud service and enterprise
environments.
WSO2 Technology
WSO2 Open Banking
A purpose-built technology platform for
global open banking.
WSO2 Open Healthcare
Towards greater interoperability with a
proven integration platform and FHIR®
.
WSO2 Strategic Consulting
Streamline your business objectives and
rapidly achieve key results.
Together, with hundreds of the world’s largest corporations, leading universities, and governments, we execute in excess of
6 trillion transactions, expose more than 200,000 APIs, and manage over 100 million identities every single year.

4. WSO2 Identity Server
Federates and manages identities across both cloud service and enterprise environments.

5. Analyst Recognition
https://wso2.com/identity-and-access-management/

6. WSO2 Identity & Access Management
The WSO2 Identity Server is the #1 open source
IAM product with comprehensive capabilities
for identity federation, strong customer
authentication, adaptive access control and API
security.
Highlights:
❖ Comprehensive identity federation, single
sign-on & global sign-off capabilities
❖ Extensive set of adaptive access control
capabilities
❖ Comprehensive API and Microservices
Security
❖ Open, extensible architecture for unique
business needs; rich connector ecosystem
❖ Container-friendly deployments

7. High-level Capability Breakdown
Identity Federation and SSO
Identity Bridging
Strong and Adaptive Access Control
Identity Provisioning and Administration
Authorization
API & Microservice Security
Consent Management

8. Authentication

9. Identity Federation & Single Sign-On (SSO)
❖ Business users need access to multiple heterogeneous applications.
➢ Cloud and on-premises applications
➢ Consumers, enterprise customers, partners, workforce applications
➢ Web, mobile web, mobile native, SaaS, IoT device applications
❖ Single Sign-On and Single Logout across identity federation protocols
➢ Claim and Role transformation
➢ Standard identity federation protocols

10. Federation with Identity Providers
❖ Provide access to users from trusted internal identity providers (B2E)
❖ Provide access to partners or customers from trusted external identity providers (B2B)
➢ Example: Authenticate users in ADFS to Salesforce
❖ Provide social login/sign-up for your consumer websites (B2C)
❖ The same set of standard identity federation protocols are available for outbound authentication requests
as well

11. Log-in Journey
The log-in journey of a user to a particular application is defined as a sequence of authentication
steps (MFA). Each authentication step can provide the user with multiple authentication options
(authenticator). A user MUST authenticate successfully AT EACH authentication step using AT LEAST
ONE authentication option.
❖ Classification based on :
➢ responsibility of user authentication
➢ user experience in service provider
➢ user experience
➢ user experience defined by PSD2

12. Request-based Step-up Authentication
❖ Required Level of Assurance (LoA)
➢ Authentication ContextClassRef in SAML2
➢ ‘acr’ in OpenID Connect
➢ custom HTTP parameters
View Balance Fund Transfer

13. Environment-based Step-up Authentication
Region Country

14. Environment-based Step-up Authentication
❖ Location (home/work)
❖ IP / IP-Range
❖ Device (trusted/untrusted/new)

15. Identity-based Step-up Authentication
❖ Group Role
❖ Attributes

16. Risk-based Authentication
❖ Login patterns (time of the day, day of the week, etc.)
❖ Last successful login time
❖ Typing speed
❖ Consecutive incorrect password attempts

17. Adaptive Authentication JavaScript Editor

18. Directory Integration
❖ Support for primary and multiple secondary user stores
❖ Supports read-only user stores

19. Identity Management
❖ User Profile
➢ User attributes
➢ User credentials
➢ User groups
➢ User roles
❖ User Onboarding Workflows
➢ Admin Creation Workflow
➢ Invitation Workflow
➢ Self-Registration Workflow
➢ Just-in-time (JIT) Provisioning Workflow
➢ Bulk user onboarding workflow
❖ Users/Groups/Roles Management
➢ By administrator
➢ Self-service profile management
➢ Inbound Provisioning Endpoints:
■ SCIM 2.0
■ Self-registration API
➢ Outbound provisioning connectors
■ E.g. SCIM 2.0, Google Apps, Microsoft
Azure
■ Rule-based
➢ Identity Verification / Proofing
■ E.g. Evident
➢ Multi-level Approvals
➢ Username recovery
➢ Identity Integration Workflows, Business
❖ Processes and Business Rules with WSO2
❖ Enterprise Integrator

20. Identity Management
❖ Identity Change Events:
➢ USER_UPDATE
➢ USER_DELETION
➢ PASSWORD_UPDATE
➢ GROUP_CHANGE
➢ ROLE_CHANGE
❖ Identity Event Triggers:
➢ Admin-initiated actions
➢ Self-service actions
➢ System-initiated lifecycle state
transitions
❖ Identity Lifecycle
➢ States:
■ PENDING
■ ACTIVE
■ LOCKED
■ INACTIVE
➢ State Transitions Events:
■ ACCOUNT_CREATED
■ ACCOUNT_CONFIRMED
■ ACCOUNT_LOCKED_INVALID_PASSWORD
■ ACCOUNT_LOCKED_INVALID_CHALLENGE_QUESTION_ANSWER
■ ACCOUNT_UNLOCKED_TIMEOUT
■ ACCOUNT_UNLOCKED_ADMIN
■ ACCOUNT_DEACTIVATED_IDLE
❖ Features
➢ Account confirmation via email address and/or mobile number verification
➢ Email address and mobile number verification for existing accounts and on change
event

21. ❖ Admin-initiated
➢ Password reset
➢ Admin-initiated password reset workflow
❖ Password policies
➢ Password complexity
➢ Password rotation
➢ Password history
❖ Self-service
➢ Set password on account confirmation for invitation
workflow
➢ On first log-in:
■ Set password
■ Set challenge questions/answers
➢ Password reset
➢ Challenge questions/answers
➢ Password recovery using:
■ Email address verification
■ Mobile number verification
■ Challenge question answers
Password management

22. Inbound and Outbound Provisioning
❖ Inbound: Users and groups can be provisioned into the WSO2 IS
➢ Outbound: Users and groups can be provisioned from WSO2 IS to external systems
➢ Supports SCIM 2.0 and SOAP (proprietary) APIs for inbound provisioning
➢ Supports SCIM 2.0, Salesforce, Google Apps, Microsoft Azure, etc. for outbound provisioning

23. Just-in-Time (JIT) Account Provisioning
Provision accounts for users from a federated IdP at the time of first login.
User story - A Company wishes to have social login with Facebook and Twitter for its consumer website, but also wishes to
manage a profile-lite for its users for offline communication purposes.

24. Approval Workflows
❖ Multi-step / multi-option approval template (similar to authentication)
❖ Approval option - either a user or a role
❖ Out-of-the-box supports for user or group management operations.
❖ Trigger conditions, e.g. ‘trigger workflow only if user is in the ‘manager’ group.
❖ Out-of-the-box integrates with
❖ WSO2 Business Process Server (BPS)
User story - students who are
added to a particular academic
year group have to be approved by
the administrators of that group.

25. Self-Care Portal
Putting the user at the center of the action

26. Authorization

27. ❖ Coarse-grained entitlements are managed centrally and enforced both centrally and in the application
➢ Create and manage roles
➢ Manage user roles
➢ Manage virtual role mappings for federated users
➢ Conditional log-in managed and enforced centrally via XACML 3.0 authorization policies
➢ Coarse-grained authorization managed centrally and enforced in the application via
■ Sending user roles in the log-in response
■ Querying user roles via SCIM 2.0 API
■ Evaluating user roles via XACML 3.0 Rest/JSON API
Role-Based Access Control (RBAC)

28. Permission-Based Access Control
❖ Fine-grained entitlements are managed centrally
➢ Permission = resource + corresponding action
➢ Fine-grained resources and actions
➢ Hierarchical resources
➢ Typed-Resource-level permissions
➢ Role is a named collection of permissions
➢ Users are assigned to roles
➢ Permissions are assigned to user groups
➢ User entitlements are sent to the application in the log-in response
➢ SCIM 2.0 API to query user entitlements
➢ XACML 3.0 Rest/JSON API to evaluate user entitlements

29. Attribute-Based Access Control (ABAC)
❖ Fined-grained entitlements are managed centrally and enforced in the application
➢ Fine-grained
➢ Instance-level authorization
➢ Policy-based / Rule-based access control (PBAC)
➢ XACML 3.0 Rest/JSON API
➢ Plug-in model available for PIPs, PRPs, functions, combining algorithms and other language constructs

30. OAuth2
❖ OAuth 2.0 is a framework to delegate authorization to resources (APIs)
❖ OAuth 2.0 by design can limit the authorization to resources by,
➢ resource owner (user)
➢ resource owner consent
➢ client (application)
➢ authorization expiry time (token lifetime)
➢ additional Authorization Server policies (via scopes)
❖ Orchestrates an approval interaction between the resource owner and the authorization server
❖ Resource owners can manage and revoke authorization grants at any time

31. OAuth2 Grant Flow
❖ 5 core grant flows
➢ Authorization Code
➢ Implicit
➢ Resource Owner Password
➢ Client Credentials
➢ Refresh Token
❖ Extended grant flows
➢ SAML2 Bearer Assertion
➢ JWT Bearer Assertion
❖ Custom grant flows
➢ Kerberos grant flow
➢ NTLM grant flow

32. Federated Authorization
❖ UMA 2.0 is a federated authorization protocol built on top of OAuth 2.0
➢ UMA defines a workflow that creates authorization policies on a centralized
authorization server for resource owners to control the access to their protected
resources

33. Analytics

34. ❖ Increased attack surface
❖ Authentication and authorization needed at each service
❖ Each microservice is a responsibility of a single team → Data security is also their responsibility
❖ Username/password is an option but self-signed JWT is better
Securing Microservices

35. Analytics, Alerts and Audit-trails

36. Analytics
Integrated with:
❖ Wso2 Analytics
❖ ELK
❖ Splunk

37. GDPR Compliance

38. Multy tenancy
❖ WSO2’s organization model, also technically known as multi-tenancy, is built with the intention of supporting IDaaS
offerings.
❖ In other words, WSO2 Identity Server is capable of hosting multiple organizations in the same runtime instance.
❖ With WSO2’s in-JVM multi-tenancy, you get API level isolation.
❖ With WSO2’s in-JVM multi-tenancy, you don’t get execution or data-level isolation.
❖ While the primary userstore is physically shared but logically separate, the secondary userstores are physically and
logically separate.
❖ With increasing number of tenants, tenant sharding/partitioning deployment models are available to support
horizontal scalability (beyond 1000 tenants).

39. White-labeled Pages & Custom Themes

40. Standards
❖ SAML2 Web Browser SSO, SAML2 Single Logout, SAML2 Artifact Resolution Profile,
❖ SAML2 Assertion Query/Request Profile, SAML2 Basic Attribute Profile, SAML2 SSO Metadata, Electronic
Identification Authentication and Trust Services (eIDAS)
❖ OAuth 2.0, OAuth2 Bearer Token Usage, SAML 2.0 Profile for OAuth 2.0, JWT Profile for OAuth 2.0, OAuth 2.0
Token Revocation, OAuth 2.0 Token Introspection, OAuth 2.0
❖ Form Post Response Mode, Proof Key for Code Exchange, MicroProfile JWT
❖ OpenID Connect 1.0 (except Front Channel Logout)
❖ UMA 2.0
❖ WS Security 1.0/1.1, SAML Token Profile Version 1.1, Kerberos Token Profile Version 1.1, X.509 Certificate Token
Profile Version 1.1, WS-Secure Converstation 1.3,
❖ WS-SecurityPolicy 1.1/1.2
❖ WS-Trust 1.3/1.4
❖ WS-Federation Passive Requestor Profile 1.2 (SAML 1.1), CAS v3.0
❖ Lightweight Directory Access Protocol (LDAP/S) v3, SCIM 1.1/2.0
❖ XACML 2.0/3.0
❖ Fast Identity Online (FIDO) Universal Two Factor (U2F)
❖ General Data Protection Regulation (GDPR)

41. Component Architecture

42. WSO2 Identity Server Connectors
Connectors for:
❖ Outbound federation
❖ Social login
❖ Infrastructure-as-a-Service (IaaS)
❖ Software-as-a-Service (SaaS)
❖ Identity-as-a-Service (IDaaS)
❖ Identity Proofing
❖ Security-as-a-Service (SECaaS)
❖ Outbound provisioning
❖ Hardware and software 2FA
❖ Mobile biometric authentication
❖ Identity Stores
❖ Cloud Directories
❖ Identity Server Rest API Security
❖ Authorization
❖ Hardware Security Module

43. Deployment

44. Deployment Pattern 1
❖ Highly available deployment of WSO2 Identity Server
➢ Minimum recommendation is 2 active/active nodes
❖ Deployment for scalability
➢ TPS based scaling (Single node can handle up to 34 million
authentication requests per day)
➢ Horizontal auto-scaling via AWS/Azure/Google App Engine
or container platforms such as K8S/Docker or OpenShift

45. Deployment Pattern 2
❖ Highly available deployment of WSO2 IS and WSO2 IS Analytics
➢ Minimum recommendation is 2 active/active IS nodes and 2
active/passive IS Analytics nodes
❖ Deployment for scalability
➢ TPS Based Scaling (Single IS Analytics node can handle up to 3000
event per second)
❖ IS Analytics doesn’t support horizontal dynamic scaling but events
published by upto 10 IS nodes

46. WSO2 Reference Architecture for CIAM

47. What's New in Next Releases - WSO2
Identity Server 5.12 and Beyond

48. 48
WSO2 Identity Server Roadmap Summary
Phase I - near term
Make the current product offering API-driven, developer focused and cloud
native. Deploy in the cloud (WSO2 Identity Cloud) to provide core Identity
functionality targeting CIAM.
2020/2021
Phase II - mid term
Expand IAM ecosystem around Identity Server / WSO2 Identity Cloud by
integrating and building technical partnerships with IAM vendors outside the
access management segment (analytics, risk-based authentication, etc)
2021 / 2022
Phase III - long term
Build an integrated CIAM solution in the cloud (WSO2 Identity Cloud).
Out-of-the-box integrations with consent and preference management
systems, CRM systems, marketing platforms/solutions, content
management systems, data management platforms, etc.
2022+
All information pertaining to WSO2 Identity Cloud is strictly confidential until the offering launches in July 2021. At that time, the Identity Cloud roadmap information will be publicly available.

49. 49
● Launch WSO2 Identity Cloud beta on top of Identity Server v5.12.0 as the base version.
● WSO2 Identity Cloud will support connecting to an on-prem identity store from the cloud
● Improved user experience with React based SPAs for self care, console (for devs and admins)
● Authentication SDKs (JS, React, Angular, Java, Android, .Net) and samples
● Authentication agents for Tomcat for SAML 2.0 and OIDC
● Developer tooling (VS Code plugin for adaptive scripts)
● Multiple Attribute login support
● Rest API for Multi Factor Authentication - SMS/Email OTP, TOTP, FIDO2
● Organization Management - B2B business use cases
Phase I: WSO2 Identity Cloud GA and WSO2 IS 5.12 - July 2021

50. 50
Phase II: 2021 Q4/2022
● Provide integration option with identity verification and proofing systems (EvidentID, IDEMEA,
Jumio, Socure)
● Expand strong authentications options with biometric and passwordless authentication provider
integrations (HYPR, Trusona, Typing DNA, Veridium, BehavioSec, etc.)
● Enhance cloudnative ecosystem integrations (log analytics: ELK, key rotation: Hashicorp Vault,
AWS KMS, Azure KMS) and onboard to WSO2 Identity Cloud
● Enhance SIEM integrations ( LogRhythm).
● Evaluate and build deep integrations with Ellucian, AWS, Office365 etc.
● Get the WSO2 Identity Cloud audited for SOC 2, HIPAA and PCI DSS, and build regional
deployments of WSO2 Identity Cloud to be compliant with regulatory requirements.
● Integrate with fraud detection systems (ThreatMetrix etc.)
● Integrate bot detection and mitigation systems (Imperva etc), to protect WSO2 Identity Cloud
● Deploy connectors/extensions as Docker containers

51. 51
Phase III: 2022+
● Provide integration options with 3rd party consent and preference management vendors: Consent
Systems, Didomi, KnowNow Information, Tealium, TrustArc.
● A web form designer for progressive profiling, that can be embedded into content management
systems
● Templated data orchestration flows between identity stores, CRM systems, CDM systems,
marketing automation platforms.
● Build out-of-the-box data-level integrations with MailChimp, Google Analytics, and Salesforce
Pardot (marketing platforms) in WSO2 Identity Cloud.
● Build out-of-the-box data-level integrations with Shopify, Magneto, Oracle Micros (ecommerce
platforms) in WSO2 Identity Cloud.
● Build out-of-the-box data-level integrations with SharePoint, Drupal, WordPress, and Joomla
(content management systems) in out-of-the-box.

52. Q&A?

53. GRAZIE!!!
Prossimo appuntamento:

54. Contatti
DOVE SIAMO
Milano - Torino - Padova - Roma
TELEFONO
Torino +39-011-0120371
EMAIL
wso2.sales@profesia.it
@