End-to-End Identity Management
Darshana Gunawardana, Senior Software Engineer
Harsha Thirimanna, Senior Software Engineer
WSO2 Platform
Agenda
o Why an enterprise needs:
  o Centralized authentication
  o Single Sign On
  o Provisioning
  o Account management
  o Workflow
  o Authorization
  o Federation
Start from the beginning
o Consider a startup: “Extern Inc.”
  o Handful of employees
  o No internal apps for employees
  o No worries :)
o After some time
  o Business is running well
  o Plan to expand the business; going to recruit more
  o Has several internal applications, including an HR
    system, email service etc.
User Accounts in all systems…
[Diagram] Robert (an employee) has a separate account in every system:
o Cloud email Service: Username = “robert”, Password = “robert-pass”
o Other systems (Expense Management System, HR System, …):
  Username = “robert2”, Password = “robert2-pass”
  Username = “robert2”, Password = “robert2-pass”
  Username = “robert_5”, Password = “K67robert2-AB-#2”
Plan for future : Centralized user store
o Which type of user store?
  o LDAP
  o Active Directory
  o Custom user schema over a JDBC database
Connecting Internal Apps
o Utilize the central user store by connecting all
  internal apps to it
o How to connect?
  o Standard authentication protocols
  o SAML2 SSO, OpenID Connect, OpenID, WS-Federation (passive)
o Need for a fully functional Identity Provider
  system
Centralized Identity Provider
[Diagram] Robert (Username = “robert”, Password = “robert-pass”) sends a
standard authentication request to the Identity Provider (e.g. WSO2 IS),
which validates the credentials against the User store and issues a Token;
the Token is then presented to the Service provider (e.g. HR System).
All apps connected..!
[Diagram] Robert now logs in to the Mail Client, HR System and Expense
Management System through the Identity Provider (e.g. WSO2 IS) with a
single credential pair (Username = “robert”, Password = “robert-pass”);
one app on the slide is still labelled with the old pair
(Username = “robert2”, Password = “robert2-pass”).
User experience
o Re-entering the same password too many times
o Solution : Single Sign On
SSO In General : Initial login
[Diagram] Actors: User, Service provider (e.g. HR System), Identity
provider (e.g. WSO2 IS) backed by its User data.
1. Log in request (user to the SP)
2. Redirect to IDP URL
3. Request token
4. Authenticate (IDP checks the user data)
5. Redirect to SP with token
6. Send SAML token; the SP establishes Session: S1
SSO In General : Subsequent logins
[Diagram] Actors: User (already holding Session: S1 with Service provider 1,
e.g. HR System), Service provider 2 (e.g. Cloud Mail Service), Identity
provider (e.g. WSO2 IS) backed by its User data.
1. Log in request (user to SP 2)
2. Redirect to IDP URL
3. Request token (existing IDP session: IS1)
4. Bypass login page
5. Redirect to SP with token
6. Send SAML token; SP 2 establishes Session: S2
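The two SSO flows above, as an added example that is not part of the original slides: a minimal Python model in which one identity provider session (IS1) lets the user reach a second service provider without seeing the login page again, while each SP still opens its own session (S1, S2) and rejects a token minted for a different SP. The HMAC-signed JSON token, the session id format and the shared key are assumptions standing in for a SAML assertion and the IdP's signing certificate.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample user store: the "User data" box on the diagrams.
# Demo only; a real store would use a salted, slow password hash.
USER_STORE = {"robert": hashlib.sha256(b"robert-pass").hexdigest()}


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


class IdentityProvider:
    """Keeps one browser session per authenticated user (the IS1 session)
    and mints a signed, audience-bound token per service provider."""

    def __init__(self, signing_key):
        self._key = signing_key
        self.sessions = {}           # IdP session id -> username
        self.login_pages_shown = 0   # how often step 4 needed credentials

    def _sign(self, claims):
        body = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + mac

    def request_token(self, sp_id, idp_session=None, username=None, password=None):
        """Steps 3-5: returns (idp_session_id, token). A valid IdP session
        bypasses the login page; otherwise credentials are checked."""
        if idp_session in self.sessions:
            user = self.sessions[idp_session]
        else:
            self.login_pages_shown += 1
            if username is None or USER_STORE.get(username) != _sha256(password or ""):
                raise PermissionError("authentication failed")
            user = username
            idp_session = "IS" + secrets.token_hex(8)
            self.sessions[idp_session] = user
        claims = {"iss": "idp", "sub": user, "aud": sp_id,
                  "exp": int(time.time()) + 300}
        return idp_session, self._sign(claims)


class ServiceProvider:
    """Consumes the token (step 6) and opens its own local session (S1/S2)."""

    def __init__(self, sp_id, idp_key):
        self.sp_id = sp_id
        self._idp_key = idp_key  # simplification: shared key instead of the IdP certificate
        self.sessions = {}       # SP session id -> username

    def consume_token(self, token):
        body_hex, mac = token.split(".")
        body = bytes.fromhex(body_hex)
        expected = hmac.new(self._idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.sp_id:
            raise PermissionError("token issued for another service provider")
        if claims["exp"] < time.time():
            raise PermissionError("token expired")
        sid = "S" + secrets.token_hex(8)
        self.sessions[sid] = claims["sub"]
        return sid


def run_sso_demo():
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key)
    hr = ServiceProvider("hr-system", key)
    mail = ServiceProvider("cloud-mail", key)

    # Initial login: no IdP session yet, so the login page is shown once.
    is1, token_hr = idp.request_token("hr-system", None, "robert", "robert-pass")
    s1 = hr.consume_token(token_hr)

    # Subsequent login to a second SP: the browser presents IS1, login bypassed.
    is1_again, token_mail = idp.request_token("cloud-mail", is1)
    s2 = mail.consume_token(token_mail)

    # A token minted for the HR system must not open a mail session.
    try:
        mail.consume_token(token_hr)
        cross_sp_rejected = False
    except PermissionError:
        cross_sp_rejected = True

    return {
        "login_pages_shown": idp.login_pages_shown,
        "same_idp_session": is1 == is1_again,
        "sp_users": (hr.sessions[s1], mail.sessions[s2]),
        "distinct_sp_sessions": s1 != s2,
        "cross_sp_rejected": cross_sp_rejected,
    }


if __name__ == "__main__":
    print(run_sso_demo())
```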
Authentication Protocol Comparison
o SAML2
  o Most popular protocol, with several profiles
  o Supports single logout
o OpenID Connect
  o Becoming more popular
  o Has a strong set of supplementary specifications
o OpenID
  o Deprecated by most Identity Providers
o WS-Federation (passive)
  o Widely used with .Net applications
Sync Users to applications
o Many applications handle authorization
  internally
o Authorization check as a post-authentication task
o Need to assign the relevant attributes/roles
o Sync the application with the centralized identity
  repository
Provisioning
[Diagram] The Identity server at Extern Inc. creates the user
(<<< Create User >>> Username: jane, Email: jane@extern.com) and then
provisions the account into each connected system with the attributes
that system needs:
o Cloud email service: <<< Create User >>> Username: jane,
  Password: jane123, Email: jane@extern.com
o Contacts Directory and Expense Management System:
  <<< Create User >>> Username: jane
  <<< Create User >>> Username: jane@extern.com
Enterprise Identity Bus : Provisioning
o Decouples inbound and outbound provisioning
o Selective provisioning
o Rich processing of data
  o Subject mapping
  o Claim mapping
  o Role mapping
o Inbound provisioning : SCIM & SOAP
o Outbound provisioning : SCIM & SPML
o Extensibility to support any protocol
Account Management
o Self registration
o Password / User ID recovery
o Update profile
o Enable two-factor authentication
o Associate accounts
o Password policy enforcement
o Account locking
Expansion in Extern Inc...
o Extern Inc. has acquired a new company in
  Europe
o New division to handle sales and marketing in
  Europe
o Identity management perspective:
  o A new user base
  o Different user store / repository
  o Plug it into the current system as a secondary user
    store
Multiple User Stores
Need More Control?
[Diagram] “Update roles” and “Update claims” requests flow straight into
the Identity server, but different stakeholders want a say:
o “I need to approve assignments to the ‘Assessor’ role”
o “I need to approve all claims”
o “One of us has to approve all new assessors”
Get More Control with Workflows
[Diagram] An “Update claims” request to the Identity server is held in an
“Approve claims update” task assigned to “Bob” before it is applied.
Get More Control with Workflows (Ctd..)
[Diagram] An “Update roles” request to the Identity server goes through two
“Approve role assignment” tasks, one assigned to the “supervisors” role and
one assigned to “James”.
Authorization
o Authentication
  o Who the user is
o Authorization
  o What the user can do
What the User Can Do...
[Diagram] Service provider 1 (SP1) holds the resources /data/files,
/data/archives, /data/visualize and /data/details, accessed by the users
Jane, David and Tao.
Access control policy:
  If user = Tao and resource = /data/archives: Permit.
  If role = Clark and action = write: Deny.
  If role = Manager and resource = /data/files: Permit.
Authorization challenges
o Authorization rules change frequently
o Fine-grained authorization requirements
o Solution : XACML
  o Attribute-based access control standard
  o Rule-based access control
  o De-facto standard for fine-grained access control
XACML - Architecture
[Diagram] Users Tao, David and Jane request the resources /data/files,
/data/archives, /data/visualize and /data/details through a Policy
Enforcement Point (PEP). The PEP asks the Policy Decision Point, which
evaluates the policies held in the Policy Store (e.g. “If user = jane:
Permit.”, “If role = clark and Action = write: Deny.”); policies are
authored through the Policy Administration Point.
XACML Policy Enforcement Points
o WSO2 ESB
o WSO2 API Manager
[Diagram] In the WSO2 ESB, a Proxy service sets the request attributes
(Property [Set user], Property [Set resource]) and invokes the Entitlement
mediator, which queries the XACML Engine (WSO2 IS); on accept the message
is sent to the Service provider (SP), on reject it is dropped.
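The access control policy from the “What the User Can Do” slide and the PEP/PDP split from the XACML architecture slide, as an added Python example that is not part of the original slides: a small attribute-based decision point that evaluates those three rules with XACML's deny-overrides combining algorithm, and an enforcement point that fails closed when no rule applies. The role assignments (Jane = Manager, David and Tao = Clark) are constructed; the slides do not state them.

```python
from dataclasses import dataclass
from typing import Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    """One 'If <attributes> then <effect>' line of the slide's policy."""
    effect: str
    target: Dict[str, str]  # attribute name -> required value; all must match

    def evaluate(self, request: Dict[str, str]) -> str:
        for attr, value in self.target.items():
            if request.get(attr) != value:
                return NOT_APPLICABLE
        return self.effect


class PolicyDecisionPoint:
    def __init__(self, rules: List[Rule]):
        # In XACML these come from the Policy Store, authored via the PAP.
        self.rules = rules

    def decide(self, request: Dict[str, str]) -> str:
        """Deny-overrides combining: one Deny beats any number of Permits."""
        results = [rule.evaluate(request) for rule in self.rules]
        if DENY in results:
            return DENY
        if PERMIT in results:
            return PERMIT
        return NOT_APPLICABLE


class PolicyEnforcementPoint:
    """The gatekeeper in front of SP1's /data/* resources."""

    def __init__(self, pdp: PolicyDecisionPoint, roles: Dict[str, str]):
        self.pdp = pdp
        self.roles = roles  # user -> role, looked up the way a PIP would

    def authorize(self, user: str, resource: str, action: str) -> bool:
        request = {"user": user, "role": self.roles.get(user, ""),
                   "resource": resource, "action": action}
        # Fail closed: NotApplicable and Deny both mean no access.
        return self.pdp.decide(request) == PERMIT


# Policy exactly as written on the slide; "Clark" is the role name used there.
POLICY = [
    Rule(PERMIT, {"user": "Tao", "resource": "/data/archives"}),
    Rule(DENY, {"role": "Clark", "action": "write"}),
    Rule(PERMIT, {"role": "Manager", "resource": "/data/files"}),
]

# Constructed role assignments (assumption; not stated on the slides).
ROLES = {"Jane": "Manager", "David": "Clark", "Tao": "Clark"}

PEP = PolicyEnforcementPoint(PolicyDecisionPoint(POLICY), ROLES)


def check_requests():
    """Runs sample requests through the PEP; returns 'user action resource' -> allowed."""
    cases = [
        ("Tao", "/data/archives", "read"),      # user rule permits, nothing denies
        ("Tao", "/data/archives", "write"),     # Permit vs Clark-write Deny: Deny overrides
        ("Jane", "/data/files", "read"),        # Manager rule permits
        ("Jane", "/data/archives", "read"),     # no rule applies: fail closed
        ("David", "/data/visualize", "write"),  # Clark-write Deny
    ]
    return {f"{u} {a} {r}": PEP.authorize(u, r, a) for u, r, a in cases}


if __name__ == "__main__":
    for req, allowed in check_requests().items():
        print(f"{req}: {'allowed' if allowed else 'blocked'}")
```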
Connecting with external parties
o Extern Inc. acquires a new company, “PlusX”, as
  a subsidiary
o PlusX has its own identity provider, with its
  own internal apps connected to it
o Can PlusX employees use Extern Inc. apps?
Connecting with external parties
[Diagram] Jane, a PlusX employee, wants to access the ‘Contact Directory’
app hosted by Extern Inc. The Extern Inc. Identity server replies
“You are not in my Identity Server!”, and Jane answers
“But I am registered in PlusX”.
Connecting with external parties
[Diagram] The Extern Inc. Identity server trusts the local IS and also
trusts the IS in the PlusX office.
If PlusX says “This is Jane”, then Extern Inc. believes it
(Extern Inc. trusts the PlusX IdP).
Enterprise Identity Bus : Federation
o Easily connect new Identity Providers
o Protocol bridging
o Multi-step, multi-option authentication flows
o Inbuilt support for Social Login
o Zero changes on the Service provider
o Rich processing of data
  o Subject mapping
  o Claim transformation
  o Role transformation
o Home realm discovery
Concepts in Reality
o Some external contributors have access to the
  community portal via self registration
o Employee life cycle in the company
  o Employee creation
  o Going through approval
  o Sync up with the required systems
  o SSO with all applications
  o Lock the identity upon resignation
Q&A
Thank You!

More Related Content

What's hot

Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
WSO2
 
ISS SA le presenta los Escenarios para IdentityGuard de Entrust
ISS SA le presenta los Escenarios para IdentityGuard de EntrustISS SA le presenta los Escenarios para IdentityGuard de Entrust
ISS SA le presenta los Escenarios para IdentityGuard de Entrust
Information Security Services SA
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer
 
Presentation- on OIM
Presentation- on OIMPresentation- on OIM
Presentation- on OIM
Tamim Khan
 
Federated Identity Architectures Integrating With The Cloud
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloud
rsnarayanan
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
Roger CARHUATOCTO
 

What's hot (20)

Auth experience - vol 1.0
Auth experience  - vol 1.0Auth experience  - vol 1.0
Auth experience - vol 1.0
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
 
ISS SA le presenta los Escenarios para IdentityGuard de Entrust
ISS SA le presenta los Escenarios para IdentityGuard de EntrustISS SA le presenta los Escenarios para IdentityGuard de Entrust
ISS SA le presenta los Escenarios para IdentityGuard de Entrust
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- Continuous Access Evaluation P...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Continuous Access Evaluation P...OIDF Workshop at Verizon Media -- 9/30/2019 -- Continuous Access Evaluation P...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Continuous Access Evaluation P...
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
 
Presentation- on OIM
Presentation- on OIMPresentation- on OIM
Presentation- on OIM
 
Identity as a Managed Cloud Service
Identity as a Managed Cloud ServiceIdentity as a Managed Cloud Service
Identity as a Managed Cloud Service
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
 
Identity Manager OpenSource OpenIDM - introduction
Identity Manager OpenSource OpenIDM - introductionIdentity Manager OpenSource OpenIDM - introduction
Identity Manager OpenSource OpenIDM - introduction
 
Con8823 access management for the internet of things-final
Con8823   access management for the internet of things-finalCon8823   access management for the internet of things-final
Con8823 access management for the internet of things-final
 
Oracle Identity & Access Management
Oracle Identity & Access ManagementOracle Identity & Access Management
Oracle Identity & Access Management
 
O365con14 - information protection and control in office 365
O365con14 - information protection and control in office 365O365con14 - information protection and control in office 365
O365con14 - information protection and control in office 365
 
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
 
Federated Identity Architectures Integrating With The Cloud
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloud
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & Gatekeeper
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
Design Pattern for Federated Single Sign-On Access
Design Pattern for Federated Single Sign-On AccessDesign Pattern for Federated Single Sign-On Access
Design Pattern for Federated Single Sign-On Access
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 

Viewers also liked

WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...
WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...
WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...
WSO2
 
Application development with WSO2 App Factory
Application development with WSO2 App Factory Application development with WSO2 App Factory
Application development with WSO2 App Factory
WSO2
 
The Private API Economy
The Private API EconomyThe Private API Economy
The Private API Economy
WSO2
 
Cloud Identity Webinar
Cloud Identity WebinarCloud Identity Webinar
Cloud Identity Webinar
WSO2
 
Open Source Middleware for the Cloud: WSO2 Stratos
Open Source Middleware for the Cloud: WSO2 StratosOpen Source Middleware for the Cloud: WSO2 Stratos
Open Source Middleware for the Cloud: WSO2 Stratos
WSO2
 
Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts
WSO2
 
Bring your own Identity (BYOID) with WSO2 Identity Server
Bring your own Identity (BYOID) with WSO2 Identity ServerBring your own Identity (BYOID) with WSO2 Identity Server
Bring your own Identity (BYOID) with WSO2 Identity Server
WSO2
 

Viewers also liked (20)

WSO2Con EU 2015: WSO2 Identity Server: Identity Management for the Next Decade
WSO2Con EU 2015: WSO2 Identity Server: Identity Management for the Next DecadeWSO2Con EU 2015: WSO2 Identity Server: Identity Management for the Next Decade
WSO2Con EU 2015: WSO2 Identity Server: Identity Management for the Next Decade
 
WSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release Webinar
 
WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...
WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...
WSO2Con2011: Delivering the Goods? Integrated Order Management & Billing with...
 
Application development with WSO2 App Factory
Application development with WSO2 App Factory Application development with WSO2 App Factory
Application development with WSO2 App Factory
 
Git beyond basics
Git   beyond basicsGit   beyond basics
Git beyond basics
 
WSO2 Product Release Webinar: WSO2 Application Server 5.3
WSO2 Product Release Webinar: WSO2 Application Server 5.3WSO2 Product Release Webinar: WSO2 Application Server 5.3
WSO2 Product Release Webinar: WSO2 Application Server 5.3
 
WSO2Con EU 2016: Reinforcing Your Enterprise with Security Architectures
WSO2Con EU 2016: Reinforcing Your Enterprise  with Security ArchitecturesWSO2Con EU 2016: Reinforcing Your Enterprise  with Security Architectures
WSO2Con EU 2016: Reinforcing Your Enterprise with Security Architectures
 
The Private API Economy
The Private API EconomyThe Private API Economy
The Private API Economy
 
Alchemy of the API Economy
Alchemy of the API EconomyAlchemy of the API Economy
Alchemy of the API Economy
 
Cloud Identity Webinar
Cloud Identity WebinarCloud Identity Webinar
Cloud Identity Webinar
 
WSO2Con EU 2016: Identity Management – A Cornerstone for the Connected Enter...
WSO2Con EU 2016: Identity Management –  A Cornerstone for the Connected Enter...WSO2Con EU 2016: Identity Management –  A Cornerstone for the Connected Enter...
WSO2Con EU 2016: Identity Management – A Cornerstone for the Connected Enter...
 
Open Source Middleware for the Cloud: WSO2 Stratos
Open Source Middleware for the Cloud: WSO2 StratosOpen Source Middleware for the Cloud: WSO2 Stratos
Open Source Middleware for the Cloud: WSO2 Stratos
 
Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts
 
Bring your own Identity (BYOID) with WSO2 Identity Server
Bring your own Identity (BYOID) with WSO2 Identity ServerBring your own Identity (BYOID) with WSO2 Identity Server
Bring your own Identity (BYOID) with WSO2 Identity Server
 
WSO2Con ASIA 2016: WSO2 Cloud Strategy Update
WSO2Con ASIA 2016: WSO2 Cloud Strategy UpdateWSO2Con ASIA 2016: WSO2 Cloud Strategy Update
WSO2Con ASIA 2016: WSO2 Cloud Strategy Update
 
WSO2Con USA 2017: Identity Solution Patterns
WSO2Con USA 2017: Identity Solution PatternsWSO2Con USA 2017: Identity Solution Patterns
WSO2Con USA 2017: Identity Solution Patterns
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity ManagementWSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
 
2016 Year End Webinar - Are You Ready for Digital Transformation?
2016 Year End Webinar - Are You Ready for Digital Transformation?2016 Year End Webinar - Are You Ready for Digital Transformation?
2016 Year End Webinar - Are You Ready for Digital Transformation?
 
WSO2Con USA 2017: Hybrid Cloud and Container Architecture with Zero Touch Aut...
WSO2Con USA 2017: Hybrid Cloud and Container Architecture with Zero Touch Aut...WSO2Con USA 2017: Hybrid Cloud and Container Architecture with Zero Touch Aut...
WSO2Con USA 2017: Hybrid Cloud and Container Architecture with Zero Touch Aut...
 
WSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery ChannelWSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery Channel
 

Similar to End-to-End Identity Management

Deloitte Resume December 2016
Deloitte Resume December 2016Deloitte Resume December 2016
Deloitte Resume December 2016
Modesta Key
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ Kiran
Kiran Kumar
 

Similar to End-to-End Identity Management (20)

Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
Sso every where
Sso every whereSso every where
Sso every where
 
Waqas Resume - IT(System) Admin
Waqas Resume - IT(System) AdminWaqas Resume - IT(System) Admin
Waqas Resume - IT(System) Admin
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day One
 
Deloitte Resume December 2016
Deloitte Resume December 2016Deloitte Resume December 2016
Deloitte Resume December 2016
 
Data security and compliancy in Office 365
Data security and compliancy in Office 365Data security and compliancy in Office 365
Data security and compliancy in Office 365
 
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfSplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
 
Five Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern IdentityFive Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern Identity
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
 
JavaResume
JavaResumeJavaResume
JavaResume
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ Kiran
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
Azure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD DeploymentAzure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD Deployment
 
Lightning Component - Components, Actions and Events
Lightning Component - Components, Actions and EventsLightning Component - Components, Actions and Events
Lightning Component - Components, Actions and Events
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Open Source Identity Management
Open Source Identity ManagementOpen Source Identity Management
Open Source Identity Management
 

More from WSO2

More from WSO2 (20)

Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the Cloud
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Recently uploaded (20)

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding the FAA Part 107 License ..

End-to-End Identity Management

  • 1. End-to-End Identity Management
    Darshana Gunawardana, Senior Software Engineer
    Harsha Thirimanna, Senior Software Engineer
  • 3. Agenda
    o The need, for an enterprise, of having:
      o Centralized authentication
      o Single Sign On
      o Provisioning
      o Account management
      o Workflow
      o Authorization
      o Federation
  • 4. Start from the beginning
    o Consider a startup: “Extern Inc.”
      o Handful of employees
      o No internal apps for employees
      o No worries :)
    o After some time
      o Business is running well
      o Plan to expand the business; going to recruit more
      o Has several internal applications, including an HR system, email service etc.
  • 5. User Accounts in all systems… (diagram) Robert (an employee) holds a separate account in each system: Cloud email Service, Expense Management System, HR System. Credentials shown: Username = “robert” / Password = “robert-pass”; Username = “robert2” / Password = “robert2-pass”; Username = “robert2” / Password = “robert2-pass”; Username = “robert_5” / Password = “K67robert2-AB-#2”
  • 6. Plan for future : Centralized user store
    o Which type of user store?
      o LDAP
      o Active Directory
      o Custom user schema over a JDBC database
  • 7. Connecting Internal Apps
    o Utilize the central user store by connecting all internal apps
    o How to connect?
      o Standard authentication protocols
      o SAML2 SSO, OpenID Connect, OpenID, WS-Federation (passive)
    o Need for a fully functional Identity Provider system
  • 8. Centralized Identity Provider (diagram) Robert presents Username = “robert”, Password = “robert-pass”; the Identity Provider (e.g. WSO2 IS), backed by the User store, issues a Token; the Service provider (e.g. HR System) makes a Standard authentication request and receives the Token
  • 9. All apps connected..! (diagram) Mail Client, HR System and Expense Management System are all connected to the Identity Provider (e.g. WSO2 IS); credential labels: Username = “robert” / Password = “robert-pass” (three times) and Username = “robert2” / Password = “robert2-pass”
  • 10. User experience
    o Re-entering the same password too many times
    o Solution : Single Sign On
  • 11. SSO In General : Initial login (diagram: Identity provider (e.g. WSO2 IS) with User data; Service provider (e.g. HR System); Session: S1)
    1. Log in request
    2. Redirect to IDP URL
    3. Request token
    4. Authenticate
    5. Redirect to SP with token
    6. Send SAML token
  • 12. SSO In General : Subsequent logins (diagram: Identity provider (e.g. WSO2 IS) with User data; Service provider 1 (e.g. HR System), Session: S1; Service provider 2 (e.g. Cloud Mail Service), Session: S2)
    1. Log in request
    2. Redirect to IDP URL
    3. Request token (session: IS1)
    4. Bypass login page
    5. Redirect to SP with token
    6. Send SAML token
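The two flows on slides 11 and 12, modelled end to end as an added example (this is not code from the deck or from WSO2 IS). The IdP session cookie (IS1), the SP sessions (S1, S2) and the user store are constructed in memory, and the "SAML token" is an HMAC-signed dict standing in for a signed assertion; a real IdP signs with an X.509 key pair and the SP verifies with the IdP's certificate. The point is to show why the second service provider never shows a login page, and what the SP must still check (signature, audience, expiry) before it trusts the token:

```python
"""SP-initiated SSO: first login shows the IdP login page, later logins bypass it."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed key material. A shared HMAC key stands in for the IdP's signing key pair.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
KDF_ITERATIONS = 100_000


def _pw_record(password):
    """Constructed user store entry: per-user salt plus PBKDF2 digest."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _pw_check(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def _sign(body):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, raw, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, user_store, trusted_sps):
        self._users = user_store            # username -> (salt, digest)
        self._trusted_sps = set(trusted_sps)
        self._sessions = {}                 # IdP session cookie (IS1) -> username
        self.login_pages_shown = 0          # how often step 4 actually ran

    def authn_request(self, sp_id, idp_cookie, credentials=None):
        """Steps 3 to 5: an SP redirected the browser here. Returns (token, idp_cookie)."""
        if sp_id not in self._trusted_sps:
            raise PermissionError("unknown service provider")
        username = self._sessions.get(idp_cookie)
        if username is None:
            # Step 4: no IdP session yet, so the login page is shown and credentials checked
            self.login_pages_shown += 1
            if credentials is None:
                raise PermissionError("login required")
            username, password = credentials
            record = self._users.get(username)
            if record is None or not _pw_check(record, password):
                raise PermissionError("bad credentials")
            idp_cookie = secrets.token_hex(16)          # new IdP session IS1
            self._sessions[idp_cookie] = username
        # Step 5: redirect back to the SP with a short-lived token bound to that SP only
        body = {"issuer": "idp.extern.com", "subject": username, "audience": sp_id,
                "exp": int(time.time()) + 300, "id": secrets.token_hex(8)}
        return {"body": body, "sig": _sign(body)}, idp_cookie


class ServiceProvider:
    def __init__(self, sp_id):
        self.sp_id = sp_id
        self._sessions = {}                 # SP session (S1, S2) -> username

    def consume_token(self, token):
        """Step 6: verify signature, audience and expiry before creating the SP session."""
        body = token["body"]
        if not hmac.compare_digest(_sign(body), token["sig"]):
            raise PermissionError("signature check failed")
        if body["audience"] != self.sp_id:
            raise PermissionError("token was issued for another service provider")
        if body["exp"] < time.time():
            raise PermissionError("token expired")
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = body["subject"]
        return session_id

    def whoami(self, session_id):
        return self._sessions.get(session_id)


def run_flow():
    """Slide 11 then slide 12: one login page, two service provider sessions."""
    idp = IdentityProvider({"robert": _pw_record("robert-pass")}, ["hr", "mail"])
    hr, mail = ServiceProvider("hr"), ServiceProvider("mail")
    idp_cookie = None                                   # browser has no IdP session yet
    token, idp_cookie = idp.authn_request("hr", idp_cookie, credentials=("robert", "robert-pass"))
    s1 = hr.consume_token(token)
    token, idp_cookie = idp.authn_request("mail", idp_cookie)   # step 4 is bypassed
    s2 = mail.consume_token(token)
    try:                                                # the mail token must not open an HR session
        hr.consume_token(token)
        cross_sp_accepted = True
    except PermissionError:
        cross_sp_accepted = False
    return {"hr_user": hr.whoami(s1), "mail_user": mail.whoami(s2),
            "login_pages": idp.login_pages_shown, "cross_sp_accepted": cross_sp_accepted}


if __name__ == "__main__":
    print(run_flow())
```

The audience check is what keeps a token minted for the mail service from being replayed against the HR system; without it, SSO turns every connected app into a way into every other app.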
  • 13. Authentication Protocol Comparison
    o SAML2
      o Most popular protocol, with several profiles
      o Supports single logout
    o OpenID Connect
      o Becoming more popular
      o Has a strong set of supplementary specifications
    o OpenID
      o Deprecated by most Identity Providers
    o WS-Federation (passive)
      o Widely used with .NET applications
  • 14. Sync Users to applications
    o Many applications handle authorization internally
    o Authorization check as a post-authentication task
    o Need to assign relevant attributes/roles
    o Sync the application with the centralized identity repository
  • 15. Provisioning (diagram) Identity server at Extern Inc. receives <<< Create User >>> Username: jane, Email: jane@extern.com and fans it out: to the Cloud email service as <<< Create User >>> Username: jane, Password: jane123, Email: jane@extern.com; and as <<< Create User >>> Username: jane and <<< Create User >>> Username: jane@extern.com to the Contacts Directory and the Expense Management System
  • 16. Enterprise Identity Bus : Provisioning
    o Decouples inbound/outbound provisioning
    o Selective provisioning
    o Rich processing on data
      o Subject mapping
      o Claim mapping
      o Role mapping
    o Inbound provisioning : SCIM & SOAP
    o Outbound provisioning : SCIM & SPML
    o Extensibility to support any protocol
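The fan-out on slide 15 with the processing steps of slide 16 (subject mapping, claim mapping, role mapping, selective provisioning), as an added example in Python; it is not WSO2 code. The inbound payload is a constructed SCIM 2.0 User resource (the RFC 7643 core schema URN is real); the per-target configuration, the target names and the rule that only users holding the employee role are provisioned to the expense system are assumptions. The initial password the slide shows being sent to the cloud email service is not generated here:

```python
"""Inbound SCIM user creation fanned out to several targets with per-target mapping."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed inbound SCIM 2.0 User, the shape a SCIM client would POST to /Users.
INBOUND_SCIM = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jane",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane@extern.com", "primary": True}],
    "roles": [{"value": "employee"}, {"value": "assessor"}],
})

# Assumed per-target outbound configuration: which local attribute becomes the remote
# subject, which extra claims are sent under which remote name, how local roles map to
# remote roles, and a predicate that decides whether this target gets the user at all.
TARGETS = {
    "cloud_email": {"subject": "userName", "claims": {"email": "Email"}, "roles": {},
                    "when": lambda u: True},
    "contacts":    {"subject": "email", "claims": {}, "roles": {},
                    "when": lambda u: True},
    "expense":     {"subject": "userName", "claims": {},
                    "roles": {"employee": "Submitter", "assessor": "Approver"},
                    "when": lambda u: "employee" in u["roles"]},
}


def parse_scim_user(payload):
    """Inbound side: validate the SCIM resource and reduce it to local claims."""
    doc = json.loads(payload)
    if SCIM_USER_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    primary = next((e["value"] for e in doc.get("emails", []) if e.get("primary")), None)
    if not doc.get("userName") or not primary:
        raise ValueError("userName and a primary email are required")
    return {"userName": doc["userName"], "email": primary,
            "roles": [r["value"] for r in doc.get("roles", [])]}


def provision(local_user, targets=TARGETS):
    """Outbound side: one <<< Create User >>> message per target that applies."""
    messages = {}
    for name, cfg in targets.items():
        if not cfg["when"](local_user):
            continue                                             # selective provisioning
        msg = {"Username": local_user[cfg["subject"]]}           # subject mapping
        for local_claim, remote_claim in cfg["claims"].items():  # claim mapping
            msg[remote_claim] = local_user[local_claim]
        remote_roles = sorted({cfg["roles"][r] for r in local_user["roles"] if r in cfg["roles"]})
        if remote_roles:
            msg["Roles"] = remote_roles                          # role mapping
        messages[name] = msg
    return messages


def handle_inbound(payload):
    """Inbound SCIM request in, outbound provisioning messages out."""
    return provision(parse_scim_user(payload))


if __name__ == "__main__":
    print(json.dumps(handle_inbound(INBOUND_SCIM), indent=2))
```

Because every target only ever receives roles that have an explicit mapping, a role that exists locally but means nothing to a target is dropped rather than passed through by name.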
  • 17. Account Management
    o Self registration
    o Password/User ID recovery
    o Update profile
    o Enable two-factor authentication
    o Associate accounts
    o Password policy enforcement
    o Account locking
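Two of the items above, password policy enforcement and account locking, carried through in an added example (not WSO2 IS code). The minimum length, the lock threshold and the lock duration are assumed values chosen for illustration, and the clock is injectable so the lock expiry can be exercised without waiting. Robert's passwords from slide 5 are used as sample input:

```python
"""Password policy check at registration and lockout after repeated failed logins."""
import hashlib
import hmac
import re
import secrets
import time

# Assumed policy values, not WSO2 IS defaults.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 3
LOCK_SECONDS = 15 * 60
KDF_ITERATIONS = 100_000


def check_password_policy(password, username):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for pattern, label in ((r"[A-Z]", "an uppercase letter"), (r"[a-z]", "a lowercase letter"),
                           (r"\d", "a digit")):
        if not re.search(pattern, password):
            problems.append("missing " + label)
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class AccountStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._accounts = {}

    def register(self, username, password):
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("password policy: " + "; ".join(problems))
        salt = secrets.token_bytes(16)
        self._accounts[username] = {"salt": salt, "digest": _kdf(password, salt),
                                    "failed": 0, "locked_until": 0.0}

    def authenticate(self, username, password):
        """Returns "ok", "denied" or "locked"."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            _kdf(password, b"\x00" * 16)   # same cost as a real check, so unknown names are not cheaper to probe
            return "denied"
        if acct["locked_until"] > now:
            return "locked"                # even the correct password is refused while locked
        if hmac.compare_digest(acct["digest"], _kdf(password, acct["salt"])):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCK_SECONDS
            acct["failed"] = 0
            return "locked"
        return "denied"

    def is_locked(self, username):
        acct = self._accounts.get(username)
        return acct is not None and acct["locked_until"] > self._clock()


if __name__ == "__main__":
    store = AccountStore()
    print(check_password_policy("robert-pass", "robert"))
    store.register("robert", "Winter-Harbour-2024")   # constructed password that passes the policy
    print(store.authenticate("robert", "Winter-Harbour-2024"))
```

Returning "locked" rather than "denied" for the correct password while the lock is active is deliberate: a locked account must not leak whether the guess was right.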
  • 18. Expansion in Extern Inc...
    o Extern Inc. has acquired a new company in Europe
    o New division to handle sales and marketing in Europe
    o Identity management perspective:
      o A new user base
      o Different user store repository
      o Plug in to the current system as a secondary user store
  • 20. Need More Control? (diagram) Identity server receives “Update roles” and “Update claims”; speech bubbles: “I need to approve assignments to the ‘Assessor’ role”, “I need to approve all claims”, “One of us has to approve all new assessors”
  • 21. Get More Control with Workflows (diagram) Identity server receives “Update claims”; workflow step “Approve claims update”, assigned to “Bob”
  • 22. Get More Control with Workflows (Ctd..) (diagram) Identity server receives “Update roles”; workflow steps “Approve role assignment” (assigned to the “supervisors” role) and “Approve role assignment” (assigned to “James”)
  • 23. Authorization
    o Authentication
      o Who is the user
    o Authorization
      o What the user can do
  • 24. What the User Can Do... (diagram) Service provider 1 (SP1) exposes the resources /data/files, /data/archives, /data/visualize, /data/details; users shown: User = Jane, User = David, User = Tao
  • 25. What the User Can Do... (diagram) Service provider 1 (SP1); users shown: User = Jane, User = David, User = Tao; Access control policy:
    o If user = Tao and resource = /data/archives: Permit.
    o If role = Clark and action = write: Deny.
    o If role = Manager and resource = /data/files: Permit.
  • 26. Authorization challenges
    o Authorization rules change frequently
    o Fine-grained authorization requirements
    o Solution : XACML
      o Attribute based access control standard
      o Rule based access control
      o De-facto standard for fine-grained access control
  • 27. XACML - Architecture (diagram) Resources /data/files, /data/archives, /data/visualize, /data/details behind a Policy Enforcement Point (PEP); the PEP asks the Policy Decision Point, which reads the Policy Store (“If user = jane Permit.”, “If role = clark and Action = write Deny.”) maintained through the Policy Administration Point; users shown: User = Tao, User = David, User = Jane
  • 28. XACML Policy Enforcement Points
    o WSO2 ESB
    o WSO2 API Manager
    (diagram) WSO2 ESB Proxy service: Property [Set user], Property [Set resource], then Entitlement calls the XACML Engine (WSO2 IS); On accept: Send to the Service provider (SP); On reject: Drop
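The PDP / PEP / PAP split of slides 25 to 28, reduced to a small attribute based access control engine as an added example; this is not WSO2 IS, not a XACML implementation, and the rules are not in XACML syntax. The three rules are the ones printed on slide 25 (the role name “Clark” is kept as printed), expressed as predicates over the request attributes the PEP collects. Deny-overrides combining and the PEP treating anything other than an explicit Permit as a reject are assumptions that follow the XACML model:

```python
"""Minimal ABAC: policy store, decision point, enforcement point, administration point."""
from dataclasses import dataclass
from typing import Callable, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass(frozen=True)
class Request:
    """Attributes the PEP sets about the access attempt (slide 28: Set user, Set resource)."""
    user: str
    roles: Tuple[str, ...]
    resource: str
    action: str


@dataclass(frozen=True)
class Rule:
    name: str
    target: Callable[[Request], bool]   # when the rule applies to a request
    effect: str                          # PERMIT or DENY


# Policy store: the three rules printed on slide 25.
POLICY_STORE = [
    Rule("tao-archives", lambda r: r.user == "Tao" and r.resource == "/data/archives", PERMIT),
    Rule("clark-no-write", lambda r: "Clark" in r.roles and r.action == "write", DENY),
    Rule("manager-files", lambda r: "Manager" in r.roles and r.resource == "/data/files", PERMIT),
]


def decide(request, policy_store=POLICY_STORE):
    """PDP with deny-overrides combining: any applicable Deny wins, otherwise Permit if
    some rule permits, otherwise NotApplicable. A rule that cannot be evaluated (for
    example because an attribute is missing) yields Indeterminate."""
    decision = NOT_APPLICABLE
    for rule in policy_store:
        try:
            applies = rule.target(request)
        except Exception:
            return INDETERMINATE
        if not applies:
            continue
        if rule.effect == DENY:
            return DENY
        decision = PERMIT
    return decision


def enforce(request, policy_store=POLICY_STORE):
    """PEP (the ESB proxy on slide 28): only an explicit Permit is "On accept: Send".
    NotApplicable and Indeterminate are handled like Deny, i.e. "On reject: Drop"."""
    return decide(request, policy_store) == PERMIT


def pap_add_rule(policy_store, rule):
    """PAP: rules change in the store; neither the PDP nor the PEP code changes."""
    return policy_store + [rule]


if __name__ == "__main__":
    for req in (Request("Tao", (), "/data/archives", "read"),
                Request("Tao", ("Clark",), "/data/archives", "write"),
                Request("David", ("Manager",), "/data/files", "read"),
                Request("David", (), "/data/visualize", "read")):
        print(req, "->", decide(req), "| sent" if enforce(req) else "| dropped")
```

The second sample request is the reason deny-overrides matters: Tao is permitted on /data/archives by one rule, but if Tao also holds the Clark role and the action is write, the Deny rule wins.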
  • 29. Connecting with external parties
    o Extern Inc. acquires a new company, “PlusX”, as a subsidiary
    o PlusX has its own identity provider, with its own internal apps connected to it
    o Can PlusX employees use Extern Inc. apps?
  • 30. Connecting with external parties (diagram) Identity server at Extern Inc.; PlusX; Jane wants to access the ‘Contact Directory’ app hosted by company Extern Inc.; speech bubbles: “You are not in my Identity Server!”, “But I am registered in PlusX”
  • 31. Connecting with external parties (diagram) Identity server at Extern Inc.: “Trust local IS”; PlusX: “Trust IS in PlusX office”; If PlusX says “This is Jane”, then Extern Inc. believes it (Extern Inc. trusts the PlusX IdP)
  • 32. Enterprise Identity Bus : Federation
    o Easily connect new Identity Providers
    o Protocol bridging
    o Multi-step, multi-option authentication flows
    o Inbuilt support for Social Login
    o Zero changes on the Service provider
    o Rich processing on data
      o Subject mapping
      o Claim transformation
      o Role transformation
    o Home realm discovery
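Jane's federated login from slides 30 and 31, with the home realm discovery, subject mapping, claim transformation and role transformation items of slide 32, as an added example; it is not WSO2 IS code. The PlusX IdP name and e-mail domain, the trusted-IdP registry, the claim dialects and the role map are assumptions, and the partner assertion is a constructed HMAC-signed dict standing in for a signed SAML assertion (a real deployment stores the partner's signing certificate and verifies an XML signature):

```python
"""Accepting an assertion from a trusted partner IdP and turning it into a local identity."""
import hashlib
import hmac
import json

# Assumed trust registry: one entry per partner IdP Extern Inc. has decided to trust.
TRUSTED_IDPS = {
    "idp.plusx.example": {
        "key": b"constructed-plusx-idp-key",
        "subject_claim": "mail",                                          # subject mapping
        "claim_map": {"mail": "email", "displayName": "fullName"},        # partner -> local dialect
        "role_map": {"PlusX-Staff": "Internal/employee", "PlusX-Sales": "Internal/sales"},
    },
}

# Home realm discovery table (assumed): which IdP owns which e-mail domain.
REALM_BY_DOMAIN = {"plusx.example": "idp.plusx.example", "extern.com": "local"}


def discover_home_realm(login_hint):
    """Pick the IdP from the domain of the identifier the user typed."""
    domain = login_hint.rpartition("@")[2].lower()
    return REALM_BY_DOMAIN.get(domain)


def _sig(body, key):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def partner_idp_assertion(issuer, claims, key):
    """What the partner IdP sends back after authenticating the user (constructed)."""
    body = {"issuer": issuer, "claims": claims}
    return {"body": body, "sig": _sig(body, key)}


def accept_federated_assertion(assertion):
    """Extern Inc. IdP side: trust check, signature check, then claim and role transformation.
    The service provider only ever sees the local identity this returns."""
    body = assertion["body"]
    idp = TRUSTED_IDPS.get(body.get("issuer"))
    if idp is None:
        raise PermissionError("assertion issuer is not a trusted identity provider")
    if not hmac.compare_digest(_sig(body, idp["key"]), assertion["sig"]):
        raise PermissionError("assertion signature does not verify")
    claims = body["claims"]
    local = {"subject": claims[idp["subject_claim"]], "idp": body["issuer"]}
    for remote_name, local_name in idp["claim_map"].items():
        if remote_name in claims:
            local[local_name] = claims[remote_name]
    # Only partner roles with an explicit mapping become local roles; anything else is
    # dropped, so a partner cannot obtain local privileges by asserting unmapped role names.
    local["roles"] = sorted(idp["role_map"][r] for r in claims.get("memberOf", [])
                            if r in idp["role_map"])
    return local


if __name__ == "__main__":
    realm = discover_home_realm("jane@plusx.example")
    assertion = partner_idp_assertion(realm,
                                      {"mail": "jane@plusx.example", "displayName": "Jane Doe",
                                       "memberOf": ["PlusX-Sales", "PlusX-Admins"]},
                                      TRUSTED_IDPS[realm]["key"])
    print(accept_federated_assertion(assertion))
```

The trust decision on slide 31 ("if PlusX says this is Jane, Extern Inc. believes it") is only as narrow as the role map: Jane's PlusX-Admins membership is real at PlusX but means nothing at Extern Inc., so it never becomes a local role.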
  • 33. Concepts in Reality
    o Some external contributors have access to the community portal via self registration
    o Employee life cycle in the company
      o Employee creation
      o Going through approval
      o Sync up with the required systems
      o SSO with all applications
      o Lock the identity upon resignation
  • 34. Q&A