As the industry’s first enterprise identity bus (EIB), WSO2 Identity Server is the central backbone that connects and manages multiple identities across applications, APIs, the cloud, mobile, and Internet of Things devices, regardless of the standards on which they are based. The multi-tenant WSO2 Identity Server can be deployed directly on servers or in the cloud, and has the ability to propagate identities across geographical and enterprise borders in a connected business environment.

1. WSO2 Identity Server 5.1.0
Overview

2. Agenda
o Introduction
o Product Overview
o Authentication & SSO
o User Provisioning & Management
o Authorization & Entitlement
o Deployment Options

3. Introduction

4. Security Landscape
Borders
across
systems
don’t
work
anymore

5. Why ?
o Bring Your Own Device
o Bring Your Own Identity
o Identity is maintained in one domain, accessed in other domains
o Social network identities (Facebook, LinkedIN, Google)
o Open APIs
o Ecosystems
o Mergers / Acquisitions
o Value Webs (Composable Enterprises)

6. Introducing Enterprise Identity Bus (EIB)

7. What Does an EIB Do ?
Bridges
Tokens
• OAuth/2
• OpenID/OpenID Connect
• SAML2
• WS-Federation
• Kerberos, etc
Claims & Claim
Dialects
• Email Addresses
• Phone Numbers
• Names, etc
User Stores
• SPML, SCIM, Salesforce,
Google, etc
• Just in Time provisioning,
inbound, outbound

8. Unified SSO Platform

9. How Does it Work ?
o Bridges multiple web applications across multiple
protocols
o Login into Drupal using SAML and get automatically signed
on your Web application, which requires Open ID Connect.
o Connect to Facebook and be automatically connected to
Salesforce
o Bridges across: OpenID Connect, SAML 2.0, OAuth
2.0, OpenID, WS-Federation (Passive)
o Benefits
o Transparent to the application users
o Extensible

10. Federated Identity

11. How Does it Work ?
o Bridge multiple identity providers
o Identity Server serves a central authentication hub for
all applications - Each application continues to use their own
IdP of choice (say OpenID Connect)
o Home Realm Discovery - Identity Server uses the request to
redirect the user to the correct IdentityProvider
o Benefits:
o Client App only need to trust its own Identity Provider
o Authentication protocol at the client side is decoupled from
the Identity Provider
o Trust relationship maintained centrally

12. User Provisioning

13. How Does it Work ?
o Bus serves as central hub to provision identities to
multiple IdPs
o Transforms provisioning requests, from SCIM to SPML
for example
o Provides just-in-time provisioning
o Benefits
o Supports SCIM (System for Cross-Domain Identity
Management) standard
o Supports SPML, JDBC, LDAP, GoogleApps, Salesforce
o Simple extension model

14. Mobile IdP Proxy

15. How Does it Work ?
o IDP proxy application delivers SSO functionality for
native mobile applications
o SDK is used to invoke IdP proxy from the mobile
application
o Allows the application to obtain an OAuth access token
from an identity
o Benefits - Leverage enterprise identity management system for
mobile applications

16. Product Overview

17. WSO2 Identity Server
o 5th Generation Product
o Current version 5.0.0 (released May 2014)
o Why did we build it?
o Federated identity and entitlement is a key part of any distributed
architecture
o Internal security threats, Partnerships
o Mergers, De-mergers
o APIs, Cloud systems
o SSO is important but need to federate and bridge across SSOs
o Open Standards for Identity are changing the industry landscape
o Based on WSO2 Carbon platform, which provides support
for multi-tenancy, logging, clustering, and other common
services

18. Identity Server Landscape

19. Benefits
o Scenario-driven configuration
o Large number of scenarios supported out of the box,
through simple configuration
o Single Sign On
o Federated Identity
o User Provisioning and Management
o Authorization and Entitlements
o Extensible & Customizable - Custom Authenticators

20. Authentication & SSO

21. Authentication
o Extensible user stores integration
o Security for APIs and Web Services
o Web Single Sign On for heterogeneous systems
o Highly configurable and extensible authentication flows
o Federation and Social integration

22. User Stores
o Identity Server supports connecting 1 to N user
repositories to a single server
o One primary and multiple secondary
o Configurable through UI
o Supports following
o Built-in LDAP based on Apache DS
o JDBC - Any data store, tested with Oracle, MySQL, DB2 and
others
o Active Directory

23. Securing SOAP Services
o Security Token Service (STS)
o Supports WS-Trust 1.4
o Issues SAML 1.1 and SAML 2.0 Tokens
o HOK and Bearer subject confirmations
o Configurable Security Policies for the STS
o Kerberos token based
o X509 Certificate based
o User Name password based
o Built on Apache Rampart project

24. Securing REST APIs
o Complete OAuth 2.0 and OAuth 1.0a supported
Authorization Server
o Supported OAuth 2.0 Grants - Authorization Code, Implicit,
Resource Owner Password, Client Credential, SAML Bearer,
IWA-NTLM, Refresh Token
o JWT implementation
o Key Manager for the WSO2 API Manager

25. Authenticators
o Local Authenticators
o Basic Authenticator - Username, password
o IWA Authenticator – Zero password login
o FIDO (Fast Identity Online) - Multifactor authentication
o Federated
o SAML 2.0 Web SSO Authenticator
o OAuth2/OpenID Connect Authenticator
o OpenID Authenticator
o WS-Federation (Passive) Authenticator

26. Configurable Authenticator Flow
o Multi-Step : Add any number of authentication steps
o Multi-Option : Add any number of authenticators for a step
o Configuration per service provider (application)

27. Web Single Sign On
o SAML 2.0 Web Browser SSO
o Basic Attribute Profile
o IDP initiated SSO
o OpenID 2.0
o Simple Registration Extension
o Attribute Exchange
o OpenID Connect
o IDToken
o User Endpoint
o WS-Federation Passive STS
o SAML 1.1 Tokens
o Preferred by Windows Identity Foundation (WIF) based
clients (ASP.NET)
o Based on Apache Rampart project

28. SSO for Heterogeneous Systems
o Web Applications can speak in any identity language
(e.g. SAML2, OpenID, OpenID Connect) to the Identity
Server
o Single Login
o Role transformations
o Claim transformations
o Customizable login screens

29. Federation
o Configure Trusted Identity Providers (IdPs)
o Add Trusted IDPs to application authentication flows to
enable Federation
o Configure Provisioning for Identity Providers
o Just-In-Time (JIT) provisioning
o Outbound provisioning
o Role transformations
o Claims Transformations

30. Home Realm Discovery
o Process of identifying correct federated IDP for an
authentication request
o A key feature of federation
o Uses the information in the authentication request to
identity the IDP
o Logic is pluggable

31. User Provisioning & Management

32. Provisioning and Management
o Just In Time Provisioning
o Highly extensible User Provisioning Framework
o Users and groups management
o Accounts and Policies Management
o Self Service Dashboard
o Logging and Monitoring
o Custom user management workflows – user specific
approvals, multi-step approvals, approvals requiring multiple roles

33. Just-in-time Provisioning
o Federated Identities can be provisioned into the WSO2
Identity Server while federating
o Users can be provisioned to any primary or secondary
user store
o JIT provisioned users can be provisioned to any other
systems instantly

34. Provisioning Framework
o Three inbound provisioning APIs
o System for Cross-Domain Identity Management (SCIM) API
– REST/JSON
o UserAdmin – SOAP/XML
o RemoteUserStoreManagerService – SOAP/XML
o Pluggable outbound provisioning connectors
o Out-of-the-box provisioning connectors : SCIM, SPML,
Google and SalesForce
o Custom connectors (create and drop in !)

35. SCIM Implementation
o System cross-domain identity management -
http://www.simplecloud.info/
o Adopted by many vendors and SaaS applications
(Salesforce for example)
o Supports users
(including bulk creation)
and groups
provisioning, via REST
API
o IS supports SCIM 1.1 -
SCIM 2.0 work ongoing

36. User and Role Management
o Comprehensive Administrative UI for User and Roles
Management
o Add, delete, update user profiles and roles
o Search/list users and roles
o Reset user passwords
o Can manage users / groups in multiple user stores

37. Account and Password Policy Management
o Configure password complexity – E.g. 8 character long,
must include numbers and symbols
o Password expiry configuration
o Failed login attempts and account locking
o Captcha verification
o Self registration and user account verification
o Account recovery, forgotten password

38. Self-service Dashbaord

39. Auditing
o Privileged operations are saved to log files, including
login/logout operations
o Data is saved in XDAS format
o Through extensions, events can be published to our
Data Analytics solutions (BAM and CEP)

40. Authorization & Entitlements

41. Authorization and Entitlement
o Role Based Access Control
o Attribute Based Access Control
o Policy Based Access Control
o XACML 2.0/3.0
o Support for OpenAz
o Hierarchical Resource Profile
o Hierarchical Role Profile
o Multiple Decision Profile

42. Role-based Access Control
o Provisioning UI for assigning permissions for Roles and
assigning users for roles
o SOAP/XML APIs for authorization
o UserAdmin
o RemoteUserStoreManagerService
o RemoteAuthorizationManagerService

43. Scope-based Access Control
o OAuth is a scope based authorization framework
o WSO2 Identity Server supports OAuth version 1.0a
and 2.0
o Users and Permit/Deny granting authorization for
applications
o Access Token is validated over SOAP API - JWT (JSON
Web Token) attached to response, contains information about
token authorized scopes (for back-end consumption)

44. Claim-based Access Control
o Comprehensive UI to manage/configure claim dialects
o Default claim dialects: SCIM, OpenID AX, OpenID
SReg, XML/WSDL, OpenID Connect and WSO2
dialect
o Write XACML policies based on User Claims
o Define WS-Trust/ WS- Security policies based on User
Claims
o Retrieve user claims for authorization over OpenID,
OpenID Connect and SAML

45. Policy-based Access Control
o Fine grained access control with XACML 2.0 and 3.0
o Pluggable and extensible architecture
o Plug-in various PIP and PEP modules
o Plug in policy stores
o Policy Management UI
o Try-it tool to test policies
o Caching and Thrift transport support for high
performance

46. Importing and Publishing

47. Distributed PDP Management

48. TryIt

49. Policy Governance

50. XACML Integration Points
o Entitlement Mediator for WSO2 ESB
o Entitlement Handler for WSO2 API Manager
o Entitlement Servlet Filter for WSO2 Application Server
o Third-party agents
o Java EE Servlet Filter
o Liferay Agent
o Microsoft IIS Agent

51. Deployment Options

52. WSO2 Platform Deployment Options
o Stand-alone servers
o Private clouds:
e.g. Stratos, Kubernetes
o Public Clouds:
e.g. AWS
o Hybrid deployments
o Dedicated hosting of any WSO2-
based solutions
o WSO2 operations team is
managing the deployment and
keeps it running
o 99.99% uptime SLA
o Any AWS region of choice
o Can be VPNed to local network
o Includes monitoring, backups,
patching, updates
o Shared public cloud,
o Currently available for application
and API hosting (hosted API
Manager and App Factory),
o Preset multitenant deployment in
AWS US East run by WSO2,
o Month-to-month credit card
payment

53. Thank
You!
Download
WSO2
Iden/ty
Server
at:
h6p://wso2.com/products/iden/ty-­‐server/