WSO2 Identity Server

Presentation Transcript

  1. WSO2 Identity Server Prabath Siriwardena Director – Security Architecture

  2. An open source Identity & Entitlement management server

  3. An open source Identity & Entitlement management server Authentication LDAP AD JDBC

  4. Authentication

  5. An open source Identity & Entitlement management server Authentication Single Sign On SAML2 Kerberos WS-Fed Passive

  6. OpenID
      • Decentralized Single Sign On
      • Single user profile
      • Widely used for community & collaboration aspects
      • Multifactor Authentication [Infocard, XMPP]
      • OpenID relying party components

  7. SAML2
      • Single Sign On / Single Logout
      • Widely used by *aaS providers [Google Apps, Salesforce]
      • SAML2 Web SSO Profile
      • SAML2 Attribute Profile
      • Distributed Federated SAML2 IdPs
      • Used in WSO2 StratosLive

  8. Single Sign-On WS-Fed Passive SharePoint

  9. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On SPML SCIM

  10. Provisioning

  11. Provisioning to heterogeneous systems (diagram: Google Adaptor, SF Adaptor)

  12. Open standards for provisioning
      2012 : SCIM 1.1
      2011 : SCIM 1.0
      2011 : RESTPML
      2010 : SCIM community
      2006 : SPML 2.0
      2003 : SPML 1.0
      2003 : WS-Provisioning
      2001 : OASIS PS TC

  13. Open standards for provisioning Provisioning Service Point

  14. System for Cross-domain Identity Management (diagram: a SCIM Consumer calling the /Users and /Groups endpoints of a SCIM Service Provider)

  15. System for Cross-domain Identity Management
      add-user.json
      {
        "schemas": [],
        "name": {"familyName": "siriwardena", "givenName": "prabath"},
        "userName": "prabath",
        "password": "prabath123",
        "emails": [
          {"primary": true, "value": "prabath@yahoo.com", "type": "home"},
          {"value": "prabath@wso2.com", "type": "work"}
        ]
      }
      curl command
      curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

  16. System for Cross-domain Identity Management
      add-group.json
      {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "id": "idnext",
        "displayName": "IdentityNext"
      }
      curl command
      curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
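The two slides above send SCIM 1.x User and Group create requests. The following is an added example, not code from the presentation or from WSO2: it builds constructed payloads modelled on the slide's add-user.json and add-group.json (with the core schema URN filled in, since the slide's user example sends an empty "schemas" list) and checks a request body for the structural mistakes a SCIM service provider would reject before a curl call is even made.

```python
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.x core schema URN, as on the slide

# Constructed samples modelled on the slide's add-user.json / add-group.json.
ADD_USER_JSON = json.dumps({
    "schemas": [SCIM_CORE],
    "name": {"familyName": "siriwardena", "givenName": "prabath"},
    "userName": "prabath",
    "password": "prabath123",
    "emails": [
        {"primary": True, "value": "prabath@yahoo.com", "type": "home"},
        {"value": "prabath@wso2.com", "type": "work"},
    ],
})
ADD_GROUP_JSON = json.dumps({
    "schemas": [SCIM_CORE],
    "id": "idnext",
    "displayName": "IdentityNext",
})

def _check_schemas(doc, problems):
    # Every SCIM 1.x resource must declare the core schema it conforms to.
    schemas = doc.get("schemas")
    if not isinstance(schemas, list) or SCIM_CORE not in schemas:
        problems.append("schemas must list " + SCIM_CORE)

def _nonempty_string(value):
    return isinstance(value, str) and bool(value.strip())

def validate_user(raw):
    # Returns the list of problems in a User create request body (empty when valid).
    doc = json.loads(raw)
    problems = []
    _check_schemas(doc, problems)
    if not _nonempty_string(doc.get("userName")):
        problems.append("userName is required and must be a non-empty string")
    emails = doc.get("emails") or []
    if sum(1 for e in emails if e.get("primary") is True) > 1:
        problems.append("at most one email may be marked primary")
    for e in emails:
        if not _nonempty_string(e.get("value")) or "@" not in e["value"]:
            problems.append("email entry without a usable value: %r" % (e,))
    return problems

def validate_group(raw):
    # Returns the list of problems in a Group create request body (empty when valid).
    doc = json.loads(raw)
    problems = []
    _check_schemas(doc, problems)
    if not _nonempty_string(doc.get("displayName")):
        problems.append("displayName is required and must be a non-empty string")
    return problems
```

Run the validators on a file before posting it; the slide's curl also uses -k, so in anything beyond a localhost demo replace that with the server's CA certificate so the admin credentials are not sent over an unverified TLS connection.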

  17. System for Cross-domain Identity Management

  18. Federated Provisioning Patterns: one way provisioning (diagram: Provisioning Service Providers across Domain A, Domain B and Domain C, with a SCIM Consumer)

  19. Federated Provisioning Patterns: one way provisioning with broker mode (diagram: Provisioning Service Providers across Domain A, Domain B and Domain C, with a SCIM Consumer)

  20. Federated Provisioning Patterns: bi-directional provisioning (diagram: each of Domain A, Domain B and Domain C with its own Provisioning Service Provider and SCIM Consumer)

  21. Federated Provisioning Patterns: multi-directional provisioning with a centralized PSP (diagram: Provisioning Service Providers and SCIM Consumers across Domain A, Domain B and Domain C)

  22. Federated Provisioning Patterns: just-in-time provisioning with SAML2 (numbered-flow diagram with steps 1-4: SAML2 IdP, Provisioning Service Provider, Domain A, Domain B)

  23. Federated Provisioning Patterns: just-in-time provisioning with SAML2 (numbered-flow diagram with steps 1-5: SAML2 IdP, Provisioning Service Provider, Domain A, Domain B)

  24. Multi-tenancy (diagram: one Provisioning Service Provider serving the tenants facilelogin.com and wso2.com, each with its own SCIM Consumer)

  25. WSO2 Charon

  26. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On Auditing XDAS

  27. Auditing

  28. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On Auditing Delegation WS-TRUST

  29. Delegation

  30. OAuth Evolution

  31. OAuth Evolution

  32. OAuth Evolution

  33. OAuth Evolution

  34. OAuth
      • Identity Delegation
      • Securing RESTful services
      • 2-legged & 3-legged OAuth 1.01
      • XACML integration with OAuth
      • OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials, Client Credentials

  35. An open source Identity & Entitlement management server Provisioning Authentication Single Sign On Federation Auditing Delegation SAML2 WS-TRUST

  36. Federation

  37. Security Token Service
      • Supports WS-Trust 1.3/1.4
      • SAML 1.0/1.1/2.0 token profiles
      • Claim management

  38. Federation Patterns: cross domain authentication with WS-Trust (diagram: Consumer App, Security Token Service and Resource across Domain A and Domain B)

  39. Federation Patterns Cross Domain Authentication with Kerberos and WS-Trust

  40. Federation Patterns Decentralized Federated SAML2 IdPs

  41. Federation Patterns Decentralized Federated SAML2 IdPs

  42. Federation Patterns Decentralized Federated SAML2 IdPs

  43. An open source Identity & Entitlement management server Role Based Access Control

  44. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control

  45. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control Policy Based Access Control XACML

  46. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control SOAP Policy Based Access Control XACML / WS-XACML

  47. Attribute Based Access Control An open source Identity & Entitlement management server Role Based Access Control REST SOAP Policy Based Access Control XACML

  48. XACML
      • The de-facto standard for authorization
      • XACML 3.0
      • Support for multiple PIPs
      • Policy distribution
      • Decision / Attribute caching
      • UI wizard for defining policies
      • Notifications on policy updates
      • TryIt tool

  49. XACML (architecture diagram: EntitlementService exposed over SOAP/Thrift/WS-XACML and EntitlementPolicyAdminService over SOAP; Policy Administration Point; Policy Decision Point with XACML Engine, Policy Cache, Decision Cache, Attribute Cache, Attribute Finder Extensions and Default Finder; LDAP as attribute source)

  50. XACML