Identity as a Service


By Prabath Siriwardena, WSO2

IDENTITY goes hand in hand with TRUST

What makes my IDENTITY?

My AGE is part of my IDENTITY

My PHONE NUMBER is part of my IDENTITY

My e-MAIL is part of my IDENTITY

My SSN is part of my IDENTITY

Who needs my IDENTITY?

My HR MANAGER

My FINANCE MANAGER

My PROJECT MANAGER

PARTNERS of my company

LAWS of IDENTITY

Extending the internet with an Identity Management Layer

1. User control & consent

Technical identity systems must only reveal information identifying a user with the user's consent.

2. Minimal disclosure for a given use

The solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

3. Justifiable parties

A digital identity system must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

4. Directed identity

A universal identity system must support both 'omni-directional' identifiers for use by public entities and 'unidirectional' identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

5. Pluralism of operators & technologies

A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.

6. Human integration

The universal identity meta-system must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.

7. Consistent experience across contexts

The unifying identity meta-system must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
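The "directed identity" law above, as an added example (not code from the deck or from WSO2): an identity provider hands out one public, omni-directional identifier and a per-relying-party, unidirectional one derived with an HMAC under a secret only the IdP holds, so the handles two relying parties hold cannot be matched up. The class, user names, realm URLs and secret are constructed for the demo.

```python
# Added example, not from the deck or from WSO2: directed identifiers as an
# identity provider might issue them. The omni-directional id is public and the
# same for every party; the unidirectional id is derived per relying-party realm
# with an HMAC under a secret only the IdP holds, so two relying parties that
# compare notes cannot link the user. Names, realms and secret are constructed.
import hashlib
import hmac

class IdentityProvider:
    def __init__(self, secret: bytes):
        self._secret = secret  # never leaves the IdP; rotating it re-keys every pairwise id

    def omnidirectional_id(self, user: str) -> str:
        # Public handle (think: the user's OpenID URL), deliberately discoverable.
        return f"https://idp.example/id/{user}"

    def unidirectional_id(self, user: str, rp_realm: str) -> str:
        # Pairwise handle: stable for (user, realm), unlinkable across realms.
        # Normalise the realm so trailing-slash or case variants map to one id.
        realm = rp_realm.rstrip("/").lower()
        msg = f"{realm}\x00{user}".encode()  # NUL separator keeps the fields unambiguous
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

def correlatable(handle_at_rp1: str, handle_at_rp2: str) -> bool:
    # All two colluding relying parties can do is compare the handles they hold.
    return hmac.compare_digest(handle_at_rp1, handle_at_rp2)

if __name__ == "__main__":
    idp = IdentityProvider(b"constructed-demo-secret")
    bank = idp.unidirectional_id("alice", "https://bank.example/")
    shop = idp.unidirectional_id("alice", "https://shop.example/")
    print("public id shared:", correlatable(idp.omnidirectional_id("alice"),
                                            idp.omnidirectional_id("alice")))
    print("pairwise ids linkable:", correlatable(bank, shop))
```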

How do we share data related to IDENTITY?

DIRECTORY SERVICES : LDAP/AD

IDENTITY attributes maintained in a central repo

IDENTITY attributes shared across multiple applications within the same domain

Enterprise SSO can be established within participating applications

Protocol incompatibilities could lead to silos

Directory awareness at the individual application level

[Diagram: HR, FINANCE and ERP applications, each with its own BUSINESS LOGIC, talk directly to LDAP/Active Directory; an EXTERNAL party connects the same way]

[Diagram: the same HR, FINANCE and ERP applications, and the EXTERNAL party, now go through an Identity Service that fronts LDAP/Active Directory]

IDENTITY as a SERVICE

Integrates IDENTITY services into application development

Decouples IDENTITY related logic from individual application business logic

User and IDENTITY related data externalized from the applications themselves

Adheres to SOA standards

IDENTITY SERVICES

AUTHENTICATION

AUTHORIZATION

AUDIT

IDENTITY PROVIDER

PROVISIONING

IDENTITY PROVIDER

Externalize IDENTITY attributes

Information Cards

OpenID

Identity Governance Framework [IGF]

AUTHENTICATION

User Name/Password

User centric identity : CardSpace/OpenID

AUTHORIZATION

Manages authorization logic

XACML

AUTHORIZATION - XACML

A general purpose authorization policy language

Policy Expressions

1. “Anyone can use web servers between 12:00 AM and 4:00 AM”
2. “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
3. “Anyone can view their own 401K information, but nobody else’s”
4. “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
5. “The primary physician can have any of her patients’ medical records sent to a specialist in the same”
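The policy expressions above, as an added example (not code from the deck or from WSO2): a toy policy decision point that mirrors how XACML turns a request's attributes into a decision through rule targets, conditions, effects and a combining algorithm, with expressions 1 to 3 encoded as rules. Attribute names and the request shape are constructed for the demo; real XACML expresses the same thing in XML.

```python
# Added example, not code from the deck or from WSO2: a toy policy decision
# point (PDP) that mirrors how XACML evaluates a request: attributes -> rule
# target and condition -> effect -> combining algorithm -> decision. The rules
# encode expressions 1 to 3 from the slide; attribute names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, object]  # flat attribute bag: subject, action, resource, env

@dataclass
class Rule:
    effect: str                        # "Permit" or "Deny"
    target: Callable[[Request], bool]  # does the rule apply to this request?
    condition: Callable[[Request], bool] = lambda r: True

def evaluate(rules: List[Rule], req: Request, combining="deny-overrides") -> str:
    """Return Permit, Deny or NotApplicable, like a PDP response."""
    effects = [r.effect for r in rules if r.target(req) and r.condition(req)]
    if not effects:
        return "NotApplicable"         # no rule matched; the PDP says nothing
    if combining == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    return "Permit" if "Permit" in effects else "Deny"   # permit-overrides

def pep_allows(rules: List[Rule], req: Request) -> bool:
    """A deny-biased PEP: only an explicit Permit opens the door, so a
    NotApplicable (e.g. from a missing attribute) is refused, never assumed."""
    return evaluate(rules, req) == "Permit"

RULES = [
    # 1. "Anyone can use web servers between 12:00 AM and 4:00 AM"
    Rule("Permit",
         lambda r: r.get("resource_type") == "web-server" and r.get("action") == "use",
         lambda r: 0 <= r.get("hour", -1) < 4),
    # 2. "Salespeople can create orders, but if the total cost is greater
    #     than $1M, a supervisor must approve"
    Rule("Permit",
         lambda r: r.get("role") == "salesperson" and r.get("action") == "create"
                   and r.get("resource_type") == "order",
         lambda r: r.get("total", 0) <= 1_000_000 or r.get("supervisor_approved") is True),
    # 3. "Anyone can view their own 401K information, but nobody else's":
    #     Permit for the owner, explicit Deny for anyone else; under
    #     deny-overrides the Deny would win if both ever matched.
    Rule("Permit",
         lambda r: r.get("resource_type") == "401k" and r.get("action") == "view",
         lambda r: "subject" in r and r["subject"] == r.get("owner")),
    Rule("Deny",
         lambda r: r.get("resource_type") == "401k" and r.get("action") == "view",
         lambda r: r.get("subject") != r.get("owner")),
]
```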

AUTHORIZATION - XACML

XACML Vs SAML

[Cartoon with two actors labelled SAML and XACML: “Here comes another request…” / “Let me process the Auth’Z request…”]

PROVISIONING

Supports administration of IDENTITY & ACCESS Management

Provides centralized policy administration and controls

SPML

Service Provisioning via SPML in SOA: Simplifying identity and resource management for distributed services, by Manivannan Gopalan
http://soa.sys-con.com/node/434383

AUDITING

Audit all IDENTITY events

AUDITING - XDAS

Distributed Audit Service

The principle of accountability

Detection of security policy violations

http://www.opengroup.org/pubs/catalog/p441.htm

IDENTITY SERVICES

AUTHENTICATION [InfoCards/OpenID]

AUTHORIZATION [XACML]

AUDIT [XDAS]

IDENTITY PROVIDER [OpenID/InfoCards]

PROVISIONING [SPML]

USER CENTRIC IDENTITY

User in control of identity interactions

Service Provider/User/Identity Provider

IDENTITY PROVIDER

SERVICE PROVIDER

Information Cards

OpenID

http://www.slideshare.net/prabathsiriwardena/understanding-openid/

BUILDING FEDERATED IDENTITY WITH OPENID

[Diagram with components labelled USER STORE, OpenID PROVIDER, REALM and SERVICE PROVIDER]

IDENTITY GOVERNANCE

Establishing policies, controls & enforcement mechanisms

WHY?

1. A fragile and brittle SOA implementation
2. Services that cannot easily be reused because they are unknown to developers or because they were not designed with reuse in mind
3. Lack of trust and confidence in services as enterprise assets, which results in a “build it myself” mentality
4. Security breaches that cannot easily be traced
5. Unpredictable performance

IDENTITY GOVERNANCE FRAMEWORK

1. Identity attribute service: a service that supports access to many different identity sources and enforces administrative policy
2. CARML: declarative syntax using which clients may specify their attribute requirements
3. AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information
4. Multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes

WSO2 IDENTITY SOLUTION

Questions…

Thank you…!
