By Prabath Siriwardena, WSO2
Identity as a Service
IDENTITY goes hand in hand with TRUST
What makes my IDENTITY?
My AGE is part of my IDENTITY
My PHONE NUMBER is part of my IDENTITY
My e-MAIL is part of my IDENTITY
My SSN is part of my IDENTITY
Who needs my IDENTITY?
My HR MANAGER
My FINANCE MANAGER
My PROJECT MANAGER
PARTNERS of my company
LAWS of IDENTITY
Kim Cameron's seven Laws of Identity: extending the internet with an identity management layer
LAWS of IDENTITY
User control & consent
Technical identity systems must only reveal information identifying a user with the user's consent.
LAWS of IDENTITY
Minimal disclosure for a given use
The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
LAWS of IDENTITY
Justifiable parties
A digital identity system must be designed so that disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
LAWS of IDENTITY
Directed Identity
A universal identity system must support both 'omni-directional' identifiers for use by public entities and 'unidirectional' identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
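As an added example (not part of this deck, and not how any particular OpenID or CardSpace implementation does it), the following Python shows one way an identity provider can issue the two kinds of identifier this law asks for: a published omni-directional identifier for a public entity, and a per-relying-party pseudonym for a private user, derived with a keyed hash so that two relying parties receive different handles and cannot join their records on them. The HMAC derivation, the key, the user id and the relying-party names are all assumptions of the example.

```python
"""Directed identifiers: one omni-directional handle for a public entity,
one unidirectional (pairwise) handle per relying party for a private user.

Added example for this page.  The HMAC-based derivation is an assumption of
the example, not something the deck or any product specifies.
"""
import hashlib
import hmac

# Constructed sample data: the provider's secret pairwise key and one user.
IDP_PAIRWISE_KEY = b"example-idp-secret-key-rotate-in-production"
USER_ID = "user-4711"  # internal identifier; never released to relying parties


def omnidirectional_identifier(public_entity: str) -> str:
    """Public entities (the IdP itself, a bank's login endpoint) want to be
    discoverable, so they publish one stable, globally known identifier."""
    return f"https://{public_entity}/"


def unidirectional_identifier(internal_user_id: str, relying_party: str,
                              key: bytes = IDP_PAIRWISE_KEY) -> str:
    """Derive a pseudonym that is stable for one relying party only.

    The MAC input binds the pseudonym to the relying party, so two relying
    parties get different values for the same user; the secret key keeps
    anyone holding a pseudonym from recovering or enumerating internal ids.
    """
    rp = relying_party.lower().rstrip("/")  # normalise so the handle stays stable
    digest = hmac.new(key, f"{internal_user_id}|{rp}".encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def can_correlate(handle_a: str, handle_b: str) -> bool:
    """All two colluding relying parties can do: compare the handles they hold."""
    return handle_a == handle_b


def demo() -> dict:
    """Issue handles for one user to two relying parties and check the properties."""
    hr = unidirectional_identifier(USER_ID, "hr.example.com")
    finance = unidirectional_identifier(USER_ID, "finance.example.com")
    hr_again = unidirectional_identifier(USER_ID, "HR.example.com/")
    return {
        "hr": hr,
        "finance": finance,
        "stable_for_same_rp": hr == hr_again,
        "correlatable_across_rps": can_correlate(hr, finance),
        "idp": omnidirectional_identifier("idp.example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The same user therefore looks like one stable principal to HR and like a different stable principal to Finance, while the provider's own identifier stays public and discoverable.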
LAWS of IDENTITY
Pluralism of operators & technologies
A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
LAWS of IDENTITY
Human Integration
The universal identity meta-system must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
LAWS of IDENTITY
Consistent experience across contexts
The unifying identity meta-system must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
How do we share data related to IDENTITY?
DIRECTORY SERVICES : LDAP/AD
IDENTITY attributes maintained in a central repository
IDENTITY attributes shared across multiple applications within the same domain
Enterprise SSO can be established among participating applications
Protocol incompatibilities can lead to identity silos
Directory awareness is required at the individual application level
[Diagram: HR, FINANCE and ERP applications, each carrying its own BUSINESS LOGIC together with directory-access code, bind directly to LDAP/Active Directory; an EXTERNAL party sits outside this arrangement.]
[Diagram: the same HR, FINANCE and ERP applications reach LDAP/Active Directory only through an Identity Service; the EXTERNAL party integrates through that same Identity Service.]
IDENTITY as a SERVICE
Integrates IDENTITY services into application development
Decouples IDENTITY-related logic from individual application business logic
User and IDENTITY-related data externalized from the applications themselves
Adheres to SOA standards
IDENTITY SERVICES
AUTHENTICATION
AUTHORIZATION
AUDIT
IDENTITY PROVIDER
PROVISIONING
IDENTITY PROVIDER
Externalize IDENTITY attributes
Information Cards
OpenID
Identity Governance Framework [IGF]
AUTHENTICATION
User Name/Password
User-centric identity: CardSpace/OpenID
AUTHORIZATION
Manages authorization logic
XACML
AUTHORIZATION - XACML
A general purpose authorization policy language
AUTHORIZATION - XACML
Policy Expressions
1. "Anyone can use web servers between 12:00 AM and 4:00 AM"
2. "Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve"
3. "Anyone can view their own 401K information, but nobody else's"
4. "The print formatting service can access printers and temporary storage on behalf of any user with the print attribute"
5. "The primary physician can have any of her patients' medical records sent to a specialist in the same"
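To make concrete how a general-purpose policy language like XACML evaluates expressions such as these, and how that keeps authorization logic out of application business logic, here is an added Python example (written for this page; it is not XACML itself and not any product's engine). It models the first three policy expressions above as attribute-based rules: a request carries subject, resource, action and environment attributes, each rule has a target (does it apply?) and a condition (does it then permit or deny?), and a deny-overrides combining algorithm resolves the individual effects. Attribute names, the "supervisor_approved" flag used to model approval, and the sample requests are all this example's own constructions.

```python
"""A minimal attribute-based policy decision point (PDP) in the XACML style.

Added example for this page, not XACML itself and not any product's engine.
It encodes the first three policy expressions from the slide; attribute names
and sample requests are constructed for the example.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Request = Dict[str, Dict[str, Any]]
Predicate = Callable[[Request], bool]


def make_request(subject: Dict[str, Any], resource: Dict[str, Any],
                 action: str, environment: Dict[str, Any] = None) -> Request:
    """Bundle the four XACML attribute categories into one request context."""
    return {"subject": subject, "resource": resource,
            "action": {"id": action}, "environment": environment or {}}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                               # "Permit" or "Deny"
    target: Predicate                         # which requests this rule is about
    condition: Predicate = lambda req: True   # checked only when the target matches

    def evaluate(self, req: Request) -> str:
        # XACML semantics: a rule whose target does not match, or whose
        # condition is false, contributes nothing ("NotApplicable").
        if not self.target(req):
            return "NotApplicable"
        return self.effect if self.condition(req) else "NotApplicable"


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Combining algorithm: any Deny wins, then any Permit, else NotApplicable."""
    decisions = [rule.evaluate(req) for rule in rules]
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def pep_allows(decision: str) -> bool:
    """Policy enforcement point: only an explicit Permit lets the request through,
    so a gap in policy (NotApplicable) fails closed rather than open."""
    return decision == "Permit"


# 1. "Anyone can use web servers between 12:00 AM and 4:00 AM"
web_server_window = Rule(
    "web-server-night-window", "Permit",
    target=lambda r: r["resource"].get("type") == "web-server" and r["action"]["id"] == "use",
    condition=lambda r: 0 <= r["environment"].get("hour", -1) < 4,
)

# 2. "Salespeople can create orders, but if the total cost is greater than $1M,
#    a supervisor must approve"  (approval modelled as a resource attribute)
sales_create_order = Rule(
    "sales-create-order", "Permit",
    target=lambda r: (r["subject"].get("role") == "salesperson"
                      and r["resource"].get("type") == "order"
                      and r["action"]["id"] == "create"),
    condition=lambda r: (r["resource"].get("total", 0) <= 1_000_000
                         or r["resource"].get("supervisor_approved") is True),
)

# 3. "Anyone can view their own 401K information, but nobody else's"
own_401k_view = Rule(
    "own-401k-view", "Permit",
    target=lambda r: r["resource"].get("type") == "401k" and r["action"]["id"] == "view",
    condition=lambda r: r["subject"].get("id") == r["resource"].get("owner"),
)
other_401k_deny = Rule(
    "other-401k-deny", "Deny",
    target=lambda r: r["resource"].get("type") == "401k" and r["action"]["id"] == "view",
    condition=lambda r: r["subject"].get("id") != r["resource"].get("owner"),
)

POLICY = [web_server_window, sales_create_order, own_401k_view, other_401k_deny]


def decide(req: Request) -> str:
    """What an application would call instead of embedding these checks itself."""
    return deny_overrides(POLICY, req)


if __name__ == "__main__":
    big_order = make_request({"id": "sam", "role": "salesperson"},
                             {"type": "order", "total": 2_500_000}, "create")
    print(decide(big_order), pep_allows(decide(big_order)))  # NotApplicable False
```

The business code only builds a request and calls `decide`; changing who may approve a large order, or the night-time window, is a policy edit rather than an application release. Note the explicit Deny rule for other people's 401K data: without it, a later Permit rule added by someone else could silently grant that access, whereas with deny-overrides it cannot.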
AUTHORIZATION - XACML
XACML vs SAML
[Cartoon: SAML: "Here comes another request…"; XACML: "Let me process the Auth'Z request…"]
PROVISIONING
Supports administration of IDENTITY & ACCESS Management
Provides centralized policy administration and controls
SPML
Reference: Manivannan Gopalan, "Service Provisioning via SPML in SOA: Simplifying identity and resource management for distributed services", http://soa.sys-con.com/node/434383
AUDITING
Audit all IDENTITY events
AUDITING - XDAS
Distributed Audit Service
The principle of accountability
Detection of security policy violations
Reference: http://www.opengroup.org/pubs/catalog/p441.htm
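The two points above, accountability and detection, are what a central audit of identity events buys you in practice. The following added Python example (written for this page, not XDAS code and not the XDAS wire format) shows the shape of it: every authentication and authorization outcome is recorded with who acted, what they did, on what, with what outcome, and which component observed it; two detectors then run over the stream to flag repeated authentication failures within a time window and repeated authorization denials against the same target. The record layout is this example's own simplification loosely following the XDAS event model, and the sample log lines are constructed.

```python
"""Centralised audit of identity events and detection of policy violations.

Added example for this page.  The record layout (initiator, action, target,
outcome, observer) is this example's own simplification, loosely following
the XDAS event model; it is not the XDAS format.  Sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    initiator: str   # who acted: authenticated identity, or the username claimed
    action: str      # e.g. "authenticate", "authorize:view", "provision"
    target: str      # what was acted upon: service, resource, account
    outcome: str     # "success" | "failure" | "permit" | "deny"
    observer: str    # component that emitted the record (idp, pdp, ...)


def parse_event(line: str) -> AuditEvent:
    """Parse one pipe-separated line: ISO-time|initiator|action|target|outcome|observer"""
    t, initiator, action, target, outcome, observer = line.split("|")
    return AuditEvent(datetime.fromisoformat(t), initiator, action, target, outcome, observer)


# Constructed sample audit stream from an OpenID provider (idp) and a PDP.
SAMPLE_LOG = """\
2009-03-02T09:00:01|alice|authenticate|openid-provider|success|idp
2009-03-02T09:00:05|mallory|authenticate|openid-provider|failure|idp
2009-03-02T09:00:07|mallory|authenticate|openid-provider|failure|idp
2009-03-02T09:00:09|mallory|authenticate|openid-provider|failure|idp
2009-03-02T09:00:12|mallory|authenticate|openid-provider|failure|idp
2009-03-02T09:01:00|bob|authorize:view|401k/alice|deny|pdp
2009-03-02T09:01:30|alice|authorize:view|401k/alice|permit|pdp
2009-03-02T10:15:00|carol|authenticate|openid-provider|failure|idp
2009-03-02T10:30:00|bob|authorize:view|401k/alice|deny|pdp
2009-03-02T10:31:00|bob|authorize:view|401k/alice|deny|pdp
"""


def load_events(text: str) -> List[AuditEvent]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def failed_auth_bursts(events: List[AuditEvent], threshold: int = 3,
                       window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Flag initiators with >= threshold authentication failures inside any
    sliding window; returns the largest burst seen per flagged initiator."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if e.action == "authenticate" and e.outcome == "failure":
            failures[e.initiator].append(e.time)
    flagged: Dict[str, int] = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def repeated_denials(events: List[AuditEvent], threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """Same initiator denied on the same target repeatedly: someone probing a
    policy boundary rather than a one-off mistake."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.action.startswith("authorize") and e.outcome == "deny":
            counts[(e.initiator, e.target)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG)
    print(failed_auth_bursts(evts))   # {'mallory': 4}
    print(repeated_denials(evts))     # {('bob', '401k/alice'): 3}
```

Because every record names an initiator and an observer, each flagged finding is attributable: the detectors report who did what against which target, which is the accountability the slide refers to; carol's single failure and alice's permitted read of her own record are correctly left alone.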
IDENTITY SERVICES
AUTHENTICATION [InfoCards/OpenID]
AUTHORIZATION [XACML]
AUDIT [XDAS]
IDENTITY PROVIDER [OpenID/InfoCards]
PROVISIONING [SPML]
USER CENTRIC IDENTITY
User in control of identity interactions
Service Provider/User/Identity Provider
IDENTITY PROVIDER
SERVICE PROVIDER
Information Cards
OpenID
http://www.slideshare.net/prabathsiriwardena/understanding-openid/
BUILDING FEDERATED IDENTITY WITH OPENID
[Diagram: an OpenID PROVIDER backed by a USER STORE; a SERVICE PROVIDER operating within its REALM relies on the OpenID PROVIDER for authentication.]
IDENTITY GOVERNANCE
Establishing policies, controls & enforcement mechanisms
IDENTITY GOVERNANCE
WHY?
1. A fragile and brittle SOA implementation
2. Services that cannot easily be reused because they are unknown to developers or because they were not designed with reuse in mind
3. Lack of trust and confidence in services as enterprise assets, which results in a "build it myself" mentality
4. Security breaches that cannot easily be traced
5. Unpredictable performance
IDENTITY GOVERNANCE
IDENTITY GOVERNANCE FRAMEWORK
1. Identity attribute service: a service that supports access to many different identity sources and enforces administrative policy
2. CARML: a declarative syntax with which clients specify their attribute requirements
3. AAPML: a declarative syntax with which providers of identity-related data express policy on the usage of that information
4. Multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes
WSO2 IDENTITY SOLUTION
Questions…
Thank you…!