
End-to-End Identity Management

Darshana Gunawardana, Senior Software Engineer

Harsha Thirimanna, Senior Software Engineer

WSO2 Platform

Agenda

o Need of having, for an enterprise:
  o Centralized authentication
  o Single Sign On
  o Provisioning
  o Account management
  o Workflow
  o Authorization
  o Federation

Start from the beginning

o Consider a startup: “Extern Inc.”
  o Handful of employees
  o No internal apps for employees
  o No worries :)

o After some time
  o Business is running well
  o Plan to expand the business; going to recruit more
  o Have several internal applications, including an HR system, email service etc.

User Accounts in all systems…

(Diagram) Robert (an employee) holds a separate account in each system:

o Cloud email Service: Username = “robert”, Password = “robert-pass”
o Expense Management System: Username = “robert2”, Password = “robert2-pass”
o HR System: Username = “robert_5”, Password = “K67robert2-AB-#2”

Plan for future : Centralized user store

o Which type of user store?
  o LDAP
  o Active Directory
  o Custom user schema over JDBC Database

Connecting Internal Apps

o Utilize the central user store by connecting all internal apps

o How to connect?
  o Standard authentication protocols
  o SAML2 SSO, OpenID Connect, OpenID, WS-Federation (passive)

o Need for a fully functional Identity Provider system

Centralized Identity Provider

(Diagram) Robert → Service provider (e.g. HR System) → Identity Provider (e.g. WSO2 IS) → Userstore

o Robert logs in with Username = “robert”, Password = “robert-pass”
o The service provider sends a standard authentication request to the Identity Provider, which checks the user store
o The Identity Provider issues a token, which is passed back to the service provider

All apps connected..!

(Diagram) Robert → Mail Client, HR System, Expense Management System → Identity Provider (e.g. WSO2 IS)

Credentials shown in the diagram: Username = “robert”, Password = “robert-pass” for each connected app (one label still shows the old “robert2” / “robert2-pass” account).

User experience

o Re-entering the same password too many times
o Solution: Single Sign On

SSO In General : Initial login

(Diagram) Identity provider (e.g. WSO2 IS) with its user data, and Service provider (e.g. HR System)

1. Log in request
2. Redirect to IDP URL
3. Request token
4. Authenticate
5. Redirect to SP with token
6. Send SAML token (Session: S1)

SSO In General : Subsequent logins

(Diagram) Identity provider (e.g. WSO2 IS) with its user data; Service provider 1 (e.g. HR System) already holds Session: S1; Service provider 2 (e.g. Cloud Mail Service)

1. Log in request
2. Redirect to IDP URL
3. Request token (session: IS1)
4. Bypass login page
5. Redirect to SP with token
6. Send SAML token (Session: S2)
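The two SSO slides above, as an added in-memory model (not code from the slides or from WSO2 IS): the first SP login authenticates Robert and opens IdP session IS1; the second SP reuses that session and the login page is bypassed. Session ids follow the diagrams; the classes, the user store and the opaque one-time token bound to one SP are assumptions made for illustration.

```python
import secrets

USER_STORE = {"robert": "robert-pass"}   # constructed user data behind the IdP


class IdentityProvider:
    def __init__(self):
        self.sessions = {}   # IdP session id (e.g. "IS1") -> username
        self.tokens = {}     # one-time token -> (username, SP it was issued for)

    def request_token(self, sp_name, idp_session=None, credentials=None):
        """Step 3: an SP requests a token. A live IdP session bypasses the login page
        (subsequent login, step 4); otherwise credentials open a new IdP session (initial login)."""
        if idp_session in self.sessions:
            sid = idp_session
        elif credentials and USER_STORE.get(credentials[0]) == credentials[1]:
            sid = f"IS{len(self.sessions) + 1}"
            self.sessions[sid] = credentials[0]
        else:
            return None, None
        token = secrets.token_hex(8)
        self.tokens[token] = (self.sessions[sid], sp_name)   # bound to the requesting SP
        return token, sid   # step 5: redirect back to the SP carrying the token

    def validate(self, token, sp_name):
        """Step 6: the SP presents the token; it must be unused and issued for this SP."""
        user, audience = self.tokens.pop(token, (None, None))
        return user if audience == sp_name else None


class ServiceProvider:
    _count = 0   # SP sessions are numbered S1, S2, ... across all SPs, as on the slides

    def __init__(self, name, idp):
        self.name, self.idp = name, idp

    def login(self, idp_session=None, credentials=None):
        """Steps 1-6 from the SP side; returns (SP session id, IdP session id) or (None, None)."""
        token, sid = self.idp.request_token(self.name, idp_session, credentials)
        user = self.idp.validate(token, self.name) if token else None
        if user is None:
            return None, None
        ServiceProvider._count += 1
        return f"S{ServiceProvider._count}", sid


def demo():
    idp = IdentityProvider()
    hr, mail = ServiceProvider("HR System", idp), ServiceProvider("Cloud Mail Service", idp)
    s1, is1 = hr.login(credentials=("robert", "robert-pass"))   # initial login -> S1, IS1
    s2, same = mail.login(idp_session=is1)                      # login page bypassed -> S2
    bad, _ = mail.login(credentials=("robert", "wrong"))        # wrong password -> no session
    return s1, is1, s2, same, bad
```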

Authentication Protocol Comparison

o SAML2
  o Most popular protocol, with several profiles
  o Supports single logout

o OpenID Connect
  o Becoming more popular
  o Has a strong set of supplementary specifications

o OpenID
  o Deprecated by most Identity Providers

o WS-Federation (passive)
  o Widely used with .NET applications

Sync Users to applications

o Many applications handle authorization internally

o Authorization check as a post-authentication task
  o Need to assign relevant attributes\roles
  o Sync the application with the centralized identity repository

Provisioning

(Diagram) The Identity server at Extern Inc. receives one request and fans it out to three applications

Inbound to the Identity server:
<<< Create User >>> Username: jane, Email: [email protected]

Outbound to the Cloud email service:
<<< Create User >>> Username: jane, Password: jane123, Email: [email protected]

Outbound to the Contacts Directory:
<<< Create User >>> Username: jane

Outbound to the Expense Management System:
<<< Create User >>> Username: [email protected]

Enterprise Identity Bus : Provisioning

o De-couples inbound\outbound provisioning
o Selective provisioning
o Rich processing on data
  o Subject mapping
  o Claim mapping
  o Role mapping
o Inbound provisioning: SCIM & SOAP
o Outbound provisioning: SCIM & SPML
o Extensibility to support any protocol
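The provisioning fan-out from the two slides above, as an added example (constructed here, not WSO2's provisioning framework): one inbound create request for jane becomes a different outbound request per target through subject mapping, claim mapping and a role gate for selective provisioning. Target names follow the slide; the rule format, the placeholder e-mail address, the role gate and the per-target random password are assumptions.

```python
import secrets

# Constructed inbound create request in SCIM style; the address is a placeholder, not a real one.
INBOUND = {"userName": "jane", "emails": ["jane@example.com"], "roles": ["employee"]}

# Per-target provisioning rules: how the subject is derived (subject mapping), which
# inbound claims are forwarded under which target name (claim mapping), whether the
# target keeps a local password, and a role gate used for selective provisioning.
TARGETS = {
    "Cloud email service": {"subject": "userName", "claims": {"Email": "emails"},
                            "local_password": True, "required_role": None},
    "Contacts Directory": {"subject": "userName", "claims": {},
                           "local_password": False, "required_role": None},
    "Expense Management System": {"subject": "emails", "claims": {},
                                  "local_password": False, "required_role": "employee"},
}


def first(value):
    """SCIM multi-valued attributes arrive as lists; targets want a single value."""
    return value[0] if isinstance(value, list) else value


def outbound_requests(user, targets=TARGETS):
    """Fan one inbound user out to {target: <<< Create User >>> payload}.
    Targets whose role gate the user does not pass are skipped (selective provisioning)."""
    out = {}
    for name, rule in targets.items():
        if rule["required_role"] and rule["required_role"] not in user.get("roles", []):
            continue
        req = {"Username": first(user[rule["subject"]])}           # subject mapping
        for target_claim, source_claim in rule["claims"].items():  # claim mapping
            req[target_claim] = first(user[source_claim])
        if rule["local_password"]:
            # Assumption: a target that needs its own password gets a fresh random one,
            # so the user's central IdP password never leaves the identity server.
            req["Password"] = secrets.token_urlsafe(12)
        out[name] = req
    return out
```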

Account Management

o Self registration
o Password\UserID recovery
o Update profile
o Enable two-factor authentication
o Associate accounts
o Password policy enforcement
o Account locking

Expansion in Extern Inc...

o Extern Inc. has acquired a new company in Europe

o New division to handle sales and marketing in Europe

o Identity management perspective:
  o A new user base
  o Different user store \ repository
  o Plug in to the current system as a secondary user store

Multiple User Stores

Need More Control?

(Diagram) The Identity server receives “Update roles” and “Update claims” requests; the administrators' requirements:

o “I need to approve assignments to the ‘Assessor’ role”
o “I need to approve all claims”
o “One of us has to approve all new assessors”

Get More Control with Workflows

(Diagram) Identity server: an “Update claims” request triggers an “Approve claims update” task, assigned to “Bob”

Get More Control with Workflows (Ctd..)

(Diagram) Identity server: an “Update roles” request triggers two “Approve role assignment” tasks, one assigned to the “supervisors” role and one assigned to “James”

Authorization

o Authentication: who the user is
o Authorization: what the user can do

What the User Can Do...

(Diagram) Service provider 1 (SP1) exposes the resources /data/files, /data/archives, /data/visualize and /data/details to the users Jane, David and Tao

What the User Can Do...

(Diagram) Service provider 1 (SP1), users Jane, David and Tao, with an access control policy:

If user = Tao and resource = /data/archives: Permit.
If role = Clark and action = write: Deny.
If role = Manager and resource = /data/files: Permit.

Authorization challenges

o Authorization rules change frequently
o Fine-grained authorization requirements

o Solution: XACML
  o Attribute-based access control standard
  o Rule-based access control
  o De-facto standard for fine-grained access control

XACML - Architecture

(Diagram) Users Tao, David and Jane → Policy Enforcement Point (PEP) guarding /data/files, /data/archives, /data/visualize and /data/details → Policy Decision Point → Policy Store, which is managed through the Policy Administration Point

Policies in the store:
If user = jane: Permit.
If role = clark and Action = write: Deny.
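The policy slide and the XACML architecture above, as an added example (constructed here, not WSO2's XACML engine): the three rules become targets in a policy store, a PDP evaluates them with deny-overrides combining, a PAP adds rules without touching application code, and a PEP fails closed on anything other than an explicit Permit. The rule wording is the slides'; the request attribute names, the use of a role list per user, the combining algorithm and the function names are assumptions.

```python
# Constructed request shape: {"user", "roles" (list), "resource", "action"}.
POLICY = [
    # (target predicate over the request attributes, effect): the rules on the policy slide
    (lambda r: r.get("user") == "Tao" and r.get("resource") == "/data/archives", "Permit"),
    (lambda r: "Clark" in r.get("roles", ()) and r.get("action") == "write", "Deny"),
    (lambda r: "Manager" in r.get("roles", ()) and r.get("resource") == "/data/files", "Permit"),
]


def pap_add_rule(policy, target, effect):
    """Policy Administration Point: rules change often, so they live in the policy
    store and are changed here, not in the application's code."""
    policy.append((target, effect))


def decide(request, policy=POLICY):
    """Policy Decision Point with deny-overrides combining: any matching Deny wins,
    otherwise Permit if some matching rule permits, otherwise NotApplicable."""
    decision = "NotApplicable"
    for target, effect in policy:
        if target(request):
            if effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def enforce(request, handler, policy=POLICY):
    """Policy Enforcement Point, like the ESB flow (Send on accept, Drop on reject):
    only an explicit Permit lets the request reach the handler; NotApplicable fails closed."""
    if decide(request, policy) != "Permit":
        return None
    return handler(request)
```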

XACML Policy Enforcement Points

o WSO2 ESB
o WSO2 API Manager

(Diagram) A WSO2 ESB proxy service in front of the Service provider (SP): Property [Set user] and Property [Set resource] feed the Entitlement mediator, which calls the XACML Engine (WSO2 IS); on accept the message is sent on to the SP, on reject it is dropped

Connecting with external parties

o Extern Inc. acquires a new company, “PlusX”, as a subsidiary

o PlusX has its own identity provider and its own internal apps connected to it

o Can PlusX employees use the Extern Inc. apps?

Connecting with external parties

(Diagram) An Identity server at Extern Inc. and one at PlusX. Jane wants to access the ‘Contact Directory’ app hosted by Extern Inc.

Extern Inc. Identity server: “You are not in my Identity Server!”
Jane: “But I am registered in PlusX”

Connecting with external parties

(Diagram) The Extern Inc. apps trust the local Identity server; the local Identity server trusts the Identity server in the PlusX office.

If PlusX says “This is Jane”, then Extern Inc. believes it. (Extern Inc. trusts the PlusX IdP)

Enterprise Identity Bus : Federation

o Easily connect new Identity Providers
o Protocol bridging
o Multi-step, multi-option authentication flows
o Inbuilt support for Social Login
o Zero changes on the Service Provider
o Rich processing on data
  o Subject mapping
  o Claim transformation
  o Role transformation
  o Home realm discovery
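The trust relationship from the “Connecting with external parties” slides and the federation features listed above, as an added example (constructed here, not WSO2's federation framework): Extern Inc.'s identity server believes “This is Jane” only if the assertion was issued by the trusted PlusX IdP for Extern as audience, then maps the subject and transforms the roles into its own namespace; home realm discovery routes a login id to the right IdP by its domain. A keyed HMAC stands in for a real assertion signature; the realm names, shared key, role map and function names are assumptions.

```python
import hashlib, hmac, json

LOCAL_REALM = "extern.example"                              # constructed realm name
TRUSTED_IDPS = {"plusx.example": b"plusx-shared-secret"}    # constructed trust store: issuer -> key
ROLE_MAP = {"employee": "partner_employee"}                 # role transformation; unmapped roles are dropped


def discover_realm(login_id):
    """Home realm discovery: send the user to the IdP for the domain in the login id;
    ids without a domain use the local user store; unknown domains are refused."""
    if "@" not in login_id:
        return LOCAL_REALM
    domain = login_id.rsplit("@", 1)[1]
    return domain if domain in TRUSTED_IDPS else None


def issue_assertion(issuer, key, subject, audience, roles):
    """What the PlusX IdP sends: a claims document plus a keyed MAC over it
    (a stand-in for the XML signature on a real SAML assertion)."""
    body = json.dumps({"iss": issuer, "sub": subject, "aud": audience, "roles": roles}, sort_keys=True)
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def accept_federated(body, sig, audience=LOCAL_REALM):
    """Extern Inc.'s IdP: accept the assertion only if a trusted IdP signed it for us.
    Returns the subject and roles mapped into Extern's namespace, or None."""
    claims = json.loads(body)
    key = TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:
        return None                                         # issuer is not a trusted IdP
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                                         # tampered or forged assertion
    if claims.get("aud") != audience:
        return None                                         # issued for some other relying party
    return {"subject": f'{claims["sub"]}@{claims["iss"]}',  # subject mapping
            "roles": [ROLE_MAP[r] for r in claims.get("roles", []) if r in ROLE_MAP]}
```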

Concepts in Reality

o Some external contributors have access to the community portal via self registration

o Employee life cycle in the company
  o Employee creation
  o Going through approval
  o Sync up with the required systems
  o SSO with all applications
  o Lock identity upon resignation

Q&A

Thank You!