Page 1: Enterprise Security Requirements

Enterprise Security Requirements

Dimtuthu Leelarathne Director, Solutions Architecture

Page 2: Enterprise Security Requirements

A dozen solution patterns for common identity problems

in an enterprise!

Page 3: Enterprise Security Requirements

Enterprise Security Landscape

Borders across systems don’t work anymore

Page 4: Enterprise Security Requirements

Why?

o  Open up APIs
o  Bring your own identity
   o  Identity maintained in one domain, accessed in other domains
   o  Social network identities
o  Bring your own device
o  Ecosystems
o  Mergers/Acquisitions

Page 5: Enterprise Security Requirements

An IAM System

Page 6: Enterprise Security Requirements

WSO2 Identity Server

o  5th Generation Product
   o  Current version 5.1.0 (released 2015)
o  Federated identity and entitlement is a key part of any distributed architecture
   o  Internal security threats, partnerships
   o  Mergers, de-mergers
   o  APIs, cloud systems
o  SSO is important, but need to federate and bridge across SSOs
o  Open standards for identity are changing the industry landscape
o  Based on WSO2 Carbon platform, which provides support for multi-tenancy, logging, clustering, and other common services

Page 7: Enterprise Security Requirements

Identity Server Landscape

Page 8: Enterprise Security Requirements

Enterprise Identity Bus

Page 9: Enterprise Security Requirements

Enterprise Identity Bus (EIB)

Page 10: Enterprise Security Requirements

Enterprise Identity Bus

Page 11: Enterprise Security Requirements

What Does an EIB Do?

Bridges

Tokens

•  OAuth/2

•  OpenID/OpenID Connect

•  SAML2

•  WS-Federation

•  Kerberos, etc.

Claims & Claim Dialects

•  Email Addresses

•  Phone Numbers

•  Names, etc.

User Stores

•  SPML, SCIM, Salesforce, Google, etc

•  Just in Time provisioning, inbound, outbound

Page 12: Enterprise Security Requirements

A Story

o  Kermit Co is an open-source product development company

o  It has employees, customers, and an open-source community

o  It has some internal systems used by employees and some external systems

o  Kermit Co is going to upgrade their identity infrastructure

Page 13: Enterprise Security Requirements

Kermit Cooperation

Page 14: Enterprise Security Requirements

Kermit Co has some internal Applications

o  Employees use several systems
   o  Office 365
   o  Redmine
   o  Salesforce
   o  Star Accounts
o  Employee LDAP in Kermit Datacenter cannot be synched to Cloud

Page 15: Enterprise Security Requirements

Problem

o  Employees need to access cloud-based and on-premise systems
o  De-centralized identities
o  Password exhaustion, re-login each time
   → When an employee logs in to one system, they should be logged in to the rest
o  Different systems use different protocols – SAML 2.0, WS-Federation

Page 16: Enterprise Security Requirements

SSO for Heterogeneous Systems using different Federation Protocols

Page 17: Enterprise Security Requirements

Problem

o  Ginger is from the finance team
o  Her account is hacked
o  All finance data is leaked
→ Need to implement Multi-Factor Authentication (MFA)
   o  Something you know, something you have, something you are
   o  Add FIDO and SMS OTP

Page 18: Enterprise Security Requirements

MFA in Multi-Steps

Page 19: Enterprise Security Requirements

Problem

o  Customers need to authenticate to several systems
   o  Website for product downloads
   o  JIRA for issue reporting
   o  Certification portal
   o  Partner portal
o  All customers are in a different LDAP

Page 20: Enterprise Security Requirements

Handling Different Types of Identities

o  Technically, customers could be added to the existing WSO2 IS, but customer identities are different:
   o  Scale is massive
   o  Control is not within the organization
   o  Self-service registration should be there
   o  Social identities & JIT provisioning
   o  Identity is low-assurance
   o  Delegated administration
   o  User experience must be excellent and distributed

Page 21: Enterprise Security Requirements

Managing Internal/External Identities

Page 22: Enterprise Security Requirements

Problem

o  Need to provide social sign-up/sign-in capabilities to the website
   o  Facebook, Google
o  When users sign up via social media, Kermit wants to add the user to the External Users DB
→ Do just-in-time provisioning to the External Users DB

Page 23: Enterprise Security Requirements

Identity Federation and JIT

Claim dialect mapping shown on the slide: first_name ↔ FirstName ↔ given_name (the same claim named differently in each dialect)

Page 24: Enterprise Security Requirements

Problem

o  How are the external users going to manage their profile?
   o  All external users need to manage their own profiles by logging into the website
o  Make website do direct LDAP calls?
o  Use APIs in WSO2 IS
   o  SCIM – System for Cross-domain Identity Management
   o  User Information Recovery Service
   o  User Management Service

I can use REST/SOAP calls to do user management

Page 25: Enterprise Security Requirements

Identity Management APIs

External Users

Page 26: Enterprise Security Requirements

Problem

o  Kermit employees need to login to external systems – JIRA, Website & Certificate Portal
o  Kermit employees are not in the external IdP
→ Kermit employee identities should be federated from internal IdP to external IdP and SPs

Page 27: Enterprise Security Requirements

Identity Federation – Custom Authenticator

Page 28: Enterprise Security Requirements

Problem

o  Matrix is a marketing analytics company that does lead identification for Kermit Co
o  It is a file-based batch process that updates Kermit’s Salesforce
o  Kermit Co wants to automate the process by exposing APIs
   o  addSQLead, getRawLeads, getUsers

Page 29: Enterprise Security Requirements

Expose OAuth Protected APIs
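An added example (not from the slides or WSO2) of the resource-server side of slides 28-29: the three APIs offered to Matrix are each bound to one narrow OAuth scope, and every call is checked against the token introspection response before it reaches Salesforce-updating code. The scope names, client identifiers and introspection responses are constructed; the field names follow RFC 7662.

```python
from __future__ import annotations
import time

# Least privilege: each API named on the slide maps to one narrow scope, so a token
# that may read leads cannot add them. Scope names are constructed for this example.
REQUIRED_SCOPE = {
    "addSQLead":   "leads:write",
    "getRawLeads": "leads:read",
    "getUsers":    "users:read",
}


def authorize(operation: str, introspection: dict, allowed_clients: set[str],
              now: float | None = None) -> tuple[bool, str]:
    """Decide whether a bearer token may invoke `operation`.

    `introspection` is the JSON the authorization server returned for the token
    (RFC 7662 fields: active, scope, client_id, exp). Returns (allowed, reason);
    every path that is not an explicit match ends in a deny.
    """
    now = time.time() if now is None else now
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        return False, "unknown operation"          # default deny for anything unmapped
    if introspection.get("active") is not True:
        return False, "token inactive"
    exp = introspection.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"              # a missing expiry is treated as expired
    if introspection.get("client_id") not in allowed_clients:
        return False, "client not allowed"         # only the registered partner (e.g. Matrix)
    granted = set(introspection.get("scope", "").split())
    if needed not in granted:
        return False, f"missing scope {needed}"
    return True, "ok"
```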

Page 30: Enterprise Security Requirements

Problem

o  Kermit Infra team wants to automate provisioning
   o  Provisioning users to apps
   o  LDAP synching + LDAP groups give the same end result as provisioning
   o  Per-app roles need to be managed in central LDAP; can be quite large
o  WSO2 IS adaptors can be used for rule-based provisioning
o  Same control domain → can use either (automated provisioning or LDAP synching)
o  Different control domain → use provisioning

Page 31: Enterprise Security Requirements

Rule-Based User Provisioning

Page 32: Enterprise Security Requirements

Problem

o  Kermit HCI expert wants to avoid showing the login screen on the IdP
o  He wants the login choices to be displayed on the web site itself
→ Home Realm Identifier

Page 33: Enterprise Security Requirements

Federation Hub

Page 34: Enterprise Security Requirements

Kermit Co has a pretty decent Identity Infrastructure!

Page 35: Enterprise Security Requirements
Page 36: Enterprise Security Requirements

Gonzo Group of Companies

o  Group of companies with 3 main companies
o  Problem – Require a centralized, highly controlled IAM program for its external users

Page 37: Enterprise Security Requirements

Multi-tenant Identity Server

Page 38: Enterprise Security Requirements

Problem

o  Gonzo, the group of companies, wants centralized fine-grained authorization policies
o  Render menu items on the web site using centralized authorizations
o  All internally developed apps should comply with the centralized policy registry

Page 39: Enterprise Security Requirements

Fine-grained Centralized Authorization
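An added example (not from the slides or WSO2's entitlement engine) of the pattern on slides 38-39: one attribute-based policy registry with deny-overrides combining, queried per menu item so the web site renders only what the central policy permits. The rules, subject attributes and menu items are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    effect: str      # "Permit" or "Deny"
    resource: str    # e.g. "menu:finance-reports"
    action: str
    condition: dict  # subject attribute -> set of acceptable values; all must match


# One policy registry shared by every internally developed Gonzo app (constructed).
POLICY = [
    Rule("Permit", "menu:home", "view", {}),                                    # everyone
    Rule("Permit", "menu:finance-reports", "view", {"department": {"finance"}}),
    Rule("Permit", "menu:distributors", "view", {"role": {"sales", "admin"}}),
    Rule("Deny",   "menu:distributors", "view", {"company": {"contractor"}}),  # overrides the Permit above
    Rule("Permit", "menu:admin", "view", {"role": {"admin"}}),
]

MENU = ["menu:home", "menu:finance-reports", "menu:distributors", "menu:admin"]


def _matches(rule: Rule, subject: dict) -> bool:
    """An empty condition matches every subject; otherwise every attribute must match."""
    return all(subject.get(attr) in values for attr, values in rule.condition.items())


def decide(subject: dict, resource: str, action: str) -> str:
    """Policy decision point with deny-overrides combining: any applicable Deny wins,
    otherwise any applicable Permit, otherwise NotApplicable (which callers treat as deny)."""
    applicable = [r for r in POLICY
                  if r.resource == resource and r.action == action and _matches(r, subject)]
    if any(r.effect == "Deny" for r in applicable):
        return "Deny"
    if any(r.effect == "Permit" for r in applicable):
        return "Permit"
    return "NotApplicable"


def render_menu(subject: dict) -> list[str]:
    """The web site asks the PDP per item instead of hard-coding roles in the UI."""
    return [item for item in MENU if decide(subject, item, "view") == "Permit"]
```

Hiding a menu item is not enforcement: the request handler behind each item must call the same decide() before serving, otherwise the page is still reachable by URL.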

Page 40: Enterprise Security Requirements

Problem

o  Gonzo wants all distributor registrations through their website to go through an approval process

Page 41: Enterprise Security Requirements

Workflows

Page 42: Enterprise Security Requirements

Other Advanced Patterns https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389

Page 43: Enterprise Security Requirements
Page 44: Enterprise Security Requirements

CONTACT US!