WSO2 Identity Server
Prabath Siriwardena, Senior Software Architect
An open source Identity & Entitlement management server
(55 slides)

Transcript of the slides:

Page 1:

WSO2 Identity Server

Prabath Siriwardena, Senior Software Architect

Page 2:

An open source Identity & Entitlement management server

Page 3:

An open source Identity & Entitlement management server

Authentication

User stores: AD, LDAP, JDBC

Page 4:

Authentication

Page 5:

An open source Identity & Entitlement management server

Authentication / Single Sign On

SAML2, Kerberos, WS-Fed Passive

Page 6:

OpenID

Decentralized Single Sign On
Single user profile
Widely used for community & collaboration aspects
Multifactor Authentication [Infocard, XMPP]
OpenID relying party components

Page 7:

SAML2

Single Sign On / Single Logout
Widely used by *aaS providers [Google Apps, Salesforce]
SAML2 Web SSO Profile
SAML2 Attribute Profile
Distributed Federated SAML2 IdPs
Used in WSO2 StratosLive

Page 8:

WS-Fed Passive

Single Sign-On with SharePoint

Page 9:

An open source Identity & Entitlement management server

Authentication / Single Sign On

Provisioning

SCIM, SPML

Page 10:

Provisioning

Page 11:

Provisioning to heterogeneous systems

(diagram labels: Google Adaptor, SF Adaptor)

Page 12:

Open standards for provisioning

2001 : OASIS PS TC
2003 : SPML 1.0
2003 : WS-Provisioning
2006 : SPML 2.0
2010 : SCIM community
2011 : SCIM 1.0
2011 : RESTPML
2012 : SCIM 1.1

Page 13:

Open standards for provisioning

(diagram label: Provisioning Service Point)

Page 14:

System for Cross-domain Identity Management

(diagram labels: SCIM Consumer, SCIM Service Provider exposing /Users and /Groups)

Page 15:

System for Cross-domain Identity Management

add-user.json:

{
  "schemas": [],
  "name": {"familyName": "siriwardena", "givenName": "prabath"},
  "userName": "prabath",
  "password": "prabath123",
  "emails": [
    {"primary": true, "value": "[email protected]", "type": "home"},
    {"value": "[email protected]", "type": "work"}
  ]
}

curl command:

curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Page 16:

System for Cross-domain Identity Management

add-group.json (the trailing comma after "displayName" on the slide is not valid JSON and is dropped here):

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "idnext",
  "displayName": "IdentityNext"
}

curl command:

curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
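The two curl calls above only show the consumer side. As an added example (not WSO2 Charon code and not from the slides), the following is a minimal in-memory SCIM 1.x service provider for the same two endpoints, showing what the server must do with those requests: check the HTTP Basic credentials that --user puts on the wire, validate the JSON, treat "password" as a write-only attribute that is hashed and never echoed back, assign "id" itself (a client-supplied "id" such as "idnext" is ignored), and refuse a duplicate userName. Everything named is constructed for the demo: the admin:admin credential (the stock default, which should be changed before the server is exposed), the copied payloads, and the generated ids. Two practitioner caveats on the curl lines themselves: -k disables certificate verification, so the credentials can be captured by anyone who can interpose on the TLS session, and Basic auth is base64, not encryption.

```python
"""Minimal in-memory SCIM 1.x service provider for POST /Users and POST /Groups.
Added example; constructed credential, payloads and ids; not WSO2 code."""
import base64
import hashlib
import hmac
import json
import os
import uuid

CORE_SCHEMA = "urn:scim:schemas:core:1.0"

# Constructed copy of the slide's add-user.json (email domain elided as on the page).
ADD_USER = json.dumps({
    "schemas": [],
    "name": {"familyName": "siriwardena", "givenName": "prabath"},
    "userName": "prabath", "password": "prabath123",
    "emails": [{"primary": True, "value": "[email protected]", "type": "home"}],
})


def basic_header(user: str, password: str) -> str:
    """What curl's --user user:password sends: base64 of 'user:password', no secrecy."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def group_body(display_name: str, *member_ids: str) -> str:
    """An add-group.json style body; members reference ids returned by /Users."""
    return json.dumps({"schemas": [CORE_SCHEMA], "id": "idnext", "displayName": display_name,
                       "members": [{"value": m} for m in member_ids]})


class ScimError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status, self.detail = status, detail


class ScimServiceProvider:
    def __init__(self, credentials: dict):
        self._creds = credentials            # e.g. {"admin": "admin"}: constructed default
        self.users, self.groups = {}, {}
        self._salt = os.urandom(16)

    def _authenticate(self, headers: dict) -> None:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            raise ScimError(401, "HTTP Basic credentials required")
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
        except ValueError:                   # binascii.Error and UnicodeDecodeError subclass it
            raise ScimError(401, "Malformed Authorization header")
        expected = self._creds.get(user, "").encode()
        # constant-time compare; unknown user and wrong password are indistinguishable
        if not (user in self._creds and hmac.compare_digest(expected, pw.encode())):
            raise ScimError(401, "Bad credentials")

    def handle(self, method: str, path: str, headers: dict, body: str):
        """Dispatch one request the way the server would; returns (status, response_dict)."""
        try:
            self._authenticate(headers)
            if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
                raise ScimError(415, "Content-Type must be application/json")
            try:
                payload = json.loads(body)
            except json.JSONDecodeError as err:
                raise ScimError(400, f"Invalid JSON: {err.msg}")
            if (method, path) == ("POST", "/Users"):
                return 201, self._create_user(payload)
            if (method, path) == ("POST", "/Groups"):
                return 201, self._create_group(payload)
            raise ScimError(404, "No such resource")
        except ScimError as e:
            return e.status, {"Errors": [{"description": e.detail, "code": str(e.status)}]}

    def _create_user(self, u: dict) -> dict:
        name = u.get("userName")
        if not name:
            raise ScimError(400, "userName is required")
        if any(r["userName"] == name for r in self.users.values()):
            raise ScimError(409, "userName already exists")
        resource = {k: v for k, v in u.items() if k not in ("password", "id")}
        resource["schemas"] = u.get("schemas") or [CORE_SCHEMA]   # slide sent []; fill core schema
        resource["id"] = str(uuid.uuid4())                         # id is read-only, server-assigned
        if "password" in u:   # write-only: hashed at rest, never returned to a consumer
            resource["_pw"] = hashlib.pbkdf2_hmac("sha256", u["password"].encode(), self._salt, 100_000)
        self.users[resource["id"]] = resource
        return {k: v for k, v in resource.items() if k != "_pw"}

    def _create_group(self, g: dict) -> dict:
        if not g.get("displayName"):
            raise ScimError(400, "displayName is required")
        for m in g.get("members", []):
            if m.get("value") not in self.users:   # members must resolve to provisioned users
                raise ScimError(400, f"member {m.get('value')!r} is not a known User")
        resource = {k: v for k, v in g.items() if k != "id"}       # client "id": "idnext" ignored
        resource["schemas"] = g.get("schemas") or [CORE_SCHEMA]
        resource["id"] = str(uuid.uuid4())
        self.groups[resource["id"]] = resource
        return dict(resource)
```

The response for a created user carries the server-assigned id but never the password; the group call is expected to reference that id in "members", which is how a consumer chains the two slide commands in a real provisioning flow.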

Page 17:

System for Cross-domain Identity Management

Page 18:

Federated Provisioning Patterns

One way provisioning

(diagram labels: Provisioning Service Provider in Domain A, Domain B and Domain C; SCIM Consumer)

Page 19:

Federated Provisioning Patterns

One way provisioning with broker mode

(diagram labels: Provisioning Service Provider in Domain A, Domain B and Domain C; SCIM Consumer)

Page 20:

Federated Provisioning Patterns

Bi-directional provisioning

(diagram labels: Provisioning Service Provider in Domain A, Domain B and Domain C; a SCIM Consumer in each)

Page 21:

Federated Provisioning Patterns

Multi-directional provisioning with a centralized PSP

(diagram labels: a central Provisioning Service Provider; Provisioning Service Provider and SCIM Consumer in each of Domain A, Domain B and Domain C)

Page 22:

Federated Provisioning Patterns

Just-in-time provisioning with SAML2

(diagram labels: Provisioning Service Provider, SAML2 IdP, Domain A, Domain B; steps numbered 1 to 4)

Page 23:

Federated Provisioning Patterns

Just-in-time provisioning with SAML2

(diagram labels: Provisioning Service Provider, SAML2 IdP, Domain A, Domain B; steps numbered 1 to 5)

Page 24:

Multi-tenancy

(diagram labels: one Provisioning Service Provider serving the tenants wso2.com and facilelogin.com; SCIM Consumer (wso2.com), SCIM Consumer (facilelogin.com))

Page 25:

WSO2 Charon

Page 26:

An open source Identity & Entitlement management server

Authentication / Single Sign On

Provisioning

Auditing

XDAS

Page 27:

Auditing

Page 28:

An open source Identity & Entitlement management server

Authentication / Single Sign On

Provisioning

Auditing

Delegation

WS-Trust

Page 29:

Delegation

Pages 30 to 33:

OAuth Evolution (four diagram slides, no text)

Page 34:

OAuth

Identity Delegation
Securing RESTful services
2-legged & 3-legged OAuth 1.0a
XACML integration with OAuth
OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials and Client Credentials grants

Page 35:

An open source Identity & Entitlement management server

Authentication / Single Sign On

Provisioning

Auditing

Delegation

Federation

WS-Trust, SAML2

Page 36:

Federation

Page 37:

Security Token Service

Supports WS-Trust 1.3/1.4
SAML 1.0/1.1/2.0 token profiles
Claim management

Page 38:

Federation Patterns

Cross Domain Authentication with WS-Trust

(diagram labels: Security Token Service, Consumer App, Resource, Domain A, Domain B)

Page 39:

Federation Patterns

Cross Domain Authentication with Kerberos and WS-Trust

Pages 40 to 42:

Federation Patterns

Decentralized Federated SAML2 IdPs (three diagram slides)

Page 43:

An open source Identity & Entitlement management server

Role Based Access Control

Page 44:

An open source Identity & Entitlement management server

Role Based Access Control

Attribute Based Access Control

Page 45:

An open source Identity & Entitlement management server

Role Based Access Control

Attribute Based Access Control

Policy Based Access Control

XACML

Page 46:

An open source Identity & Entitlement management server

Role Based Access Control

Attribute Based Access Control

Policy Based Access Control

XACML / WS-XACML over SOAP

Page 47:

An open source Identity & Entitlement management server

Role Based Access Control

Attribute Based Access Control

Policy Based Access Control

XACML over SOAP and REST

Page 48:

XACML

The de-facto standard for authorization

XACML 3.0
Support for multiple PIPs
Policy distribution
Decision / Attribute caching
UI wizard for defining policies
Notifications on policy updates
TryIt tool

Page 49:

XACML

Entitlement engine architecture (diagram labels):

Entry points: EntitlementService and EntitlementPolicyAdminService, reachable over SOAP / Thrift / WS-XACML
Policy Decision Point: XACML Engine with a Policy Cache and a Decision Cache
Policy Administration Point (SOAP)
Attribute Finder extensions: Default Finder, LDAP, backed by an Attribute Cache
Extensions
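The slide names the moving parts (PDP, XACML engine, policy and decision caches, attribute finders acting as PIPs, and a PAP that publishes policy updates) but not how they interact. The following is an added toy model of that interaction, not the WSO2 entitlement engine: policies are Python predicates over request attributes rather than XACML XML, the "LDAP" user store is a constructed dict, and the subjects, resources and policy ids are invented for the demo. What it shows is the point the slide's "Notifications on policy updates" and "Decision / Attribute caching" features imply together: a decision cache keyed on the request alone keeps returning Permit after either the policy or the subject's directory attributes change, unless the PAP notification and the attribute store both invalidate what they cached.

```python
"""Toy XACML-style PDP with policy, decision and attribute caches.
Added example with constructed data; not the WSO2 engine."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str


@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[Dict[str, str]], bool]   # predicate over the resolved attributes


class LdapAttributeFinder:
    """PIP: resolves subject attributes the request did not carry.
    A dict stands in for LDAP; results land in the attribute cache."""

    def __init__(self, directory: Dict[str, Dict[str, str]]):
        self.directory = directory
        self.cache: Dict[str, Dict[str, str]] = {}
        self.lookups = 0                          # real (uncached) directory hits

    def find(self, subject: str) -> Dict[str, str]:
        if subject not in self.cache:
            self.lookups += 1
            self.cache[subject] = dict(self.directory.get(subject, {}))
        return self.cache[subject]

    def invalidate(self, subject: str) -> None:
        self.cache.pop(subject, None)


class PolicyDecisionPoint:
    """Deny-overrides combining over all published policies, with a decision cache."""

    def __init__(self, pip: LdapAttributeFinder):
        self.pip = pip
        self.policy_cache: Dict[str, List[Rule]] = {}
        self.decision_cache: Dict[Tuple[str, str, str], str] = {}
        self.evaluations = 0                      # full engine runs, cache hits excluded

    def evaluate(self, req: Request) -> str:
        key = (req.subject, req.resource, req.action)
        if key in self.decision_cache:
            return self.decision_cache[key]
        attrs = {"subject": req.subject, "resource": req.resource, "action": req.action}
        attrs.update(self.pip.find(req.subject))
        self.evaluations += 1
        effects = [r.effect for rules in self.policy_cache.values()
                   for r in rules if r.condition(attrs)]
        decision = ("Deny" if "Deny" in effects else
                    "Permit" if "Permit" in effects else "NotApplicable")
        self.decision_cache[key] = decision
        return decision


class PolicyAdministrationPoint:
    """PAP: publishing a policy notifies the PDP, which drops every cached decision."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def publish(self, policy_id: str, rules: List[Rule]) -> None:
        self.pdp.policy_cache[policy_id] = rules
        self.pdp.decision_cache.clear()


def demo() -> Dict[str, object]:
    """Walks the cache-hit, deny-overrides and stale-decision cases; returns what happened."""
    directory = {"alice": {"role": "manager", "dept": "finance"},      # constructed user store
                 "bob": {"role": "engineer", "dept": "eng"}}
    pip = LdapAttributeFinder(directory)
    pdp = PolicyDecisionPoint(pip)
    pap = PolicyAdministrationPoint(pdp)
    pap.publish("finance-reports", [Rule("Permit", lambda a: a["resource"] == "/reports"
                                         and a["action"] in ("read", "write")
                                         and a.get("dept") == "finance")])
    pap.publish("no-write", [Rule("Deny", lambda a: a["action"] == "write")])
    read = Request("alice", "/reports", "read")
    first = pdp.evaluate(read)                                   # Permit: LDAP lookup + evaluation
    second = pdp.evaluate(read)                                  # Permit: decision cache hit
    bob = pdp.evaluate(Request("bob", "/reports", "read"))       # NotApplicable: wrong dept
    write = pdp.evaluate(Request("alice", "/reports", "write"))  # Deny overrides the Permit
    directory["alice"]["dept"] = "eng"                           # alice moves out of finance
    stale = pdp.evaluate(read)           # still Permit: nothing told the caches anything changed
    pip.invalidate("alice")                                      # drop the cached attributes
    pap.publish("finance-reports", pdp.policy_cache["finance-reports"])  # notification clears decisions
    fresh = pdp.evaluate(read)                                   # NotApplicable after re-evaluation
    return {"first": first, "second": second, "bob": bob, "write": write, "stale": stale,
            "fresh": fresh, "lookups": pip.lookups, "evaluations": pdp.evaluations}
```

The counters make the caching visible: the second read costs neither a directory lookup nor an engine run, and the stale Permit is served the same way, which is why a production PDP bounds decision and attribute cache lifetimes and wires policy-update notifications to cache invalidation rather than relying on either cache alone.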

Pages 50 to 53:

XACML (four diagram slides, no text)

Page 54:

What Do We Have Now?

User stores with LDAP/AD/JDBC
Multiple user stores
OpenID
SAML2
Kerberos
Integrated Windows Authentication
Information Cards
XACML 2.0/3.0
OAuth 1.0a/2.0
Security Token Service with WS-Trust
SCIM 1.1
WS-XACML
WS-Fed Passive

Page 55:

Thank You…!!!

[email protected]