Enterprise Security Requirements
Dimuthu Leelarathne, Director, Solutions Architecture
A dozen solution patterns for common identity problems in an enterprise!
Enterprise Security Landscape
Borders across systems don't work anymore
Why?
o Open up APIs
o Bring your own identity
o Identity maintained in one domain, accessed in other domains
o Social network identities
o Bring your own device
o Ecosystems
o Mergers/Acquisitions
An IAM System
WSO2 Identity Server
o 5th generation product
o Current version 5.1.0 (released 2015)
o Federated identity and entitlement is a key part of any distributed architecture
o Internal security threats, partnerships
o Mergers, de-mergers
o APIs, cloud systems
o SSO is important, but SSOs need to be federated and bridged across each other
o Open standards for identity are changing the industry landscape
o Based on the WSO2 Carbon platform, which provides support for multi-tenancy, logging, clustering, and other common services
Identity Server Landscape
Enterprise Identity Bus (EIB)
What Does an EIB Do?
Bridges
Tokens
• OAuth/2
• OpenID/OpenID Connect
• SAML2
• WS-Federation
• Kerberos, etc.
Claims & Claim Dialects
• Email Addresses
• Phone Numbers
• Names, etc.
User Stores
• SPML, SCIM, Salesforce, Google, etc.
• Just-in-time provisioning, inbound and outbound
A Story
o Kermit Co is an open-source product development company
o It has employees, customers, open-source community
o It has some internal systems used by employees and some external systems
o Kermit Co is going to upgrade their identity infrastructure
Kermit Corporation
Kermit Co has some internal applications
o Employees use several systems:
  o Office 365
  o Redmine
  o Salesforce
  o Star Accounts
o Employee LDAP in the Kermit datacenter cannot be synched to the cloud
Problem
o Employees need to access cloud-based and on-premise systems
o De-centralized identities
o Password exhaustion, re-login each time → when an employee logs in to one system he should be logged in to the rest
o Different systems use different protocols – SAML 2.0, WS-Federation
SSO for Heterogeneous Systems using different Federation Protocols
Problem
o Ginger is from the finance team
o Her account is hacked
o All finance data is leaked
→ Need to implement Multi-Factor Authentication (MFA)
o Something you know, something you have, something you are
o Add FIDO and SMS OTP
MFA in Multi-Steps
Problem
o Customers need to authenticate to several systems:
  o Website for product downloads
  o JIRA for issue reporting
  o Certification portal
  o Partner portal
o All customers are in a different LDAP
Handling Different Types of Identities
o Technically they can be added to the existing WSO2 IS, but customer identities are different:
  o Scale is massive
  o Control is not within the organization
  o Self-service registration should be there
  o Social identities & JIT provisioning
  o Identity is low-assurance
  o Delegated administration
  o User experience must be excellent and distributed
Managing Internal/External Identities
Problem
o Need to provide social sign-up/sign-in capabilities to the website
o Facebook, Google
o When users sign up via social media, Kermit wants to add the user to the External Users DB
→ Do just-in-time provisioning to the External Users DB
Identity Federation and JIT
[Figure: the same first-name claim expressed in three claim dialects – first_name, FirstName, given_name]
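The claim-dialect bridging and JIT provisioning described above, as an added example (not code from the slides or from WSO2 Identity Server): inbound OIDC claims (given_name) are mapped to a local dialect (first_name), the user is provisioned into an External Users store on first login, and the claims are re-emitted in the service provider's SAML dialect (FirstName). The dialect tables, required-claim list and in-memory store are constructed for this example.

```python
# Added example (not from the slides): an identity-bus style claim bridge.
# Inbound claims in a social IdP's dialect (OIDC: given_name) are mapped to the
# local dialect (first_name), the user is JIT-provisioned into an "External Users"
# store, and the claims are re-emitted in the service provider's dialect (SAML:
# FirstName). Dialect tables and the in-memory store are constructed for this example.
from dataclasses import dataclass, field

# Each dialect's attribute name -> local (canonical) claim name.
DIALECTS = {
    "oidc": {"given_name": "first_name", "family_name": "last_name", "email": "email"},
    "saml": {"FirstName": "first_name", "LastName": "last_name", "EmailAddress": "email"},
}
REQUIRED_LOCAL_CLAIMS = ("first_name", "email")


def to_local(dialect, claims):
    """Translate claims of a known dialect into local claims; unmapped keys are dropped."""
    mapping = DIALECTS[dialect]
    local = {mapping[k]: v for k, v in claims.items() if k in mapping}
    missing = [c for c in REQUIRED_LOCAL_CLAIMS if c not in local]
    if missing:  # refuse to provision from an assertion that lacks mandatory attributes
        raise ValueError(f"inbound {dialect} assertion lacks required claims: {missing}")
    return local


def from_local(dialect, local):
    """Translate local claims into an outbound dialect via the reverse mapping."""
    reverse = {v: k for k, v in DIALECTS[dialect].items()}
    return {reverse[k]: v for k, v in local.items() if k in reverse}


@dataclass
class ExternalUserStore:
    """Constructed in-memory stand-in for the External Users DB, keyed by e-mail."""
    users: dict = field(default_factory=dict)

    def jit_provision(self, local_claims, idp):
        """Create the user on first federated login; True when newly created."""
        key = local_claims["email"].lower()
        if key in self.users:
            self.users[key].update(local_claims)  # refresh attributes on later logins
            return False
        self.users[key] = {**local_claims, "provisioned_from": idp}
        return True


def bridge_login(store, idp, inbound_dialect, claims, sp_dialect):
    """Inbound assertion -> local claims -> JIT provisioning -> claims for the SP."""
    local = to_local(inbound_dialect, claims)
    created = store.jit_provision(local, idp)
    return created, from_local(sp_dialect, local)
```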
Problem
o How are the external users going to manage their profiles?
o All external users need to manage their own profiles by logging into the website
o Make the website do direct LDAP calls?
o Use APIs in WSO2 IS:
  o SCIM – System for Cross-domain Identity Management
  o User information recovery service
  o User management service
"I can use REST/SOAP calls to do user management"
Identity Management APIs
Problem
o Kermit employees need to log in to external systems – JIRA, website & certification portal
o Kermit employees are not in the external IdP
→ Kermit employee identities should be federated from the internal IdP to the external IdP and SPs
Identity Federation – Custom Authenticator
Problem
o Matrix is a marketing analytics company that does lead identification for Kermit Co
o It is a file-based batch process that updates Kermit's Salesforce
o Kermit Co wants to automate the process by exposing APIs
o addSQLead, getRawLeads, getUsers
Expose OAuth Protected APIs
Problem
o Kermit infra team wants to automate provisioning
o Provisioning users to apps
o LDAP synching + LDAP groups give the same end result as provisioning
o Per-app roles need to be managed in the central LDAP; this can be quite large
o WSO2 IS adaptors can be used for rule-based provisioning
o Same control domain → can use either (automated provisioning or LDAP synching)
o Different control domain → use provisioning
Rule-Based User Provisioning
Problem
o Kermit's HCI expert wants to avoid showing the login screen on the IdP
o He wants the login choices to be displayed on the website itself
→ Home Realm Identifier
Federation Hub
Kermit Co has a pretty decent Identity Infrastructure!
Gonzo Group of Companies
o Group of companies with 3 main companies
o Problem – require a centralized, highly controlled IAM program for its external users
Multi-tenant Identity Server
Problem
o Gonzo, the group of companies, wants centralized fine-grained authorization policies
o Render menu items on the website using centralized authorization
o All internally developed apps should comply with the centralized policy registry
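The centralized, fine-grained authorization the slides ask for, as an added example (not code from the slides or from WSO2 Identity Server): a small attribute-based policy decision point with deny-overrides combining, which the website queries to decide which menu items to render. The rules, roles, company names and menu items are constructed for this example.

```python
# Added example (not from the slides): a minimal centralized policy decision point
# (PDP) in the spirit of an attribute-based, XACML-like policy registry. The website
# asks the PDP which menu items a user may see instead of hard-coding the rules.
# Rules, roles, company names and menu items are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    effect: str           # "Permit" or "Deny"
    resource: str         # menu item / resource name; "*" matches any resource
    action: str           # e.g. "view"
    roles: frozenset      # subject roles the rule targets; empty = any subject
    companies: frozenset  # group companies the rule is scoped to; empty = any company


# Central policy registry that every internally developed app must consult.
POLICY_REGISTRY = [
    Rule("Permit", "home", "view", frozenset(), frozenset()),
    Rule("Permit", "orders", "view", frozenset({"distributor"}), frozenset()),
    Rule("Permit", "invoices", "view", frozenset({"distributor", "finance"}), frozenset()),
    Rule("Permit", "*", "view", frozenset({"admin"}), frozenset()),
    # Company B's invoices are handled elsewhere: nobody from it sees them, whatever their role.
    Rule("Deny", "invoices", "view", frozenset(), frozenset({"company-b"})),
]
MENU_ITEMS = ("home", "orders", "invoices", "admin-console")


def rule_matches(rule, subject, resource, action):
    """A rule applies when resource, action, subject roles and company all match its target."""
    if rule.resource not in ("*", resource) or rule.action != action:
        return False
    if rule.roles and not rule.roles & subject["roles"]:
        return False
    return not rule.companies or subject["company"] in rule.companies


def decide(subject, resource, action, rules=POLICY_REGISTRY):
    """Deny-overrides combining: any matching Deny wins, else Permit if one matched."""
    effects = {r.effect for r in rules if rule_matches(r, subject, resource, action)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def visible_menu(subject, items=MENU_ITEMS):
    """Render only items the PDP explicitly permits; NotApplicable counts as no access."""
    return [item for item in items if decide(subject, item, "view") == "Permit"]
```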
Fine-grained Centralized Authorization
Problem
o Gonzo wants all distributor registrations through their website to go through an approval process
Workflows
Other Advanced Patterns: https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389