wso2con usa 2014 - identity server tutorial
DESCRIPTION
WSO2Con USA 2014 - Identity Server TutorialTRANSCRIPT
WSO2 Identity ServerAn open source Identity and Entitlement Management Server
Prabath Siriwardena, Director of Security ArchitectureJohann Nallathamby, Product Lead – Identity Server
An open source Identity & Entitlement management server
An open source Identity & Entitlement management server
Authentication
ADLDAP JDBC
Authentication
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
SAML2 Kerberos WS-Fed Passive
OpenID
Decentralized Single Sign On Single user profile Widely used for community &
collaboration aspects Multifactor Authentication
[Infocard, XMPP] OpenID relying party
components
SAML2
Single Sign On / Single Logout Widely used *aaS providers [Google Apps, Salesforce] SAML2 Web SSO Profile SAML2 Attribute Profile Distributed Federated SAML2 IdPs Used in WSO2 StratosLive
SharePoint
WS-Fed Passive
Single Sign-On
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
Provisioning
SCIMSPML
Provisioning
Heterogeneous systems
Goog
le
Adap
to
r
SF
Adapto
r
Open standards for provisioning
2001 : OASIS PS TC
2003 : SPML 1.02003 : WS-Provisioning
2006 : SPML 2.02010 : SCIM community
2011 : SCIM 1.0
2012 : SCIM 1.1
2011 : RESTPML
Open standards for provisioning
Pro
vis
ion
in
g
Serv
ice
Poin
t
System for Cross-domain Identity Management
SCIM Service Provider
/Users
/GroupsSCIM Consumer
System for Cross-domain Identity Management
{ "schemas":[], "name":{"familyName":”siriwardena","givenName":”prabath"}, "userName":”prabath","password":”prabath123", "emails":[{"primary":true,"value":”[email protected]","type":"home"},
{"value":”[email protected]","type":"work"}]}
curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
add-user.json
curl command
System for Cross-domain Identity Management
{ "schemas": ["urn:scim:schemas:core:1.0"], "id": "idnext", "displayName": "IdentityNext",}
curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
add-group.json
curl command
System for Cross-domain Identity Management
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
One way provisioning
Provisioning Service Provider
Provisioning Service Provider
Domain C
SCIM Consumer
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
One way provisioning with broker mode
Provisioning Service Provider
Provisioning Service Provider
Domain C
SCIM Consumer
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Bi-directional provisioning
Provisioning Service Provider
Provisioning Service Provider
Domain C
SCIM Consumer
SCIM Consumer
SCIM Consumer
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Multi-directional provisioning with a centralized PSP
Provisioning Service Provider
Provisioning Service Provider
Domain C
SCIM Consumer
SCIM Consumer
SCIM Consumer
Provisioning Service Provider
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Just-in-time provisioning with SAML2
SAML2 IdP
1
2
3
4
Provisioning Service Provider
Domain A
Domain B
Federated Provisioning Patterns
Just-in-time provisioning with SAML2
SAML2 IdP
1
2
3
5
4
Provisioning Service Provider
Multi-tenancy
SCIM Consumer (facilelogin.com)
SCIM Consumer (wso2.com)
wso2.com
facilelogin.com
WSO2 Charon
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
Provisioning
Auditing Delegation
WS-TRUST
Delegation
OAuth Evolution
OAuth Evolution
OAuth Evolution
OAuth Evolution
OAuth
Identity Delegation Securing RESTful services 2-legged & 3-legged OAuth 1.01 XACML integration with OAuth OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials, Client Credentials
An open source Identity & Entitlement management server
AuthenticationSingle Sign On
Provisioning
Auditing DelegationFederation
WS-TRUSTSAML2
Fed
era
tion
Security Token Service
Supports WS-Trust 1.3/1.4 SAML 1.0/1.1/2.0 token profiles Claim management
Security Token Service
Consumer App
Resource
Domain A
Domain B
Federation Patterns
Cross Domain Authentication with WS-Trust
Federation Patterns
Cross Domain Authentication with Kerberos and WS-Trust
Federation Patterns
Decentralized Federated SAML2 IdPs
Federation Patterns
Decentralized Federated SAML2 IdPs
Federation Patterns
Decentralized Federated SAML2 IdPs
Identity Bus
Identity BusO
pera
tors
Serv
ice P
rovid
ers
Identity BusO
pera
tors
Serv
ice P
rovid
ers
SAML 2.0
OpenID Connect / SAML 2.0
Op
en
ID C
on
nect
Op
en
ID C
on
nect
Identity Bus
SAML 2.0
OpenID Connect / SAML 2.0
Identity Bus
SAML 2.0
SAML 2.0
SAML 2.0
SAML 2.0
Identity BusO
pera
tors
Serv
ice P
rovid
ers
Identity Bus
1Scenario - 1
http://ebuy.federationdemo.com:9766/ebuy/
Identity Bus
2
OpenID ConnectRequest
Scenario - 1
1502808989
Identity Bus
3
OpenID ConnectRequest
Scenario - 1
Identity Bus
4
< credentials >
Scenario - 1
User : tom_imobilePassword: tom_imobile
Identity Bus
4Scenario - 1
Identity Bus
5
OpenID ConnectResponse
Scenario - 1
Identity Bus
6
OpenID ConnectResponse
Scenario - 1
Identity Bus
7Scenario - 1
Identity Bus
1Scenario - 2
http://azone.federationdemo.com:9766/azone/
9477808989
Identity Bus
2
OpenID Connect Request
Scenario - 2
Identity Bus
3
SAML2.0 Request
Scenario - 2
Identity Bus
3
OAuth 2.0
Scenario - 2
Identity Bus
4
< credentials >
Scenario - 2
Identity Bus
4
OAuth 2.0 response
Scenario - 2
Identity Bus
5
SAML2 Response
Scenario - 2
Identity Bus
6
OpenID ConnectResponse
Scenario - 2
Identity Bus
7Scenario - 2
Provisioning Bus
Federation Silos
Spaghetti Identity
Why Identity Bus?
• Introducing a new service provider is extremely easy. • Removing an existing service provider is extremely easy. • Introducing an new identity provider is extremely easy. • Removing an existing identity provider is extremely easy. You only
need to remove the identity provider from the identity bus.• Enforcing new authentication protocols is extremely easy. • Claim transformations. • Role mapping. • Just-in-time provisioning. • Centralized monitoring and auditing.• Introducing a new federation protocol needs minimal changes.
An open source Identity & Entitlement management server
Role Based Access Control
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
XACML
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
SOAP
XACML / WS-XACML
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
SOAP
REST
XACML
XACML
The de-facto standard for authorization
XACML 3.0 Support for multiple PIPs Policy distribution Decision / Attribute caching UI wizard for defining policies Notifications on policy updates TryIt tool
XACML
EntitlementService EntitlementPolicyAdminService
Policy Decision Point
Policy Cache
Decision Cache
XACML Engine
ExtensionsPolicy
Administration Point
Attribute Finder
Extensions
Default Finder
LDAP
Attribute Cache
SOAP/Thrift/WS-XACML
SOAP
XACML
XACML
XACML
XACML
XACML – Reverse Lookup
XACML – Policy Governance
XACML – Access Monitoring
Identity Server 5.0.0 Architecture
Identity Broker Interop with ADFS
Identity Broker Interop with ADFS
Identity Broker Interop with ADFS
Mobile IdP Proxy
What Do We Have Now ?
User stores with LDAP/AD/JDBC Multiple user stores OpenID SAML2 Kerberos Integrated Windows Authentication Information Cards XACML 2.0/3.0 OAuth 1.0a/2.0 Security Token Service with WS-Trust SCIM 1.1 WS-XACML WS-Fed Passive
