To view a recording of this webinar, use the URL below:
http://wso2.com/library/webinars/2016/05/end-to-end-identity-management/
In today’s rapidly evolving world, enterprise identity management has proven challenging because the associated systems, corporate policies and stakeholder requirements change constantly. Identities and their privileges across systems therefore need to be managed in a flexible manner, so that governing identities and controlling access does not cost fresh effort every time something changes.
There are many industry-standard specifications in this domain, which makes it difficult to select the correct one. Some address the same problem with slight variations, and some look similar but address completely different problems.
This webinar will discuss:
The real problems that need to be addressed when managing enterprise identity
Key challenges when implementing these concepts
How to overcome these challenges and build a future-proof identity and access management system with WSO2 Identity Server
3. Agenda
o Why an enterprise needs:
o Centralized authentication
o Single Sign On
o Provisioning
o Account management
o Workflow
o Authorization
o Federation
4. Start from the beginning
o Consider a startup: “Extern Inc.”
o A handful of employees
o No internal apps for employees
o No worries :)
o After some time
o Business is running well
o Plans to expand the business; going to recruit more
o Several internal applications, including an HR system, an email service, etc.
5. User Accounts in all systems…
Robert (an employee) ends up with a separate account, and a separate password, in every system:
o Cloud email service: Username = “robert”, Password = “robert-pass”
o Expense management system and HR system: Username = “robert2”, Password = “robert2-pass” in one; Username = “robert_5”, Password = “K67robert2-AB-#2” in the other
Each system stores and checks its own copy of the credentials under its own password rules, so Robert has a different (and, as the examples show, mostly guessable) password to remember per system.
6. Plan for future : Centralized user store
o Which type of user store?
o LDAP
o Active Directory
o Custom user schema over JDBC Database
7. Connecting Internal Apps
o Utilize the central user store by connecting all internal apps to it
o How to connect?
o Standard authentication protocols
o SAML2 SSO, OpenID Connect, OpenID, WS-Federation (passive)
o This requires a fully functional identity provider
11. SSO In General : Initial login
Parties: the user, a service provider (e.g. HR System) and the identity provider (e.g. WSO2 IS) with its user data.
1. Log in request from the user to the service provider
2. Service provider redirects the browser to the IdP URL
3. Request token from the identity provider
4. Identity provider authenticates the user against its user data
5. Redirect to the service provider with the token
6. Send SAML token to the service provider, which creates its own session (Session: S1)
12. SSO In General : Subsequent logins
The user, already holding Session: S1 at Service provider 1 (e.g. HR System), now opens Service provider 2 (e.g. Cloud Mail Service).
1. Log in request from the user to service provider 2
2. Service provider 2 redirects the browser to the IdP URL
3. Request token; the identity provider already has a session for this user (session: IS1)
4. Bypass login page: no credentials are asked for again
5. Redirect to service provider 2 with the token
6. Send SAML token to service provider 2, which creates its own session (Session: S2); Session: S1 at service provider 1 is unaffected
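The two flows above, as an added runnable model (not code from the webinar or from WSO2 Identity Server): the identity provider keeps its own session IS1, so the second service provider receives a token without the user seeing the login page again, and each service provider verifies issuer, audience and expiry before opening its own session. The token is a JSON body plus an HMAC under a key shared with the service providers, standing in for the IdP-signed XML assertion of real SAML2; the issuer name, service provider ids, user and keys are constructed for the example.

```python
"""Toy model of the SSO exchange on slides 11 and 12: the identity provider keeps
its own session (IS1), so the second service provider gets a token without a
second login.  Tokens here are a JSON body plus an HMAC under one shared key
(standing in for the IdP's signing key and certificate); real SAML2 carries an
XML assertion signed with the IdP's private key.  Names and keys are constructed."""
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "idp.extern.example"          # assumed issuer name


class IdentityProvider:
    def __init__(self, user_store, registered_sps, signing_key):
        self.user_store = user_store        # username -> password (constructed sample)
        self.registered_sps = registered_sps
        self.signing_key = signing_key
        self.sessions = {}                  # IdP session id (IS1, ...) -> username
        self.login_prompts = 0              # how often the login page was actually shown

    def request_token(self, sp_id, idp_session=None, credentials=None):
        """Steps 3-5: return (idp_session, token) for a registered service provider."""
        if sp_id not in self.registered_sps:
            raise PermissionError("unregistered service provider")
        if idp_session in self.sessions:
            username = self.sessions[idp_session]          # slide 12 step 4: bypass login page
        else:
            self.login_prompts += 1                        # slide 11 step 4: authenticate
            username, password = credentials or ("", "")
            if self.user_store.get(username) != password:
                raise PermissionError("authentication failed")
            idp_session = secrets.token_hex(8)
            self.sessions[idp_session] = username
        return idp_session, self._issue(sp_id, username)

    def _issue(self, sp_id, username):
        now = int(time.time())
        claims = {"iss": IDP_ISSUER, "sub": username, "aud": sp_id,
                  "iat": now, "exp": now + 300}           # short-lived token
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return {"body": body.decode(), "sig": sig}


class ServiceProvider:
    def __init__(self, sp_id, idp_key):
        self.sp_id, self.idp_key = sp_id, idp_key
        self.sessions = {}                  # SP session id (S1, S2) -> username

    def consume_token(self, token):
        """Step 6: verify the token and open a local session; returns the session id."""
        body = token["body"].encode()
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            raise PermissionError("bad signature")
        claims = json.loads(body)
        if claims["iss"] != IDP_ISSUER:
            raise PermissionError("unknown issuer")
        if claims["aud"] != self.sp_id:
            raise PermissionError("token issued for a different service provider")
        if claims["exp"] < time.time():
            raise PermissionError("token expired")
        sid = secrets.token_hex(8)
        self.sessions[sid] = claims["sub"]
        return sid


def run_demo():
    """Robert logs in to the HR system, then opens the cloud mail service."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider({"robert": "K67robert2-AB-#2"}, {"hr-system", "cloud-mail"}, key)
    hr, mail = ServiceProvider("hr-system", key), ServiceProvider("cloud-mail", key)

    # Slide 11: first login, credentials are entered once and IdP session IS1 is created.
    is1, token1 = idp.request_token("hr-system", credentials=("robert", "K67robert2-AB-#2"))
    s1 = hr.consume_token(token1)

    # Slide 12: second SP, the browser presents IS1 so the login page is bypassed.
    is1_again, token2 = idp.request_token("cloud-mail", idp_session=is1)
    s2 = mail.consume_token(token2)

    # The HR token must not be accepted by the mail service (audience check).
    try:
        mail.consume_token(token1)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    return {"login_prompts": idp.login_prompts,
            "same_idp_session": is1 == is1_again,
            "sp1_user": hr.sessions[s1], "sp2_user": mail.sessions[s2],
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is where the trust sits: the IdP session cookie (IS1) is what turns step 4 into a bypass, so it is the credential to protect, and the service provider never accepts a token it cannot bind to itself as audience.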
13. Authentication Protocol Comparison
o SAML2
o Most popular protocol, with several profiles
o Supports single logout
o OpenID Connect
o Becoming more popular
o Has a strong set of supplementary specifications
o OpenID
o Deprecated by most identity providers
o WS-Federation (passive)
o Widely used with .NET applications
14. Sync Users to applications
o Many applications handle authorization internally
o The authorization check runs as a post-authentication task
o The relevant attributes/roles therefore need to be assigned inside the application
o Sync the application with the centralized identity repository
15. Provisioning
The identity server of Extern Inc. receives a single request:
<<< Create User >>> Username: jane, Email: jane@extern.com
and provisions the account into each connected system in that system's own shape:
o Cloud email service: <<< Create User >>> Username: jane, Password: jane123, Email: jane@extern.com
o Contacts Directory: <<< Create User >>> Username: jane
o Expense Management System: <<< Create User >>> Username: jane@extern.com
16. Enterprise Identity Bus : Provisioning
o Decouples inbound/outbound provisioning
o Selective provisioning
o Rich processing on data
o Subject mapping
o Claim mapping
o Role mapping
o Inbound provisioning : SCIM & SOAP
o Outbound provisioning : SCIM & SPML
o Extensibility to support any protocol
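How the bus turns the one Create User request of slide 15 into the three differently shaped requests, as an added example that is not code from the webinar or from WSO2 Identity Server: each target has its own subject mapping (which canonical claim becomes the username), claim mapping, role mapping and a selective-provisioning rule, and the result is a SCIM 2.0 User resource (RFC 7643) per selected target. The connector table, role names and the rule that only staff get an expense account are assumptions made for the example.

```python
"""Outbound provisioning as on slides 15 and 16: one canonical user from the
identity server is turned into a per-target create request after subject,
claim and role mapping, and only for the targets whose selection rule matches.
Targets speak SCIM 2.0 (RFC 7643 User resource); the connector table, names
and rules are assumptions made for this example."""
import secrets

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Per-target connector definition (assumed):
#   subject          - which canonical claim becomes the target's userName
#   claims           - canonical claim -> target attribute
#   roles            - canonical role -> target role name (unmapped roles are not sent)
#   select           - selective provisioning rule; False means the target is skipped
#   initial_password - the target needs a password at create time
TARGETS = {
    "cloud-email": {
        "subject": "username",
        "claims": {"email": "emails", "display_name": "displayName"},
        "roles": {},
        "select": lambda u: True,
        "initial_password": True,
    },
    "contacts-directory": {
        "subject": "username",
        "claims": {},
        "roles": {},
        "select": lambda u: True,
        "initial_password": False,
    },
    "expense-management": {
        "subject": "email",                         # this system keys users by email
        "claims": {"email": "emails"},
        "roles": {"finance-approver": "Approver", "staff": "Submitter"},
        "select": lambda u: "staff" in u["roles"],  # contractors never get an expense account
        "initial_password": False,
    },
}


def build_scim_user(user, spec):
    """Map one canonical user onto a SCIM 2.0 User create payload for one target."""
    payload = {"schemas": [SCIM_USER], "userName": user[spec["subject"]]}
    for claim, attribute in spec["claims"].items():
        value = user.get(claim)
        if value is None:
            continue                        # never send an empty attribute
        if attribute == "emails":           # SCIM multi-valued attribute
            payload[attribute] = [{"value": value, "primary": True}]
        else:
            payload[attribute] = value
    mapped_roles = [spec["roles"][r] for r in user["roles"] if r in spec["roles"]]
    if mapped_roles:
        payload["roles"] = [{"value": r} for r in mapped_roles]
    if spec["initial_password"]:
        # Random one-time password per target; a fixed value like the "jane123"
        # on slide 15 is exactly what a provisioning bridge should never emit.
        payload["password"] = secrets.token_urlsafe(16)
    return payload


def provision(user, targets=TARGETS):
    """Return {target name: SCIM payload} for every target selected for this user."""
    return {name: build_scim_user(user, spec)
            for name, spec in targets.items() if spec["select"](user)}


if __name__ == "__main__":
    jane = {"username": "jane", "email": "jane@extern.com",
            "display_name": "Jane Doe", "roles": ["staff", "finance-approver"]}
    for target, payload in provision(jane).items():
        print(target, payload)
```

Each payload would be POSTed to the target's SCIM `/Users` endpoint; a target that does not speak SCIM (the SPML case on slide 16) only needs a different serializer behind the same connector table.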
17. Account Management
o Self Registration
o Password/User ID recovery
o Update profile
o Enable two factor authentication
o Associate accounts
o Password policy enforcement
o Account locking
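Two of the controls above, password policy enforcement and account locking, as an added example (not code from the webinar or from WSO2 Identity Server): the policy is checked when an account is created or a password is set, a run of failed logins locks the account for a timeout, and an administrative lock (the "lock identity upon resignation" step later in the deck) cannot expire. The thresholds, the policy rules and the sample users are assumptions for the example; the clock is injectable so the timeout can be exercised without waiting.

```python
"""Account management controls from slide 17: password policy enforcement at
registration or password change, account locking after repeated failed logins,
and an administrative lock (slide 33: lock the identity when an employee leaves).
Thresholds, policy rules and the sample users are assumptions for this example."""
import hashlib
import hmac
import os
import re
import time


class PasswordPolicyError(ValueError):
    pass


class AccountManager:
    MIN_LENGTH = 12
    MIN_CLASSES = 3            # of lower, upper, digit, symbol
    MAX_FAILURES = 3           # consecutive failures before a temporary lock
    LOCK_SECONDS = 15 * 60

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so the lock timeout can be tested
        self.accounts = {}

    def policy_violations(self, username, password):
        """Return the list of policy rules the password breaks (empty = acceptable)."""
        problems = []
        if len(password) < self.MIN_LENGTH:
            problems.append(f"shorter than {self.MIN_LENGTH} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < self.MIN_CLASSES:
            problems.append(f"fewer than {self.MIN_CLASSES} character classes")
        if username.lower() in password.lower():
            problems.append("contains the username")
        return problems

    def create(self, username, password):
        """Create the account; the policy is enforced before anything is stored."""
        problems = self.policy_violations(username, password)
        if problems:
            raise PasswordPolicyError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": self._hash(password, salt),
                                   "failures": 0, "locked_until": 0.0, "admin_locked": False}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username, password):
        """Return 'ok', 'invalid' or 'locked'; unknown users look like a wrong password."""
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"
        now = self.clock()
        if acct["admin_locked"] or now < acct["locked_until"]:
            return "locked"                 # no password check at all while locked
        if hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self.MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + self.LOCK_SECONDS
            return "locked"
        return "invalid"

    def admin_lock(self, username, locked=True):
        """Administrative lock, e.g. when the employee resigns; never times out."""
        self.accounts[username]["admin_locked"] = locked


if __name__ == "__main__":
    mgr = AccountManager()
    print(mgr.policy_violations("robert", "robert-pass"))   # the slide-5 password
    mgr.create("robert", "Tq9#vLm2!pRx4")
    print([mgr.login("robert", "wrong") for _ in range(3)])  # third attempt locks
```

Note that a locked account returns "locked" even for the correct password, and that the lockout counter is only reset by a successful login; a temporary lock that could be cleared by a further guess would defeat its purpose.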
18. Expansion in Extern Inc...
o Extern Inc. has acquired a new company in Europe
o A new division handles sales and marketing in Europe
o Identity management perspective:
o A new user base
o A different user store repository
o Plugged into the current system as a secondary user store
20. Need More Control?
Role updates and claim updates currently go straight into the identity server, but the stakeholders want a say:
o “I need to approve assignments to the ‘Assessor’ role”
o “I need to approve all claims”
o “One of us has to approve all new assessors”
21. Get More Control with Workflows
A claims update is no longer applied directly: the identity server turns it into an “Approve claims update” task assigned to “Bob”, and the update takes effect only once Bob approves it.
22. Get More Control with Workflows (Ctd..)
A role update is held in the same way: “Approve role assignment” tasks are created, one assigned to the “supervisors” role and one assigned to “James”, and the role is assigned only after the approvals are given.
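The approval gate of slides 20 to 22, as an added example that is not code from the webinar or from WSO2 Identity Server: a requested role or claim change is parked as a task, routed either to a named approver ("Bob" for claims, "James" for the Assessor role) or to anyone holding the "supervisors" role, and written to the directory only when an entitled approver approves it. The routing table, the users and the separation-of-duties rule (nobody approves a change they requested or that targets themselves) are assumptions for the example.

```python
"""Approval workflow for identity changes as on slides 20-22: a role or claim
update is parked as a task, routed to an approver (a named user or anyone in
the "supervisors" role) and applied only once approved.  Routing table,
users and the separation-of-duties rule are assumptions for this example."""
import itertools

# Which changes need approval and who may approve them (assumed routing table).
# ("claim", "*") matches every claim update; roles without an entry are applied directly.
APPROVAL_ROUTES = {
    ("role", "Assessor"): {"roles": {"supervisors"}, "users": {"James"}},
    ("claim", "*"):       {"roles": set(),          "users": {"Bob"}},
}


class WorkflowEngine:
    def __init__(self, directory):
        self.directory = directory        # username -> {"roles": set, "claims": dict}
        self.tasks = {}
        self._ids = itertools.count(1)

    @staticmethod
    def _route(kind, name):
        return APPROVAL_ROUTES.get((kind, name)) or APPROVAL_ROUTES.get((kind, "*"))

    def request(self, requester, kind, subject, name, value=None):
        """Submit a change; returns ('applied', None) or ('pending', task id)."""
        route = self._route(kind, name)
        if route is None:
            self._apply(kind, subject, name, value)
            return "applied", None
        task_id = next(self._ids)
        self.tasks[task_id] = {"requester": requester, "kind": kind, "subject": subject,
                               "name": name, "value": value, "route": route,
                               "state": "pending"}
        return "pending", task_id

    def _check_approver(self, task_id, approver):
        task = self.tasks[task_id]
        if task["state"] != "pending":
            raise ValueError("task already decided")
        if approver in (task["requester"], task["subject"]):
            raise PermissionError("requester or subject may not decide their own change")
        route = task["route"]
        holds_role = bool(self.directory[approver]["roles"] & route["roles"])
        if approver not in route["users"] and not holds_role:
            raise PermissionError(f"{approver} is not an approver for this change")
        return task

    def approve(self, task_id, approver):
        task = self._check_approver(task_id, approver)
        task["state"], task["approver"] = "approved", approver
        self._apply(task["kind"], task["subject"], task["name"], task["value"])

    def reject(self, task_id, approver):
        task = self._check_approver(task_id, approver)
        task["state"], task["approver"] = "rejected", approver

    def _apply(self, kind, subject, name, value):
        entry = self.directory[subject]
        if kind == "role":
            entry["roles"].add(name)
        else:
            entry["claims"][name] = value


if __name__ == "__main__":
    people = {n: {"roles": set(), "claims": {}} for n in ("Jane", "Bob", "James", "Tom")}
    people["Sara"] = {"roles": {"supervisors"}, "claims": {}}
    wf = WorkflowEngine(people)
    print(wf.request("Tom", "role", "Jane", "Assessor"))   # ('pending', 1)
    wf.approve(1, "Sara")                                  # any supervisor may approve
    print(people["Jane"]["roles"])
```

The directory is only ever written from `_apply`, so a pending or rejected task leaves no trace in the user's roles or claims, which is the property the stakeholders on slide 20 are asking for.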
24. What the User Can Do...
Service provider 1 (SP1) hosts the resources /data/files, /data/archives, /data/visualize and /data/details; the users are Jane, David and Tao. Which of them may do what with which resource?
25. What the User Can Do...
The same users and SP1, now with an access control policy:
o If user = Tao and resource = /data/archives: Permit.
o If role = Clark and action = write: Deny.
o If role = Manager and resource = /data/files: Permit.
26. Authorization challenges
o Authorization rules change frequently
o Fine-grained authorization requirements
o Solution: XACML
o Attribute-based access control standard
o Rule-based access control
o De-facto standard for fine-grained access control
28. XACML Policy Enforcement Points
o WSO2 ESB
o WSO2 API Manager
Example with WSO2 ESB: a proxy service first sets the request attributes (Property [Set user], Property [Set resource]) and then the Entitlement mediator sends them to the XACML engine (WSO2 IS) for a decision. On accept the message is sent on to the service provider (SP); on reject it is dropped (Send / Drop).
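The policy of slide 25 and the enforcement point of slide 28 together, as an added example that is not code from the webinar or from WSO2: the three rules are evaluated by a policy decision point with a rule-combining algorithm, and the enforcement point sends the message on only for an explicit Permit, so both Deny and NotApplicable end in a drop. This models XACML's Permit/Deny/NotApplicable and combining semantics in Python rather than XACML's XML syntax; the request attribute names and the sample requests are constructed, and the example goes one step beyond the slide by showing a request on which two of its rules conflict.

```python
"""Attribute-based access control in the style of XACML (slides 25-28): the
three rules from slide 25, a rule-combining algorithm, and a policy
enforcement point that sends the request on only for an explicit Permit.
Models XACML's Permit/Deny/NotApplicable semantics, not its XML syntax;
requests and attribute names are constructed for this example."""
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def rule(effect, **conditions):
    """A rule applies when every listed attribute equals the given value."""
    def applies(request):
        return all(request.get(attr) == value for attr, value in conditions.items())
    return effect, applies


# The access control policy from slide 25, rule by rule.
POLICY = [
    rule(PERMIT, user="Tao", resource="/data/archives"),
    rule(DENY, role="Clark", action="write"),
    rule(PERMIT, role="Manager", resource="/data/files"),
]


def evaluate(request, policy=POLICY, combining="deny-overrides"):
    """Policy decision point: combine the effects of all applicable rules."""
    effects = [effect for effect, applies in policy if applies(request)]
    if not effects:
        return NOT_APPLICABLE            # no rule spoke; this is NOT a Permit
    if combining == "deny-overrides":
        return DENY if DENY in effects else PERMIT
    if combining == "permit-overrides":
        return PERMIT if PERMIT in effects else DENY
    raise ValueError(f"unknown combining algorithm {combining}")


def enforce(request, policy=POLICY, combining="deny-overrides"):
    """Policy enforcement point, like the ESB entitlement mediator on slide 28:
    'Send' the message only on Permit; Deny and NotApplicable both 'Drop'."""
    return "Send" if evaluate(request, policy, combining) == PERMIT else "Drop"


if __name__ == "__main__":
    for req in (
        {"user": "Tao", "role": "Manager", "resource": "/data/archives", "action": "read"},
        {"user": "David", "role": "Clark", "resource": "/data/files", "action": "write"},
        {"user": "Jane", "role": "Manager", "resource": "/data/files", "action": "read"},
        {"user": "Jane", "role": "Manager", "resource": "/data/details", "action": "read"},
        # Tao is a Clark writing to the archives: rules 1 and 2 both apply and conflict
        {"user": "Tao", "role": "Clark", "resource": "/data/archives", "action": "write"},
    ):
        print(req, evaluate(req), enforce(req), evaluate(req, combining="permit-overrides"))
```

The last request is the one to look at when choosing a combining algorithm: under deny-overrides the write is refused, under permit-overrides it goes through, and nothing in the three rules themselves tells you which the policy author intended.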
29. Connecting with external parties
o Extern Inc. acquires a new company, “PlusX”, as a subsidiary
o PlusX has its own identity provider, with its own internal apps connected to it
o Can PlusX employees use Extern Inc. apps?
30. Connecting with external parties
Jane, an employee of PlusX, wants to access the ‘Contact Directory’ app hosted by Extern Inc.
Extern Inc. identity server: “You are not in my Identity Server!”
Jane: “But I am registered in PlusX”
31. Connecting with external parties
Extern Inc.'s apps keep trusting their local IS; that IS in turn trusts the IS in the PlusX office. If PlusX says “This is Jane”, then Extern Inc. believes it (Extern Inc. trusts the PlusX IdP).
32. Enterprise Identity Bus : Federation
o Easily connect new Identity Providers
o Protocol bridging
o Multi step, multi option authentication flows
o Inbuilt support for Social Login
o Zero changes on Service provider
o Rich processing on data
o Subject mapping
o Claim transformation
o Role transformation
o Home realm discovery
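The federation side of the bus, as an added example that is not code from the webinar or from WSO2 Identity Server: home realm discovery routes a login to the identity provider that owns the user's domain, an assertion is accepted only from a registered identity provider and only for the intended audience, and the foreign subject, claims and roles are transformed into Extern Inc.'s own vocabulary before the service provider sees them, which is what lets the service provider stay unchanged. The assertion is taken as already signature-checked; the trust table, domains, claim names and sample assertion are assumptions for the example.

```python
"""Federated login as on slides 29-32: home realm discovery picks the identity
provider for a user, only assertions from a registered (trusted) identity
provider are accepted, and the foreign subject, claims and roles are
transformed into Extern Inc.'s own vocabulary before the service provider
sees them.  The assertion is taken as already signature-verified; the trust
table, domains, claim names and sample assertion are assumptions."""

# Registered identity providers: issuer id -> how to translate what they assert.
TRUSTED_IDPS = {
    "https://idp.extern.example": {              # the local IS
        "domains": {"extern.com"},
        "subject_format": "{sub}",                # local users keep their username
        "claim_map": {"email": "email", "givenName": "given_name"},
        "role_map": {"staff": "staff", "manager": "Manager"},
    },
    "https://idp.plusx.example": {               # the IS in the PlusX office
        "domains": {"plusx.example"},
        "subject_format": "plusx/{sub}",          # subject mapping: keep realms apart
        "claim_map": {"mail": "email", "firstName": "given_name"},
        "role_map": {"PlusX-Sales": "sales", "PlusX-Admin": "staff"},
    },
}


def discover_home_realm(login_identifier):
    """Home realm discovery: route by the email domain to the IdP that owns it."""
    domain = login_identifier.rpartition("@")[2].lower()
    for issuer, idp in TRUSTED_IDPS.items():
        if domain in idp["domains"]:
            return issuer
    raise LookupError(f"no identity provider registered for domain '{domain}'")


def accept_assertion(assertion, expected_audience):
    """Turn a (signature-verified) assertion from any trusted IdP into local claims."""
    idp = TRUSTED_IDPS.get(assertion["issuer"])
    if idp is None:
        raise PermissionError("assertion from an untrusted identity provider")
    if assertion["audience"] != expected_audience:
        raise PermissionError("assertion not meant for this service provider")
    local = {"subject": idp["subject_format"].format(sub=assertion["subject"]),
             "issuer": assertion["issuer"]}
    for foreign, ours in idp["claim_map"].items():       # claim transformation
        if foreign in assertion["attributes"]:
            local[ours] = assertion["attributes"][foreign]
    # Role transformation: unmapped foreign roles are dropped, never passed through verbatim.
    local["roles"] = sorted(idp["role_map"][r]
                            for r in assertion.get("roles", []) if r in idp["role_map"])
    return local


if __name__ == "__main__":
    print(discover_home_realm("jane@plusx.example"))
    print(accept_assertion({"issuer": "https://idp.plusx.example", "subject": "jane",
                            "audience": "contact-directory",
                            "attributes": {"mail": "jane@plusx.example", "firstName": "Jane"},
                            "roles": ["PlusX-Sales", "PlusX-Admin", "PlusX-Payroll"]},
                           "contact-directory"))
```

The subject prefix and the explicit role map are the two controls that matter once a second realm is trusted: without the prefix a PlusX "jane" collides with an Extern Inc. "jane", and without the map a role name chosen by the other identity provider would land unchanged in Extern Inc.'s authorization decisions.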
33. Concepts in Reality
o Some external contributors have access to the community portal via self registration
o Employee life cycle in the company
o Employee creation
o Going through approval
o Sync up with the required systems
o SSO with all applications
o Lock the identity upon resignation