Identity Federation Patterns with WSO2 Identity Server
June 18, 2017
Darshana Gunawardana
Omindu Rathnaweera
2017 Summer School Webinar Series
About WSO2
▪ All WSO2 products 100% free and open source
▪ Licensed under Apache 2.0
▪ Based on WSO2 Carbon platform
▪ Componentized, modular architecture
▪ Founded in 2005
WSO2 Platform
About WSO2 Identity Server
▪ Currently in its 5th generation
▪ Latest release - WSO2 Identity Server 5.3.0
▪ Addresses critical IAM needs in both the customer IAM and workforce IAM spaces
▪ Extensive support for open standards - no vendor lock-in
▪ Large-scale deployments serving millions of users
▪ Rich ecosystem with 40+ connectors
(https://store.wso2.com/store/assets/isconnector/list)
▪ Support for multi-tenancy
▪ Extensible product architecture to address complex IAM needs
Identity Federation Patterns with WSO2 Identity Server
Agenda
▪ The Need for Identity Federation in Practice
▪ Identity Federation is the Solution!
▪ Capabilities of an Identity Broker
▪ Federation Problems & Patterns
▪ Q&A
The Need for Identity Federation in Practice
Evolution of the web
▪ Web 1.0
Static content
Limited user-site interaction
Identity was not portable
▪ Web 2.0
Interactive data
Allows user-site interaction
User-centric identity
▪ Web 3.0
Predictive content
Identity of things
IAM Requirements
▪ For a consumer
Ability to access services with minimum effort
▪ For an enterprise
Ability to adapt quickly to new business demands
Adherence to complex corporate policies covering
▪ password policies
▪ strong authentication
▪ login policies etc.
▪ regulatory compliance
▪ In general: provide a seamless user experience for better productivity
without compromising security
Identity Federation is the Solution!
What “Identity Federation” means
Connecting a person's digital identity and attributes stored across multiple distinct trust domains.
Benefits of Identity Federation
Elevated Security
▪ Identity federation leverages widely adopted, standard, secure and mature
protocols (SAML, OpenID and OAuth)
▪ Eliminates the need to maintain multiple credentials
▪ Enables Single Sign-On (SSO)
▪ Makes it possible to introduce Multi-Factor Authentication (MFA) centrally, at the identity provider, rather than in every application
Benefits of Identity Federation
Cost Benefits
▪ Introduces standard access control for enterprise apps with minimum effort
in the shortest possible time
▪ Eliminates the need to implement a proprietary SSO mechanism
▪ Secures legacy apps with modern security specifications without additional
development effort
▪ Adapts to the latest security trends and organizational security
requirements with minimum effort
Capabilities of an Identity Broker
▪ Protocol Agnostic
▪ Claim Transformation
▪ Multi-option / Multi-step Authentication
▪ Trust Brokering
▪ Home Realm Discovery
▪ Adaptive Authentication
Capabilities of an Identity Broker
▪ Account Association
▪ Multiple Attribute Stores
▪ Just In Time Provisioning
▪ Manage Identity Relationships
▪ Centralized Access Control
▪ Centralized Monitoring & Analytics
Federation Problems & Patterns
Problem 1: Utilize a Single Identity Across Multiple Heterogeneous Service Providers
▪ Business users need to access multiple service providers, each supporting a
different identity federation protocol.
Pattern 1: Identity Federation between Multiple Heterogeneous Identity Federation Protocols
Pros
▪ Single Sign-On
▪ Separates user authentication from application code
▪ Hides user credentials from applications
▪ Removes administrative overhead from applications
▪ Improves user experience
Cons
▪ Introduces a single point where the security of the whole system can be
breached: a compromised broker can issue assertions for any user to any
connected service provider
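An added example (not code from the slides or from WSO2 Identity Server) of what the broker in Pattern 1 does on every login: it validates an inbound SAML-style assertion from a federated identity provider, applies the claim transformation, and issues an OpenID Connect style ID token to a service provider that only speaks OIDC. The assertion, the entity IDs, the HMAC key and the attribute-to-claim map are constructed assumptions, and the assertion carries no XML signature, which a real broker must verify before anything else. The issuer, audience and validity-window checks are where the single-point-of-breach risk sits: a broker that skips any of them mints tokens for anyone.

```python
"""Protocol-bridging identity broker: SAML 2.0 style assertion in,
claims transformed, OpenID Connect style ID token (JWT, HS256) out.

Added illustration, not code from WSO2 Identity Server. The assertion is
constructed and unsigned; key, entity IDs and the
"http://wso2.org/claims/role" attribute name are assumptions."""
import base64
import calendar
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim transformation: inbound SAML attribute name -> outbound OIDC claim.
# Attributes with no mapping are dropped, so the SP only sees what it needs.
CLAIM_MAP = {
    "urn:oid:0.9.2342.19200300.100.1.3": "email",   # mail
    "urn:oid:2.5.4.42": "given_name",               # givenName
    "urn:oid:2.5.4.4": "family_name",               # sn
    "http://wso2.org/claims/role": "roles",         # assumed role attribute (multi-valued)
}
MULTI_VALUED = {"roles"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_hs256_encode(payload: dict, key: bytes) -> str:
    """Compact JWS serialisation: header.payload.signature (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def jwt_hs256_decode(token: str, key: bytes) -> dict:
    """SP-side check: constant-time signature comparison, then the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("ID token signature mismatch")
    return json.loads(_b64url_decode(body))

def _iso_utc(ts: str) -> int:
    return calendar.timegm(time.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

def parse_assertion(xml_text: str, expected_issuer: str, expected_audience: str, now: int):
    """Accept the assertion only if issuer, audience and validity window all
    check out; return (subject, {attribute_name: [values]})."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", SAML_NS)
    if not (_iso_utc(cond.get("NotBefore")) <= now < _iso_utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this broker")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return subject, attrs

def broker_exchange(assertion_xml: str, inbound_issuer: str, broker_id: str,
                    sp_client_id: str, key: bytes, now: int) -> str:
    """The broker's core step: SAML in, claims transformed, OIDC ID token out."""
    subject, attrs = parse_assertion(assertion_xml, inbound_issuer, broker_id, now)
    claims = {"iss": broker_id, "sub": subject, "aud": sp_client_id, "iat": now, "exp": now + 300}
    for saml_name, values in attrs.items():
        oidc_name = CLAIM_MAP.get(saml_name)
        if oidc_name is not None:
            claims[oidc_name] = values if oidc_name in MULTI_VALUED else values[0]
    return jwt_hs256_encode(claims, key)

# Constructed sample input for the model (no XML signature).
INBOUND_ISSUER = "https://idp.partner.example/saml"
BROKER_ID = "https://broker.example/is"
SP_CLIENT_ID = "hr-portal"
KEY = b"assumed-shared-secret-for-the-model"
NOW = _iso_utc("2017-06-18T10:01:00Z")
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2017-06-18T10:00:00Z">
  <saml:Issuer>{INBOUND_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-06-18T10:00:00Z" NotOnOrAfter="2017-06-18T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{BROKER_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://wso2.org/claims/role"><saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.20"><saml:AttributeValue>+1-555-0100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    token = broker_exchange(SAMPLE_ASSERTION, INBOUND_ISSUER, BROKER_ID, SP_CLIENT_ID, KEY, NOW)
    print(json.dumps(jwt_hs256_decode(token, KEY), indent=2))
```

The unmapped telephone attribute never reaches the SP, which is the claim-minimisation half of "claim transformation". The model signs with an HMAC secret shared with the SP to stay self-contained; a production broker signs with an asymmetric key that SPs fetch from its metadata or JWKS endpoint, so no SP ever holds a key that could mint tokens.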
Problem 2: Consuming Multiple Services Across Different Trust Domains
▪ Business users need to consume services beyond the enterprise's borders.
Cross-border interaction typically means interacting with services residing
in a different trust domain. The interaction may need to happen with or
without dependencies on entities in the external trust domain.
Pattern 2.1: Inter-Domain Token Exchange
▪ Establish a trust relationship between the two Identity Providers, one residing in each trust
domain. A token issued by the consumer's home Identity Provider is exchanged at the service's
Identity Provider for a token that the service already trusts.
Pattern 2.1: Inter-Domain Token Exchange
Pros
▪ Flexible in maintaining trust domains
▪ Facilitates federated interactions between consumers and services across
trust domains
▪ The same model can be extended to address more complex federation
scenarios
Cons
▪ Introduces a certain level of dependency between the consumer and the
Identity Provider in the other trust domain
Pattern 2.2: Intra-Domain Token Exchange
▪ Interact with a service deployed in a federated trust domain without any
dependency on entities in the other trust domain: the consumer obtains its
token from its own Identity Provider, and the service is configured to accept it.
Pattern 2.2: Intra-Domain Token Exchange
Pros
▪ Removes dependencies between consumers and services in different trust
domains
▪ Can handle different token claim representations
Cons
▪ Adds complexity to the mechanism used to model the trust relationship
with the Identity Provider in the other trust domain
▪ Makes services accept messages that were not issued by the Identity
Provider they trust, so each service must validate issuer, audience and
signature for every foreign issuer it accepts
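The two exchanges above, Pattern 2.1 and Pattern 2.2, as one added runnable model (not code from the slides or from WSO2 Identity Server). Two trust domains each have an Identity Provider with its own key; in 2.1 IdP-B is configured to trust IdP-A and re-issues a local token the service in domain B already accepts, while in 2.2 the consumer never leaves IdP-A and the service itself is configured to accept IdP-A's tokens, adapting IdP-A's claim representation ("groups") to its own ("roles"). Issuer names, keys, the claim shapes and the compact "payload.mac" token format are assumptions made for the model; the validation steps (signature, issuer, audience, expiry) are the ones any accepting party has to perform.

```python
"""Token exchange between two trust domains, modelling Pattern 2.1
(inter-domain: IdP-B trusts IdP-A and re-issues a local token) and
Pattern 2.2 (intra-domain: the consumer only talks to its home IdP-A and
the service in domain B is configured to accept IdP-A's tokens directly).

Added illustration, not code from WSO2 Identity Server. Issuer names,
keys, the "groups" versus "roles" claim representations and the compact
"payload.mac" token format are assumptions made for the model."""
import hashlib
import hmac
import json

def issue(payload: dict, key: bytes) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def peek_issuer(token: str) -> str:
    """Read 'iss' before verification, only to select the key to verify with."""
    return json.loads(token.rpartition(".")[0]).get("iss")

def verify(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch")
    claims = json.loads(body)
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not addressed to this party")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

class IdentityProvider:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.trusted = {}   # foreign issuer -> (key, adapter turning its claims into ours)

    def trust(self, other: "IdentityProvider", adapter):
        """Pattern 2.1: establish the IdP-to-IdP trust relationship."""
        self.trusted[other.name] = (other.key, adapter)

    def login(self, subject: str, audience: str, now: int, **claims) -> str:
        payload = {"iss": self.name, "sub": subject, "aud": audience, "exp": now + 300, **claims}
        return issue(payload, self.key)

    def exchange(self, foreign_token: str, audience: str, now: int) -> str:
        """Pattern 2.1: accept a token from a trusted foreign IdP, re-issue a local one."""
        iss = peek_issuer(foreign_token)
        if iss not in self.trusted:
            raise ValueError(f"issuer {iss!r} is not a trusted domain")
        key, adapter = self.trusted[iss]
        claims = verify(foreign_token, key, iss, self.name, now)
        return self.login(claims["sub"], audience, now, **adapter(claims))

class Service:
    def __init__(self, name: str, home_idp: IdentityProvider):
        self.name = name
        self.accepted = {home_idp.name: (home_idp.key, lambda c: {"sub": c["sub"], "roles": c.get("roles", [])})}

    def accept_foreign_issuer(self, idp: IdentityProvider, adapter):
        """Pattern 2.2: the service itself models trust in the other domain's IdP."""
        self.accepted[idp.name] = (idp.key, adapter)

    def authorize(self, token: str, now: int) -> dict:
        iss = peek_issuer(token)
        if iss not in self.accepted:
            raise ValueError(f"issuer {iss!r} is not trusted by {self.name}")
        key, adapter = self.accepted[iss]
        return adapter(verify(token, key, iss, self.name, now))

def groups_to_roles(claims: dict) -> dict:
    """Claim adapter: domain A carries LDAP-style groups, domain B expects plain roles."""
    return {"roles": [g.split(",")[0].split("=", 1)[1] for g in claims.get("groups", [])]}

def build_domains():
    idp_a = IdentityProvider("https://idp.a.example", b"key-of-domain-a")   # consumer's home
    idp_b = IdentityProvider("https://idp.b.example", b"key-of-domain-b")   # service's domain
    svc_b = Service("https://payroll.b.example", idp_b)
    idp_b.trust(idp_a, groups_to_roles)
    return idp_a, idp_b, svc_b

NOW = 1497780000  # 2017-06-18T10:00:00Z
GROUPS = ["cn=finance,ou=groups,dc=a,dc=example"]

def run_inter_domain(now: int = NOW) -> dict:
    """2.1: token from IdP-A -> exchanged at IdP-B -> accepted by the service."""
    idp_a, idp_b, svc_b = build_domains()
    t_a = idp_a.login("alice", audience=idp_b.name, now=now, groups=GROUPS)
    t_b = idp_b.exchange(t_a, audience=svc_b.name, now=now)
    return svc_b.authorize(t_b, now)

def run_intra_domain(now: int = NOW) -> dict:
    """2.2: token from IdP-A addressed straight to the service in domain B."""
    idp_a, _, svc_b = build_domains()
    t_direct = idp_a.login("alice", audience=svc_b.name, now=now, groups=GROUPS)
    svc_b.accept_foreign_issuer(idp_a, lambda c: {"sub": c["sub"], **groups_to_roles(c)})
    return svc_b.authorize(t_direct, now)
```

Both paths end with the same normalised claims at the service, which is the point: in 2.1 the claim adapter lives once, at IdP-B, and the service keeps a single trusted issuer; in 2.2 every service that accepts the foreign issuer carries its own copy of the trust entry and the adapter, which is the added complexity the slide lists as a con.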
Problem 3: Identity Silos and Spaghetti Identity
▪ Localized groups of service providers operating on different protocols;
this introduces difficulties when interoperability between the service
provider groups is required
▪ Each service provider has to trust each identity provider
▪ Not scalable and hard to manage
Figures: Spaghetti Identity; Identity Silos
Pattern 3: Identity Bus
Pros
▪ Simplicity in introducing new trusted domains / service providers
▪ Loosely coupled
▪ Reduces deployment complexity
Cons
▪ Increased latency due to the intermediate bus
▪ Single point of failure
Problem 4: Need for Dynamic and Fine-Grained Authorization Policies
▪ Organizational policies may require securing services beyond typical
authorization mechanisms
▪ The service provider needs to define a complex authorization policy to decide
whether a given user is eligible to access a certain resource
Pattern 4: Federated Authorization
▪ Federated authorization caters for complex authorization requirements
▪ XACML can be used to define complex policies and to evaluate authorization
requests against them
Pros
▪ Authorization implementation is decoupled from the application code base
▪ Supports securing services with complex authorization policies
▪ Avoid duplication of authorization policies across all the applications
Cons
▪ Not widely adapted compared to federated authentication.
29
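An added example of Pattern 4 (not the WSO2 Identity Server PDP or one of its sample policies): a small XACML 3.0 policy, a policy decision point that implements exactly the subset the policy uses (Target/AnyOf/AllOf/Match with string-equal, Rule Effect, the deny-overrides combining algorithm, MustBePresent), and a policy enforcement point that builds the request from federated claims. The policy text, the "urn:example:subject-type" attribute and the "http://wso2.org/claims/role" attribute name are assumptions. It shows the caveat a PEP implementer needs: a PDP answers with four outcomes, and everything other than Permit must be treated as a deny.

```python
"""Federated authorization with XACML: policy written once, evaluated by a
PDP, with the application's PEP only asking for a decision.

Added illustration, not the WSO2 Identity Server PDP or one of its sample
policies. Policy text, "urn:example:subject-type" and the
"http://wso2.org/claims/role" attribute name are assumptions."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "http://wso2.org/claims/role"          # assumed role attribute
SUBJECT_TYPE = "urn:example:subject-type"     # assumed attribute: employee / contractor

# Constructed policy: only finance staff may read the finance reports, and
# contractors are denied regardless of role (deny-overrides makes that win).
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="finance-reports" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>
    <Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS}">/reports/finance</AttributeValue>
      <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}" DataType="{XS}" MustBePresent="true"/></Match>
  </AllOf></AnyOf></Target>
  <Rule RuleId="contractors-never" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS}">contractor</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{SUBJECT_TYPE}" DataType="{XS}" MustBePresent="false"/></Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="finance-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS}">finance</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{ROLE}" DataType="{XS}" MustBePresent="false"/></Match>
      <Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS}">read</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{XS}" MustBePresent="false"/></Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

def _match(match, request):
    """True/False, or "Indeterminate" when a MustBePresent attribute is absent."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.findtext("x:AttributeValue", namespaces=NS)
    des = match.find("x:AttributeDesignator", NS)
    bag = request.get(des.get("Category"), {}).get(des.get("AttributeId"))
    if bag is None:
        return "Indeterminate" if des.get("MustBePresent") == "true" else False
    return literal in bag   # the function holds for at least one value in the bag

def _target(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match."""
    if target is None:
        return True
    for anyof in target.findall("x:AnyOf", NS):
        satisfied = False
        for allof in anyof.findall("x:AllOf", NS):
            results = [_match(m, request) for m in allof.findall("x:Match", NS)]
            if "Indeterminate" in results:
                return "Indeterminate"
            if all(results):
                satisfied = True
                break
        if not satisfied:
            return False
    return True

def evaluate(policy_xml: str, request: dict) -> str:
    """PDP: Permit, Deny, NotApplicable or Indeterminate under deny-overrides."""
    policy = ET.fromstring(policy_xml)
    applies = _target(policy.find("x:Target", NS), request)
    if applies is not True:
        return "Indeterminate" if applies == "Indeterminate" else "NotApplicable"
    outcomes = []
    for rule in policy.findall("x:Rule", NS):
        r = _target(rule.find("x:Target", NS), request)
        outcomes.append(rule.get("Effect") if r is True else
                        ("Indeterminate" if r == "Indeterminate" else "NotApplicable"))
    for verdict in ("Deny", "Indeterminate", "Permit"):
        if verdict in outcomes:
            return verdict
    return "NotApplicable"

def pep_allows(roles, subject_type, resource, action) -> bool:
    """PEP: build the request from federated claims; anything but Permit is a deny."""
    request = {SUBJECT: {ROLE: list(roles), SUBJECT_TYPE: [subject_type]},
               RESOURCE: {RESOURCE_ID: [resource]},
               ACTION: {ACTION_ID: [action]}}
    return evaluate(POLICY, request) == "Permit"
```

The request is a dictionary keyed by XACML category and attribute id, which is the shape a PEP would send to a PDP endpoint; the application code never touches the rules, so changing who may read the reports is a policy edit, not a deployment.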
Problem 5: Lack of Support for Federated Authorization
▪ Even if authentication is federated, most systems do not support
authorization in a federated manner. Hence, the SP has to persist user
information to a certain degree in order to perform authorization locally
Pattern 5.1: Federated Unidirectional Provisioning
▪ The user interacts directly with the identity provider only
▪ The IdP initiates outbound provisioning to the service providers
▪ Service providers receive a bare minimum amount of information
Pattern 5.2: Federated Bidirectional Provisioning
▪ Built on top of unidirectional provisioning
▪ The user can interact directly with either the service provider or the
identity provider
▪ Either the service provider or the identity provider initiates outbound
provisioning
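Patterns 5.1 and 5.2 as one added runnable model (not code from the slides or from WSO2 Identity Server's provisioning connectors). An identity provider fans each create, update or delete out to its connected service providers; every SP has an attribute contract and persists nothing outside it, which is the "bare minimum" of 5.1. One SP is connected bidirectionally, so a change the user makes there flows back to the IdP and on to the other SPs. The SCIM-like attribute names, the per-SP contracts and the origin-based echo suppression (the IdP never pushes a change back to the SP it came from) are assumptions made for the model; the last one is the failure mode to design for when both sides can initiate provisioning.

```python
"""Federated provisioning model: Pattern 5.1 (the IdP pushes a minimal
user record to each SP it is connected to) and Pattern 5.2 (an SP may
originate a change, which flows back to the IdP and on to the other SPs).

Added illustration, not WSO2 Identity Server's provisioning connectors.
The SCIM-like attribute names, each SP's attribute contract and the
origin-based echo suppression are assumptions made for the model."""

class ServiceProvider:
    def __init__(self, name: str, contract):
        self.name = name
        self.contract = set(contract)   # the only attributes this SP may persist
        self.users = {}
        self.idp = None                 # set only when bidirectional provisioning is on

    def receive(self, event: dict) -> None:
        """Inbound provisioning: keep the contracted subset of the attributes, nothing more."""
        if event["op"] == "delete":
            self.users.pop(event["sub"], None)
            return
        minimal = {k: v for k, v in event["attrs"].items() if k in self.contract}
        self.users.setdefault(event["sub"], {}).update(minimal)

    def local_update(self, sub: str, **changes) -> None:
        """Pattern 5.2: the user changes a contracted attribute at the SP; the
        change is pushed back to the IdP, which remains the source of truth."""
        if self.idp is None:
            raise PermissionError(f"{self.name} is provisioned one way only")
        outside = set(changes) - self.contract
        if outside:
            raise PermissionError(f"{self.name} may not manage {sorted(outside)}")
        self.users[sub].update(changes)
        self.idp.receive_from_sp({"op": "update", "sub": sub, "attrs": dict(changes), "origin": self.name})

class IdentityProvider:
    def __init__(self):
        self.users = {}
        self.connected = []

    def connect(self, sp: ServiceProvider, bidirectional: bool = False) -> None:
        self.connected.append(sp)
        if bidirectional:
            sp.idp = self

    def _fan_out(self, event: dict) -> None:
        """Outbound provisioning to every SP except the one the change came from."""
        for sp in self.connected:
            if sp.name != event.get("origin"):
                sp.receive(event)

    def create_user(self, sub: str, **attrs) -> None:
        self.users[sub] = dict(attrs)
        self._fan_out({"op": "create", "sub": sub, "attrs": dict(attrs)})

    def update_user(self, sub: str, **attrs) -> None:
        self.users[sub].update(attrs)
        self._fan_out({"op": "update", "sub": sub, "attrs": dict(attrs)})

    def delete_user(self, sub: str) -> None:
        self.users.pop(sub)
        self._fan_out({"op": "delete", "sub": sub})

    def receive_from_sp(self, event: dict) -> None:
        """Pattern 5.2 return path: accept the SP's change, then fan it out to the rest."""
        self.users[event["sub"]].update(event["attrs"])
        self._fan_out(event)

def build_demo():
    """Constructed set-up: an IdP, a one-way HR portal and a bidirectional CRM."""
    idp = IdentityProvider()
    hr = ServiceProvider("hr-portal", contract=["email", "given_name", "roles"])
    crm = ServiceProvider("crm", contract=["email", "phone"])
    idp.connect(hr)                       # Pattern 5.1
    idp.connect(crm, bidirectional=True)  # Pattern 5.2
    idp.create_user("alice", email="alice@example.com", given_name="Alice",
                    family_name="Liddell", roles=["finance"], phone="+1-555-0100")
    return idp, hr, crm
```

After build_demo() the HR portal holds three attributes and the CRM two, neither holds the family name, and a phone change made in the CRM reaches the IdP but is dropped by the HR portal because phone is outside its contract. Letting an SP write back only the attributes it is contracted to hold is what keeps a compromised SP from rewriting roles at the identity provider.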
Q&A
What next?
OPEN TECHNOLOGY FOR YOUR AGILE DIGITAL BUSINESS
THANK YOU