Kermit Co. is upgrading its identity management system to address several problems: 1) employees need single sign-on across internal and cloud applications using different protocols; 2) strengthening security by adding multi-factor authentication; 3) managing external identities at scale including social logins and just-in-time provisioning; 4) exposing APIs securely and automating provisioning using rules. The WSO2 Identity Server provides an enterprise identity bus to federate identities across systems using various protocols while allowing management of internal and external identities at different assurance levels through APIs.
4. Why?
o Open up APIs
o Bring your own identity
o Identity maintained in one domain, accessed in other domains
o Social network identities
o Bring your own device
o Ecosystems
o Mergers/Acquisitions
6. WSO2 Identity Server
o 5th Generation Product
o Current version 5.1.0 (released 2015)
o Federated identity and entitlement is a key part of any distributed architecture
o Internal security threats, partnerships
o Mergers, de-mergers
o APIs, cloud systems
o SSO is important, but you also need to federate and bridge across SSOs
o Open standards for identity are changing the industry landscape
o Based on the WSO2 Carbon platform, which provides multi-tenancy, logging, clustering, and other common services
11. What Does an EIB Do?
o Bridges tokens
  • OAuth/OAuth2
  • OpenID/OpenID Connect
  • SAML2
  • WS-Federation
  • Kerberos, etc.
o Bridges claims and claim dialects
  • Email addresses
  • Phone numbers
  • Names, etc.
o Bridges user stores
  • SPML, SCIM, Salesforce, Google, etc.
  • Just-in-time provisioning, inbound and outbound
12. A Story
o Kermit Co is an open-source product development company
o It has employees, customers, and an open-source community
o It has some internal systems used by employees and some external systems
o Kermit Co is going to upgrade their identity
14. Kermit Co has some internal applications
o Employees use several systems
  • Office 365
  • Redmine
  • Salesforce
  • Star Accounts
o The employee LDAP in the Kermit datacenter cannot be synced to the cloud
15. Problem
o Employees need to access both cloud-based and on-premise systems
o Decentralized identities
o Password exhaustion: a fresh login for each system
→ When an employee logs in to one system, they should be logged in to the rest
o Different systems use different protocols: SAML 2.0, WS-Federation
17. Problem
o Ginger is from the finance team
o Her account is hacked
o All finance data is leaked
→ Need to implement multi-factor authentication (MFA)
o Something you know, something you have, something you are
o Add FIDO and SMS OTP
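The second factor in slide 17 is only as strong as the checks around it. The following is an added example (not code from the slides or from WSO2 Identity Server) of the server side of an SMS OTP factor: the code is generated from a CSPRNG, expires, is single-use, is compared in constant time, and is invalidated after a few wrong guesses so a six-digit code cannot be brute-forced. Class and function names, the digit count, TTL and attempt limit are all assumptions chosen for the example; the SMS gateway itself is out of scope.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed policy values for the example
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


class SmsOtpStore:
    """Pending SMS OTP challenges, keyed by user ID (in-memory for the example)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised in tests
        self._pending = {}       # user_id -> {"code", "expires", "attempts"}

    def issue(self, user_id):
        # secrets, not random: the code has to be unpredictable to an attacker
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = {
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # goes to the SMS gateway only; never log or echo it

    def verify(self, user_id, submitted):
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False                      # nothing issued, or already consumed
        if self._now() > challenge["expires"]:
            del self._pending[user_id]        # expired: force a fresh challenge
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: a 6-digit code must not survive 10^6 tries
            return False
        # constant-time comparison so response timing does not leak matching prefixes
        if hmac.compare_digest(challenge["code"].encode(), str(submitted).encode()):
            del self._pending[user_id]        # single use
            return True
        return False


def second_factor_login(password_ok, otp_store, user_id, submitted_code):
    """Something you know (password) AND something you have (the phone) must both pass."""
    if not password_ok:
        return False                          # do not even consume the OTP challenge
    return otp_store.verify(user_id, submitted_code)
```

In a real deployment the store would be shared across cluster nodes and the attempt counter would also be tracked per phone number, so an attacker cannot reset it by re-requesting a code.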
19. Problem
o Customers need to authenticate to several systems
  • Website for product downloads
  • JIRA for issue reporting
  • Certification portal
  • Partner portal
o All customers are in a different LDAP
20. Handling Different Types of Identities
o Technically these could be added to the existing WSO2 IS, but customer identities are different:
  • Scale is massive
  • Control is not within the organization
  • Self-service registration is required
  • Social identities and JIT provisioning
  • Identity is of low assurance
  • Delegated administration
  • User experience must be excellent and distributed
22. Problem
o Need to provide social sign-up/sign-in capabilities on the website
  • Facebook, Google
o When users sign up via social media, Kermit wants to add the user to the External Users DB
→ Do just-in-time provisioning into the External Users DB
24. Problem
o How are the external users going to manage their profiles?
o All external users need to manage their own profiles by logging into the website
o Make the website do direct LDAP calls?
o Use the APIs in WSO2 IS instead:
  • SCIM – System for Cross-domain Identity Management
  • User Information Recovery service
  • User Management service
o I can use REST/SOAP calls to do user management
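The reason slide 24 prefers the SCIM API over direct LDAP calls from the website is that the API can enforce who may change what. Below is an added example (not code from the slides or from WSO2 Identity Server) of a minimal SCIM 2.0 style /Users handler: it validates the core User schema URN, enforces userName uniqueness, and on PATCH lets a user change only their own profile and only the self-service attributes, while an administrator may change the rest. The class, the attribute allowlist and the caller-identity parameters are assumptions for the example; only dotted attribute paths are supported, not SCIM value filters.

```python
import copy
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# What a user may change about themselves through the website (assumed policy);
# anything else (userName, active, groups, ...) stays with delegated administrators.
SELF_SERVICE_ATTRS = {"name", "displayName", "emails", "phoneNumbers"}


def _error(status, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserStore:
    """In-memory stand-in for the External Users store behind /Users."""

    def __init__(self):
        self._users = {}

    def create_user(self, body):
        """POST /Users"""
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "invalidValue")
        if any(u["userName"] == body["userName"] for u in self._users.values()):
            return _error(409, "uniqueness")
        user = copy.deepcopy(body)
        user["id"] = str(uuid.uuid4())         # server-assigned, read-only
        user["meta"] = {"resourceType": "User"}
        self._users[user["id"]] = user
        return 201, copy.deepcopy(user)

    def get_user(self, user_id):
        """GET /Users/{id}"""
        user = self._users.get(user_id)
        return (200, copy.deepcopy(user)) if user else _error(404)

    def patch_user(self, user_id, body, caller_id, caller_is_admin=False):
        """PATCH /Users/{id}; the authorization checks are the point of the example."""
        user = self._users.get(user_id)
        if user is None:
            return _error(404)
        if PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "invalidSyntax")
        if not caller_is_admin and caller_id != user_id:
            return _error(403)                 # self-service means your *own* profile only
        updated = copy.deepcopy(user)
        for op in body.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path")
            if kind not in ("add", "replace", "remove") or not path:
                return _error(400, "invalidSyntax")   # this example requires an explicit path
            top_level = path.split(".")[0].split("[")[0]
            if top_level in ("id", "meta", "schemas"):
                return _error(400, "mutability")
            if not caller_is_admin and top_level not in SELF_SERVICE_ATTRS:
                return _error(403)             # e.g. a user trying to rename their own userName
            _apply(updated, kind, path, op.get("value"))
        self._users[user_id] = updated
        return 200, copy.deepcopy(updated)


def _apply(resource, kind, path, value):
    """Dotted paths only (name.givenName); filter paths like emails[type eq "work"] are not handled."""
    parts = path.split(".")
    target = resource
    for part in parts[:-1]:
        target = target.setdefault(part, {})
    leaf = parts[-1]
    if kind == "remove":
        target.pop(leaf, None)
    elif kind == "add" and isinstance(target.get(leaf), list) and isinstance(value, list):
        target[leaf].extend(value)             # add on a multi-valued attribute appends
    else:
        target[leaf] = value
```

The caller identity would come from the access token the website presents on the user's behalf, never from a field in the request body.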
26. Problem
o Kermit employees need to log in to external systems – JIRA, the website and the certification portal
o Kermit employees are not in the external IdP
→ Kermit employee identities should be federated from the internal IdP to the external IdP and SPs
28. Problem
o Matrix is a marketing analytics company that does lead identification for Kermit Co
o Today it is a file-based batch process that updates Kermit's Salesforce
o Kermit Co wants to automate the process by exposing APIs
  • addSQLead, getRawLeads, getUsers
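Exposing addSQLead, getRawLeads and getUsers to a third party means each call has to carry a token that says who is calling and what they were granted. The following is an added example, not code from the slides or from WSO2 Identity Server, showing that check with stdlib only: the IdP mints an HS256 JWT access token carrying OAuth2 scopes, and the API side verifies the signature before trusting any claim, pins the algorithm, checks issuer, audience and expiry, and then enforces a per-operation scope. The issuer URL, audience, scope names and the shared secret are assumptions for the example; a production deployment would normally use an asymmetric key (RS256/ES256) so the API never holds a signing secret.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.kermit.example"   # assumed
AUDIENCE = "lead-api"                    # assumed

# Scope each exposed operation demands (operation names from the slide; scope names assumed).
REQUIRED_SCOPE = {
    "addSQLead": "leads:write",
    "getRawLeads": "leads:read",
    "getUsers": "users:read",
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret, subject, scopes, ttl=3600, now=time.time):
    """IdP side: issue an HS256 JWT access token with a space-separated scope claim."""
    issued = int(now())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "scope": " ".join(scopes), "iat": issued, "exp": issued + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(secret, token, now=time.time):
    """API side: return the claims if the token is authentic, unexpired and for this API, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                       # pin the algorithm: no 'none', no key confusion
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                       # signature is checked BEFORE any claim is trusted
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now():
        return None
    return claims


def authorize(secret, token, operation, now=time.time):
    """Gateway decision: 401 without a valid token, 403 without the operation's scope, else 200."""
    claims = verify_token(secret, token, now=now)
    if claims is None:
        return 401
    granted = claims.get("scope", "").split()
    if REQUIRED_SCOPE[operation] not in granted:
        return 403
    return 200
```

Matrix's batch client would be registered as its own OAuth2 client and granted only leads:read and leads:write, so a leaked token cannot enumerate users through getUsers.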
30. Problem
o The Kermit infra team wants to automate provisioning
o Provisioning users to apps
o LDAP syncing plus LDAP groups give the same end result as provisioning
o Per-app roles would then have to be managed in the central LDAP, which can get quite large
o WSO2 IS adaptors can be used for rule-based provisioning
o Same control domain → can use either (automated provisioning or LDAP syncing)
o Different control domain → use provisioning
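Slides 22 and 30 describe the two halves of provisioning through the identity bus: inbound just-in-time provisioning of a social user into the External Users DB, and rule-based outbound provisioning of users into applications. The following is one added example covering both (it is not code from the slides or from WSO2 Identity Server): the claim-dialect mapping translates each IdP's claims into the local dialect, JIT provisioning keys the local account on the IdP plus its stable subject (never on e-mail alone, since a social IdP may not have verified it), and a small data-driven rule table decides which application roles to push out. The claim sets, mappings, rules and store class are all constructed for the example.

```python
# Constructed inbound claim sets, as the EIB would receive them from two social IdPs.
FACEBOOK_CLAIMS = {"id": "10203", "email": "ginger@example.org",
                   "first_name": "Ginger", "last_name": "Grouch"}
GOOGLE_CLAIMS = {"sub": "1187", "email": "ginger@example.org",
                 "given_name": "Ginger", "family_name": "Grouch"}

# Claim dialect mapping per IdP: remote claim name -> local claim name in the EIB (assumed).
CLAIM_MAPPINGS = {
    "facebook": {"id": "subject", "email": "email",
                 "first_name": "givenName", "last_name": "familyName"},
    "google": {"sub": "subject", "email": "email",
               "given_name": "givenName", "family_name": "familyName"},
}

# Rule-based outbound provisioning: (attribute, required value, target app, role in that app).
PROVISIONING_RULES = [
    ("roles", "employee", "jira", "developers"),
    ("roles", "finance", "salesforce", "finance-users"),
    ("assurance", "low", "website", "community"),
]


def map_claims(idp, remote_claims):
    """Translate one IdP's dialect into the local dialect; unmapped remote claims are dropped."""
    mapping = CLAIM_MAPPINGS[idp]
    return {local: remote_claims[remote] for remote, local in mapping.items()
            if remote in remote_claims}


class ExternalUserStore:
    """In-memory stand-in for the External Users DB."""

    def __init__(self):
        self.users = {}   # (idp, subject) -> local user record

    def jit_provision(self, idp, claims):
        """Called after a successful federated login. Returns (user, created)."""
        if "subject" not in claims:
            raise ValueError("federated identity has no stable subject claim")
        # Key on the IdP's stable subject, never on e-mail alone: two IdPs asserting the
        # same address are two identities, and an unverified e-mail must not link accounts.
        key = (idp, claims["subject"])
        created = key not in self.users
        if created:
            self.users[key] = {
                "username": f"{idp}:{claims['subject']}",
                "roles": {"external"},
                "assurance": "low",          # social identities are low-assurance (slide 20)
            }
        user = self.users[key]
        for attr in ("email", "givenName", "familyName"):   # refresh profile claims each login
            if attr in claims:
                user[attr] = claims[attr]
        return user, created


def outbound_provisioning(user):
    """Evaluate the rules against a local user; returns {app: {roles}} to push to each SP."""
    targets = {}
    for attribute, required, app, role in PROVISIONING_RULES:
        value = user.get(attribute)
        matched = required in value if isinstance(value, (set, list, tuple)) else value == required
        if matched:
            targets.setdefault(app, set()).add(role)
    return targets
```

Because the rules live in the bus rather than as groups in the central LDAP, adding a new application means adding a rule, not a new group for every role the application defines.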
32. Problem
o Kermit's HCI expert wants to avoid showing the login screen on the IdP
o He wants the login choices to be displayed on the website itself
→ Home Realm Identifier
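With a Home Realm Identifier the website renders the login choices and tells the IdP which realm the user picked, so the IdP skips its own chooser and goes straight to that realm's authenticator. The following is an added example, not code from the slides or from WSO2 Identity Server, of both ends of that hand-off. The parameter name fidp is the one WSO2 IS uses for this purpose to the best of the editor's knowledge, but nothing here depends on it; the IdP URL, client ID and realm table are assumptions. The security-relevant part is that the IdP treats the HRI as a lookup into its own configured realms and falls back to its chooser for anything else, so an attacker-controlled value can never select an unconfigured authenticator.

```python
from urllib.parse import parse_qs, urlencode, urlparse

IDP_AUTHORIZE = "https://idp.kermit.example/oauth2/authorize"   # assumed
WEBSITE_CLIENT_ID = "kermit-website"                             # assumed

# Home realms the IdP is configured with -> the authenticator to invoke directly (assumed).
CONFIGURED_REALMS = {
    "employees": "internal-ldap-basic",
    "google": "google-oidc",
    "facebook": "facebook-oauth",
}
CHOOSER = "idp-login-chooser"   # the IdP's own login screen, used only as a fallback


def website_login_link(realm, return_to):
    """Website side: one link per login choice, with the chosen realm carried as fidp."""
    if realm not in CONFIGURED_REALMS:
        raise ValueError(f"unknown realm {realm!r}")
    params = {"client_id": WEBSITE_CLIENT_ID, "response_type": "code",
              "redirect_uri": return_to, "fidp": realm}
    return f"{IDP_AUTHORIZE}?{urlencode(params)}"


def select_authenticator(request_url):
    """IdP side: honour the HRI only when it names a configured realm, else show the chooser.
    The raw parameter is never used for anything except this allowlist lookup."""
    query = parse_qs(urlparse(request_url).query)
    hri = query.get("fidp", [None])[0]
    return CONFIGURED_REALMS.get(hri, CHOOSER)
```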
34. Kermit Co has a pretty decent identity infrastructure!
36. Gonzo Group of Companies
o A group with 3 main companies
o Problem – requires a centralized, highly controlled IAM program for its external users
38. Problem
o The Gonzo group of companies wants centralized fine-grained authorization policies
o Render menu items on the website using centralized authorization decisions
o All internally developed apps should comply with the centralized policy registry
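The following is an added example (not code from the slides or from WSO2 Identity Server, whose entitlement engine uses XACML) of what "centralized fine-grained authorization" means in practice for slide 38: a policy registry of attribute-based Permit/Deny rules, a policy decision point that evaluates them with deny-overrides combining, and a policy enforcement point in the website that asks the PDP per menu item and shows only what is explicitly permitted. The policies, attribute names and menu items are constructed for the example.

```python
# Centralized policy registry (constructed). Each policy targets a resource and action,
# applies when its condition holds for the subject's attributes, and yields Permit or Deny.
POLICIES = [
    {"id": "everyone-home", "resource": "menu:home", "action": "view",
     "condition": None, "effect": "Permit"},
    {"id": "finance-sees-reports", "resource": "menu:finance-reports", "action": "view",
     "condition": {"attribute": "groups", "contains": "finance"}, "effect": "Permit"},
    {"id": "hr-sees-hr", "resource": "menu:hr", "action": "view",
     "condition": {"attribute": "groups", "contains": "hr"}, "effect": "Permit"},
    {"id": "contractors-never-hr", "resource": "menu:hr", "action": "view",
     "condition": {"attribute": "employment", "equals": "contractor"}, "effect": "Deny"},
    {"id": "admins-everything", "resource": "*", "action": "*",
     "condition": {"attribute": "groups", "contains": "admin"}, "effect": "Permit"},
]

MENU = ["menu:home", "menu:finance-reports", "menu:hr", "menu:admin"]


def _condition_holds(condition, subject):
    """None means the policy applies to every subject; a missing attribute never matches."""
    if condition is None:
        return True
    value = subject.get(condition["attribute"])
    if "contains" in condition:
        return value is not None and condition["contains"] in value
    return value == condition.get("equals")


def decide(subject, resource, action):
    """Policy Decision Point with deny-overrides combining: one Deny beats any number of Permits."""
    applicable = [
        p["effect"] for p in POLICIES
        if p["resource"] in (resource, "*")
        and p["action"] in (action, "*")
        and _condition_holds(p["condition"], subject)
    ]
    if "Deny" in applicable:
        return "Deny"
    if "Permit" in applicable:
        return "Permit"
    return "NotApplicable"


def render_menu(subject):
    """Policy Enforcement Point in the website: only an explicit Permit shows an item,
    so NotApplicable (no policy at all) hides it just like Deny does."""
    return [item for item in MENU if decide(subject, item, "view") == "Permit"]
```

Hiding the menu item is a usability measure, not the control: the same decide() call must guard the page and the API behind it, since a user can type the URL regardless of what the menu shows.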