Page 1
WSO2 Identity Server
Prabath Siriwardena, Senior Software Architect
Page 2
An open source Identity & Entitlement management server
Page 3
An open source Identity & Entitlement management server
Authentication
AD, LDAP, JDBC
Page 4
Authentication
Page 5
An open source Identity & Entitlement management server
Authentication, Single Sign On
SAML2, Kerberos, WS-Fed Passive
Page 6
OpenID
Decentralized Single Sign On
Single user profile
Widely used for community & collaboration aspects
Multifactor Authentication [Infocard, XMPP]
OpenID relying party components
Page 7
SAML2
Single Sign On / Single Logout
Widely used by *aaS providers [Google Apps, Salesforce]
SAML2 Web SSO Profile
SAML2 Attribute Profile
Distributed Federated SAML2 IdPs
Used in WSO2 StratosLive
Page 8
SharePoint
WS-Fed Passive
Single Sign-On
Page 9
An open source Identity & Entitlement management server
Authentication, Single Sign On
Provisioning
SCIM, SPML
Page 10
Provisioning
Page 11
Provisioning to heterogeneous systems
[Diagram labels: Google Adaptor, SF Adaptor]
Page 12
Open standards for provisioning
2001 : OASIS PS TC
2003 : SPML 1.0
2003 : WS-Provisioning
2006 : SPML 2.0
2010 : SCIM community
2011 : SCIM 1.0
2012 : SCIM 1.1
2011 : RESTPML
Page 13
Open standards for provisioning
[Diagram label: Provisioning Service Point]
Page 14
System for Cross-domain Identity Management
[Diagram: SCIM Service Provider exposing /Users and /Groups; SCIM Consumer]
Page 15
System for Cross-domain Identity Management
add-user.json:
```json
{ "schemas":[], "name":{"familyName":"siriwardena","givenName":"prabath"}, "userName":"prabath","password":"prabath123", "emails":[{"primary":true,"value":"[email protected]","type":"home"},
{"value":"[email protected]","type":"work"}]}
```
curl command:
```bash
curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
```
Page 16
System for Cross-domain Identity Management
add-group.json:
```json
{ "schemas": ["urn:scim:schemas:core:1.0"], "id": "idnext", "displayName": "IdentityNext"}
```
curl command:
```bash
curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
```
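The checks a SCIM 1.x service provider applies to the two POST bodies above before touching its user store, as an added example that is not WSO2 Identity Server or Charon code: the payloads are constructed copies of add-user.json and add-group.json (placeholder e-mail addresses, since the slide's are redacted), and the rules implemented are the SCIM 1.1 core ones (schemas must name the core URN, ids are server-assigned, userName/displayName required, one primary e-mail).

```python
import json
import re

# Constructed versions of the two slide payloads; sample input, not captured traffic.
ADD_USER_JSON = """{"schemas":[],
 "name":{"familyName":"siriwardena","givenName":"prabath"},
 "userName":"prabath","password":"prabath123",
 "emails":[{"primary":true,"value":"prabath@example.com","type":"home"},
           {"value":"prabath@example.com","type":"work"}]}"""
ADD_GROUP_JSON = """{"schemas":["urn:scim:schemas:core:1.0"],
 "id":"idnext","displayName":"IdentityNext"}"""

SCIM_CORE = "urn:scim:schemas:core:1.0"          # SCIM 1.0/1.1 core schema URN
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_scim_resource(body: str, kind: str) -> tuple[dict, list[str]]:
    """Server-side checks for a POST /Users or POST /Groups body.
    Returns (cleaned resource, list of problems found)."""
    doc = json.loads(body)
    problems = []
    if SCIM_CORE not in doc.get("schemas", []):
        problems.append(f"schemas must include {SCIM_CORE}")
    # 'id' is assigned by the service provider and read-only: drop any client value.
    if "id" in doc:
        problems.append("client-supplied id ignored; server assigns ids")
        doc = {k: v for k, v in doc.items() if k != "id"}
    if kind == "User":
        if not doc.get("userName"):
            problems.append("userName is required")
        emails = doc.get("emails", [])
        if sum(1 for e in emails if e.get("primary") is True) > 1:
            problems.append("only one email may be primary")
        for e in emails:
            if not EMAIL_RE.match(str(e.get("value", ""))):
                problems.append(f"malformed email: {e.get('value')!r}")
    elif kind == "Group":
        if not doc.get("displayName"):
            problems.append("displayName is required")
    else:
        raise ValueError(f"unknown resource kind {kind!r}")
    return doc, problems


def audit_view(doc: dict) -> dict:
    """Copy of a User resource safe to write to an audit log: the clear-text
    password carried in add-user.json must never reach the log."""
    return {k: ("<redacted>" if k == "password" else v) for k, v in doc.items()}
```

With the slide's own payloads, the user body is flagged for its empty schemas list and the group body for its client-supplied id; both would otherwise be accepted as-is.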
Page 17
System for Cross-domain Identity Management
Page 18
Federated Provisioning Patterns
One way provisioning
[Diagram: Provisioning Service Providers in Domain A, Domain B and Domain C; SCIM Consumer]
Page 19
Federated Provisioning Patterns
One way provisioning with broker mode
[Diagram: Provisioning Service Providers in Domain A, Domain B and Domain C; SCIM Consumer]
Page 20
Federated Provisioning Patterns
Bi-directional provisioning
[Diagram: Provisioning Service Providers in Domain A, Domain B and Domain C, each also acting as a SCIM Consumer]
Page 21
Federated Provisioning Patterns
Multi-directional provisioning with a centralized PSP
[Diagram: a central Provisioning Service Provider; Provisioning Service Providers / SCIM Consumers in Domain A, Domain B and Domain C]
Page 22
Federated Provisioning Patterns
Just-in-time provisioning with SAML2
[Diagram: Provisioning Service Providers in Domain A and Domain B, SAML2 IdP; numbered steps 1 to 4]
Page 23
Federated Provisioning Patterns
Just-in-time provisioning with SAML2
[Diagram: Provisioning Service Providers in Domain A and Domain B, SAML2 IdP; numbered steps 1 to 5]
Page 24
Multi-tenancy
[Diagram: one Provisioning Service Provider serving the tenants wso2.com and facilelogin.com, each with its own SCIM Consumer]
Page 25
WSO2 Charon
Page 26
An open source Identity & Entitlement management server
Authentication, Single Sign On
Provisioning
Auditing
XDAS
Page 27
Auditing
Page 28
An open source Identity & Entitlement management server
Authentication, Single Sign On
Provisioning
Auditing, Delegation
WS-Trust
Page 29
Delegation
Pages 30-33
OAuth Evolution (diagram slides)
Page 34
OAuth
Identity Delegation
Securing RESTful services
2-legged & 3-legged OAuth 1.01
XACML integration with OAuth
OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials, Client Credentials
Page 35
An open source Identity & Entitlement management server
Authentication, Single Sign On
Provisioning
Auditing, Delegation, Federation
WS-Trust, SAML2
Page 36
Federation
Page 37
Security Token Service
Supports WS-Trust 1.3/1.4
SAML 1.0/1.1/2.0 token profiles
Claim management
Page 38
Federation Patterns
Cross Domain Authentication with WS-Trust
[Diagram: Security Token Service and Consumer App in Domain A, Resource in Domain B]
Page 39
Federation Patterns
Cross Domain Authentication with Kerberos and WS-Trust
Pages 40-42
Federation Patterns
Decentralized Federated SAML2 IdPs (diagram slides)
Page 43
An open source Identity & Entitlement management server
Role Based Access Control
Page 44
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Page 45
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
XACML
Page 46
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
SOAP
XACML / WS-XACML
Page 47
An open source Identity & Entitlement management server
Role Based Access Control
Attribute Based Access Control
Policy Based Access Control
SOAP
REST
XACML
Page 48
XACML
The de-facto standard for authorization
XACML 3.0
Support for multiple PIPs
Policy distribution
Decision / Attribute caching
UI wizard for defining policies
Notifications on policy updates
TryIt tool
Page 49
XACML
[Architecture diagram: EntitlementService and EntitlementPolicyAdminService exposed over SOAP; Policy Decision Point containing the Policy Cache, Decision Cache and XACML Engine; Policy Administration Point; Attribute Finder Extensions (Default Finder, LDAP) backed by an Attribute Cache; PDP reachable over SOAP/Thrift/WS-XACML]
Pages 50-53
XACML (diagram slides)
Page 54
What Do We Have Now?
User stores with LDAP/AD/JDBC
Multiple user stores
OpenID
SAML2
Kerberos
Integrated Windows Authentication
Information Cards
XACML 2.0/3.0
OAuth 1.0a/2.0
Security Token Service with WS-Trust
SCIM 1.1
WS-XACML
WS-Fed Passive