WSO2 Identity Server. Small company (called company A) had few services deployed on one app server.

Presentation transcript:

WSO2 Identity Server

Small company (called company A) had a few services deployed on one app server.

Use transport level security (HTTPS). It supports:
- Authentication (certificates, basic auth/digest)
- Confidentiality (encryption)
- Integrity (XML signature)

Later... TLS was not enough, because:
- The message is secure only on the wire
- Part of the message cannot be encrypted selectively
So use message level security (WS-Security).

How the system looks...

Access issues... There are both internal users (employees) and external users. It is easy to authenticate internal users. How can we authenticate external users?

More problems... Thousands of external user entries. They are hard to maintain locally, and maintaining duplicate records wastes resources. Assume company B needs access to these services and only a few employees from B should be given access.

WS-Trust: allow users if the request is signed by a trusted party. The Identity Server (IS) maintains an internal STS, connected to LDAP, to sign requests of internal users.

STS... The user has to authenticate with a UT (UsernameToken). The STS provides tokens with the required claims. Types of tokens:
- Bearer subject confirmation
- Holder-of-key subject confirmation (symmetric key or public key)

Before the sample... How are we going to communicate our security standards to our users?
- The token should contain address and last name
- The standard versions we use
- The encryption/signature methods we use
- Key size
- Which part of the message should be encrypted
Use WS-SecurityPolicy.

Message Interceptor Gateway... Multiple entry points are a security hole. Authenticate/authorize users centrally and load balance from that point. A proxy service can be used as the entry point.

What about authorization... Some users should not be allowed to access certain resources, so authentication is not enough. Role based access control: when the application system grows, authorization logic has to be implemented for each and every application. Problems: complexity, need for frequent updates, hard to maintain.

Requirements...
- Externalized (not bound to the application; all application servers query one system)
- Policy based (no source code change)
- Standardized
- Attribute based: service X can be accessed by a user belonging to the A.com domain and whose salary is not less than
- Fine grained: allow the "manager" user group above age 40 to access a portal on normal business days from 9 a.m. to 5 p.m., and not on weekends
- Real time (dynamic): allow money transfer between accounts from 9 a.m. to 3 p.m.

XACML...
Rule combining algorithms:
- Deny overrides
- Permit overrides
- First applicable
Policy combining algorithms:
- Deny overrides
- Permit overrides
- First applicable
- Ordered deny-overrides
- Ordered permit-overrides
- Only one applicable
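The fine-grained requirement and the combining algorithms from the two slides above, modelled in Python as an added example (not WSO2 code and not XACML XML): a Permit rule for the manager/business-hours requirement, a Deny rule for the "not on weekends" clause, and the combining algorithms named on the slide applied to the rules' results. Request fields and dates are constructed.

```python
from datetime import datetime, time as clock

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

def permit_managers_in_business_hours(req):
    """Permit rule from the slide: 'manager' group, older than 40, 09:00-17:00.
    Like an XACML Rule, it is NotApplicable when its condition does not hold."""
    when = datetime.fromisoformat(req["time"])
    if (req["group"] == "manager" and req["age"] > 40
            and clock(9, 0) <= when.time() <= clock(17, 0)):
        return PERMIT
    return NA

def deny_weekends(req):
    """Deny rule covering the slide's 'not on weekends' clause (Sat=5, Sun=6)."""
    return DENY if datetime.fromisoformat(req["time"]).weekday() >= 5 else NA

# Combining algorithms named on the slide, applied to the rules' individual results
def deny_overrides(results):
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NA

def permit_overrides(results):
    if PERMIT in results:
        return PERMIT
    return DENY if DENY in results else NA

def first_applicable(results):
    # Rule order matters here, unlike the two algorithms above
    return next((r for r in results if r != NA), NA)

def only_one_applicable(results):
    # In XACML this is a policy combining algorithm; modelled here over rule results
    applicable = [r for r in results if r != NA]
    if len(applicable) > 1:
        return INDET  # more than one applicable item is an error for this algorithm
    return applicable[0] if applicable else NA

def evaluate(rules, req, combine):
    """Evaluate every rule against the request, then combine the results."""
    return combine([rule(req) for rule in rules])

if __name__ == "__main__":
    rules = [permit_managers_in_business_hours, deny_weekends]
    # Constructed request: a 45-year-old manager on Saturday 2024-06-01 at 10:00
    saturday = {"group": "manager", "age": 45, "time": "2024-06-01T10:00"}
    for algo in (deny_overrides, permit_overrides, first_applicable, only_one_applicable):
        print(algo.__name__, "->", evaluate(rules, saturday, algo))
```

The Saturday request shows why the choice of algorithm is a security decision: the same two rule results give Deny, Permit, Permit and Indeterminate respectively.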

Performance improvements...
- Thrift protocol
- Decision cache: invalidated when the policy cache is updated, when the attribute cache is invalidated, or when the global policy combining algorithm is changed
- Attribute cache: updated when external attribute stores are changed
- Policy cache
- PEP decision cache

How to authenticate from the front end: people hate multiple passwords. Use OpenID.
- Be an OpenID relying party (IS accepts OpenID logins, e.g. yumani.myopenid.com)
- OpenID provider
- Information Card (based on WS-Trust)

Proof of identity...
- Something you know (password, PIN number)
- Something you have (ATM card)
- Something you are (thumb print)
IS provides multifactor authentication (XMPP and Information Card).

Company A uses one of its services to maintain its recent and upcoming events (it is not shared with everyone). Assume there is a free tool/web app which can extract that information and post it on the FB profile. Since the service is secured, should we provide our username/password to an external app?

OAuth: delegated authorization protocol. Users can, without revealing their credentials, let a client access their data available on a server. This is 3-legged OAuth:
- Service provider: a web application that allows access via OAuth
- User: a person who has an account with the service provider
- Consumer: a web site/application that uses OAuth to access the service provider
2-legged OAuth: the typical client-server scenario where the client uses the consumer key and secret to access the resources.
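The 2-legged case described above, where the consumer signs with only its consumer key and secret, as an added example (not WSO2 or OAuth library code): an OAuth 1.0 HMAC-SHA1 signing client and the service-provider check, including the timestamp and nonce replay checks a provider needs. Consumer key, secret and URL are constructed; the URL is assumed to be already normalised.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    # RFC 5849 3.6 percent-encoding: only unreserved characters stay raw
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, name-sorted parameter string.
    The URL is assumed already normalised (lower-case scheme/host, no default port)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer_secret&token_secret; in the 2-legged case
    there is no access token, so the second half of the key is empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_request(method, url, query, consumer_key, consumer_secret):
    """Consumer side: add the oauth_* parameters, then sign query + oauth_* together."""
    params = dict(query, oauth_consumer_key=consumer_key, oauth_signature_method="HMAC-SHA1",
                  oauth_timestamp=str(int(time.time())), oauth_nonce=secrets.token_hex(8),
                  oauth_version="1.0")
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return params

def verify(method, url, params, consumer_secrets, seen_nonces, now=None, max_skew=300):
    """Service-provider side: look up the consumer's secret, reject stale timestamps
    and replayed nonces, recompute the signature and compare it in constant time."""
    now = int(time.time()) if now is None else now
    secret = consumer_secrets.get(params.get("oauth_consumer_key"))
    if secret is None or "oauth_nonce" not in params:
        return False
    if abs(now - int(params.get("oauth_timestamp", "0"))) > max_skew:
        return False
    nonce_key = (params["oauth_consumer_key"], params["oauth_nonce"])
    if nonce_key in seen_nonces:
        return False  # replay of an already-accepted request
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(nonce_key)
    return True
```

Note that the signature covers the query parameters too, so a consumer key alone grants nothing and a modified request fails verification; the user's password never leaves company A's service.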

Kerberos: a network authentication protocol. Traditional authentication methods are not suitable for computer networks (attackers monitor network traffic and intercept passwords). Strong authentication mechanisms do not disclose passwords.

WSO2 Identity Server is an... open source IDENTITY and ENTITLEMENT MANAGEMENT system.
IDENTITY
- Authentication (with UT or SOAP against LDAP, AD or JDBC user stores / WS-Trust / OAuth / OpenID / Information Card)
- Single sign on: OpenID, SAML2 (Security Assertion Markup Language), Kerberos
- Provisioning: SPML (Service Provisioning Markup Language)

- SCIM (Simple Cloud Identity Management)
- Auditing: XDAS (principle of accountability, detection of security policy violations)
- Delegation (WS-Trust / OAuth)

- Federation (linking a person's identity and attributes stored across multiple identity management systems): OpenID, SAML2, WS-Trust, Information Card

ENTITLEMENT
- Role based access control
- Attribute based access control
- Policy based access control
- SOAP (XACML / WS-Trust)
- REST (OAuth / XACML)
MANAGEMENT
- Web based management console
- SOAP based API