
1 WSO2 Identity Server

2 Scenario: a small company (call it company A) has a few services deployed on one application server.

3 Use transport-level security (HTTPS). It provides:
- Authentication (client certificates, HTTP basic or digest authentication)
- Confidentiality (encryption of the connection)
- Integrity (TLS protects the stream in transit; XML Signature is the message-level equivalent)

4 Later ... TLS was not enough, because:
- The message is protected only on the wire, point to point; once it is decrypted at an intermediary or written to disk the protection is gone.
- You cannot encrypt or sign only part of the message.
So use message-level security (WS-Security), which signs and encrypts individual parts of the SOAP message and keeps them protected end to end.

5 How the system looks...

6 Access issues... There are both internal users (employees) and external users. Authenticating internal users is easy, since they are in the company directory. How can we authenticate external users?

7 More problems... Thousands of external user entries: hard to maintain locally, and keeping duplicate records of other companies' users wastes resources. Assume company B needs access to these services and only a few employees of B should be given access.

8 WS-Trust. Allow a request if it is signed by a trusted party. The Identity Server (IS) maintains an internal Security Token Service (STS), connected to LDAP, that issues signed tokens for internal users' requests.

9 STS... The user authenticates to the STS with a UsernameToken (UT); the STS returns a token carrying the claims the service requires. Token types, by subject confirmation method:
- Bearer: whoever presents the token is accepted
- Holder-of-key: the token is bound to a key and the presenter must prove possession of it
  - Symmetric key
  - Public key
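An added example (not code from the presentation or from WSO2 Identity Server) of what the two confirmation methods on this slide mean for the service that consumes the token. A mock STS authenticates a UsernameToken against a stand-in user store and issues a signed token with the email and last-name claims; the service verifies the issuer signature and, for a holder-of-key token, also demands a proof signature made with the key bound to the token. Keys, user entries and the token encoding (JSON with HMAC-SHA256 signatures instead of a SAML assertion with XML Signature) are constructed assumptions; in WS-Trust the symmetric proof key is delivered to the service inside the token, which the `proof_keys` table stands in for here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed keys for the example. A real STS keeps its signing key in a keystore.
STS_KEY = b"example-sts-signing-key"      # shared by STS and service: issuer signature
CLIENT_KEY = b"example-client-proof-key"  # symmetric proof key bound to a holder-of-key token

# Stand-in for the LDAP user store behind the STS (constructed entry).
USER_STORE = {"alice": {"password": "s3cret", "email": "alice@a.com", "lastname": "Smith"}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(key: bytes, data: bytes) -> str:
    return b64url(hmac.new(key, data, hashlib.sha256).digest())


def key_id(key: bytes) -> str:
    """Identifier under which the service knows a proof key (assumption: a SHA-256 fingerprint)."""
    return hashlib.sha256(key).hexdigest()


def sts_issue(username: str, password: str, confirmation: str,
              proof_key: Optional[bytes] = None) -> dict:
    """Authenticate a UsernameToken and issue a signed token with the claims the
    service requires (email address and last name) and the confirmation method."""
    entry = USER_STORE.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        raise PermissionError("UsernameToken authentication failed")
    claims = {"sub": username, "email": entry["email"], "lastname": entry["lastname"],
              "confirmation": confirmation}
    if confirmation == "holder-of-key":
        if proof_key is None:
            raise ValueError("holder-of-key token needs a proof key")
        claims["key_id"] = key_id(proof_key)   # binds the key to the token
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": b64url(payload), "issuer_sig": mac(STS_KEY, payload)}


def client_send(token: dict, body: str, proof_key: Optional[bytes] = None) -> dict:
    """Build the message; with a proof key, sign token and body to prove possession."""
    msg = {"token": token, "body": body}
    if proof_key is not None:
        msg["proof"] = mac(proof_key, (token["payload"] + "." + body).encode())
    return msg


def service_accept(msg: dict, proof_keys: dict) -> Tuple[bool, str]:
    """Service side: check issuer signature, required claims and, for holder-of-key,
    the proof of possession. proof_keys maps key_id -> symmetric key for that token."""
    token = msg["token"]
    payload = unb64url(token["payload"])
    if not hmac.compare_digest(mac(STS_KEY, payload), token["issuer_sig"]):
        return False, "issuer signature invalid"
    claims = json.loads(payload)
    for required in ("email", "lastname"):
        if required not in claims:
            return False, "missing claim " + required
    if claims["confirmation"] == "bearer":
        return True, "bearer token accepted for " + claims["email"]   # possession is enough
    if claims["confirmation"] != "holder-of-key":
        return False, "unknown confirmation method"
    key = proof_keys.get(claims.get("key_id"))
    if key is None or "proof" not in msg:
        return False, "holder-of-key proof missing"
    expected = mac(key, (token["payload"] + "." + msg["body"]).encode())
    if not hmac.compare_digest(expected, msg["proof"]):
        return False, "holder-of-key proof invalid"
    return True, "holder-of-key token accepted for " + claims["email"]


if __name__ == "__main__":
    bearer = sts_issue("alice", "s3cret", "bearer")
    print(service_accept(client_send(bearer, "GET /events"), {}))            # anyone holding it gets in
    hok = sts_issue("alice", "s3cret", "holder-of-key", CLIENT_KEY)
    keys = {key_id(CLIENT_KEY): CLIENT_KEY}
    print(service_accept(client_send(hok, "GET /events", CLIENT_KEY), keys))  # accepted
    print(service_accept(client_send(hok, "GET /events"), keys))              # stolen token, no key: rejected
```

The last two calls are the point of the slide: a stolen bearer token is as good as the original, while a stolen holder-of-key token is useless without the bound key.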

10 Before the sample... How do we communicate our security requirements to our users? The service has to state:
- The token must contain the email address and last name
- The standard versions we use
- The encryption and signature methods we use
- The key sizes
- Which parts of the message must be encrypted
Use WS-SecurityPolicy, which attaches these requirements to the service's WSDL so clients can read them.


12 Message interceptor gateway... Multiple entry points are a security hole. Authenticate and authorize users centrally at a single entry point and load balance from there. A proxy service can serve as that entry point.

13 What about authorization... Some users must not be allowed to access certain resources, so authentication alone is not enough. Role-based access control helps, but as the application landscape grows the authorization logic has to be implemented in each and every application: complexity, frequent updates, hard maintenance.

14 Requirements...
- Externalized: not bound to the application; all application servers query one system
- Policy based: no source code change to alter the rules
- Standardized
- Attribute based: service X can be accessed by a user belonging to the A.com domain whose salary is not less than 50000
- Fine grained: allow the "manager" user group, above age 40, to access a portal on normal business days from 9 a.m. to 5 p.m. and not on weekends
- Real time (dynamic): allow money transfer between accounts from 9 a.m. to 3 p.m.

15 XACML...
Rule combining algorithms (combine the rules inside a policy):
- Deny overrides
- Permit overrides
- First applicable
Policy combining algorithms (combine the policies inside a policy set):
- Deny overrides
- Permit overrides
- First applicable
- Ordered deny-overrides
- Ordered permit-overrides
- Only one applicable

16 Performance improvements...
- Thrift protocol (binary RPC between PEP and PDP instead of SOAP)
- Decision cache: invalidated when the policy cache is updated, when the attribute cache is invalidated, or when the global policy combining algorithm is changed
- Attribute cache: updated when external attribute stores change
- Policy cache
- PEP decision cache (at the enforcement point, so repeated identical requests need no round trip to the PDP)
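An added example, not code from the presentation or from WSO2's entitlement engine, that covers slides 14 to 16 together: the three access requirements from slide 14 written as rules, the rule and policy combining algorithms from slide 15 as functions over child decisions, and the decision cache from slide 16, dropped whenever the policy set or the global combining algorithm changes. Policies are Python predicates rather than XACML XML, attribute names (`domain`, `salary`, `groups`, `age`, `time`) and the sample requests are constructed assumptions, and a missing attribute is mapped to Indeterminate, which the combiners here treat like NotApplicable.

```python
from datetime import datetime
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Request = Dict[str, object]
Rule = Tuple[str, Callable[[Request], bool], str]   # (rule id, condition, effect)


def evaluate_rule(rule: Rule, req: Request) -> str:
    _rule_id, condition, effect = rule
    try:
        return effect if condition(req) else "NotApplicable"
    except (KeyError, TypeError, AttributeError):
        return "Indeterminate"          # attribute missing or of the wrong type


# Combining algorithms from slide 15; each takes the ordered list of child decisions.
def deny_overrides(decisions: Sequence[str]) -> str:
    return "Deny" if "Deny" in decisions else ("Permit" if "Permit" in decisions else "NotApplicable")


def permit_overrides(decisions: Sequence[str]) -> str:
    return "Permit" if "Permit" in decisions else ("Deny" if "Deny" in decisions else "NotApplicable")


def first_applicable(decisions: Sequence[str]) -> str:
    return next((d for d in decisions if d in ("Permit", "Deny")), "NotApplicable")


def only_one_applicable(decisions: Sequence[str]) -> str:
    applicable = [d for d in decisions if d in ("Permit", "Deny")]
    return "Indeterminate" if len(applicable) > 1 else (applicable[0] if applicable else "NotApplicable")


COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides,
             "first-applicable": first_applicable, "only-one-applicable": only_one_applicable}


class Policy:
    def __init__(self, policy_id: str, rules: List[Rule], algorithm: str):
        self.policy_id, self.rules, self.combine = policy_id, rules, COMBINERS[algorithm]

    def evaluate(self, req: Request) -> str:
        return self.combine([evaluate_rule(r, req) for r in self.rules])


class PDP:
    """Policy decision point: a policy set, a policy combining algorithm and a decision
    cache that is cleared on every policy or algorithm update (slide 16)."""

    def __init__(self, policies: List[Policy], algorithm: str):
        self.policies, self.combine, self._cache = policies, COMBINERS[algorithm], {}

    def update(self, policies: List[Policy], algorithm: str) -> None:
        self.policies, self.combine = policies, COMBINERS[algorithm]
        self._cache.clear()

    def cache_size(self) -> int:
        return len(self._cache)

    def decide(self, req: Request) -> str:
        key = tuple(sorted(req.items(), key=lambda kv: kv[0]))   # attribute values must be hashable
        if key not in self._cache:
            self._cache[key] = self.combine([p.evaluate(req) for p in self.policies])
        return self._cache[key]


def office_hours(t: datetime, start: int, end: int) -> bool:
    return t.weekday() < 5 and start <= t.hour < end          # Monday to Friday only


# The three requirements from slide 14; each policy ends with a deny for its own resource.
POLICIES = [
    Policy("service-x", [
        ("permit-a-com-staff", lambda r: r["resource"] == "service-x" and r["domain"] == "a.com"
                                         and r["salary"] >= 50000, "Permit"),
        ("deny-others", lambda r: r["resource"] == "service-x", "Deny")], "first-applicable"),
    Policy("portal", [
        ("permit-senior-managers", lambda r: r["resource"] == "portal" and "manager" in r["groups"]
                                             and r["age"] > 40 and office_hours(r["time"], 9, 17), "Permit"),
        ("deny-others", lambda r: r["resource"] == "portal", "Deny")], "first-applicable"),
    Policy("transfer", [
        ("permit-transfer-window", lambda r: r["action"] == "transfer" and 9 <= r["time"].hour < 15, "Permit"),
        ("deny-outside-window", lambda r: r["action"] == "transfer", "Deny")], "first-applicable"),
]

# Constructed requests; 2024-06-04 is a Tuesday, 2024-06-08 a Saturday.
BASE = {"action": "read", "domain": "a.com", "salary": 60000, "groups": (), "age": 30}
REQUESTS = {
    "alice-service-x": {**BASE, "resource": "service-x", "time": datetime(2024, 6, 4, 10)},
    "bob-service-x": {**BASE, "resource": "service-x", "domain": "b.com", "time": datetime(2024, 6, 4, 10)},
    "manager-portal-saturday": {**BASE, "resource": "portal", "groups": ("manager",), "age": 45,
                                "time": datetime(2024, 6, 8, 10)},
    "manager-portal-tuesday": {**BASE, "resource": "portal", "groups": ("manager",), "age": 45,
                               "time": datetime(2024, 6, 4, 10)},
    "transfer-14h": {**BASE, "resource": "account", "action": "transfer", "time": datetime(2024, 6, 4, 14)},
    "transfer-16h": {**BASE, "resource": "account", "action": "transfer", "time": datetime(2024, 6, 4, 16)},
}


def run_samples(pdp: Optional[PDP] = None) -> Dict[str, str]:
    pdp = pdp or PDP(POLICIES, "deny-overrides")
    return {name: pdp.decide(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(name, "->", decision)
```

Because every policy here targets a different resource, the top-level algorithm never has to reconcile a Permit with a Deny; the difference between `deny_overrides` and `permit_overrides` only shows when two policies apply to the same request, which is exactly why a PEP must treat NotApplicable as a refusal rather than assume one policy always fires.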

17 How to authenticate from the front end. People hate multiple passwords. Use OpenID:
- Be an OpenID relying party (IS accepts OpenID logins, e.g. yumani.myopenid.com)
- Be an OpenID provider
- Information Card (based on WS-Trust)

18 Proof of identity... Something you know (password, PIN), something you have (ATM card), something you are (fingerprint). IS provides multi-factor authentication (XMPP and Information Card).


20 Company A uses one of its services to maintain its recent and upcoming events (not shared with everyone). Assume there is a free tool or web app that can extract that information and post it on the user's Facebook profile. Since the service is secured, should we hand our username and password to an external app?

21 OAuth: a delegated authorization protocol. Users can let a client access their data on a server without revealing their credentials to the client. This is 3-legged OAuth:
- Service provider: a web application that allows access via OAuth
- User: a person who has an account with the service provider
- Consumer: a web site or application that uses OAuth to access the service provider
2-legged OAuth: the typical client-server scenario, where the consumer uses its own consumer key and secret to access the resources and no user is in the loop.
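An added example (not code from the presentation or from WSO2 Identity Server) of the 2-legged case on this slide, using the OAuth 1.0 HMAC-SHA1 signing scheme (RFC 5849) in which the consumer never sends its secret: it sends a consumer key, nonce and timestamp, plus a signature over the request, and the service provider recomputes the signature with the secret it holds for that key. The verifier side also rejects replays (same nonce and timestamp seen before) and stale timestamps. The consumer key, secret, URL and window size are constructed assumptions.

```python
import base64
import hashlib
import hmac
from typing import Dict, Set, Tuple
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value: str) -> str:
    """RFC 5849 percent-encoding: only unreserved characters are left as they are."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: Dict[str, str]) -> str:
    parts = urlsplit(url)
    host = parts.hostname.lower()
    if parts.port and (parts.scheme.lower(), parts.port) not in (("http", 80), ("https", 443)):
        host += ":%d" % parts.port            # default ports are dropped, others kept
    base_url = "%s://%s%s" % (parts.scheme.lower(), host, parts.path)
    # Query parameters and oauth_* parameters (never oauth_signature) are encoded, sorted, joined.
    pairs = [(pct(k), pct(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    pairs += [(pct(k), pct(v)) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs.sort()
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method: str, url: str, oauth_params: Dict[str, str],
                        consumer_secret: str, token_secret: str = "") -> str:
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()   # empty token secret: 2-legged
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def consumer_authorization_header(method: str, url: str, consumer_key: str,
                                  consumer_secret: str, nonce: str, timestamp: int) -> str:
    """Consumer side of 2-legged OAuth: sign with the consumer key/secret, no user token."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_version": "1.0"}
    oauth["oauth_signature"] = hmac_sha1_signature(method, url, oauth, consumer_secret)
    return "OAuth " + ", ".join('%s="%s"' % (pct(k), pct(v)) for k, v in sorted(oauth.items()))


def parse_authorization_header(header: str) -> Dict[str, str]:
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for item in header[6:].split(", "):
        k, v = item.split("=", 1)
        params[unquote(k)] = unquote(v.strip('"'))
    return params


def service_provider_verify(method: str, url: str, header: str, consumer_secrets: Dict[str, str],
                            seen_nonces: Set[Tuple[str, str, int]], now: int,
                            window: int = 300) -> Tuple[bool, str]:
    """Service provider side: look up the secret for the consumer key, reject stale or
    replayed requests, then recompute and compare the signature in constant time."""
    oauth = parse_authorization_header(header)
    secret = consumer_secrets.get(oauth.get("oauth_consumer_key", ""))
    if secret is None:
        return False, "unknown consumer key"
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    try:
        ts = int(oauth["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > window:
        return False, "timestamp outside window"
    replay_key = (oauth["oauth_consumer_key"], oauth.get("oauth_nonce", ""), ts)
    if replay_key in seen_nonces:
        return False, "nonce already used (replay)"
    expected = hmac_sha1_signature(method, url, oauth, secret)
    if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
        return False, "signature mismatch"
    seen_nonces.add(replay_key)            # record only after a successful check
    return True, "authenticated consumer " + oauth["oauth_consumer_key"]


if __name__ == "__main__":
    url = "https://api.a.example/events?since=2024-01-01"          # constructed
    secrets = {"companyA-key": "companyA-secret"}                    # constructed
    seen: Set[Tuple[str, str, int]] = set()
    header = consumer_authorization_header("GET", url, "companyA-key", "companyA-secret", "n0nce1", 1700000000)
    print(header)
    print(service_provider_verify("GET", url, header, secrets, seen, now=1700000010))   # accepted
    print(service_provider_verify("GET", url, header, secrets, seen, now=1700000010))   # replay rejected
```

Note that the signature covers the method, the normalized URL and all query parameters, so a captured header cannot be reused against a different resource even inside the timestamp window; the nonce store is what stops it being reused against the same one.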

22 Kerberos: a network authentication protocol. Traditional authentication methods, which send the password itself, are not suitable for computer networks, because attackers monitor network traffic and intercept passwords. Strong authentication mechanisms never disclose the password on the wire.

23 WSO2 Identity Server is a... open source IDENTITY and ENTITLEMENT management system.
IDENTITY
- Authentication (with UsernameToken or SOAP against LDAP, AD or JDBC user stores / WS-Trust / OAuth / OpenID / Information Card)
- Single sign-on: OpenID, SAML2 (Security Assertion Markup Language), Kerberos
- Provisioning: SPML (Service Provisioning Markup Language)

24
- SCIM (Simple Cloud Identity Management)
- Auditing: XDAS (principle of accountability, detection of security policy violations)
- Delegation (WS-Trust / OAuth)

25
- Federation (linking a person's identity and attributes stored across multiple identity management systems): OpenID, SAML2, WS-Trust, Information Card

26 ENTITLEMENT
- Role-based access control
- Attribute-based access control
- Policy-based access control
- SOAP (XACML / WS-Trust)
- REST (OAuth / XACML)
MANAGEMENT
- Web-based management console
- SOAP-based API
