identity-serverx - WSO2


21 Feb 2014


Prabath Siriwardena

Senior Software Architect

An open source Identity & Entitlement management server

Authentication: AD, LDAP, JDBC

Single Sign On: SAML2, Kerberos, WS-Fed Passive


OpenID

- Decentralized Single Sign On
- Single user profile
- Widely used for community & collaboration aspects
- Multifactor Authentication [Infocard, XMPP]
- OpenID relying party components



SAML2

- Single Sign On / Single Logout
- Widely used by *aaS providers [Google Apps, Salesforce]
- SAML2 Web SSO Profile
- SAML2 Attribute Profile
- Distributed Federated SAML2 IdPs
- Used in WSO2 StratosLive
- SharePoint

Provisioning: SCIM, SPML

Provisioning standards timeline:

2001 : OASIS PS TC
2003 : SPML 1.0
2003 : WS-Provisioning
2006 : SPML 2.0
2010 : SCIM community
2011 : SCIM 1.0
2012 : SCIM 1.1
2011 : RESTPML

Diagram: SCIM Service Provider exposing the /Users and /Groups endpoints to a SCIM Consumer.

add-user.json:

{
  "schemas": [],
  "name": {"familyName": "siriwardena", "givenName": "prabath"},
  "userName": "prabath",
  "password": "prabath123",
  "emails": [
    {"primary": true, "value": "prabath@yahoo.com", "type": "home"},
    {"value": "prabath@wso2.com", "type": "work"}
  ]
}

curl command:

curl -v -k --user admin:admin -d @add-user.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

add-group.json:

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "idnext",
  "displayName": "IdentityNext"
}

curl command:

curl -v -k --user admin:admin -d @add-group.json --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
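The two requests above are plain JSON POSTs with HTTP Basic authentication. The following is an added example, not code from the deck or from WSO2: it builds a SCIM 1.1 User resource in the shape of add-user.json, checks it for the things a strict SCIM 1.1 service provider would reject (a missing core schema URN, a missing userName, more than one primary email), and assembles the same URL, headers and body the curl command sends. The sample values are constructed; CORE_SCHEMA is the URN the deck's add-group.json uses.

```python
import base64
import json

# SCIM 1.1 core schema URN, as used in the deck's add-group.json
CORE_SCHEMA = "urn:scim:schemas:core:1.0"
# Constructed sample mirroring add-user.json (throwaway dev values)
SAMPLE_EMAILS = [
    {"primary": True, "value": "prabath@yahoo.com", "type": "home"},
    {"value": "prabath@wso2.com", "type": "work"},
]

def build_user(user_name, family_name, given_name, emails, password):
    """Assemble a SCIM 1.1 User resource shaped like add-user.json, with schemas filled in."""
    return {
        "schemas": [CORE_SCHEMA],
        "name": {"familyName": family_name, "givenName": given_name},
        "userName": user_name,
        "password": password,
        "emails": [dict(e) for e in emails],
    }

def validate_user(doc):
    """Return the problems a strict SCIM 1.1 service provider would reject in a User POST."""
    problems = []
    if CORE_SCHEMA not in doc.get("schemas", []):
        problems.append("schemas must include " + CORE_SCHEMA)
    if not doc.get("userName"):
        problems.append("userName is required")
    emails = doc.get("emails", [])
    if sum(1 for e in emails if e.get("primary") is True) > 1:
        problems.append("at most one email may be primary")
    for e in emails:
        if "@" not in e.get("value", ""):
            problems.append("email value malformed: %r" % e.get("value"))
    return problems

def build_request(doc, path, user="admin", password="admin",
                  base="https://localhost:9443/wso2/scim"):
    """Return (url, headers, body) equivalent to the deck's curl: Basic auth + JSON body.
    Unlike curl -k, a real client should keep TLS certificate verification enabled."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
    return base + path, headers, json.dumps(doc)

if __name__ == "__main__":
    user = build_user("prabath", "siriwardena", "prabath", SAMPLE_EMAILS, "prabath123")
    print("problems:", validate_user(user) or "none")
    print("deck payload (empty schemas):", validate_user(dict(user, schemas=[])))
    print(build_request(user, "/Users")[0])
```

Note that the deck's add-user.json ships an empty "schemas" list, which this validator flags; the group payload on the page carries the URN.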


Diagram: One way provisioning (Provisioning Service Providers in Domains A, B and C; SCIM Consumer).

Diagram: One way provisioning with broker mode (Provisioning Service Providers in Domains A, B and C; SCIM Consumer).

Diagram: Bi-directional provisioning (Provisioning Service Providers in Domains A, B and C; SCIM Consumers).

Diagram: Multi-directional provisioning with a centralized PSP (Provisioning Service Providers in Domains A, B and C; SCIM Consumers).

Diagram: Just-in-time provisioning with SAML2 (SAML2 IdP, Provisioning Service Provider, Domains A and B; steps 1-4).

Diagram: Just-in-time provisioning with SAML2 (SAML2 IdP, Provisioning Service Provider; steps 1-5; SCIM Consumers at facilelogin.com and wso2.com).

Auditing: XDAS

Delegation: WS-TRUST

- Identity Delegation
- Securing RESTful services
- 2-legged & 3-legged OAuth 1.0a
- XACML integration with OAuth
- OAuth 2.0 support with Authorization Code, Implicit, Resource Owner Credentials, Client Credentials

Federation: WS-TRUST, SAML2

- Supports WS-Trust 1.3/1.4
- SAML 1.0/1.1/2.0 token profiles
- Claim management

Diagram: Security Token Service, Consumer App and Resource across Domain A and Domain B.

Diagram: Cross Domain Authentication with WS-Trust

Diagram: Cross Domain Authentication with Kerberos and WS-Trust

Diagram: Decentralized Federated SAML2 IdPs

Access Control

- Role Based Access Control
- Attribute Based Access Control
- Policy Based Access Control: XACML, exposed over SOAP (XACML / WS-XACML) and REST


XACML

- The de-facto standard for authorization
- XACML 3.0
- Support for multiple PIPs
- Policy distribution
- Decision / Attribute caching
- UI wizard for defining policies
- Notifications on policy updates
- TryIt tool

Diagram: Entitlement architecture. EntitlementService and EntitlementPolicyAdminService front a Policy Decision Point (Policy Cache, Decision Cache, XACML Engine, Extensions) and a Policy Administration Point; the Attribute Finder (Extensions, Default Finder, LDAP, Attribute Cache) supplies attributes; access is over SOAP/Thrift/WS-XACML and SOAP.


Supported features:

- User stores with LDAP/AD/JDBC
- Multiple user stores
- OpenID
- SAML2
- Kerberos
- Integrated Windows Authentication
- Information Cards
- XACML 2.0/3.0
- OAuth 1.0a/2.0
- Security Token Service with WS-Trust
- SCIM 1.1
- WS-XACML
- WS-Fed Passive