WSO2Con EU 2016: End-to-End Identity Management
TRANSCRIPT
Slide: one employee, many credentials. Robert (an employee) keeps a separate account on each system he uses: the cloud email service (username "robert", password "robert-pass"), the expense management system and the HR system (username "robert2", password "robert2-pass"; username "robert_5", password "K67robert2-AB-#2").
Slide: applications backed by a shared userstore. Robert, mail client (username "robert", password "robert-pass"), HR system, expense management system (credentials shown: "robert2" / "robert2-pass" and "robert" / "robert-pass"), userstore.
Slide: identity broker. Robert sends a standard authentication request (username "robert", password "robert-pass") to an identity broker (e.g. WSO2 IS) backed by a userstore; the broker issues a token, and that token, not the password, is what the service provider (e.g. HR system) receives.
Slide: brokered login to the first service provider. Identity broker (e.g. WSO2 IS), service provider (e.g. HR system), userdata. 1. Log in request; 2. Redirect to IdP; 3. Request token; 4. Authenticate; 5. Redirect to SP; 6. Response token. Result: session S1 at the service provider.
Slide: login to a second service provider with an existing IdP session. Identity broker (e.g. WSO2 IS), service provider 1 (e.g. HR system, session S1), service provider 2 (e.g. cloud mail service), userdata. 1. Log in request; 2. Redirect to IdP; 3. Request token (IdP session IS1 already exists); 4. Bypass login page; 5. Redirect to SP2; 6. Response token. Result: session S2 at service provider 2, without a second password prompt.
Slide: eXtensible Access Control Markup Language (XACML). Protected resources: /data/files, /data/archives, /data/visualize, /data/details. Requesting users: Tao, David, Jane. Components: Policy Enforcement Point (PEP) in front of the resources; Policy Decision Point (PDP) inside the identity server; Policy Store; Policy Administration Point (PAP). Example policies: "If user = jane: Permit." "If role = clark and action = write: Deny."
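The two policies on the XACML slide written out as one XACML 3.0 policy and evaluated by a minimal PDP, as an added example; this is not the PDP that WSO2 Identity Server ships, only enough of the standard to show how the PEP, the rules and the rule-combining algorithm interact. The role attribute id (http://wso2.org/claims/role), the policy id and the access_request helper are assumptions; only string-equal matching and the deny-overrides and permit-overrides combining algorithms are implemented.

```python
"""Minimal XACML 3.0 evaluation of the slide's two rules (added example)."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ROLE_ID = "http://wso2.org/claims/role"   # assumed claim URI carrying the user's roles

# The slide's policies for /data/files: "If user = jane: Permit" and
# "If role = clark and action = write: Deny", combined with deny-overrides.
POLICY_XML = f"""<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="data-files-policy" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>
    <Match MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">/data/files</AttributeValue>
      <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target>
  <Rule RuleId="deny-clark-write" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">clark</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{ROLE_ID}" DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">write</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="permit-jane" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">jane</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def _match(match, request):
    """A Match is true if the function holds for any value in the designated
    attribute bag; an absent bag never matches. Only string-equal is supported."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    value = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    return value in request.get((des.get("Category"), des.get("AttributeId")), ())


def _target_matches(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing Target matches every request."""
    if target is None:
        return True
    return all(
        any(all(_match(m, request) for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))


def evaluate(policy_xml, request):
    """PDP: returns Permit, Deny or NotApplicable for one access request."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if _target_matches(rule.find("x:Target", NS), request)]
    alg = policy.get("RuleCombiningAlgId").rsplit(":", 1)[1]
    # The combining algorithm decides conflicts: with deny-overrides a single
    # applicable Deny wins; with permit-overrides a single Permit wins.
    order = {"deny-overrides": ("Deny", "Permit"), "permit-overrides": ("Permit", "Deny")}[alg]
    return next((effect for effect in order if effect in effects), "NotApplicable")


def pep_allows(decision):
    """PEP: fail closed. NotApplicable and Indeterminate are not "allow"."""
    return decision == "Permit"


def access_request(user, roles, action, resource):
    """Attribute bags the PEP would send in a XACML <Request> (helper, assumed)."""
    return {(SUBJECT, SUBJECT_ID): [user], (SUBJECT, ROLE_ID): list(roles),
            (ACTION, ACTION_ID): [action], (RESOURCE, RESOURCE_ID): [resource]}
```

Two things worth trying with this: Jane holding the "clark" role and writing to /data/files matches both rules, and it is the combining algorithm, not rule order, that turns that into Deny (swap the algorithm URN for permit-overrides and the same request is permitted); and a request the policy does not cover at all, such as David reading /data/archives, comes back NotApplicable, which the PEP must treat as a refusal rather than a pass.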
Slide: outbound provisioning. The identity server creates the new user in Extern Inc., the cloud email service, the contacts directory and the expense management system, each target receiving its own representation of the account: Create User (username: jane, email: [email protected]); Create User (username: jane, password: jane123, email: [email protected]); Create User (username: jane); Create User (username: [email protected]).
Slide: role assignment with an approval workflow. Update roles; approve role assignment; approve role assignment; assigned to "supervisors" role; assigned to "James".
Slide: just-in-time provisioning through the identity broker. Identity broker; user (username: jane, password: jane123, email: [email protected]); user directory. 1. Access request; 2. Auth request; 3. Auth request; 4. Auth response; 5. Add user to the user directory.
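The two SSO slides (first login with steps 1 to 6 and session S1, then a second service provider reusing IdP session IS1 and bypassing the login page to get session S2) and the just-in-time provisioning slide, as one added Python simulation. This is example code, not WSO2 Identity Server code: tokens are HMAC-signed stand-ins for SAML assertions or JWTs, the userstore, the external IdP's user list and all credentials are constructed, and the class and method names (IdentityBroker, ServiceProvider, handle_authn_request, add_if_missing) are assumptions.

```python
"""Brokered SSO with one IdP session shared across service providers, plus
JIT provisioning of a federated user. Added example, not WSO2 IS code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

BROKER_KEY = b"demo-broker-signing-key"   # constructed; a real broker signs with an asymmetric key


@dataclass(frozen=True)
class Token:
    subject: str
    audience: str    # the service provider this token was issued for
    nonce: str
    signature: str

    @staticmethod
    def _mac(subject, audience, nonce):
        return hmac.new(BROKER_KEY, f"{subject}|{audience}|{nonce}".encode(), hashlib.sha256).hexdigest()

    @classmethod
    def issue(cls, subject, audience):
        nonce = secrets.token_hex(8)
        return cls(subject, audience, nonce, cls._mac(subject, audience, nonce))

    def valid_for(self, audience):
        # Both checks matter: a genuinely signed token minted for the HR system
        # must not log its bearer into the mail service.
        genuine = hmac.compare_digest(self._mac(self.subject, self.audience, self.nonce), self.signature)
        return genuine and self.audience == audience


class UserDirectory:
    """The broker's userstore; passwords kept as hashes (constructed data)."""
    def __init__(self, users):
        self.users = {name: self._hash(pw) for name, pw in users.items()}

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def check(self, username, password):
        return hmac.compare_digest(self.users.get(username, ""), self._hash(password))

    def add_if_missing(self, username):
        """JIT provisioning (step 5): create the federated user once, with no
        local password, so sessions and roles can be attached to it."""
        if username in self.users:
            return False
        self.users[username] = ""
        return True


class IdentityBroker:
    def __init__(self, directory, external_idp):
        self.directory = directory
        self.external_idp = external_idp  # {username: password} at the external IdP (constructed)
        self.sessions = {}                # IdP session id (the slide's IS1) -> username
        self.login_prompts = 0

    def handle_authn_request(self, browser, sp_name, credentials=None, federated=False):
        """Steps 3, 4 and 6: issue a token for sp_name, showing the login page
        only when the browser carries no valid IdP session."""
        user = self.sessions.get(browser.get("idp"))
        if user is None:
            self.login_prompts += 1
            if credentials is None:
                return None
            username, password = credentials
            if federated:                 # JIT slide steps 3 and 4: the external IdP answers
                if self.external_idp.get(username) != password:
                    return None
                self.directory.add_if_missing(username)
            elif not self.directory.check(username, password):
                return None
            browser["idp"] = sid = secrets.token_hex(8)
            self.sessions[sid] = username
            user = username
        # Otherwise this is "4. Bypass login page" on the second SSO slide.
        return Token.issue(user, sp_name)


class ServiceProvider:
    def __init__(self, name):
        self.name = name
        self.sessions = {}   # SP-local sessions (S1, S2 on the slides)

    def login(self, browser, broker, credentials=None, federated=False):
        """Step 1 login request; steps 2 and 5 are the redirects via the browser."""
        if browser.get(self.name) in self.sessions:
            return True
        return self.consume(browser, broker.handle_authn_request(browser, self.name, credentials, federated))

    def consume(self, browser, token):
        """Step 6: verify the response token, then open an SP session."""
        if token is None or not token.valid_for(self.name):
            return False
        browser[self.name] = sid = secrets.token_hex(8)
        self.sessions[sid] = token.subject
        return True


def demo():
    broker = IdentityBroker(UserDirectory({"robert": "robert-pass"}), {"jane": "jane123"})
    hr, mail = ServiceProvider("HR System"), ServiceProvider("Cloud Mail Service")
    browser = {}   # Robert's cookie jar: one IdP session plus one session per SP
    first = hr.login(browser, broker, ("robert", "robert-pass"))   # login page shown, session S1
    second = mail.login(browser, broker)                            # IS1 reused, session S2
    hr_token = broker.handle_authn_request(browser, hr.name)       # a genuine HR token ...
    replayed = mail.consume({}, hr_token)                           # ... presented to mail
    jane = hr.login({}, broker, ("jane", "jane123"), federated=True)  # JIT provisioned
    return {"first": first, "second": second, "login_prompts": broker.login_prompts,
            "replay_rejected": not replayed, "jane_provisioned": jane and "jane" in broker.directory.users,
            "separate_sp_sessions": browser["HR System"] != browser["Cloud Mail Service"]}
```

demo() shows the property the slides are about (one password prompt for Robert across two service providers, each with its own SP session) and the check the slides leave implicit: every token carries the audience it was issued for, and the service provider verifies it along with the signature, otherwise a token obtained from one SP could be replayed to log the same user into another. The federated login for jane prompts once at the broker and ends with "jane" present in the user directory; a second federated login finds the account and does not create it again.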