Prabath Siriwardena, Senior Software Architect
An open source Identity & Entitlement management server

Authentication
- User stores: AD / LDAP / JDBC

Single Sign On
- SAML2, Kerberos, WS-Fed Passive

OpenID
- Decentralized Single Sign On
- Single user profile
- Widely used for community & collaboration aspects
- Multifactor Authentication [Infocard, XMPP]
- OpenID relying party components

SAML2
- Single Sign On / Single Logout
- Widely used by *aaS providers [Google Apps, Salesforce]
- SAML2 Web SSO Profile
- SAML2 Attribute Profile
- Distributed / Federated SAML2 IdPs
- Used in WSO2 StratosLive

WS-Fed Passive
- SharePoint

Provisioning
- SCIM, SPML
Provisioning standards timeline
- 2001: OASIS PS TC
- 2003: SPML; WS-Provisioning
- 2006: SPML
- 2011: SCIM (SCIM community; RESTPML)
SCIM Consumer -> SCIM Service Provider, which exposes the /Users and /Groups endpoints
Adding a user over SCIM (add-user.json):

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "name": {"familyName": "siriwardena", "givenName": "prabath"},
  "userName": "prabath",
  "password": "prabath123"
}

curl command (host, port and SCIM base path are placeholders for your Identity Server's /Users endpoint):

curl -v -k --user admin:admin --header "Content-Type:application/json" --data @add-user.json https://<identity-server-host>:<port>/<scim-base>/Users
Adding a group over SCIM (add-group.json):

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "idnext",
  "displayName": "IdentityNext"
}

curl command (host, port and SCIM base path are placeholders for your Identity Server's /Groups endpoint):

curl -v -k --user admin:admin --header "Content-Type:application/json" --data @add-group.json https://<identity-server-host>:<port>/<scim-base>/Groups
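The two curl calls above send hand-written JSON with `-k`, which skips TLS certificate verification. The following Python script is an added example (not code from the slides or from WSO2 Identity Server) that builds the same /Users and /Groups payloads, checks the two things a SCIM 1.1 service provider rejects first (the core schema URN and the naming attribute), and composes the equivalent HTTP request with Basic authentication and verification against a CA bundle instead of `-k`. The base URL, credentials and CA bundle path are assumptions supplied by the caller; the group's `members` entries reference the server-assigned user `id` returned by the /Users call.

```python
"""SCIM 1.1 (core schema 1.0) provisioning helper.

Added example, not part of the original slides or of WSO2 Identity Server.
Assumed inputs: the SCIM base URL, an admin credential and a CA bundle file
for the server certificate.  Everything else is constructed in this file.
"""
import base64
import json
import ssl
import urllib.request

# Schema URN used by the slides' add-group.json payload.
SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"


def build_user(user_name, given_name, family_name, password):
    """Return a /Users resource shaped like the slides' add-user.json."""
    return {
        "schemas": [SCIM_CORE_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "password": password,
    }


def build_group(display_name, member_ids=()):
    """Return a /Groups resource; member_ids are server-assigned user ids."""
    return {
        "schemas": [SCIM_CORE_SCHEMA],
        "displayName": display_name,
        "members": [{"value": member_id} for member_id in member_ids],
    }


def validate_resource(resource):
    """Return a list of problems; an empty list means the payload is well formed.

    Catches the defects a service provider reports first: a missing core
    schema URN (the slides' user payload has an empty "schemas" list) and a
    missing naming attribute (userName for users, displayName for groups).
    """
    problems = []
    if SCIM_CORE_SCHEMA not in resource.get("schemas", []):
        problems.append("schemas must list " + SCIM_CORE_SCHEMA)
    if "userName" not in resource and "displayName" not in resource:
        problems.append("resource needs userName (user) or displayName (group)")
    if "userName" in resource and not resource.get("password"):
        problems.append("user creation needs a password")
    return problems


def basic_auth_header(username, password):
    """Value of the Authorization header that curl --user produces."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def provisioning_request(base_url, endpoint, resource, username, password):
    """Compose the POST equivalent to the slides' curl command (without -k)."""
    problems = validate_resource(resource)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint,
        data=json.dumps(resource).encode(),
        method="POST",
    )
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def provision(base_url, endpoint, resource, username, password, ca_bundle):
    """Send the request, verifying the server certificate against ca_bundle."""
    context = ssl.create_default_context(cafile=ca_bundle)  # replaces curl -k
    req = provisioning_request(base_url, endpoint, resource, username, password)
    with urllib.request.urlopen(req, context=context) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Assumed deployment values; a real run needs a reachable Identity Server.
    BASE = "https://identity-server.example:9443/scim"  # placeholder base URL
    user = build_user("prabath", "prabath", "siriwardena", "prabath123")
    created = provision(BASE, "/Users", user, "admin", "admin", "ca-bundle.pem")
    group = build_group("IdentityNext", [created["id"]])
    provision(BASE, "/Groups", group, "admin", "admin", "ca-bundle.pem")
```

Design note: the validation runs before the request is composed, so a payload like the slides' original `"schemas": []` fails locally with a readable message instead of a server-side error, and the certificate check is a caller-supplied CA bundle rather than a global verification switch.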
Provisioning topologies (SCIM Consumer and Provisioning Service Provider across Domain A, Domain B and Domain C)
- One way provisioning
- One way provisioning with broker mode
- Bi-directional provisioning
- Multi-directional provisioning with a centralized PSP
- Just-in-time provisioning with SAML2 (SAML2 IdP in Domain A, Provisioning Service Provider in Domain B)
- Example deployment: one Provisioning Service Provider serving SCIM Consumers at wso2.com and facilelogin.com
Auditing
- XDAS

Delegation
- WS-Trust

Identity Delegation
- Securing RESTful services
- 2-legged & 3-legged OAuth 1.0a
- XACML integration with OAuth
- OAuth 2.0 support with the Authorization Code, Implicit, Resource Owner Credentials and Client Credentials grant types

Federation
- WS-Trust, SAML2
- Supports WS-Trust 1.3/1.4
- SAML 1.0/1.1/2.0 token profiles
- Claim management
- Cross Domain Authentication with WS-Trust (Security Token Service, Consumer App and Resource spanning Domain A and Domain B)
- Cross Domain Authentication with Kerberos and WS-Trust
- Decentralized Federated SAML2 IdPs
Access control
- Role Based Access Control
- Attribute Based Access Control
- Policy Based Access Control with XACML, exposed over SOAP (XACML / WS-XACML) and REST
XACML, the de-facto standard for authorization
- XACML 3.0
- Support for multiple PIPs
- Policy distribution
- Decision / Attribute caching
- UI wizard for defining policies
- Notifications on policy updates
- TryIt tool

Entitlement engine architecture
- Services: EntitlementService, EntitlementPolicyAdminService (SOAP / Thrift / WS-XACML)
- Policy Decision Point: XACML Engine, Policy Cache, Decision Cache, Extensions
- Policy Administration Point
- Attribute Finder Extensions: Default Finder, LDAP, Attribute Cache

Summary of supported features
- User stores with LDAP/AD/JDBC; multiple user stores
- OpenID, SAML2, Kerberos, Integrated Windows Authentication, Information Cards
- XACML 2.0/3.0
- OAuth 1.0a/2.0
- Security Token Service with WS-Trust
- SCIM 1.1
- WS-XACML
- WS-Fed Passive