Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
1. Enterprise Security & SOI: Identity and Access Management in the Organizations with WSO2 IS (ver 1.0)
2. Roger CARHUATOCTO
SOA, BPM, ECM, Portal and Security.
You can reach me on:
http://holisticsecurity.wordpress.com
@Chilcano
http://www.linkedin.com/in/rcarhuatocto
roger [at] chakray.com
+34 629292125
3. 1. A typical Ecosystem in the Organizations: Service-oriented Infrastructure (SOI) as best practice (1/2)
[Architecture diagram; the recoverable labels are:]
• Presentation Layer (VIEW): Portal B2C (Web, Collaboration, Portlets); Portal B2B (Mobile, B2B API, Dashboard, OpenData); BAM, BI & BigData.
• Security and Identity Management (SECURITY): Authentication, Authorization, Single Sign-On, Social Login, Federation of Identities, Consolidation of Identities, Users Management, Users Provisioning.
• Orchestration Layer (CONTROLLER, GOVERNED SERVICES): Enterprise Service Bus; DB, KPI, Logs, Docs.
• Business Service Layer (MODEL, SERVICES): New Business Application Systems (PHP, Ruby, Python, Java); Existing Business Applications (ERP, CRM, CMS, ECM); BPM Applications (Bonita BPM: BPM Designer, Workflow Engine, BPM Portal).
Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
4. 1. A typical Ecosystem in the Organizations: Service-oriented Infrastructure (SOI) as best practice (2/2)
[Same architecture diagram with concrete products; the recoverable labels are:]
• Presentation Layer (VIEW): Portal B2C (Liferay Portal: Web, Collaboration, Portlets); Portal B2B (WSO2 UES, BAM, AM, ES: Mobile, B2B API, Dashboard, OpenData); BAM, BI & BigData.
• SECURITY: Identity Management (WSO2 IS): Authentication, Authorization, Single Sign-On, Social Login; Federated User Management (Penrose Virtual Directory): Consolidation of Identities.
• Orchestration Layer (CONTROLLER, GOVERNED SERVICES): Enterprise Service Bus (WSO2 ESB); User Management (WSO2 SS, BAM, CEP).
• Business Service Layer (MODEL, SERVICES): New Business Application Systems (PHP, Ruby, Python, Java); Existing Business Applications (Openbravo ERP, Openia CRM, Alfresco ECM); BPM Applications (Bonita BPM: Bonita Studio, Bonita Workflow Engine, Bonita UX Portal).
5. 2. Enterprise Security - IAM: Spreading Security in the Organization using SOI
[Same architecture diagram as the previous slide (Identity Management with WSO2 IS, Federated User Management with Penrose Virtual Directory, Portal B2C on Liferay Portal, Portal B2B on WSO2 UES/BAM/AM/ES, WSO2 ESB, WSO2 SS/BAM/CEP, Bonita BPM with Bonita Studio, Bonita Workflow Engine and Bonita UX Portal, existing and new business applications), with markers 1 to 10 at the points where security is applied; the numbers 1 to 10 also appear on the summary slide.]
6. 3. Identity and Access Management - use cases
1. User Credentials Management
• WSO2 Identity Server:
  • User storage using embedded LDAP, external LDAP and external DB.
  • Authentication, Authorization and SSO.
  • Exposes a complete API for user management.
  • Provisioning via SCIM.
  • Multiple User Storages.
  • Policies.
• Penrose Virtual Directory:
  • Can integrate existing LDAP and DB storing user credentials.
  • Exposes an LDAP interface that can be used as the external LDAP for WSO2 IS.
  • Bidirectional sync (LDAP in read/write mode).
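As an added example (not code from the deck, from WSO2 or from Penrose), this is how an application could provision a user into WSO2 IS through its SCIM 1.1 Users endpoint with the admin credentials over HTTPS. The host, admin credentials, CA file name and sample user are assumptions; the HTTPS check exists because HTTP Basic credentials are only base64-encoded and must never travel over plain HTTP.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed example values: host, admin credentials and the CA file are assumptions.
IS_BASE_URL = "https://localhost:9443"   # assumed default WSO2 IS management port
SCIM_USERS = "/wso2/scim/Users"          # SCIM 1.1 Users endpoint exposed by WSO2 IS
SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"


def build_scim_user(username, password, given, family, email):
    """Return the SCIM 1.1 user representation used for provisioning."""
    return {
        "schemas": [SCIM_CORE_SCHEMA],
        "userName": username,
        "password": password,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "type": "work", "primary": True}],
    }


def basic_auth_header(user, password):
    """HTTP Basic is base64 only (reversible), which is why it needs TLS underneath."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def provisioning_request(base_url, admin_user, admin_pw, scim_user):
    """Build the POST; refuse a plain-http URL so the admin credentials never go in clear."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("SCIM provisioning with Basic auth requires HTTPS")
    body = json.dumps(scim_user).encode()
    req = urllib.request.Request(base_url + SCIM_USERS, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(admin_user, admin_pw))
    return req


def provision_user(base_url, admin_user, admin_pw, scim_user, cafile):
    """Send the request, verifying the server certificate against the given CA file."""
    ctx = ssl.create_default_context(cafile=cafile)  # no disabled verification
    req = provisioning_request(base_url, admin_user, admin_pw, scim_user)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode())


if __name__ == "__main__":
    user = build_scim_user("jdoe", "Chang3Me!", "John", "Doe", "jdoe@example.com")
    # "wso2carbon-ca.pem" is a placeholder for the CA that signed the WSO2 IS certificate
    print(provision_user(IS_BASE_URL, "admin", "admin", user, cafile="wso2carbon-ca.pem"))
```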
7. 3. Identity and Access Management - use cases
2. AuthN and AuthZ for Ad-hoc Applications
• WSO2 Identity Server exposes an API for user management:
  • Change password.
  • Recovery.
  • Update profile.
• WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols:
  • OpenID, SAML, OAuth, XACML, RBAC, etc.
8. 3. Identity and Access Management - use cases
3. AuthN and AuthZ for existing ERP and ECM
• Centralized User Management:
  • Openia CRM is a module for Openbravo ERP. Openbravo ERP already has user management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory.
  • In a similar way, Alfresco ECM should be configured with this LDAP.
• Authentication and Authorization:
  • It is not necessary if you extend the ERP or ECM, because user credentials and roles are in the LDAP storage.
  • Calling services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication; use it only over HTTP over SSL, since Basic credentials are merely base64-encoded.
9. 3. Identity and Access Management - use cases
5. AuthN and AuthZ for Bonita BPM
• Any BPM Suite has 3 components:
  • Designer (Bonita Studio):
    • At process-modeling time, having a representation of the hierarchy of users, groups and roles is a great help for the business process expert.
    • Bonita Studio is based on the Eclipse IDE and it is possible to model following this representation of the hierarchy of users, groups and roles using “Bonita’s Actor Filter”.
  • Workflow engine (Bonita Workflow Engine):
    • In this case we should configure the Workflow engine to get the hierarchy from the external LDAP server.
  • TaskList Portal (Bonita UX Portal):
    • The AuthN and AuthZ process is delegated to the external LDAP. Bonita UX Portal has to be configured to point to the LDAP server.
10. 3. Identity and Access Management - use cases
4. AuthN and AuthZ for existing Services
• The User Storage in WSO2 IS can be used as the User Storage for WSO2 ESB.
• Authentication and Authorization:
  • In WSO2 ESB you can enable/disable security over the exposed services.
  • WSO2 IS offers several protocols and strategies as a trusted third party; in this way you can reach SSO and Federation of Identities.
11. 3. Identity and Access Management - use cases
7. AuthN and AuthZ for the Presentation Layer
• Any Web Portal server commonly has an LDAP connector to sync users, groups and/or roles. Also, any Web Portal has connectors to do authentication and authorization; for example, Liferay has tools for these purposes.
• WSO2 IS provides OpenID functionality that can be used with Liferay Portal easily.
• Review the authentication, authorization and SSO strategies of WSO2 IS that suit our environment.
12. 4. Identity and Access Management – flow diagram
Deployment steps (swimlanes: WSO2IS, BONITA, OPENBRAVO, LIFERAY):
1. Deploy WSO2 Identity Server, create several users and roles. Consolidate user credentials (Penrose Virtual Directory) and deploy the LDAP of WSO2 IS.
2. Configure LDAP authentication in Liferay pointing to the embedded LDAP of WSO2 IS. Enable users and roles (group) sync. In this step it is possible to do LDAP authentication and user synchronization.
3. Configure LDAP authentication and user sync in Bonita pointing to the embedded LDAP of WSO2 IS. Right now this functionality is available in the Bonita BPM Teamwork version (http://www.bonitasoft.com/products/productcomparison).
4. Configure LDAP authentication and user synchronization in OpenBravo pointing to the embedded LDAP of WSO2 IS.
5. Check the authentication flow and the user sync flow in the whole system: test authentication and sync of users.
Authentication in Liferay:
1. Start login process
2. Validate credentials
3. WSO2IS sends response
4. Liferay receives response
Authentication in Bonita:
1. Start login process
2. Pass login process to Bonita
3. Validate credentials
4. WSO2IS sends response
5. Bonita redirects response
6. Liferay receives response
Authentication in Openbravo:
1. Start login process
2. Pass login process to Bonita
3. Bonita passes login process
4. OB passes login process
5. WSO2IS sends response
6. OB redirects response
7. Bonita redirects response
8. Liferay receives response
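The search-then-bind LDAP authentication that Liferay, Bonita and Openbravo perform against the embedded LDAP of WSO2 IS in the flows above, written out as an added example (it is not code from the deck or from any of those products). The LDAP URL, service-account DN and user search base are assumed defaults of the WSO2 IS embedded directory; the network part uses the ldap3 library, and the filter escaping keeps a login name from altering the search filter.

```python
# Assumed defaults of the WSO2 IS embedded LDAP (ApacheDS); check your user-mgt.xml.
LDAP_URL = "ldap://localhost:10389"
BIND_DN = "uid=admin,ou=system"          # service account used only for the lookup
BIND_PW = "admin"                        # placeholder; never ship the default
USER_SEARCH_BASE = "ou=Users,dc=wso2,dc=org"
USER_NAME_ATTR = "uid"

# RFC 4515 escapes: applied to every character of user input placed in a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username):
    """Filter that finds exactly the account named in the login form."""
    return f"({USER_NAME_ATTR}={escape_filter_value(username)})"


def single_user_dn(dns):
    """Search-then-bind must resolve exactly one DN; zero or several means refuse."""
    return dns[0] if len(dns) == 1 else None


def authenticate(username, password):
    """Look the user up with the service account, then bind as the user's own DN."""
    from ldap3 import Server, Connection  # imported here so the helpers above need no ldap3
    if not password:
        # An empty password turns a simple bind into an unauthenticated bind,
        # which many directories accept; treat it as a failed login instead.
        return False
    server = Server(LDAP_URL)
    with Connection(server, user=BIND_DN, password=BIND_PW, auto_bind=True) as conn:
        conn.search(USER_SEARCH_BASE, user_search_filter(username),
                    attributes=[USER_NAME_ATTR])
        user_dn = single_user_dn([entry.entry_dn for entry in conn.entries])
    if user_dn is None:
        return False
    user_conn = Connection(server, user=user_dn, password=password)
    try:
        return bool(user_conn.bind())  # True only if the directory accepted the password
    finally:
        user_conn.unbind()
```

Liferay, Bonita and Openbravo do this lookup and bind internally when pointed at the WSO2 IS LDAP; the same two checks (escaped filter, exactly one match, no empty password) are what to verify in any custom application that talks to the directory directly.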
13. 5. Enterprise Security & SOI - summary
• Process integration and consolidation of different sources of user identities.
• Bi-directional synchronization; the goal is to build a centralized database of identities and attributes.
• WSO2 Identity Server exposes an API for user management: recovery, change password, update profile.
• WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols: OpenID, SAML, OAuth, XACML, RBAC, etc.
• Openia CRM is a module for Openbravo ERP. Openbravo ERP already has user management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory.
• In a similar way, Alfresco ECM should be configured with this LDAP.
• Calling services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication.
• Bonita BPM in two phases: design time and run time.
• When the processes are modeled, the Bonita Studio’s Actor Filters should be configured to get users, groups and roles from our centralized User Storage (LDAP).
• When the processes are running, the BPM engine delegates the validation of identities (authorization) to WSO2 IS, while the model of roles and permissions (attributes) lives in the centralized User Storage (LDAP).
• The User Storage in WSO2 IS can be used as the User Storage for WSO2 ESB.
• In WSO2 ESB you can enable/disable security over the exposed services.
• WSO2 IS offers several protocols and strategies as a trusted third party; in this way you can reach SSO and Federation of Identities.
• Existing or new applications can delegate their authentication process to WSO2 IS, while for user synchronization they will use Penrose Virtual Directory as our centralized repository of users and attributes.
• The advantage of using Liferay Portal Server rather than a pure application is the ability to delegate Authentication, Authorization and People Management to WSO2 IS only by setting up connectors, with little programming.
14. Doing the right things. With the right technology. To support business.
www.chakray.com
@Chakray_com
www.linkedin.com/company/chakray-consulting
SOA · BPM · ECM · PORTAL · BIGDATA · SECURITY