Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose

Enterprise Security & SOI
Identity and Access Management in the Organizations with WSO2 IS

ver 1.0

Roger CARHUATOCTO
SOA, BPM, ECM, Portal and Security.
You can reach me on:

http://holisticsecurity.wordpress.com
@Chilcano
http://www.linkedin.com/in/rcarhuatocto

roger [at] chakray.com
+34 629292125

1. A tipical Ecosystem in the Organizations
Service-‐oriented
Infraestructure
(SOI)
as
best
prac7ce
(1/2)

Portal B2C

Authentication
Web

Collaboration

Presentation
Layer

Portal B2B

Portlets

Mobile

B2B

API

Dashboard

OpenData

Security and Identity Management

SECURITY

Authorization
GOVERNED SERVICES

Single Sign-On

BAM, BI
& BigData

Social Login

Enterprise Service Bus

DB, KPI,
Logs, Docs

Federation of
Identities

Consolidation
of Identities

Orchestration
Layer
CONTROLLER

SERVICES

Users Management

Users Provisioning

VIEW

New Business
Application
Systems

Existing Business
Applications

BPM Applications
(Bonita BPM)

ERP

BPM Designer

CRM

Workflow
Engine

CMS, ECM

PHP, Ruby, Python,
Java

BPM Portal

Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS

Business Service
Layer
MODEL

1. A tipical Ecosystem in the Organizations
Service-‐oriented
Infraestructure
(SOI)
as
best
prac7ce
(2/2)

Identity Management
(WSO2 IS)
Authentication,
Authorization

Portal B2C (Liferay Portal)
Web

Collaboration

Portlets

Portal B2B (WSO2 UES, BAM, AM, ES)
Mobile

B2B

API

Dashboard

BAM, BI
& BigData

SECURITY

Social Login

Enterprise Service Bus (WSO2 ESB)

User Management

(WSO2 SS,
BAM, CEP)

Orchestration
Layer
CONTROLLER

SERVICES

New Business
Application
Systems

Existing Business
Applications

BPM Applications
(Bonita BPM)
Bonita Studio
Bonita Workflow
Engine

Alfresco ECM

PHP, Ruby, Python,
Java

Openbravo ERP

Openia CRM

Consolidation
of Identities

VIEW

GOVERNED SERVICES

Single Sign-On

Federated User
Management
(Penrose Virtual
Directory)

OpenData

Presentation
Layer

Bonita UX Portal


Business Service
Layer
MODEL

2. Enterprise Security - IAM
Spreading
Security
in
the
Organiza7on
using
SOI

10

Identity Management
(WSO2 IS)

SECURITY

*

9
*
*
*
*
*
*
*
*
*

Portal B2C (Liferay Portal)

Web, Collab, Mobile, Portlets

B2B

Dashboard

OpenData

BAM, BI
& BigData
8

(WSO2 ESB)

VIEW

(WSO2 SS,
BAM, CEP)

Orchestration
Layer
CONTROLLER

SERVICES

Existing Business
Applications

New Business
Application
Systems

Federated User
Management

API

Presentation
Layer

GOVERNED SERVICES

1

(Penrose Virtual
Directory)

Portal B2B (WSO2 UES, BAM, AM, ES)

PHP, Ruby, Python,
Java
2

BPM Applications
(Bonita BPM)
5

Bonita Studio

6

Bonita Workflow
Engine

3

4


7 Bonita UX Portal

Business Service
Layer
MODEL

3. Identity and Access Management - uses cases
1.
User
Creden7als
Management

• 

WSO2 Identity Server:
• 
• 

User Storage using LDAP embeded, LDAP
external and external DB.

• 

Authentication, Authorization and SSO.

• 

Exposes complete API to user
management.

• 

Provisioning via SCIM.

• 

• 

Multiples User Storages.

Policies

Penrose Virtual Directory
• 

Can integrated existing LDAP and DB
storing user credentials.

• 

Exposes a LDAP interface that can be used
as external LDAP for WSO2 IS.

• 

Bidirectional sync (LDAP in read/write
mode)


2.
AuthN
and
AuthZ
for
Ad-‐hoc
Applica7ons

• 

WSO2 Identity Server exposes API to user
management.
• 
• 

Change password.

• 

• 

Recovery.

Update profile.

WSO2 IS exposes AutheN/AuthZ Services
using serveral strategies/protocols:
• 

OpenID, SAML, OAuth, XACML, RBAC, etc.


3.
AuthN
and
AuthZ
for
exis7ng
ERP
and
ECM

• 

Centralized User Management.
• 

• 

• 

Openia CRM is a module for Openbravo
ERP. Openbravo ERP already have
functionalities to user management, then
Openbravo should be configurated pointing
to the embeded LDAP of WSO2 IS or
Penrose Virtual Directory.
In similar way, Alfresco ECM should be
configures with this LDAP.

Authentication and Authorization.
• 

It is not necessary if you extend ERP or
ECM because user credentials and roles
are in LDAP storage.

• 

Calling Services of Openbravo ERP or
Alfresco ECM requires HTTP Basic
Authentication. Try it using HTTP over SSL.


5.
AuthN
and
AuthZ
for
Bonita
BPM

• 

Any BPM Suite has 3 components:
• 

Designer (Bonita Studio)
• 

• 

• 

In time of processes modeling, obtain
representation of hierarchy of users,
groups, roles is a great help for
business process expert.
Bonita Studio is based in Eclipse IDE
and It is possible to model following
this representation of hierarchy of
users, groups and roles using “Bonita’s
Actor Filter”.

Workflow engine (Bonita Workflow
Engine)
• 

• 

In this case we should cofigure
Workflow engine to get hierarchy from
external LDAP server.

TaskList Portal (Bonita UX Portal)
• 

AuthN and AuthZ process is delegated
to external LDAP. Bonita UX Portal has
to configure pointing to LDAP server.


4.
AuthN
and
AuthZ
for
exis7ng
Services

• 

User Storage in WSO2 IS can be used as User Storage
for WSO2 ESB.

• 

Authentication and Authorization:
• 

• 

In WSO2 ESB you can enable/disable security over the
exposed services.

WSO2 IS offers several protocols and strategies as a
Trusted-third-party, of this way, you can reach SSO and
Federation of Identities.


7.
AuthN
and
AuthZ
for
the
Presenta7on
Layer

• 

Any Web Portal server commonly has a
LDAP connector to sync users, groups
and/or roles. Also, any Web Portal has
connectors to do authentication and
authorization, for example, Liferay has
tools for these purposes.

• 

WSO2 IS provides OpenID functionality
that can be used with Liferay Portal easily.

• 

Review the strategies to authentication,
authorization and SSO of WSO2IS
suitable to our environment.


4. Identity and Access Management – flow diagram

Deploy WSO2
Identity Server,
create several users
and roles.

Consolidate user
credentials (Penrose
Virtual Directory) and
Deploy LDAP WSO2 IS

Configure LDAP
Authentication in
Liferay pointing to
the embedded
LDAP of WSO2 IS.
Enable Users and
Roles (Group) sync.

In this step is possible to
do LDAP Authentication
and User syncronization.

2.

Configure LDAP
Authentication and
users sync in Bonita
pointing to the
embedded LDAP of
WSO2 IS.

Right now this
functionality is available
in Bonita BPM Teamwork
version (http://
www.bonitasoft.com/
products/productcomparison).

3.

4.

5.

Configure LDAP
Authentication and
users sync in
OpenBravo pointing
to the embedded
LDAP of WSO2 IS.
Check the
authentication flow
and user sync flow
in all the system.

WSO2IS

BONITA

OPENBRAVO

LIFERAY

1.

LIFERAY

WSO2IS

BONITA

OPENBRAVO

Authentication in Liferay
1. 
2. 
3. 
4. 

Start login process
Validate credentials
WSO2IS sends response
Liferay receives response

Authentication in Bonita

Configure LDAP
Authentication and User
syncronization of
OpenBravo with
embedded LDAP of
WSO2 IS.

1. 
2. 
3. 
4. 
5. 
6. 

Start login process
Pass login process to Bonita
Validate credentials
Bonita redirects response
Liferay receives response

Authentication in Openbravo
1. 
2. 
3. 
4. 
5. 
6. 
7. 
8. 

Start login process
Pass login process to Bonita
Bonita passes login process
OB passes login process
OB redirects response
Bonita redirects response
Liferay receive response

Testining authentication
an sync of users.


5. Enterprise Security & SOI - summary

1

2

3
4

5
6
7

8

9
10

•  Process integration and consolidation of different sources of user identities.
•  Bi-directional synchronization, the goal is to build a centralized database of identities and attributes.

•  WSO2 Identity Server exposes API to user management: recovery, change password, update
profile.
•  WSO2 IS exposes AutheN/AuthZ Services using serveral strategies/protocols: OpenID, SAML,
OAuth, XACML, RBAC, etc.
•  Openia CRM is a module for Openbravo ERP. Openbravo ERP already have functionalities to user management,
then Openbravo should be configurated pointing to the embeded LDAP of WSO2 IS or Penrose Virtual Directory.
•  In similar way, Alfresco ECM should be configures with this LDAP.
•  Calling Services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication.
•  Bonita BPM in two phases: In design-time and running-time.
•  When the processes are modeling, the Bonita Studio’s Actor Filters should be configurated to get users, groups and
roles from our centrilazed User Storage (LDAP).
•  When the processes are running, the BPM engine delegate the validation of identities (authorization) in WSO2 IS,
while the model of roles and permissions (attributes) on the centralized User Storage (LDAP).
•  User Storage in WSO2 IS can be used as the User Storage for WSO2 ESB.
•  In WSO2 ESB you can enable/disable security over the exposed services.
•  WSO2 IS offers several protocols and strategies as a Trusted-third-party, of this way, you can reach
SSO and Federation of Identities.
•  Existing or new applications can delegate their authentication process in WSO2 IS, while for user synchronization
will use the Penrose Virtual Direcotry as our centralized repository of users and attributes.
•  The advantage of using Liferay Portal Server rather than a pure applications is the ability to delegate the
Authentication, Authorization and People Management WSO2 IS only setting connectors with little programming.


Doing the right things. With the right technology. To support business.

www.chakray.com
@Chakray_com

www.linkedin.com/company/chakray-consulting

SOA · BPM · ECM · PORTAL · BIGDATA · SECURITY

Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose

Similar a Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose (20)

Más de Roger CARHUATOCTO

Más de Roger CARHUATOCTO (20)

Último

Último (20)

Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose