The goal of West’s project is to provide a centralized identity and access management solution within West’s Interactive Services division that can be leveraged by the customer-facing portal and several other web applications developed within the company. Apart from the several out-of-the-box features that West benefited from, WSO2 Identity Server had to be extended for certain other requirements. This session will go into the details of these extensions as they relate to multi-tenancy, role-based permissions and access control by product, as well as tenant subscription and entitlements.
4. Our Business
We deliver communication solutions to help brands create connected customer experiences
[Diagram: communication channel/solutions across the Commercial, Utility, Healthcare, Education and Interactive Services businesses]
What we do: We are the communication channel/solutions that connect our clients and their consumers.
[Diagram: channels (emails, text messages, phone calls, web chat, social media, wearables, website) linking Our Clients (inbound, outbound, cloud contact center, mobile, website) with Consumers]
5. The Challenge
• Start connecting all of our solutions to help our customer create the Connected Customer Experience
• Customer’s choice of communication channel – mobile, web, phone, text, e-mail etc.
• Company should know the customer and their experience should be consistent across all channels of communication
6. Centralized Identity & Access Management
• Distributed – several disparate web applications, each with its own identity management system
• Centralized – operational efficiency, ease of account management, cost savings, know the customer
• Tied to our single customer portal
Access Management
• Authentication – Single Sign-On (SSO), Federation, Session Management, Password Service
• Authorization – Role-based, Attribute-based, Rule-based
Identity Management
• User Management – User & Role Management, Provisioning, Password Management, Delegated Administration, Self-Service
• User Store – Directory, Database, Data Synchronization
7. Requirements
• Multi-tenancy with hierarchical tenant management
• Role-based access by Product (web application)
• User Role Play – Mimic being user of another Tenant
• UserStore – PostgreSQL DB
• Password policies by Tenant, password history, password expiration notifications, lock account after failed login attempts
• Tenant based security question sets
• Support for various protocols for SSO and federation
• Bulk user import
• Audit logging
8. WSO2 Identity Server
• Fulfilled several of our requirements out of the box
• Support for various protocols – SAML2, OAuth2, OpenID, WS-Federation
• Support for heterogeneous and multiple user stores
• Integrates nicely with other WSO2 products in our stack – API Manager, ESB, App Server, DSS
• Started with v5.0 and later upgraded to 5.1
9. System Concepts
Tenant – Typically refers to West's clients (customers). Each tenant requires a unique domain name – e.g. "west.com". A tenant can have sub-tenants.
Products – The various applications that need to be integrated. Each product has multiple features & sub-features, and each feature has actions.
Subscription – Defines the relationship between a Tenant & a Product.
Roles – Each product has role definitions that define the permissions allowed on its features.
Users – Individuals requiring access to the portal and products. Users are grouped at the Tenant level.
10. Tenant Extensions
• Introduced “Relationships” (hierarchy) between tenants – Parent/child
• Added “Attributes” table to store additional tenant-specific data – West Client ID & Name, Divisions
• 3 sets of 5 security questions each per tenant
• “Subscription” table to hold the Tenant & Product relationship
14. Few Other Extensions
• REST API wrappers
• OAuth2 Proxy for authentication in a Single Page Application
• Password expiration notification e-mails – 5 days & 2 days prior
• Password history – cannot reuse last 12 passwords
• Lock user account for 15 min. after 3 failed login attempts
• Automatic removal of user account after 180 days of password expiration
• Bulk user creation through CSV file
• Audit log table to track operations, users, data changes etc.
15. Future Wish List
• Customizable login pages per application and/or Tenant
• 2-factor authentication
• User provisioning, self-registration and approval workflow
• Integrate more products with SSO / federation
• Monitoring & Reporting – suspicious login activities, forced termination of abnormal user sessions
• Analytics
• Keep up with WSO2 Identity Server releases