Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
0 likes•1,260 views
The document outlines a comprehensive strategy for identity and access management (IAM) within organizations utilizing WSO2 in a service-oriented infrastructure (SOI). It details various use cases, including user credential management, authentication, and authorization processes for applications and environments, such as ERP and BPM systems. The integration of LDAP and other systems aims to centralize user identities, promote security through various protocols, and optimize user management processes across different platforms.
![Roger CARHUATOCTO
SOA, BPM, ECM, Portal and Security.
You can reach me on:
http://holisticsecurity.wordpress.com
@Chilcano
http://www.linkedin.com/in/rcarhuatocto
roger [at] chakray.com
+34 629292125](https://image.slidesharecdn.com/chk-enterprise-security-soi-v1-131231021834-phpapp01/85/Chakray-com-Enterprise-Security-and-IAM-with-WSO2IS-and-Penrose-2-320.jpg)
Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
- 1. Enterprise Security & SOI Identity and Access Management in the Organizations with WSO2 IS ver 1.0
- 2. Roger CARHUATOCTO SOA, BPM, ECM, Portal and Security. You can reach me on: http://holisticsecurity.wordpress.com @Chilcano http://www.linkedin.com/in/rcarhuatocto roger [at] chakray.com +34 629292125
- 3. 1. A tipical Ecosystem in the Organizations Service-‐oriented Infraestructure (SOI) as best prac7ce (1/2) Portal B2C Authentication Web Collaboration Presentation Layer Portal B2B Portlets Mobile B2B API Dashboard OpenData Security and Identity Management SECURITY Authorization GOVERNED SERVICES Single Sign-On BAM, BI & BigData Social Login Enterprise Service Bus DB, KPI, Logs, Docs Federation of Identities Consolidation of Identities Orchestration Layer CONTROLLER SERVICES Users Management Users Provisioning VIEW New Business Application Systems Existing Business Applications BPM Applications (Bonita BPM) ERP BPM Designer CRM Workflow Engine CMS, ECM PHP, Ruby, Python, Java BPM Portal Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS Business Service Layer MODEL
- 4. 1. A tipical Ecosystem in the Organizations Service-‐oriented Infraestructure (SOI) as best prac7ce (2/2) Identity Management (WSO2 IS) Authentication, Authorization Portal B2C (Liferay Portal) Web Collaboration Portlets Portal B2B (WSO2 UES, BAM, AM, ES) Mobile B2B API Dashboard BAM, BI & BigData SECURITY Social Login Enterprise Service Bus (WSO2 ESB) User Management (WSO2 SS, BAM, CEP) Orchestration Layer CONTROLLER SERVICES New Business Application Systems Existing Business Applications BPM Applications (Bonita BPM) Bonita Studio Bonita Workflow Engine Alfresco ECM PHP, Ruby, Python, Java Openbravo ERP Openia CRM Consolidation of Identities VIEW GOVERNED SERVICES Single Sign-On Federated User Management (Penrose Virtual Directory) OpenData Presentation Layer Bonita UX Portal Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS Business Service Layer MODEL
- 5. 2. Enterprise Security - IAM Spreading Security in the Organiza7on using SOI 10 Identity Management (WSO2 IS) SECURITY * 9 * * * * * * * * * Portal B2C (Liferay Portal) Web, Collab, Mobile, Portlets B2B Dashboard OpenData BAM, BI & BigData 8 (WSO2 ESB) VIEW (WSO2 SS, BAM, CEP) Orchestration Layer CONTROLLER SERVICES Existing Business Applications New Business Application Systems Federated User Management API Presentation Layer GOVERNED SERVICES 1 (Penrose Virtual Directory) Portal B2B (WSO2 UES, BAM, AM, ES) PHP, Ruby, Python, Java 2 BPM Applications (Bonita BPM) 5 Bonita Studio 6 Bonita Workflow Engine 3 4 Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS 7 Bonita UX Portal Business Service Layer MODEL
- 6. 3. Identity and Access Management - uses cases 1. User Creden7als Management • WSO2 Identity Server: • • User Storage using LDAP embeded, LDAP external and external DB. • Authentication, Authorization and SSO. • Exposes complete API to user management. • Provisioning via SCIM. • • Multiples User Storages. Policies Penrose Virtual Directory • Can integrated existing LDAP and DB storing user credentials. • Exposes a LDAP interface that can be used as external LDAP for WSO2 IS. • Bidirectional sync (LDAP in read/write mode) Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 7. 3. Identity and Access Management - uses cases 2. AuthN and AuthZ for Ad-‐hoc Applica7ons • WSO2 Identity Server exposes API to user management. • • Change password. • • Recovery. Update profile. WSO2 IS exposes AutheN/AuthZ Services using serveral strategies/protocols: • OpenID, SAML, OAuth, XACML, RBAC, etc. Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 8. 3. Identity and Access Management - uses cases 3. AuthN and AuthZ for exis7ng ERP and ECM • Centralized User Management. • • • Openia CRM is a module for Openbravo ERP. Openbravo ERP already have functionalities to user management, then Openbravo should be configurated pointing to the embeded LDAP of WSO2 IS or Penrose Virtual Directory. In similar way, Alfresco ECM should be configures with this LDAP. Authentication and Authorization. • It is not necessary if you extend ERP or ECM because user credentials and roles are in LDAP storage. • Calling Services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication. Try it using HTTP over SSL. Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 9. 3. Identity and Access Management - uses cases 5. AuthN and AuthZ for Bonita BPM • Any BPM Suite has 3 components: • Designer (Bonita Studio) • • • In time of processes modeling, obtain representation of hierarchy of users, groups, roles is a great help for business process expert. Bonita Studio is based in Eclipse IDE and It is possible to model following this representation of hierarchy of users, groups and roles using “Bonita’s Actor Filter”. Workflow engine (Bonita Workflow Engine) • • In this case we should cofigure Workflow engine to get hierarchy from external LDAP server. TaskList Portal (Bonita UX Portal) • AuthN and AuthZ process is delegated to external LDAP. Bonita UX Portal has to configure pointing to LDAP server. Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 10. 3. Identity and Access Management - uses cases 4. AuthN and AuthZ for exis7ng Services • User Storage in WSO2 IS can be used as User Storage for WSO2 ESB. • Authentication and Authorization: • • In WSO2 ESB you can enable/disable security over the exposed services. WSO2 IS offers several protocols and strategies as a Trusted-third-party, of this way, you can reach SSO and Federation of Identities. Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 11. 3. Identity and Access Management - uses cases 7. AuthN and AuthZ for the Presenta7on Layer • Any Web Portal server commonly has a LDAP connector to sync users, groups and/or roles. Also, any Web Portal has connectors to do authentication and authorization, for example, Liferay has tools for these purposes. • WSO2 IS provides OpenID functionality that can be used with Liferay Portal easily. • Review the strategies to authentication, authorization and SSO of WSO2IS suitable to our environment. Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 12. 4. Identity and Access Management – flow diagram Deploy WSO2 Identity Server, create several users and roles. Consolidate user credentials (Penrose Virtual Directory) and Deploy LDAP WSO2 IS Configure LDAP Authentication in Liferay pointing to the embedded LDAP of WSO2 IS. Enable Users and Roles (Group) sync. In this step is possible to do LDAP Authentication and User syncronization. 2. Configure LDAP Authentication and users sync in Bonita pointing to the embedded LDAP of WSO2 IS. Right now this functionality is available in Bonita BPM Teamwork version (http:// www.bonitasoft.com/ products/productcomparison). 3. 4. 5. Configure LDAP Authentication and users sync in OpenBravo pointing to the embedded LDAP of WSO2 IS. Check the authentication flow and user sync flow in all the system. WSO2IS BONITA OPENBRAVO LIFERAY 1. LIFERAY WSO2IS BONITA OPENBRAVO Authentication in Liferay 1. 2. 3. 4. Start login process Validate credentials WSO2IS sends response Liferay receives response Authentication in Bonita Configure LDAP Authentication and User syncronization of OpenBravo with embedded LDAP of WSO2 IS. 1. 2. 3. 4. 5. 6. Start login process Pass login process to Bonita Validate credentials WSO2IS sends response Bonita redirects response Liferay receives response Authentication in Openbravo 1. 2. 3. 4. 5. 6. 7. 8. Start login process Pass login process to Bonita Bonita passes login process OB passes login process WSO2IS sends response OB redirects response Bonita redirects response Liferay receive response Testining authentication an sync of users. Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 13. 5. Enterprise Security & SOI - summary 1 2 3 4 5 6 7 8 9 10 • Process integration and consolidation of different sources of user identities. • Bi-directional synchronization, the goal is to build a centralized database of identities and attributes. • WSO2 Identity Server exposes API to user management: recovery, change password, update profile. • WSO2 IS exposes AutheN/AuthZ Services using serveral strategies/protocols: OpenID, SAML, OAuth, XACML, RBAC, etc. • Openia CRM is a module for Openbravo ERP. Openbravo ERP already have functionalities to user management, then Openbravo should be configurated pointing to the embeded LDAP of WSO2 IS or Penrose Virtual Directory. • In similar way, Alfresco ECM should be configures with this LDAP. • Calling Services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication. • Bonita BPM in two phases: In design-time and running-time. • When the processes are modeling, the Bonita Studio’s Actor Filters should be configurated to get users, groups and roles from our centrilazed User Storage (LDAP). • When the processes are running, the BPM engine delegate the validation of identities (authorization) in WSO2 IS, while the model of roles and permissions (attributes) on the centralized User Storage (LDAP). • User Storage in WSO2 IS can be used as the User Storage for WSO2 ESB. • In WSO2 ESB you can enable/disable security over the exposed services. • WSO2 IS offers several protocols and strategies as a Trusted-third-party, of this way, you can reach SSO and Federation of Identities. • Existing or new applications can delegate their authentication process in WSO2 IS, while for user synchronization will use the Penrose Virtual Direcotry as our centralized repository of users and attributes. • The advantage of using Liferay Portal Server rather than a pure applications is the ability to delegate the Authentication, Authorization and People Management WSO2 IS only setting connectors with little programming. Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
- 14. Doing the right things. With the right technology. To support business. www.chakray.com @Chakray_com www.linkedin.com/company/chakray-consulting SOA · BPM · ECM · PORTAL · BIGDATA · SECURITY