Navigating IAM in the Modern Enterprise
Johann Nallathamby, Director - Solutions Architecture, WSO2
Malithi Edirisinghe, Director in Engineering, WSO2
Evolution of IAM in the Modern Enterprise

AREA                          | TRADITIONAL        | MODERN                            | FUTURE
Scope                         | Organization only  | Multiple organizations and public | Any human or machine
Topology                      | Siloed             | Centralized                       | Centralized / decentralized
Architecture                  | Closed             | Extensible and interoperable      | Composable and orchestrated
Security                      | Physical perimeter | Logical perimeter                 | Adaptive, continuous, risk-aware and resilient
Standards                     | Few                | Some                              | Pervasive
Connectivity                  | Siloed             | Basic integration                 | Event-based
Change                        | Periodic           | Frequent                          | Continuous and automated
Threat Detection and Response | None               | Descriptive                       | Prescriptive and remediating
Privacy                       | None               | Customers in selected regions     | For everyone
Observability                 | None               | Discovery within silos            | Continuous
Evolution of IAM Business Requirements

Identity-First Security: Consistent, Context-aware, Continuous

Identity-first security is an approach that makes identity-based controls the foundational element of an organization's cybersecurity architecture. - Gartner -

Identity Fabric

An identity fabric is an evolution of an organization's IAM infrastructure that is architected to enable identity-first security. - Gartner -

* Identity Fabric - The Definition and its Architecture - Felix Gaehtgens, Gartner IAM Summit 2024, London
Open Standards - A must have for an Identity Fabric

STATUS         | FOR ORGANIZATIONS AND APP DEVELOPERS | FOR IAM TOOL VENDORS
Existing       | JWT, OAuth 2.0, OIDC, SCIM 2.0       | FIDO2/WebAuthn, RADIUS, SAML
Early adoption | OPA, DID                             | SPIFFE, DID, Verifiable credentials
Emerging       | SSE CAEP                             |
Nascent        | SSE RISC, OIDC AuthZen               | IDQL, WIMSE
Missing        | SCIM for workloads and secrets       | Better sharing of risk metadata
All Users Deserve Seamless and Secure Digital Experiences

Identity and Access Management is fundamental to ensuring long-lasting, fruitful relationships with consumers, business partners and employees.
IAM Landscape

Access Management (alongside PAM, IGA and WAM), across four audiences:

B2C
● Self-registration and social login
● Identity verification
● Account linking
● Progressive profiling
● Passwordless, OTP and adaptive MFA
● Consent-based authorization
● Branding and internationalization
● Login and registration insights

B2B
● Distinct tenancies per organization
● Flexible organizational hierarchy design
● Enterprise login
● Customizable login experiences for organizations
● Delegated administration
● B2B collaboration
● User invites and bulk onboarding

B2E
● BYO-directory / virtual directory
● Just-in-time access provisioning
● Single sign-on
● X.509, RSA, IWA and adaptive MFA
● Role-based authorization

APIs
● OAuth 2.0 / OIDC compliance
● Consent-, role- and context-based authorization
● Pre-integrated API gateways

3 Key Stakeholders that an IAM solution MUST Satisfy
● Enhance customer experiences
● Optimize internal processes
● Empower developers
CIAM for consumer facing applications

What CIAM means for your consumer facing applications?
[Diagram: Web and Mobile apps -> CIAM -> Domain APIs, IAM APIs and Systems of Record. CIAM responsibilities: secure access for apps, secure access for APIs, serve IAM APIs for apps, manage identities & integrate]
The significance of CIAM in consumer applications

Adoption: Frictionless registration and login is the entry point for your apps and the key to adoption. An identity-centric approach is crucial for delivering exceptional digital experiences.

Security: Consumer data must be safeguarded at every step. Identity verification, authentication, access authorization, and continuous access evaluation are the essential building blocks.

Compliance: Compliance with data protection regulations is essential. CIAM solutions are designed with compliance in mind, ensuring adherence to regulations like GDPR, CCPA, PSD2, and more.
Critical Requirements for effective CIAM in consumer apps

Consumer journey, across Self register, Login and Access: Self-manage profile, BYOID, MFA, ATO protection, Identity verification, Account linking, Manage linked accounts, Passwordless, SSO, Account recovery, Authorize data, Authorize APIs, Manage profile, Manage consents, Manage authorized apps, Manage credentials, Progressive profiling and verification, Adaptive access

Platform capabilities: Systems of record integrations, Audits and insights, APIs, Events, Extensions, SDKs, Branding, Internationalization, Editors to orchestrate, OOTB self service portals; serving three outcomes: Enhance customer experiences, Digitally transform processes, Empower developers
Let's start managing access for a web application

Best practices for web apps implementing OAuth/OIDC

Single Page Apps (SPAs): rely on JavaScript and render the content in the browser without a page refresh.
● Use the Authorization Code Flow with PKCE (rather than the implicit flow)
● Secure API requests
● Use short-lived tokens
● Use the BFF (backend-for-frontend) pattern when possible, so tokens stay on the server side (e.g. Choreo managed authentication)
● Not opting for BFF? Carefully choose the token storage: a web worker (tokens never reachable from page scripts), session storage or local storage. Anything readable by page JavaScript is exposed to XSS, so keep such tokens short-lived.

Traditional Applications (MPAs): load a new page from the server as the user interacts, resulting in a page refresh.
● The Authorization Code Flow with PKCE is still recommended, even though a confidential client can also authenticate with a client secret
● Secure API requests
● Implement proper session management
● Regularly rotate secrets

Use well known libraries
Single Page Applications: AppAuth, Auth0.js, Auth.js, AWS Amplify, Asgardeo React SDK
Traditional Web Applications: Auth0 Python, NextAuth.js, Microsoft .NET SDK, Asgardeo SPA SDK, Asgardeo Auth Node SDK, Asgardeo Tomcat OIDC Agent
Managing access for a Single Page Web Application
Clone the iam-tutorial repo to follow
➤ Integrate with Asgardeo
➤ Self registration
➤ Account linking
➤ Self service account management
➤ Single Logout (SLO)
➤ Multi-Factor Authentication (MFA)
➤ Passwordless Authentication
➤ Access a high assurance API
➤ Integrate with Salesforce
Implement omni-channel experience with mobile

Best practices for mobile apps implementing OAuth/OIDC
● Use the Authorization Code Flow with PKCE
● Use in-app browser tabs that utilize the system browser for the redirect (not an embedded web view, which can read the user's credentials and does not share the system browser's session)
● So much to handle? Use libraries such as AppAuth.io
● Store tokens securely: iOS -> Keychain; Android -> Android Keystore-backed storage (e.g. EncryptedSharedPreferences)
Prefer the redirect based UX for Login?

CURRENT USER EXPERIENCE (e.g. the GitHub mobile app for iOS): a disconnected experience with redirection to the Authorization Server (AS). An external browser window is required to handle logging into the app. The user sees the domain and knows the site being redirected to is legitimate, still.

Introducing API for In-App Authentication

NEW USER EXPERIENCE: the user never leaves the native application while logging in.
● Use extended OAuth 2.0/OpenID Connect flows in an API centric way without redirecting to a browser (Internet-Draft: draft-parecki-oauth-first-party-apps)
● Orchestrate authentication conditionally without changing the application logic
● Guarantees the identity and proof of possession of the client, so the API only communicates with legitimate client apps
In-App Authentication for Mobile App in Action
[Sequence diagram: the mobile app (Manage access / Manage pet owners: Tracy, Emily, Juliet) calls /authorize (response_mode=direct) on the trusted Authorization Server; the AS validates the app attestation via the Play Integrity API; the AS answers with the input required for the next authentication step; the app posts the user's authentication input to /authn and continues until the authentication flow is completed, receiving code=<authorization_code>; the app exchanges it at /token (code=<authorization_code>) for an id-token and access-token, then calls the Access API]
Using Asgardeo SDKs to simplify In-App Auth development
Developing Android apps? Use the Android SDK by Asgardeo. iOS SDK coming soon!
Federating to a third party Identity Provider
Supports integrating natively or over redirection.
● Native
⦿ Use the SDKs provided by the social login identity providers for the platform, e.g. Google, Apple
⦿ Create the session back in the AS (Asgardeo/Identity Server) with the id-token
● Redirect
⦿ Redirect to the authorization URL the AS (Asgardeo/Identity Server) sends in the API flow
⦿ Use when platform native SDKs are not available or when redirection is acceptable
Add Login with Google natively
[Sequence diagram: same /authorize (response_mode=direct) start with Play Integrity attestation; the AS returns "input required for google login"; the app completes Sign In With Google natively and posts the result to the AS (idToken=<google id-token> & accessToken=<google access-token>); the AS returns an id-token and access-token]

Add Login with Google redirecting to the browser
[Sequence diagram: the AS returns "input required for google login" together with the authorization URL; the app completes Google authentication in the browser and receives code=<code>&state=<state>, which it posts back to the AS; the AS returns an id-token and access-token]

Add Login with Passkeys
[Sequence diagram: the AS returns "input required for passkey login" with a WebAuthn challenge; the app calls the platform WebAuthn API with the challenge and posts the signed challenge response back to the AS; the AS returns an id-token and access-token]
SSO over In-App Authentication API for mobile apps
[Sequence diagram: the first app goes through /authorize (response_mode=direct) and /authn (the login flow) and receives code=<authorization_code>; /token issues the id-token and access-token, carrying the session identifier as a claim in the id-token (isk=f3dda02474595abb). A second app initiates its authorization request with the session identifier read from the secure shared storage between apps, /authorize (response_mode=direct&sessionId=f3dda02474595abb), gets SSO and receives code=<authorization_code> without repeating the login steps]

Intended only for native applications?
● Use wherever enhanced flexibility and control over user experiences during login and access are required, subject to the following:
⦿ Use only for first party apps
⦿ Use only with confidential clients with client authentication
⦾ Use the client authentication mechanisms available for confidential clients at the authorization endpoint when response_mode is "direct"
⦾ Ability to mandate Pushed Authorization Requests (PAR) and use client authentication there
Upcoming roadmap for In-App Authentication
● SDKs for iOS and Flutter
● Improved support for redirect flows
⦿ Support to handle the implications of using deep links in the web clients of some of the social login providers, e.g. Google, Facebook
● Comprehensive support for diverse steps in the login flow
CIAM for B2B Interactions

B2B Organization Management
[Diagram: a B2B SaaS Provider, run by a Platform Admin, serves Resellers (each with a Reseller Admin) and direct Customers; each Customer (a, b, ... x n) has a Customer Admin and Employees, who log in either with username/password or through the customer's Enterprise IdP]
What CIAM means for your B2B users?
[Diagram: Web apps and API products -> CIAM -> Domain APIs, IAM APIs and Systems of Record. CIAM responsibilities: secure access for external APIs, secure access for internal APIs, serve IAM APIs for apps, manage identities & integrate]
Critical capabilities for effective CIAM in B2B SaaS apps

B2B customer journey, across Register, Login and Access: User self-service, Sales-led organization onboarding, Product-led organization onboarding, MFA, ATO protection, Identity verification, Enterprise SSO, Account recovery, Adaptive access, Authorize data, Authorize APIs, Manage profile, Manage consent, Manage credentials, B2B collaboration, Organization hierarchies

Delegated administration (through a delegated administration portal): Manage users, Manage entitlements, Choose sign-in options, Manage branding, Audits, Insights

Platform capabilities: Systems of record integrations, Audits and insights, APIs, Events, Extensions, SDKs, Branding, Internationalization, Editors to orchestrate; serving three outcomes: Enhance customer experiences, Digitally transform processes, Empower developers
Managing access for B2B SaaS applications
➤ Authorizing APIs for B2B SaaS applications
➤ Managing organizations
➤ Delegating administration
➤ Custom login journeys per organization
➤ Custom branding per organization
➤ Selective application subscription
➤ Modeling organization hierarchies
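Delegated administration over the organization hierarchy from the B2B diagram (provider, reseller, customers), as an added example that is not Identity Server's or Asgardeo's organization model: a constructed in-memory directory in which roles granted at an organization flow down to its descendants and never up. The organization and user names are made up for the example; the check is the one a B2B API would run before letting an admin manage users in a given organization.

```javascript
// Added example: role inheritance down an organization tree for delegated administration.
function createOrgDirectory() {
  const parents = new Map(); // orgId -> parentId (null for the root)
  const assignments = [];    // { user, role, orgId }

  function addOrg(orgId, parentId = null) {
    if (parents.has(orgId)) throw new Error(`organization ${orgId} already exists`);
    if (parentId !== null && !parents.has(parentId)) throw new Error(`unknown parent ${parentId}`);
    parents.set(orgId, parentId);
  }
  // The org itself first, then each ancestor up to the root.
  function ancestorsOf(orgId) {
    if (!parents.has(orgId)) throw new Error(`unknown organization ${orgId}`);
    const chain = [];
    for (let id = orgId; id !== null; id = parents.get(id)) chain.push(id);
    return chain;
  }
  function assignRole(user, role, orgId) {
    ancestorsOf(orgId); // validates that the org exists
    assignments.push({ user, role, orgId });
  }
  // Effective roles at `orgId` are those granted at that org or at any ancestor.
  function effectiveRoles(user, orgId) {
    const chain = new Set(ancestorsOf(orgId));
    return new Set(assignments.filter((a) => a.user === user && chain.has(a.orgId)).map((a) => a.role));
  }
  function canAdminister(user, orgId) {
    return effectiveRoles(user, orgId).has('admin');
  }
  // The subtree a delegated admin may manage; a sibling branch is never included.
  function administrableOrgs(user) {
    return [...parents.keys()].filter((o) => canAdminister(user, o)).sort();
  }
  return { addOrg, assignRole, effectiveRoles, canAdminister, administrableOrgs };
}

// Constructed hierarchy mirroring the slide: provider -> reseller -> customers, plus a direct customer.
function buildSlideHierarchy() {
  const d = createOrgDirectory();
  d.addOrg('saas-provider');
  d.addOrg('reseller', 'saas-provider');
  d.addOrg('customer-a', 'reseller');
  d.addOrg('customer-b', 'reseller');
  d.addOrg('customer-x', 'saas-provider');
  d.assignRole('platform-admin', 'admin', 'saas-provider');
  d.assignRole('reseller-admin', 'admin', 'reseller');
  d.assignRole('alice', 'admin', 'customer-a');
  d.assignRole('bob', 'employee', 'customer-a');
  return d;
}
```

Enforce this check on the server side of every organization-scoped management API; the hierarchy walk is cheap, and it is the walk, not the caller's claimed role, that decides.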
Pathway for successful CIAM Strategy
● Focus on domain logic, use CIAM platforms: prioritize your core business processes while leveraging CIAM platforms to manage identity and access.
● Shift to multi-experience CIAM: design CIAM strategies that support multiple user experiences, offering a flexible and user-friendly approach.
● Conduct comprehensive stakeholder assessments: consider all external stakeholders to ensure that CIAM addresses user experience, business, technical, and regulatory requirements.
● Select flexible and extensible tools: opt for CIAM platforms with open integration standards and customizable workflows, ensuring adaptability and scalability.
A Single Product Powering Multiple Deployment Options to Support Any IT Strategy
● The Leading Open Source IAM: WSO2 Identity Server is a powerful, modern identity and access management solution for your on-premises or cloud environment
● Multi-tenant SaaS IAM: Asgardeo is a developer-focused, multi-tenant IDaaS solution that provides seamless, secure authentication and user management
● Single-tenant SaaS IAM: Private Identity Cloud is a single-tenant cloud deployment of Identity Server, fully managed and maintained by WSO2
Advancements in IAM - Preparing for Tomorrow

1. Future-Proofing IAM Against Post-Quantum Threats

Impact upon the arrival of quantum computers
● Ability to break the public-key cryptosystems* in use today (Shor's algorithm) and to weaken symmetric cryptosystems* and hashes (Grover's algorithm roughly halves the effective key or preimage strength)
⦿ An attacker can store encrypted data today and decrypt it when they gain access to a quantum computer (store-now-decrypt-later (SNDL) attack).
⦿ Possibility of reading persisted states over data transmitted via HTTPS or data encrypted at rest.
⦿ Less impact on signature validation scenarios for short-lived, temporal data such as tokens; long-lived signatures (documents, software) still need a migration plan.
● Less robust hashing* techniques will be prone to brute force attacks
⦿ Possibility of credential brute force against weak hashing.

Act now before it's too late.
● Upgrade HTTPS communications to PQC-enabled TLS.
● Use at least AES-128 in symmetric cryptosystems and SHA-256 in hashing use cases (AES-256 and SHA-384 where the margin must hold against Grover).
● Make your systems crypto-agile so you can act fast.

* NIST Post Quantum Cryptography
2. Decentralized Identity and Verifiable Credentials

[Diagram: an Issuer issues a verifiable credential to a Holder (Issuance); the Holder presents a verifiable presentation to a Verifier (Presentation); all three resolve each other's public key material through an Identity Trust Registry (discoverable public key materials for issuers, holders and verifiers)]

Key value propositions to monitor
● Identity providers are not in the loop when a credential is presented, so they cannot audit or track where it is used: a key privacy advantage
● Facility for ubiquitous high assurance credentials and scalable verification

Current trend and joining the movement
● Current adoption is focused on identity wallets
⦿ The EU Digital Identity Wallet is getting closer, and wallet implementations are getting standardized
● Trust infrastructure decentralization remains challenging
● DCI ecosystems are forming, so join the ecosystem by integrating issuers, verifiers and wallets as applicable

- Technical Insights: Decentralized Identity and Verifiable Credentials Trends and Advancements - Gartner IAM Summit 2024, London
- Verifiable Credentials for the Identity Practitioner - Identiverse 2023
3. The Interplay of AI in Digital Identity

Personalized experiences
● AI powering the digital double (transactions + systems of record + AI)
● Utilized to provide exceptional digital experiences and secure access
● Should act with the consent and under the control of the user

Identity theft and fraud
● AI powering fake identities (Deutsche Telekom deepfake AI ad*)
● Requires identification of reputable/verified services and people to interact with
● Strong protection of data
● Stronger requirements for privacy and consent

* Viewer discretion is advised
WSO2 IAM Roadmap - Preparing for Upcoming Advancements
[Timeline diagram, 2024 Q2 through 2025 H2, with three tracks: Software - Identity Server (v7.1, v8.0, v8.x), SaaS - Asgardeo, and Private Identity Cloud. Items shown on the timeline (track and quarter assignment not recoverable from the extracted text):]
● Leverage architectural improvements for extensibility
● Feature enhancements including FAPI 2.0
● Ecosystem integrations
● Support post-quantum security
● Productized webhooks
● Orchestratable registration
● On feature parity with Identity Server
● Comply with FAPI 2.0
● End to end consent management
● UI libraries embeddable for apps
● Product architecture improvements for a consistent and comprehensive extension experience
● Inbuilt environment support
● Improved device identity management
● Integrations for DCI ecosystems
● Embedded fine-grained authz policy engine catering for ABAC & ReBAC
● Growing IAM ecosystem integrations and systems of record integrations
● OOTB supported digital wallet
● Growing cloud native ecosystem integrations and IAM ecosystem integrations
● Access management for VR apps
● OOTB enablers to build a secure, comprehensive personality profile
● Anomaly detection, threat insights
● Leverage feature improvements
● Support for Java 21 runtime
● Improved operational efficiency
● Post-quantum security
● Leverage architecture improvements and extended ecosystem
Asgardeo Roadmap (2024 Q2 | 2024 H2 | 2025+)
● Improved UX/DevEx
○ React, iOS, Flutter SDKs for application native login
● Feature improvements
○ Registration API closer to the OIDC standard for orchestratable registration flows
○ Application level branding, ToS management
○ Auditing, administrative insights for B2B customer admins
○ OAuth 2.0 DPoP support
○ User impersonation capabilities to address help desk support use cases
○ Support for post-quantum security, securing internal/external encryption and hashing with Post Quantum Cryptography (PQC)
● Architecture improvements
○ Productized support for webhooks for asynchronous communication
○ Optimized architecture for operational efficiency: redesigned runtime data handling for sessions, non-persistent tokens, etc.
● Integrations
○ SSO templates for well-known SaaS providers
○ Identity verification: Onfido
○ Facial biometrics, MFA: iProov, DUO
○ Bot detection: castle.io
● Authorization policy engine enhancement supporting RBAC, ABAC & ReBAC
● Security monitoring and data visualization dashboards
● Build a comprehensive personality profile with interactions, transactions and omnichannel activities
○ Master data management and integrations with systems of record
○ APIs for querying the personality, patterns and classifications to build personalized experiences
○ Event processing and AI/ML analysis of all data to derive insights on behalf of businesses
○ Triggers alerting anomalies and transactions
● Digital wallet compliant with the EU digital wallet and Open Wallet specification
● Access management on VR apps (metaverse, visionOS)
● Continued ecosystem support:
○ PAM, IGA
○ Adjacent business system integrations: CMS, web3
○ Decentralized identity and integrations with intelligent IDVs, synthetic identity fraud detection
● Improved UX/DevEx
○ Registration, login, progressive profiling, user and IdP management UI libraries embeddable in applications (2024 Q3)
○ AI to simplify building personalized login experiences (2024 Q4)
○ Support for environments (e.g. dev, stage, prod) with the capability to promote (2024 Q4)
● Feature improvements
○ FAPI 2.0 compliance (2024 Q3)
○ Enhanced fine-grained consent authorization for business APIs and the ability for the end user to manage authorized consents for third party apps (on top of RAR, Grant Management) (2024 Q3)
○ Extend B2B collaboration use cases where users can collaborate across organizations horizontally or vertically (2024 Q4)
○ Improved self service functionality to manage device identities (2024 Q3)
○ Integrate with the decentralized credential ecosystem: 1Kosmos, SpruceID (2024 Q4)
● Architecture improvements
○ Elevating the extensibility framework for a consistent and comprehensive extension experience with refined scripting at login, registration and account management flows
○ Add custom authentication, invoking custom code deployed in Choreo
● Integrations (2024 Q3-Q4)
○ Consent management: OneTrust, DataGuard
○ Identity verification: Trusona, Keyless
○ Bot/fraud detection: Sift, Imperva, LexisNexis
○ Authorization: Axiomatics, Styra

WSO2 Identity Server Roadmap (2024 H2 | 2025 H1 | 2025 H2+)
● Improved UX/DevEx
○ Build login/registration flows with natural language input utilizing LLMs
○ AI to automate end user facing UI/email branding to match the application's look and feel
○ React, Android, iOS, Flutter SDKs for application native login
● Feature improvements
○ Registration API closer to the OIDC standard for orchestratable registration flows
○ Application level branding, ToS management
○ OAuth 2.0 DPoP support
○ Extend B2B collaboration use cases where users can collaborate across organizations horizontally or vertically
○ User impersonation capabilities to address help desk support use cases
○ Support for post-quantum security, securing internal/external encryption and hashing with Post Quantum Cryptography (PQC)
● Architecture improvements
○ Elevating the extensibility framework for consistent and comprehensive extension experiences with refined scripting, events, and webhooks
○ Optimized architecture for operational efficiency: redesigned runtime data handling for sessions, non-persistent tokens, etc.
● Integrations
○ SSO templates for well-known SaaS providers
○ Identity verification: Onfido
○ Facial biometrics: iProov
○ Bot detection: castle.io
● Authorization policy engine enhancement supporting RBAC, ABAC & ReBAC
● Agents and enablers to build a comprehensive personality profile with integrations for master data management and systems of record
○ APIs for querying the personality, patterns and classifications to build personalized experiences
● Access management on VR apps (metaverse, visionOS)
● Continued ecosystem support:
○ PAM, IGA
○ Adjacent business system integrations: CMS, web3
○ Decentralized identity and integrations with intelligent IDVs, synthetic identity fraud detection
● Improved UX/DevEx
○ Registration, login, progressive profiling, user and IdP management UI libraries embeddable in applications
○ AI to simplify building personalized login experiences
○ Support for environments (e.g. dev, stage, prod) with the capability to promote
● Feature improvements
○ Enhanced fine-grained consent authorization for business APIs and the ability for the end user to manage authorized consents for third party apps (on top of RAR, Grant Management)
○ Improved self service functionality to manage device identities
○ FAPI 2.0 compliance
○ User impersonation capabilities to address help desk support use cases
● Integrations
○ Identity verification: Trusona, Keyless
○ Consent management: OneTrust, DataGuard
○ Bot/fraud detection: Sift, Imperva, LexisNexis
○ Authorization: Axiomatics, Styra
Thank You!
 
PDF
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
PDF
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PDF
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
Generative AI vs Predictive AI-The Ultimate Comparison Guide
Lily Clark
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
Generative AI vs Predictive AI-The Ultimate Comparison Guide
Lily Clark
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
Ad

Navigating Identity and Access Management in the Modern Enterprise

  • 1. Navigating IAM in the Modern Enterprise
    Johann Nallathamby, Director - Solutions Architecture, WSO2
    Malithi Edirisinghe, Director in Engineering, WSO2
  • 2. Evolution of IAM in the Modern Enterprise
  • 3. Evolution of IAM Business Requirements
    AREA | TRADITIONAL | MODERN | FUTURE
    Scope | Organization only | Multiple organizations and public | Any human or machine
    Topology | Siloed | Centralized | Centralized / decentralized
    Architecture | Closed | Extensible and interoperable | Composable and orchestrated
    Security | Physical perimeter | Logical perimeter | Adaptive, continuous, risk-aware and resilient
    Standards | Few | Some | Pervasive
    Connectivity | Siloed | Basic integration | Event-based
    Change | Periodic | Frequent | Continuous and automated
    Threat Detection and Response | None | Descriptive | Prescriptive and remediating
    Privacy | None | Customers in selected regions | For everyone
    Observability | None | Discovery within silos | Continuous
  • 4. Identity-First Security
    Consistent, Context-aware, Continuous
    * Identity Fabric - The Definition and its Architecture - Felix Gaehtgens, Gartner IAM Summit 2024, London
  • 5. Identity-first security is an approach that makes identity-based controls the foundational element of an organization’s cybersecurity architecture - Gartner -
  • 6. An identity fabric is an evolution of an organization’s IAM infrastructure that is architected to enable identity-first security. - Gartner -
  • 7. Identity Fabric
    * Identity Fabric - The Definition and its Architecture - Felix Gaehtgens, Gartner IAM Summit 2024, London
  • 8. Open Standards - A must have for an Identity Fabric
    STATUS | FOR ORGANIZATIONS AND APP DEVELOPERS | FOR IAM TOOL VENDORS
    Existing | JWT, OAuth 2.0, OIDC, SCIM 2.0 | FIDO2/WebAuthn, Radius, SAML
    Early adoption | OPA, DID | SPIFFE, DID, Verifiable credentials
    Emerging | SSE CAEP
    Nascent | SSE RISC, OIDC AuthZen | IDQL, WIMSE
    Missing | SCIM for workloads and secrets | Better sharing of risk metadata
  • 9. All Users Deserve Seamless and Secure Digital Experiences
    Identity and Access Management is fundamental to ensuring long-lasting, fruitful relationships with consumers, business partners and employees.
  • 10. IAM Landscape
    PAM | IGA | Access Management (B2C, B2B, B2E, APIs, WAM)
    ● Self-registration and social-login
    ● Identity verification
    ● Account linking
    ● Progressive profiling
    ● Passwordless, OTP and Adaptive MFA
    ● Consent-based authorization
    ● Branding and internationalization
    ● Login and registration insights
    ● Distinct tenancies per organization
    ● Flexible organizational hierarchy design
    ● Enterprise login
    ● Customizable login experiences for organizations
    ● Delegated administration
    ● B2B Collaboration
    ● User invites and bulk onboarding
    ● BYO-directory/Virtual directory
    ● Just-in-time access provisioning
    ● Single sign-on
    ● X509, RSA, IWA and Adaptive MFA
    ● Role-based authorization
    ● OAuth 2.0/OIDC compliance
    ● Consent-, role- and context-based authorization
    ● Pre-integrated API gateways
  • 11. 3 Key Stakeholders that an IAM solution MUST Satisfy
    ● Enhance customer experiences
    ● Empower developers
    ● Optimize internal processes
  • 12. CIAM for consumer facing applications
  • 13. What CIAM means for your consumer facing applications?
    (Diagram: Web and Mobile apps, Domain APIs, IAM APIs and Systems of Record around the CIAM platform)
    CIAM responsibilities: Secure access for Apps; Secure access for APIs; Serve IAM APIs for apps; Manage identities & integrate
  • 14. The significance of CIAM in consumer applications
    Adoption: Frictionless registration and login is the entry point for your apps and the key for adoption. An identity-centric approach is crucial for delivering exceptional digital experiences.
    Compliance: Compliance with data protection regulations is essential. CIAM solutions are designed with compliance in mind, ensuring adherence to standards like GDPR, CCPA, PSD-2, and more.
    Security: Consumer data must be safeguarded at every step. Identity verification, authentication, access authorization, and continuous access evaluation are the essential building blocks.
  • 15. Critical Requirements for effective CIAM in consumer apps
    Consumer Journey (Self register, Login, Access, Self manage profile): BYOID, MFA, ATO Protection, Identity Verification, Account Linking, Manage Linked Accounts, Passwordless, SSO, Account Recovery, Authorize Data, Authorize APIs, Manage Profile, Manage Consents, Manage Authorized Apps, Manage Credentials, Progressive Profiling and Verification, Adaptive Access, OOTB Self service portals
    Enhance customer experiences / Digitally transform processes: Systems of records Integrations, Audits and Insights
    Empower Developers: APIs, Events, Extensions, SDKs, Branding, Internationalization, Editors to orchestrate
  • 16. Let’s start managing access for a web application
  • 17. Best practices for web apps implementing OAuth/OIDC
    Single Page Apps (SPAs): rely on JavaScript and render the content in the browser without page refresh.
    ● Use Authorization Code Flow with PKCE
    ● Secure API requests
    ● Use short lived tokens
    ● Use BFF pattern when possible (Choreo managed authentication)
    Not opting for BFF? Carefully choose the token storage: web worker, session storage or local storage.
    Traditional Applications (MPAs): load a new page from the server as the user interacts, resulting in a page refresh.
    ● Authorization Code Flow with PKCE is still recommended
    ● Secure API requests
    ● Implement proper session management
    ● Regularly rotate secrets
  • 18. Use well known libraries
    Single Page Applications: AppAuth, Auth0.js, Auth.js, AWS Amplify, Asgardeo React SDK, Asgardeo SPA SDK
    Traditional Web Applications: Auth0 Python, NextAuth.js, Microsoft .Net SDK, Asgardeo Auth Node SDK, Asgardeo Tomcat OIDC Agent
  • 19. Managing access for a Single Page Web Application
    Clone the iam-tutorial repo to follow
    ➤ Integrate with Asgardeo
    ➤ Self registration
    ➤ Account linking
    ➤ Self service account management
    ➤ Multi-Factor Authentication (MFA)
    ➤ Passwordless Authentication
    ➤ Access a high assurance API
    ➤ Integrate with Salesforce
  • 20-26. Managing access for a Single Page Web Application (the checklist above, repeated step by step; from slide 24 it also includes ➤ Single Logout (SLO) after Self service account management)
  • 28. Best practices for mobile apps implementing OAuth/OIDC
    ● Use Authorization Code Flow with PKCE
    ● Use in-app browser tabs that utilize the system browser to redirect
    ● So much to handle? Use libraries: AppAuth.io
    ● Store tokens securely: iOS -> KeyChain; Android -> EncryptedSharedPreferences
  • 29. Prefer the redirect based UX for login?
    Example: GitHub mobile app for iOS
    Disconnected experience with redirection to the Authorization Server (AS); still, the user sees the domain and knows the site being redirected to is legitimate.
  • 30. Introducing API for In-App Authentication
    CURRENT USER EXPERIENCE: an external browser window is required to handle logging into the app
    NEW USER EXPERIENCE: the user never leaves the native application while logging in
    ● Use extended OAuth 2.0/OpenID Connect flows in an API centric way without redirecting to a browser (Internet-Draft: draft-parecki-oauth-first-party-apps)
    ● Orchestrate authentication conditionally without changing the application logic
    ● Guarantees the identity and proof of possession of the client, and the API only communicates with legitimate client apps
  • 31. In-App Authentication for Mobile App in Action
    (Sequence diagram: mobile app "Manage pet owners" with users Tracy, Emily and Juliet; Trusted Authorization Server; Play Integrity API; Access API)
    ● App -> AS: /authorize (response_mode=direct)
    ● AS -> Play Integrity API: validate app attestation
    ● AS -> App: input required for next authentication step
    ● App -> AS: /authn (authentication input from user); continue until the authentication flow is completed
    ● AS -> App: code=<authorization_code>
    ● App -> AS: /token (code=<authorization_code>)
    ● AS -> App: id-token, access-token
    ● App -> Access API: manage access
  • 32. Using Asgardeo SDKs to simplify In-App Auth development
    Developing Android Apps? Use the Android SDK by Asgardeo
    Android SDK | iOS SDK (Coming Soon!)
  • 33. Federating to a third party Identity Provider
    Supports integrating natively or over redirection.
    ● Native
      ⦿ Use SDKs provided by Social Login Identity Providers for the platform, e.g. Google, Apple
      ⦿ Create back the session in the AS (Asgardeo/Identity Server) with the id-token
    ● Redirect
      ⦿ Redirect to the authorization URL the AS (Asgardeo/Identity Server) sends in the API flow
      ⦿ Use when platform native SDKs are not available or when redirection is ok
  • 34. Add Login with Google natively
    (Sequence diagram, same actors as slide 31 plus Sign In With Google)
    ● App -> AS: /authorize (response_mode=direct)
    ● AS -> Play Integrity API: validate app attestation
    ● AS -> App: input required for google login
    ● App -> Google (Sign In With Google SDK): complete Google authentication; Google -> App: id-token, access-token
    ● App -> AS: idToken=<google id-token> & accessToken=<google access-token>
    ● AS -> App: id-token, access-token
    ● App -> Access API: manage access
  • 35. Add Login with Google redirecting to the browser
    (Sequence diagram, same actors as slide 31 plus Sign In With Google in the browser)
    ● App -> AS: /authorize (response_mode=direct)
    ● AS -> Play Integrity API: validate app attestation
    ● AS -> App: input required for github login
    ● App -> Google (browser): complete google authentication; Google -> App: code=<code>&state=<state>
    ● App -> AS: code=<code>, state=<state>
    ● AS -> App: id-token, access-token
    ● App -> Access API: manage access
  • 36. Add Login with Passkeys
    (Sequence diagram, same actors as slide 31 plus the WebAuthn API)
    ● App -> AS: /authorize (response_mode=direct)
    ● AS -> Play Integrity API: validate app attestation
    ● AS -> App: input required for passkey login
    ● App -> WebAuthn API: challenge; WebAuthn API -> App: signed challenge response
    ● App -> AS: signed challenge
    ● AS -> App: id-token, access-token
    ● App -> Access API: manage access
  • 37. SSO over In-App Authentication API for mobile apps
    (Sequence diagram: two apps of the same vendor sharing secure storage, and the Trusted Authorization Server)
    ● First app: /authorize (response_mode=direct) -> /authn (go through the login flow and receive authorization code) -> code=<authorization_code> -> /token (issue id-token, access-token); the id-token carries the claim isk=f3dda02474595abb
    ● Second app: initiate the authorization request with the session identifier accessible over the secure shared storage between apps: /authorize (response_mode=direct&sessionId=f3dda02474595abb) -> SSO and receive code=<authorization_code>
  • 38. Intended only for native applications?
    ● Use wherever enhanced flexibility and control over user experiences during login and access are required, subject to the following:
      ⦿ Use only for first party apps
      ⦿ Use only with confidential clients with client authentication
        ⦾ Use the client authentication mechanisms available for confidential clients in the authorization endpoint when response_mode is "direct"
        ⦾ Ability to mandate Pushed Authorization Requests (PAR) and use client authentication
  • 39. Upcoming roadmap for In-App Authentication
    ● SDKs for iOS and Flutter
    ● Improved support for redirect flows
      ⦿ Support to handle implications of using deep links in web clients of some of the social login providers, e.g. Google, Facebook
    ● Comprehensive support for diverse steps in the login flow
  • 40. CIAM for B2B Interactions
  • 41. B2B Organization Management
    (Diagram: a B2B SaaS Provider with a Platform Admin; Customers a, b ... x n, onboarded directly or through a Reseller with its Reseller Admin; each Customer has a Customer Admin and Employees, who sign in through an Enterprise IdP or with UN/PW)
  • 42. What CIAM means for your B2B users?
    (Diagram: Web apps and API Products, Domain APIs, IAM APIs and Systems of Record around the CIAM platform)
    CIAM responsibilities: Secure access for external APIs; Secure access for internal APIs; Serve IAM APIs for apps; Manage identities & integrate
  • 43. Critical capabilities for effective CIAM in B2B SaaS apps
    B2B Customer Journey (Register, Login, Access, User self-service): Sales-led organization onboarding, Product-led organization onboarding, MFA, ATO Protection, Identity Verification, Enterprise SSO, Account Recovery, Authorize Data, Authorize APIs, Manage Profile, Manage consent, Manage credentials, Adaptive Access, B2B Collaboration, Organization hierarchies
    Delegated administration portal: Delegated administration, Manage users, Manage entitlements, Choose sign-in options, Manage branding, Audits, Insights
    Enhance customer experiences / Digitally transform processes: Systems of records Integrations, Audits and Insights
    Empower Developers: APIs, Events, Extensions, SDKs, Branding, Internationalization, Editors to orchestrate
  • 44. Managing access for B2B SaaS applications
    ➤ Authorizing APIs for B2B SaaS applications
    ➤ Managing organizations
    ➤ Delegating administration
    ➤ Custom login journeys per organization
    ➤ Custom branding per organization
    ➤ Selective application subscription
    ➤ Modeling organization hierarchies
  • 45-51. Managing access for B2B SaaS applications (the checklist above, repeated step by step)
  • 52. Pathway for successful CIAM Strategy
    ● Focus on domain logic, use CIAM platforms: prioritize your core business processes while leveraging CIAM platforms to manage identity and access.
    ● Shift to Multi-Experience CIAM: design CIAM strategies that support multiple user experiences, offering a flexible and user-friendly approach.
    ● Conduct comprehensive stakeholder assessments: consider all external stakeholders to ensure that CIAM addresses user experience, business, technical, and regulatory requirements.
    ● Select flexible and extensible tools: opt for CIAM platforms with open integration standards and customizable workflows, ensuring adaptability and scalability.
  • 53. A Single Product Powering Multiple Deployment Options to Support Any IT Strategy
    The Leading Open Source IAM: WSO2 Identity Server is a powerful, modern identity and access management solution for your on-premises or cloud environment
    Multi-tenant SaaS IAM: Asgardeo is a developer-focused, multi-tenant IDaaS solution that provides seamless, secure authentication and user management
    Single-tenant SaaS IAM: Private Identity Cloud is a single-tenant cloud deployment of Identity Server, fully managed and maintained by WSO2
  • 55. 1. Future-Proofing IAM Against Post-Quantum Threats
    Impact upon the arrival of Quantum Computers
    ● Ability to break public-key cryptosystems* and less robust symmetric cryptosystems* currently in use
      ⦿ An attacker can store encrypted data today and decrypt it when they gain access to a quantum computer (store-now-decrypt-later (SNDL) attack).
      ⦿ Possibility of reading persisted states over data transmitted via HTTPS or data encrypted at rest.
      ⦿ Less impact on signature validation scenarios due to the short lived, temporal nature of the data that is transmitted.
    ● Less robust hashing* techniques will be prone to brute force attacks
      ⦿ Possibility of credential brute force with hashing.
    Act now before it's too late.
    ● Upgrade HTTPS communications to PQC enabled TLS.
    ● Use at least AES-128 in symmetric cryptosystems and SHA-256 in hashing use cases
    ● Make your systems crypto-agile so you can act fast.
    * NIST Post Quantum Cryptography
  • 56. 2. Decentralized Identity and Verifiable Credentials
    (Diagram: the Issuer issues a Verifiable credential to the Holder (Issuance); the Holder presents a Verifiable presentation to the Verifier (Presentation); an Identity Trust Registry holds discoverable public key materials for issuers, holders and verifiers)
  • 57. 2. Decentralized Identity and Verifiable Credentials
    Key value propositions to monitor
    ● Non-auditing Identity Providers are a key advantage
    ● Facility for ubiquitous high assurance credentials and scalable verification
    Current trend and joining the movement
    ● Current adoption is focused on Identity Wallets
      ⦿ EU Digital Identity wallet is closer, and wallet implementations are getting standardized
    ● Trust infrastructure decentralization remains challenging
    ● DCI ecosystems are forming, so better join the ecosystem integrating issuers, verifiers and wallets as applicable
    - Technical Insights: Decentralized Identity and Verifiable Credentials Trends and Advancements - Gartner IAM Summit 2024, London
    - Verifiable Credentials for the Identity Practitioner - Identiverse 2023
  • 58. 3. The Interplay of AI in Digital Identity
    Personalized Experiences
    ● AI powering the Digital Double (transactions + systems of records + AI)
    ● Utilized to provide exceptional digital experiences and secure access
    ● Should act with the consent and control of the user
    Identity Theft and Fraud
    ● AI powering fake identity (Deutsche Telekom Deepfake AI Ad*)
    ● Requires identification of reputable/verified services and people to interact with
    ● Strong protection of data
    ● Stronger requirements for privacy and consent
    * Viewer discretion is advised
  • 59. WSO2 IAM Roadmap - Preparing for Upcoming Advancements
    (Roadmap matrix: columns 2024 Q2, 2024 Q3, 2024 Q4, 2025 H1 and 2025 H2; rows Software (Identity Server v7.1, v8.0, v8.x), SaaS (Asgardeo) and Private Identity Cloud. Items in the matrix:)
    Leverage architectural improvements for extensibility; Feature enhancements including FAPI 2.0; Ecosystem integrations; Support post-quantum security; Productized webhooks; Orchestratable registration; On feature parity with Identity Server; Comply for FAPI 2.0; End to end consent management; UI libraries embeddable for apps; Product architecture improvements for consistent and comprehensive extension experience; Inbuilt environment support; Improved device identity mgt; Integrations for DCI ecosystems; Embedded fine grained authz policy engine caters for ABAC & ReBAC; Growing IAM ecosystem integrations & systems of records integrations; OOTB supported digital wallet; Growing cloud native ecosystem integrations, and IAM ecosystem integrations; Access Mgt for VR apps; OOTB enablers to build secure comprehensive personality profile; Anomaly detection, threat insights; Leverage feature improvements; Support for Java21 runtime; Improved operational efficiency; Post-quantum security; Leverage architecture improvements & extended ecosystem
  • 60. Asgardeo Roadmap
    2024 Q2
    ● Improved UX/DevEx
      ○ React, iOS, Flutter SDKs for application native login
    ● Feature improvements
      ○ Registration API closer to OIDC standard for orchestratable registration flows
      ○ Application level branding, ToS management
      ○ Auditing, administrative insights for B2B customer admins
      ○ OAuth 2.0 DPoP support
      ○ User impersonation capabilities to address help desk support use cases
      ○ Support for post-quantum security securing internal/external encryption, hashing with Post Quantum Cryptography (PQC)
    ● Architecture improvements
      ○ Productized support for webhooks for asynchronous communication
      ○ Optimized architecture for operational efficiency: redesigned runtime data handling for sessions, non-persistent tokens, etc.
    ● Integrations
      ○ SSO templates for well-known SaaS providers
      ○ Identity verification: Onfido
      ○ Facial Biometrics, MFA: iProov, DUO
      ○ Bot detection: castle.io
    2024 H2
    ● Improved UX/DevEx
      ○ Registration, login, progressive profiling, user and IdP management UI libraries embeddable in applications (2024 Q3)
      ○ AI to simplify building personalized login experiences (2024 Q4)
      ○ Support for environments (e.g. dev, stage, prod) with the capability to promote (2024 Q4)
    ● Feature improvements
      ○ FAPI 2.0 compliance (2024 Q3)
      ○ Enhanced fine-grained consent authorization for business APIs and ability for the end user to manage authorized consents for third party apps (on top of RAR, Grant Management) (2024 Q3)
      ○ Extend B2B collaboration use cases where users can collaborate across organizations horizontally or vertically (2024 Q4)
      ○ Improved self service functionalities to manage device identities (2024 Q3)
      ○ Integrate to Decentralized Credential ecosystem: 1Kosmos, SpruceID (2024 Q4)
    ● Architecture improvements
      ○ Elevating extensibility framework for consistent and comprehensive extension experience with refined scripting at login, registration and account management flows
      ○ Add custom authentication, invoking custom code deployed in Choreo
    ● Integrations (2024 Q3-Q4)
      ○ Consent management: OneTrust, DataGuard
      ○ Identity verification: Trusona, Keyless
      ○ Bot/fraud detection: Sift, Imperva, LexisNexis
      ○ Authorization: Axiomatics, Styra
    2025+
    ● Authorization policy engine enhancement supporting RBAC, ABAC & ReBAC
    ● Security monitoring and data visualization dashboards
    ● Build a comprehensive personality profile with interactions, transactions and omnichannel activities
      ○ Master data management and integrations with systems of record
      ○ APIs for querying the personality, patterns and classifications to build personalized experiences
      ○ Event processing and AI/ML analysis of all data to derive insights on behalf of businesses
      ○ Triggers alerting anomalies and transactions
    ● Digital wallet compliant with EU digital wallet and Open Wallet specification
    ● Access Management on VR apps (metaverse, vision-os)
    ● Continued ecosystem supporting
      ○ PAM, IGA
      ○ Adjacent business system integrations: CMS, web3
      ○ Decentralized identity and integrations with intelligent IDVs, synthetic identity fraud detection
  • 61. WSO2 Identity Server Roadmap
    2024 H2
    ● Improved UX/DevEx
      ○ Build login/registration flows with natural language input utilizing LLMs
      ○ AI to automate end user facing UI/email branding to match the application's look and feel
      ○ React, Android, iOS, Flutter SDKs for application native login
    ● Feature improvements
      ○ Registration API closer to OIDC standard for orchestratable registration flows
      ○ Application level branding, ToS management
      ○ OAuth 2.0 DPoP support
      ○ Extend B2B collaboration use cases where users can collaborate across organizations horizontally or vertically
      ○ User impersonation capabilities to address help desk support use cases
      ○ Support for post-quantum security securing internal/external encryption, hashing with Post Quantum Cryptography (PQC)
    ● Architecture improvements
      ○ Elevating extensibility framework for consistent and comprehensive extension experiences with refined scripting, events, and webhooks
      ○ Optimized architecture for operational efficiency: redesigned runtime data handling for sessions, non-persistent tokens, etc.
    ● Integrations
      ○ SSO templates for well-known SaaS providers
      ○ Identity verification: Onfido
      ○ Facial Biometrics: iProov
      ○ Bot detection: castle.io
    2025 H1
    ● Improved UX/DevEx
      ○ Registration, login, progressive profiling, user and IdP management UI libraries embeddable in applications
      ○ AI to simplify building personalized login experiences
      ○ Support for environments (e.g. dev, stage, prod) with the capability to promote
    ● Feature improvements
      ○ Enhanced fine-grained consent authorization for business APIs and ability for the end user to manage authorized consents for third party apps (on top of RAR, Grant Management)
      ○ Improved self service functionalities to manage device identities
      ○ FAPI 2.0 compliance
      ○ User impersonation capabilities to address help desk support use cases
    ● Integrations
      ○ Identity verification: Trusona, Keyless
      ○ Consent management: OneTrust, DataGuard
      ○ Bot/fraud detection: Sift, Imperva, LexisNexis
      ○ Authorization: Axiomatics, Styra
    2025 H2+
    ● Authorization policy engine enhancement supporting RBAC, ABAC & ReBAC
    ● Agents and enablers to build a comprehensive personality profile with integrations for Master data management and systems of record
      ○ APIs for querying the personality, patterns and classifications to build personalized experiences
    ● Access Management on VR apps (metaverse, vision-os)
    ● Continued ecosystem supporting
      ○ PAM, IGA
      ○ Adjacent business system integrations: CMS, web3
      ○ Decentralized identity and integrations with intelligent IDVs, synthetic identity fraud detection
  • 63. Managing access for a Single Page Web Application
    ➤ Integrate with Asgardeo
    ➤ Self registration
    ➤ Account linking
    ➤ Self service account management
    ➤ Multi-Factor Authentication (MFA)
    ➤ Passwordless Authentication
    ➤ Access a high assurance API
    ➤ Integrate with Salesforce