Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose
Enterprise Security & SOI: Identity and Access Management in the Organizations with WSO2 IS
ver 1.0
Roger CARHUATOCTO (SOA, BPM, ECM, Portal and Security). You can reach me on:
http://www.linkedin.com/in/rcarhuatocto
@Chilcano
roger [at] chakray.com
+34 629292125
http://holisticsecurity.wordpress.com
Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS
1. A typical Ecosystem in the Organizations
Service-oriented Infrastructure (SOI) as best practice (1/2)
[Slide diagram. Three layers: Presentation Layer (Portal B2B and Portal B2C: Web, Portlets, Mobile, B2B API, Dashboard, OpenData, Collaboration); Orchestration Layer (Enterprise Service Bus; BPM Applications such as Bonita BPM: BPM Designer, Workflow Engine, BPM Portal); Business Service Layer (Existing Business Applications: CRM, CMS/ECM, ERP; New Business Application Systems in PHP, Ruby, Python, Java; Services and Governed Services; DB, KPI, Logs, Docs), with BAM, BI & BigData alongside. The diagram also carries Controller/Model/View labels. Security and Identity Management is drawn as a vertical bar cutting across all layers, covering Authentication, Authorization, Single Sign-On, Social Login, Federation of Identities, Users Management, Users Provisioning and Consolidation of Identities.]
1. A typical Ecosystem in the Organizations
Service-oriented Infrastructure (SOI) as best practice (2/2)
[Slide diagram: the same layered ecosystem with concrete products. Presentation Layer: Portal B2B (WSO2 UES, BAM, AM, ES) and Portal B2C (Liferay Portal) with Web, Portlets, Mobile, B2B API, Dashboard, OpenData, Collaboration. Orchestration Layer: Enterprise Service Bus (WSO2 ESB); BPM Applications (Bonita BPM): Bonita Studio, Bonita Workflow Engine, Bonita UX Portal. Business Service Layer: Existing Business Applications (Openia CRM, Alfresco ECM, Openbravo ERP); New Business Application Systems (PHP, Ruby, Python, Java); Services and Governed Services. BAM, BI & BigData (WSO2 SS, BAM, CEP). Identity Management (WSO2 IS): Authentication, Authorization, Single Sign-On, Consolidation of Identities, User Management, Social Login. Federated User Management (Penrose Virtual Directory). Controller/Model/View labels and the vertical Security bar appear as in the previous slide.]
2. Enterprise Security - IAM
Spreading Security in the Organization using SOI
[Slide diagram: the SOI ecosystem of the previous slides (Presentation, Orchestration and Business Service Layers; Portal B2B on WSO2 UES, BAM, AM, ES; Portal B2C on Liferay Portal with Web, Collab, Mobile, Portlets, B2B API, Dashboard, OpenData; WSO2 ESB; Bonita Studio, Bonita Workflow Engine, Bonita UX Portal; Existing Business Applications; New Business Application Systems in PHP, Ruby, Python, Java; Services and Governed Services; BAM, BI & BigData on WSO2 SS, BAM, CEP) with Identity Management (WSO2 IS) and Federated User Management (Penrose Virtual Directory). Integration points are numbered 1 to 10; the same numbered points appear on the summary slide (section 5).]
3. Identity and Access Management - use cases
1. User Credentials Management
• WSO2 Identity Server:
  • Multiple user stores.
  • User store using the embedded LDAP, an external LDAP or an external DB.
  • Authentication, Authorization and SSO.
  • Exposes a complete API for user management.
  • Provisioning via SCIM.
  • Policies.
• Penrose Virtual Directory:
  • Can integrate existing LDAP and DB stores holding user credentials.
  • Exposes an LDAP interface that can be used as the external LDAP of WSO2 IS.
  • Bidirectional sync (LDAP in read/write mode).
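The consolidation role Penrose plays here, as an added example that is not code from the slides or from the Penrose project: a toy virtual directory in Python exposes an LDAP-style source and a legacy application database (SQLite from the standard library) with different schemas as one directory with unified attributes, and routes search, bind (password check) and modify operations back to the backend that owns each entry, which is the read/write mode the slide mentions. All DNs, table names, sample users and passwords are constructed for the example.

```python
"""Toy virtual directory: one LDAP-style view over two identity sources.

Added example (not Penrose's code). An LDAP-style source and a legacy
app DB are merged into one view; bind and modify are routed back to the
owning backend (bidirectional mode). All sample data is constructed.
"""
import hashlib
import hmac
import os
import sqlite3

SALT_LEN = 16


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; both backends store salt + digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_secret(password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    return salt + derive(password, salt)


# Source 1: LDAP-style directory keyed by DN, inetOrgPerson-like attributes (constructed).
LDAP_SOURCE = {
    "uid=alice,ou=Users,dc=example,dc=org": {
        "uid": "alice",
        "cn": "Alice Example",
        "mail": "alice@example.org",
        "memberOf": ["cn=managers,ou=Groups,dc=example,dc=org"],
        "userPassword": make_secret("alice-pass"),
    },
}


def make_legacy_db() -> sqlite3.Connection:
    """Source 2: a legacy app DB with its own column names (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_users (login TEXT PRIMARY KEY, full_name TEXT,"
               " email TEXT, role TEXT, pw_hash BLOB)")
    db.execute("INSERT INTO app_users VALUES (?, ?, ?, ?, ?)",
               ("bob", "Bob Legacy", "bob@legacy.example", "clerk", make_secret("bob-pass")))
    db.commit()
    return db


class VirtualDirectory:
    """Unified view: every entry appears under one virtual base DN."""

    BASE = "ou=Users,dc=virtual,dc=example"

    def __init__(self, ldap_source: dict, legacy_db: sqlite3.Connection):
        self.ldap = ldap_source
        self.db = legacy_db

    def _entry(self, uid, cn, mail, roles, source, key):
        return {"dn": f"uid={uid},{self.BASE}", "uid": uid, "cn": cn,
                "mail": mail, "roles": roles, "_source": source, "_key": key}

    def search(self, uid: str):
        """Return the unified entry for uid, or None; '_source' records the owner."""
        for dn, attrs in self.ldap.items():
            if attrs["uid"] == uid:
                roles = [g.split(",")[0].split("=", 1)[1] for g in attrs["memberOf"]]
                return self._entry(uid, attrs["cn"], attrs["mail"], roles, "ldap", dn)
        row = self.db.execute("SELECT login, full_name, email, role FROM app_users"
                              " WHERE login = ?", (uid,)).fetchone()
        if row:
            return self._entry(row[0], row[1], row[2], [row[3]], "db", row[0])
        return None

    def bind(self, uid: str, password: str) -> bool:
        """LDAP-style simple bind: verify the password against the owning backend."""
        entry = self.search(uid)
        if entry is None:
            return False
        if entry["_source"] == "ldap":
            secret = self.ldap[entry["_key"]]["userPassword"]
        else:
            secret = self.db.execute("SELECT pw_hash FROM app_users WHERE login = ?",
                                     (uid,)).fetchone()[0]
        salt, digest = secret[:SALT_LEN], secret[SALT_LEN:]
        return hmac.compare_digest(derive(password, salt), digest)

    def modify_mail(self, uid: str, new_mail: str) -> str:
        """Write-through update: the change lands in the backend that owns the entry."""
        entry = self.search(uid)
        if entry is None:
            raise KeyError(uid)
        if entry["_source"] == "ldap":
            self.ldap[entry["_key"]]["mail"] = new_mail
        else:
            self.db.execute("UPDATE app_users SET email = ? WHERE login = ?", (new_mail, uid))
            self.db.commit()
        return self.search(uid)["mail"]


if __name__ == "__main__":
    vd = VirtualDirectory(LDAP_SOURCE, make_legacy_db())
    for uid in ("alice", "bob"):
        print(vd.search(uid)["dn"], "bind ok:", vd.bind(uid, f"{uid}-pass"))
```

The point to notice is that the consumer (WSO2 IS configured with the virtual directory as its external LDAP) only ever sees `uid=...,ou=Users,dc=virtual,dc=example` entries; which backend really holds the credential, and how its password is stored, stays behind the virtual view, so a bind or an attribute update does not require the consumer to know about either source.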
3. Identity and Access Management - use cases
2. AuthN and AuthZ for Ad-hoc Applications
• WSO2 Identity Server exposes an API for user management:
  • Recovery.
  • Change password.
  • Update profile.
• WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols:
  • OpenID, SAML, OAuth, XACML, RBAC, etc.
3. Identity and Access Management - use cases
3. AuthN and AuthZ for existing ERP and ECM
• Centralized User Management.
  • Openia CRM is a module for Openbravo ERP. Openbravo ERP already has user management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory.
  • In the same way, Alfresco ECM should be configured against this LDAP.
• Authentication and Authorization.
  • No extra work is needed if you extend the ERP or ECM, because user credentials and roles are already in the LDAP store.
  • Calling the services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication. Do it over HTTP over SSL (HTTPS).
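What the service side of that last point looks like, as an added example in Python that is neither Openbravo's nor Alfresco's code: the endpoint parses the `Authorization: Basic` header, refuses credentials that did not arrive over SSL/TLS (Basic only base64-encodes the password, it does not protect it), checks the password against a salted PBKDF2 hash with a constant-time comparison, and optionally requires a role. The `Request` object, `CredentialStore` (standing in for the LDAP user store) and all users and passwords are constructed for the example.

```python
"""Service-side check of HTTP Basic Authentication, TLS-only.

Added example (not Openbravo or Alfresco code). The credential store stands
in for the LDAP user store; request objects and users are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Request:
    headers: dict
    is_tls: bool  # True when the request came in over HTTPS (HTTP over SSL)


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class CredentialStore:
    """Stand-in for the centralized LDAP user store (constructed, in-memory)."""

    def __init__(self):
        self._records = {}

    def add_user(self, username: str, password: str, roles):
        salt = os.urandom(16)
        self._records[username] = (salt, pbkdf2(password, salt), tuple(roles))

    def verify(self, username: str, password: str):
        """Return the user's roles on success, None on failure."""
        rec = self._records.get(username)
        if rec is None:
            pbkdf2(password, b"\x00" * 16)  # same cost for unknown users (timing)
            return None
        salt, digest, roles = rec
        if hmac.compare_digest(pbkdf2(password, salt), digest):
            return roles
        return None


def parse_basic(header_value):
    """Return (user, password) from 'Basic <base64>' or None when malformed."""
    if header_value is None:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep or not user:
        return None
    return user, password


def authenticate(request: Request, store: CredentialStore, required_role=None):
    """Return (HTTP status, roles): 403 on clear-text HTTP or missing role, 401 on bad creds."""
    if not request.is_tls:
        return 403, ()  # never accept Basic credentials over clear-text HTTP
    creds = parse_basic(request.headers.get("Authorization"))
    if creds is None:
        return 401, ()
    roles = store.verify(*creds)
    if roles is None:
        return 401, ()
    if required_role is not None and required_role not in roles:
        return 403, roles
    return 200, roles


def basic_header(user: str, password: str) -> str:
    """Build the header value a client would send (used here to construct test requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("alice", "s3cret", ["erp-user"])
    for tls in (True, False):
        req = Request({"Authorization": basic_header("alice", "s3cret")}, is_tls=tls)
        print("tls" if tls else "plain", authenticate(req, store))
```

Two details carry the security weight: the TLS check comes before the header is even parsed, so a misconfigured client that sends Basic credentials over plain HTTP gets a 403 rather than a silent success, and the store hashes the supplied password even for unknown users so that the response time does not reveal whether an account exists.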
3. Identity and Access Management - use cases
5. AuthN and AuthZ for Bonita BPM
• Any BPM Suite has 3 components:
  • Designer (Bonita Studio)
    • At process modeling time, having a representation of the hierarchy of users, groups and roles is a great help for the business process expert.
    • Bonita Studio is based on the Eclipse IDE, and it is possible to model against this hierarchy of users, groups and roles using Bonita's "Actor Filter".
  • Workflow engine (Bonita Workflow Engine)
    • In this case we should configure the workflow engine to get the hierarchy from the external LDAP server.
  • TaskList Portal (Bonita UX Portal)
    • The AuthN and AuthZ process is delegated to the external LDAP; Bonita UX Portal has to be configured to point to the LDAP server.
3. Identity and Access Management - use cases
4. AuthN and AuthZ for existing Services
• The user store in WSO2 IS can be used as the user store for WSO2 ESB.
• Authentication and Authorization:
  • In WSO2 ESB you can enable/disable security over the exposed services.
  • WSO2 IS offers several protocols and strategies as a trusted third party; in this way you can reach SSO and Federation of Identities.
3. Identity and Access Management - use cases
7. AuthN and AuthZ for the Presentation Layer
• Any web portal server commonly has an LDAP connector to sync users, groups and/or roles. Any web portal also has connectors for authentication and authorization; for example, Liferay has tools for these purposes.
• WSO2 IS provides OpenID functionality that can be used easily with Liferay Portal.
• Review the authentication, authorization and SSO strategies of WSO2 IS that suit our environment.
4. Identity and Access Management – flow diagram
[Slide diagram: sequence diagrams with the swimlanes LIFERAY, WSO2IS, BONITA and OPENBRAVO.]
Authentication in Openbravo:
1. Start login process
2. Pass login process to Bonita
3. Bonita passes login process
4. OB passes login process
5. WSO2IS sends response
6. OB redirects response
7. Bonita redirects response
8. Liferay receives response
Authentication in Bonita:
1. Start login process
2. Pass login process to Bonita
3. Validate credentials
4. WSO2IS sends response
5. Bonita redirects response
6. Liferay receives response
Authentication in Liferay:
1. Start login process
2. Validate credentials
3. WSO2IS sends response
4. Liferay receives response
Deployment and configuration steps:
1. Deploy WSO2 Identity Server and create several users and roles. Consolidate user credentials (Penrose Virtual Directory) and deploy the LDAP of WSO2 IS.
2. Configure LDAP Authentication in Liferay pointing to the embedded LDAP of WSO2 IS, and enable Users and Roles (Group) sync. In this step it is possible to do LDAP Authentication and User synchronization.
3. Configure LDAP Authentication and user sync in Bonita pointing to the embedded LDAP of WSO2 IS. Right now this functionality is available in the Bonita BPM Teamwork version (http://www.bonitasoft.com/products/product-comparison).
4. Configure LDAP Authentication and user sync in OpenBravo pointing to the embedded LDAP of WSO2 IS.
5. Check the authentication flow and the user sync flow across the whole system: test authentication and synchronization of users.
5. Enterprise Security & SOI - summary
[Slide diagram: the SOI ecosystem with its integration points numbered 1 to 10, as in section 2.]
• Process integration and consolidation of different sources of user identities.
• Bi-directional synchronization; the goal is to build a centralized database of identities and attributes.
• WSO2 Identity Server exposes an API for user management: recovery, change password, update profile.
• WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols: OpenID, SAML, OAuth, XACML, RBAC, etc.
• Openia CRM is a module for Openbravo ERP. Openbravo ERP already has user management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory.
• In the same way, Alfresco ECM should be configured against this LDAP.
• Calling the services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication.
• Bonita BPM in two phases: design time and run time.
  • When the processes are being modeled, the Bonita Studio Actor Filters should be configured to get users, groups and roles from our centralized user store (LDAP).
  • When the processes are running, the BPM engine delegates the validation of identities (authorization) to WSO2 IS, while the model of roles and permissions (attributes) stays in the centralized user store (LDAP).
• The user store in WSO2 IS can be used as the user store for WSO2 ESB.
• In WSO2 ESB you can enable/disable security over the exposed services.
• WSO2 IS offers several protocols and strategies as a trusted third party; in this way you can reach SSO and Federation of Identities.
• Existing or new applications can delegate their authentication process to WSO2 IS, while for user synchronization they use Penrose Virtual Directory as our centralized repository of users and attributes.
• The advantage of using Liferay Portal Server rather than plain applications is the ability to delegate Authentication, Authorization and People Management to WSO2 IS just by setting up connectors, with little programming.
www.linkedin.com/company/chakray-consulting
@Chakray_com
www.chakray.com
Doing the right things. With the right technology. To support business.
SOA · BPM · ECM · PORTAL · BIGDATA · SECURITY