Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose

Enterprise Security & SOI: Identity and Access Management in the Organizations with WSO2 IS, ver 1.0

Description: Spreading Security in the Organization using SOI - Enterprise Security and IAM with WSO2IS and Penrose

Transcript of Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose

Page 1: Chakray.com - Enterprise Security and IAM with WSO2IS and Penrose

Enterprise Security & SOI: Identity and Access Management in the Organizations with WSO2 IS (ver 1.0)

Page 2

Roger CARHUATOCTO SOA, BPM, ECM, Portal and Security. You can reach me on:

http://www.linkedin.com/in/rcarhuatocto

@Chilcano

roger [at] chakray.com

+34 629292125

http://holisticsecurity.wordpress.com

Page 3

1. A typical Ecosystem in the Organizations

Service-oriented Infrastructure (SOI) as best practice (1/2)

[Architecture diagram. Layers: Presentation Layer (Portal B2B and Portal B2C: Web, Portlets, Mobile, B2B API, Dashboard, OpenData, Collaboration); Orchestration Layer (BPM Applications, Bonita BPM: BPM Designer, Workflow Engine, BPM Portal); Business Service Layer (Services and Governed Services: Existing Business Applications such as CRM, CMS/ECM and ERP; New Business Application Systems in PHP, Ruby, Python, Java; DB, KPI, Logs, Docs). Cross-cutting: Enterprise Service Bus; BAM, BI & BigData; Security and Identity Management covering Authentication, Authorization, Single Sign-On, Social Login, Federation of Identities, Users Management, Users Provisioning and Consolidation of Identities. Model-View-Controller labels on the application tiers.]

Page 4

1. A typical Ecosystem in the Organizations

Service-oriented Infrastructure (SOI) as best practice (2/2)

[Same architecture diagram with products mapped onto it: Portal B2B (WSO2 UES, BAM, AM, ES); Portal B2C (Liferay Portal); Identity Management (WSO2 IS): Authentication, Authorization, Single Sign-On, User Management, Social Login, Consolidation of Identities; Federated User Management (Penrose Virtual Directory); Enterprise Service Bus (WSO2 ESB); BAM, BI & BigData (WSO2 SS, BAM, CEP); BPM Applications (Bonita BPM: Bonita Studio, Bonita Workflow Engine, Bonita UX Portal); Existing Business Applications: Openia CRM, Alfresco ECM, Openbravo ERP; New Business Application Systems in PHP, Ruby, Python, Java; Services and Governed Services.]

Page 5

2. Enterprise Security - IAM

Spreading Security in the Organization using SOI

[Same product-mapped architecture diagram (Liferay Portal, WSO2 UES/BAM/AM/ES, WSO2 ESB, WSO2 SS/BAM/CEP, WSO2 IS, Penrose Virtual Directory, Bonita Studio, Bonita Workflow Engine, Bonita UX Portal, existing and new business applications), with numbered callouts 1 to 10 marking the points where security and identity management are applied; the same numbering reappears on the summary slide.]

Page 6

3. Identity and Access Management - use cases

1. User Credentials Management

•  WSO2 Identity Server:
   •  Multiple user stores.
   •  User store using the embedded LDAP, an external LDAP, or an external DB.
   •  Authentication, Authorization and SSO.
   •  Exposes a complete API for user management.
   •  Provisioning via SCIM.
   •  Policies.

•  Penrose Virtual Directory:
   •  Can integrate existing LDAP directories and DBs storing user credentials.
   •  Exposes an LDAP interface that can be used as the external LDAP of WSO2 IS.
   •  Bidirectional sync (LDAP in read/write mode).
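As an added configuration example (not taken from the slides or from either project's documentation), this is the user store definition in the WSO2 IS file repository/conf/user-mgt.xml that points the identity server at Penrose's LDAP interface in read/write mode, which is what the bidirectional sync described above relies on. The Penrose host, port, base DN and bind account are assumed values, and the property names are those used by WSO2 IS 4.x/5.x user-mgt.xml, so check them against the version you deploy.

```xml
<!-- Added example, not part of the slides: WSO2 IS repository/conf/user-mgt.xml,
     user store pointed at the LDAP interface of Penrose Virtual Directory.
     Host, port, base DN and bind DN below are assumed values for the Penrose side. -->
<UserManager>
  <Realm>
    <!-- ReadWrite manager: WSO2 IS may create and update users and groups in Penrose,
         which is what "bidirectional sync (LDAP in read/write mode)" needs.
         Use ReadOnlyLDAPUserStoreManager if Penrose must stay a read-only view. -->
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <!-- ldaps:// so the bind password and user credentials never cross the wire in clear.
           Penrose's server certificate has to be imported into
           repository/resources/security/client-truststore.jks first. -->
      <Property name="ConnectionURL">ldaps://penrose.example.internal:10636</Property>
      <!-- Dedicated service account for WSO2 IS; do not reuse the Penrose admin account. -->
      <Property name="ConnectionName">cn=wso2is,ou=Services,dc=example,dc=com</Property>
      <Property name="ConnectionPassword">CHANGE_ME</Property>
      <!-- Where the consolidated users live in the virtual tree -->
      <Property name="UserSearchBase">ou=Users,dc=example,dc=com</Property>
      <Property name="UserEntryObjectClass">inetOrgPerson</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=inetOrgPerson)(uid=?))</Property>
      <Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property>
      <!-- Roles are read from LDAP groups, so ERP, ECM, BPM and WSO2 IS share one role model -->
      <Property name="ReadGroups">true</Property>
      <Property name="WriteGroups">true</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=example,dc=com</Property>
      <Property name="GroupEntryObjectClass">groupOfNames</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="MembershipAttribute">member</Property>
      <!-- Hash passwords that WSO2 IS writes instead of storing them in plain text -->
      <Property name="PasswordHashMethod">SHA</Property>
      <!-- Restrict accepted user and role names before they are placed into LDAP filters -->
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-]{3,30}$</Property>
      <!-- Lets the SCIM provisioning endpoint create users in this store -->
      <Property name="SCIMEnabled">true</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
```

WSO2 Carbon's secure vault can replace the plaintext ConnectionPassword value with an alias so the bind password does not sit in the file.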

Page 7

3. Identity and Access Management - use cases

2. AuthN and AuthZ for Ad-hoc Applications

•  WSO2 Identity Server exposes an API for user management:
   •  Recovery.
   •  Change password.
   •  Update profile.

•  WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols:
   •  OpenID, SAML, OAuth, XACML, RBAC, etc.

Page 8

3. Identity and Access Management - use cases

3. AuthN and AuthZ for existing ERP and ECM

•  Centralized User Management.
   •  Openia CRM is a module for Openbravo ERP. Openbravo ERP already has user management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory.
   •  In a similar way, Alfresco ECM should be configured with this LDAP.

•  Authentication and Authorization.
   •  No extra work is necessary if you extend the ERP or ECM, because user credentials and roles are already in the LDAP store.
   •  Calling services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication. Use HTTP over SSL, since Basic Authentication otherwise sends the credentials in clear.

Page 9

3. Identity and Access Management - use cases

5. AuthN and AuthZ for Bonita BPM

•  Any BPM Suite has 3 components:
   •  Designer (Bonita Studio)
      •  At process modeling time, having a representation of the hierarchy of users, groups and roles is a great help for the business process expert.
      •  Bonita Studio is based on the Eclipse IDE, and it is possible to model following this hierarchy of users, groups and roles using "Bonita's Actor Filter".
   •  Workflow engine (Bonita Workflow Engine)
      •  In this case we should configure the workflow engine to get the hierarchy from the external LDAP server.
   •  TaskList Portal (Bonita UX Portal)
      •  The AuthN and AuthZ process is delegated to the external LDAP. Bonita UX Portal has to be configured to point to the LDAP server.

Page 10

3. Identity and Access Management - use cases

4. AuthN and AuthZ for existing Services

•  The user store of WSO2 IS can be used as the user store of WSO2 ESB.

•  Authentication and Authorization:
   •  In WSO2 ESB you can enable/disable security over the exposed services.
   •  WSO2 IS offers several protocols and strategies as a trusted third party; in this way you can reach SSO and Federation of Identities.

Page 11

3. Identity and Access Management - use cases

7. AuthN and AuthZ for the Presentation Layer

•  Any Web Portal server commonly has an LDAP connector to sync users, groups and/or roles. Also, any Web Portal has connectors for authentication and authorization; for example, Liferay has tools for these purposes.

•  WSO2 IS provides OpenID functionality that can be used with Liferay Portal easily.

•  Review the authentication, authorization and SSO strategies of WSO2 IS that suit our environment.

Page 12

4. Identity and Access Management – flow diagram

Systems involved: LIFERAY, WSO2IS, BONITA, OPENBRAVO.

Authentication in Openbravo:
1. Start login process
2. Pass login process to Bonita
3. Bonita passes login process
4. OB passes login process
5. WSO2IS sends response
6. OB redirects response
7. Bonita redirects response
8. Liferay receives response

Authentication in Bonita:
1. Start login process
2. Pass login process to Bonita
3. Validate credentials
4. WSO2IS sends response
5. Bonita redirects response
6. Liferay receives response

Authentication in Liferay:
1. Start login process
2. Validate credentials
3. WSO2IS sends response
4. Liferay receives response

Steps:

1. Deploy WSO2 Identity Server, create several users and roles. Consolidate user credentials (Penrose Virtual Directory) and deploy the LDAP of WSO2 IS.

2. Configure LDAP Authentication in Liferay pointing to the embedded LDAP of WSO2 IS. Enable Users and Roles (Groups) sync. At this step LDAP authentication and user synchronization are possible.

3. Configure LDAP Authentication and user sync in Bonita pointing to the embedded LDAP of WSO2 IS. Right now this functionality is available in the Bonita BPM Teamwork version (http://www.bonitasoft.com/products/product-comparison).

4. Configure LDAP Authentication and user synchronization in Openbravo pointing to the embedded LDAP of WSO2 IS.

5. Check the authentication flow and the user sync flow across the whole system: test authentication and synchronization of users.

Page 13

5. Enterprise Security & SOI - summary

[Product-mapped architecture diagram with the numbered callouts 1 to 10 from slide 5.]

•  Process integration and consolidation of different sources of user identities.

•  Bi-directional synchronization; the goal is to build a centralized database of identities and attributes.

•  WSO2 Identity Server exposes an API for user management: recovery, change password, update profile.

•  WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols: OpenID, SAML, OAuth, XACML, RBAC, etc.

•  Openia CRM is a module for Openbravo ERP. Openbravo ERP already has user management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory.

•  In a similar way, Alfresco ECM should be configured with this LDAP.

•  Calling services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication.

•  Bonita BPM in two phases: design time and run time.

•  When the processes are being modeled, the Bonita Studio Actor Filters should be configured to get users, groups and roles from our centralized User Storage (LDAP).

•  When the processes are running, the BPM engine delegates the validation of identities (authorization) to WSO2 IS, while the model of roles and permissions (attributes) stays on the centralized User Storage (LDAP).

•  The user store of WSO2 IS can be used as the user store for WSO2 ESB.

•  In WSO2 ESB you can enable/disable security over the exposed services.

•  WSO2 IS offers several protocols and strategies as a trusted third party; in this way you can reach SSO and Federation of Identities.

•  Existing or new applications can delegate their authentication process to WSO2 IS, while for user synchronization they will use the Penrose Virtual Directory as our centralized repository of users and attributes.

•  The advantage of using Liferay Portal Server rather than a plain application is the ability to delegate Authentication, Authorization and People Management to WSO2 IS just by setting up connectors, with little programming.

Page 14

www.linkedin.com/company/chakray-consulting

@Chakray_com

www.chakray.com

Doing the right things. With the right technology. To support business.

SOA · BPM · ECM · PORTAL · BIGDATA · SECURITY