WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management solution at West
Transcript of WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management solution at West
Multi-tenant, Role-based Identity & Access Management solution at West
Pranav Patel, VP, Product Engineering
West Corporation Overview
Segment Overview
Our Business: We deliver communication solutions to help brands create connected customer experiences.
Segments:
• Commercial
• Utility
• Healthcare
• Education
• Interactive Services
What we do: We are the communication channel/solutions that connect our clients and their consumers.
[Diagram: communication channels and solutions linking Our Clients and Consumers]
Communication channels:
• Emails
• Text messages
• Phone calls
• Web Chat
• Social Media
• Wearables
• Website
Solutions:
• Inbound
• Outbound
• Cloud Contact Center
• Mobile
• Website
The Challenge
• Start connecting all of our solutions to help our customers create the Connected Customer Experience
• The customer chooses the communication channel – mobile, web, phone, text, e-mail, etc.
• The company should know the customer, and the customer's experience should be consistent across all channels of communication
Centralized Identity & Access Management
• Distributed – several disparate web applications, each with its own identity management system
• Centralized – operational efficiency, ease of account management, cost savings, knowing the customer
• Tied to our single customer portal
Access Management
Authentication
• Single Sign-On (SSO)
• Federation
• Session Management
• Password Service
Authorization
• Role-based
• Attribute-based
• Rule-based
Identity Management
User Management
• User & Role Management
• Provisioning
• Password Management
• Delegated Administration
• Self-Service
User Store
• Directory
• Database
• Data Synchronization
Requirements
• Multi-tenancy with hierarchical tenant management
• Role-based access by Product (web application)
• User Role Play – mimic being a user of another Tenant
• User Store – PostgreSQL DB
• Password policies by Tenant: password history, password expiration notifications, lock account after failed login attempts
• Tenant-based security question sets
• Support for various protocols for SSO and federation
• Bulk user import
• Audit logging
WSO2 Identity Server
• Fulfilled several of our requirements out of the box
• Support for various protocols – SAML2, OAuth2, OpenID, WS-Federation
• Support for heterogeneous and multiple user stores
• Integrates nicely with other WSO2 products in our stack – API Manager, ESB, App Server, DSS
• Started with v5.0 and later upgraded to 5.1
System Concepts
• Tenant – typically refers to West's clients (customers). Each tenant requires a unique domain name, e.g. "west.com". A tenant can have sub-tenants.
• Products – the various applications that need to be integrated. Each product has multiple features and sub-features, and each feature has actions.
• Subscription – defines the relationship between a Tenant and a Product.
• Roles – each product has role definitions that define the permissions allowed on its features.
• Users – individuals requiring access to the portal and products. Users are grouped at the Tenant level.
Tenant Extensions
• Introduced “Relationships” (hierarchy) between tenants – Parent/child
• Added “Attributes” table to store additional tenant specific data – West Client ID & Name, Divisions
• 3 sets of 5 security questions each per tenant
• “Subscription” table to hold Tenant & Product relationship
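The tenant hierarchy, subscription table and per-product roles described under System Concepts and Tenant Extensions combine into a single authorization decision. The following is an added illustration, not West's code and not a WSO2 Identity Server API: an in-memory model (standing in for the PostgreSQL tables) with a permission check that enforces three rules the slides imply. Role play is only permitted downward in the parent/child tree, a tenant can only use a product it is subscribed to, and the action must be granted by a role the user holds in that product. All domains, products and roles are constructed sample data, and the "subscription is not inherited by sub-tenants" rule is an assumption.

```python
"""Added example: tenant hierarchy + subscription + role-based permission check.
Not West's or WSO2's code; sample tenants/products/roles are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Tenant:
    domain: str                        # unique domain name, e.g. "west.com"
    parent: Optional[str] = None       # parent tenant domain; None for the root
    subscriptions: Set[str] = field(default_factory=set)  # product names (assumed not inherited)


@dataclass
class Product:
    name: str
    roles: Dict[str, Set[str]]         # role -> permitted "feature.action" strings


@dataclass
class User:
    username: str
    tenant: str                        # users are grouped at tenant level
    roles: Dict[str, Set[str]]         # product -> roles held in that product


class Directory:
    def __init__(self) -> None:
        self.tenants: Dict[str, Tenant] = {}
        self.products: Dict[str, Product] = {}

    def add_tenant(self, t: Tenant) -> None:
        self.tenants[t.domain] = t

    def add_product(self, p: Product) -> None:
        self.products[p.name] = p

    def ancestors(self, domain: str) -> List[str]:
        """Parent chain from a tenant up to the root, nearest parent first."""
        chain: List[str] = []
        cur = self.tenants[domain].parent
        while cur is not None:
            chain.append(cur)
            cur = self.tenants[cur].parent
        return chain

    def is_subscribed(self, domain: str, product: str) -> bool:
        """The subscription table row must exist for this exact tenant (assumption)."""
        return product in self.tenants[domain].subscriptions

    def can_role_play(self, actor: User, target_tenant: str) -> bool:
        """Mimicking a user of another tenant is allowed only for the actor's own
        tenant or one of its descendants; a child never role-plays its parent."""
        return actor.tenant == target_tenant or actor.tenant in self.ancestors(target_tenant)

    def is_allowed(self, user: User, product: str, feature_action: str,
                   acting_as_tenant: Optional[str] = None) -> bool:
        tenant = acting_as_tenant or user.tenant
        if acting_as_tenant and not self.can_role_play(user, acting_as_tenant):
            return False                       # upward role play is denied
        if not self.is_subscribed(tenant, product):
            return False                       # no subscription -> no access, whatever the role
        prod = self.products.get(product)
        if prod is None:
            return False
        held = user.roles.get(product, set())
        return any(feature_action in prod.roles.get(r, set()) for r in held)


def build_sample_directory() -> Directory:
    """Constructed sample data: a root tenant, a client tenant and its sub-tenant."""
    d = Directory()
    d.add_product(Product("Notify", {
        "admin": {"campaign.create", "campaign.send", "report.view"},
        "viewer": {"report.view"},
    }))
    d.add_product(Product("Chat", {"agent": {"session.answer"}}))
    d.add_tenant(Tenant("west.com", None, {"Notify", "Chat"}))
    d.add_tenant(Tenant("acme.example", "west.com", {"Notify"}))
    d.add_tenant(Tenant("acme-east.example", "acme.example"))   # no subscriptions yet
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    alice = User("alice", "west.com", {"Notify": {"admin"}})
    bob = User("bob", "acme.example", {"Notify": {"viewer"}})
    print(d.is_allowed(alice, "Notify", "campaign.send", acting_as_tenant="acme.example"))     # True
    print(d.is_allowed(alice, "Notify", "campaign.send", acting_as_tenant="acme-east.example"))  # False: unsubscribed
    print(d.is_allowed(bob, "Notify", "report.view", acting_as_tenant="west.com"))              # False: upward
```

The subscription check runs before the role check on purpose: an audit of the decision then distinguishes "tenant not entitled" from "user lacks role", which is the kind of event the audit-logging requirement wants recorded.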
Products & Roles
[Diagram: products, their roles and the users assigned to them]
User Registration
[Diagram: three-step user registration flow]
Few Other Extensions
• REST API wrappers
• OAuth2 proxy for authentication in a Single Page Application
• Password expiration notification e-mails – 5 days & 2 days prior
• Password history – cannot reuse the last 12 passwords
• Lock user account for 15 min. after 3 failed login attempts
• Automatic removal of user account after 180 days of password expiration
• Bulk user creation through CSV file
• Audit log table to track operations, users, data changes etc.
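The password rules in the Requirements and the extensions listed above (history of 12, lockout of 15 minutes after 3 failures, reminders 5 and 2 days before expiry, removal 180 days after expiry) form a small state machine per account. The following is an added example, not West's or WSO2 Identity Server's implementation, that encodes those rules and runs them over constructed events. The 90-day maximum password age and the PBKDF2 iteration count are assumptions; the slide states neither.

```python
"""Added example: password policy rules from the slides as a per-account state machine.
Not West's or WSO2's code. Sample account and timestamps are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 3                       # slide: lock after 3 failed logins
LOCKOUT = timedelta(minutes=15)               # slide: 15 min. lock
HISTORY_DEPTH = 12                            # slide: cannot reuse last 12 passwords
NOTICE_DAYS = (5, 2)                          # slide: e-mails 5 and 2 days prior
REMOVAL_AFTER_EXPIRY = timedelta(days=180)    # slide: remove 180 days after expiry
PASSWORD_MAX_AGE = timedelta(days=90)         # assumption: not stated on the slide
PBKDF2_ROUNDS = 10_000                        # assumption; kept low so the demo runs fast


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    password_set_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    notices_sent: Set[int] = field(default_factory=set)

    @property
    def expires_at(self) -> datetime:
        return self.password_set_at + PASSWORD_MAX_AGE


def set_password(acct: Account, new_password: str, now: datetime) -> bool:
    """Reject any of the last 12 passwords; otherwise rotate and restart the age clock."""
    for salt, digest in acct.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(new_password, salt), digest):
            return False
    salt = os.urandom(16)
    acct.history.append((salt, _hash(new_password, salt)))
    acct.history = acct.history[-HISTORY_DEPTH:]   # older entries fall out of the rule
    acct.password_set_at = now
    acct.notices_sent.clear()
    return True


def _verify(acct: Account, password: str) -> bool:
    salt, digest = acct.history[-1]                # newest entry is the current password
    return hmac.compare_digest(_hash(password, salt), digest)


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'failed' or 'locked'; the third failure starts a 15-minute lock."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None                  # lock has expired: reset the counter
        acct.failed_attempts = 0
    if acct.history and _verify(acct, password):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT
        return "locked"
    return "failed"


def expiry_notices_due(acct: Account, now: datetime) -> List[int]:
    """Which reminder e-mails (5-day, 2-day) a scheduled job should send now; each goes once."""
    due: List[int] = []
    remaining = acct.expires_at - now
    for days in NOTICE_DAYS:
        if days not in acct.notices_sent and timedelta(0) <= remaining <= timedelta(days=days):
            due.append(days)
            acct.notices_sent.add(days)
    return due


def should_remove(acct: Account, now: datetime) -> bool:
    """Automatic account removal 180 days after the password expired."""
    return now >= acct.expires_at + REMOVAL_AFTER_EXPIRY


if __name__ == "__main__":
    t0 = datetime(2017, 1, 1)                     # constructed timestamp
    acct = Account("alice", t0)
    set_password(acct, "pw-1", t0)
    print(set_password(acct, "pw-1", t0))         # False: reuse of current password
    print(login(acct, "wrong", t0), login(acct, "wrong", t0), login(acct, "wrong", t0))  # failed failed locked
    print(login(acct, "pw-1", t0 + timedelta(minutes=16)))  # ok: lock expired
```

A lockout that resets its counter only when the lock window has passed, and a history that compares against stored salted hashes rather than plaintext, are the two details an implementer most often gets wrong; the audit log from the previous slide should record the "locked" outcome as well as the failures that led to it.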
Future Wish List
• Customizable login pages per application and/or Tenant
• 2-factor authentication
• User provisioning, self-registration and approval workflow
• Integrate more products with SSO / federation
• Monitoring & Reporting – suspicious login activities, forced termination of abnormal user sessions
• Analytics
• Keep up with WSO2 Identity Server releases
Thank You!