WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management solution at West


Transcript of WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management solution at West

Page 1

Multi-tenant, Role-based Identity & Access Management solution at West

Pranav Patel, VP, Product Engineering

Page 2

West Corporation Overview

Page 3

Segment Overview

Page 4

Our Business

We deliver communication solutions to help brands create connected customer experiences

Communication Channel/Solutions

Commercial

Utility

Healthcare

Education

Interactive Services

What we do: We are the communication channel/solutions that connect our clients and their consumers.

[Diagram: communication channels (e-mail, text messages, phone calls, web chat, social media, wearables, website) linking Our Clients (inbound/outbound, cloud contact center, mobile, website) with Consumers]

Page 5

The Challenge

• Start connecting all of our solutions to help our customers create the Connected Customer Experience

• Customer’s choice of communication channel – mobile, web, phone, text, e-mail etc.

• Company should know the customer and their experience should be consistent across all channels of communication

Page 6

Centralized Identity & Access Management

• Distributed – several disparate web applications, each with its own identity management system

• Centralized – operational efficiency, ease of account management, cost savings, know the customer

• Tied to our single customer portal

Access Management

• Authentication – Single Sign-On (SSO), Federation, Session Management, Password Service

• Authorization – Role-based, Attribute-based, Rule-based

Identity Management

• User Management – User & Role Management, Provisioning, Password Management, Delegated Administration, Self-Service

• User Store – Directory, Database, Data Synchronization

Page 7

Requirements

• Multi-tenancy with hierarchical tenant management

• Role-based access by Product (web application)

• User Role Play – mimic being a user of another Tenant

• UserStore – PostgreSQL DB

• Password policies by Tenant: password history, password expiration notifications, lock account after failed login attempts

• Tenant-based security question sets

• Support for various protocols for SSO and federation

• Bulk user import

• Audit logging

Page 8

WSO2 Identity Server

• Fulfilled several of our requirements out of the box

• Support for various protocols – SAML2, OAuth2, OpenID, WS-Federation

• Support for heterogeneous and multiple user stores

• Integrates nicely with other WSO2 products in our stack – API Manager, ESB, App Server, DSS

• Started with v5.0 and later upgraded to 5.1

Page 9

System Concepts

Tenant – Typically refers to West's clients (customers). Each tenant requires a unique domain name, e.g. "west.com". A tenant can have sub-tenants.

Products – The various applications that need to be integrated. Each product has multiple features & sub-features, and each feature has actions.

Subscription – Defines the relationship between a Tenant and a Product.

Roles – Each product has role definitions that define the permissions allowed on its features.

Users – Individuals requiring access to the portal and products. Users are grouped at the Tenant level.

Page 10

Tenant Extensions

• Introduced “Relationships” (hierarchy) between tenants – Parent/child

• Added “Attributes” table to store additional tenant specific data – West Client ID & Name, Divisions

• 3 sets of 5 security questions each per tenant

• “Subscription” table to hold Tenant & Product relationship
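An added example, not code from the talk or from WSO2 Identity Server, that models the concepts and tenant extensions above: tenants with parent/child relationships, a subscription table, product roles over feature actions, and the "User Role Play" rule interpreted as a user acting only in their own tenant or a tenant below it (never above). The domains, product, role names and permissions are constructed sample data.

```python
# Constructed sample data for the talk's model: parent/child tenant hierarchy,
# products with features and actions, tenant-product subscriptions, product
# roles, and users grouped by tenant. Domains and names are illustrative.
PARENT = {                      # tenant -> parent tenant (None for the root)
    "west.example": None,
    "acme.example": "west.example",
    "acme-east.example": "acme.example",
    "globex.example": "west.example",
}
# product -> feature -> set of actions
PRODUCTS = {"notify": {"campaigns": {"view", "send"}, "reports": {"view"}}}
# (tenant, product) pairs, i.e. the "Subscription" table
SUBSCRIPTIONS = {("acme.example", "notify"), ("acme-east.example", "notify")}
# (product, role) -> set of (feature, action) permissions
ROLES = {
    ("notify", "campaign_viewer"): {("campaigns", "view"), ("reports", "view")},
    ("notify", "campaign_admin"): {("campaigns", "view"), ("campaigns", "send")},
}
# user -> (home tenant, set of (product, role) grants)
USERS = {
    "alice": ("west.example", {("notify", "campaign_admin")}),
    "bob": ("acme-east.example", {("notify", "campaign_viewer")}),
}

def ancestors(domain):
    """Parent domains above a tenant, nearest first."""
    chain, parent = [], PARENT[domain]
    while parent is not None:
        chain.append(parent)
        parent = PARENT[parent]
    return chain

def can_act_as(home, target):
    """Role play: act in your own tenant or any tenant below it, never above."""
    return home == target or home in ancestors(target)

def is_authorized(user, acting_tenant, product, feature, action):
    """Tenant scope, subscription and role must all allow the feature action."""
    home, grants = USERS[user]
    if not can_act_as(home, acting_tenant) or (acting_tenant, product) not in SUBSCRIPTIONS:
        return False
    if action not in PRODUCTS.get(product, {}).get(feature, set()):
        return False
    return any((feature, action) in ROLES[(p, r)] for p, r in grants if p == product)
```

The subscription check is what keeps a parent-tenant administrator from reaching a product a child tenant never bought, even though the hierarchy alone would allow the role play.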

Page 11

Products & Roles

Page 12

User

[Diagram: user model with three numbered steps; details not recoverable from the transcript]

Page 13

User Registration

Page 14

Few Other Extensions

• REST API wrappers

• OAuth2 proxy for authentication in a Single Page Application

• Password expiration notification e-mails – 5 days & 2 days prior

• Password history – cannot reuse the last 12 passwords

• Lock user account for 15 minutes after 3 failed login attempts

• Automatic removal of user account after 180 days of password expiration

• Bulk user creation through CSV file

• Audit log table to track operations, users, data changes etc.
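An added example, not West's code, that enforces the password rules listed above: lockout for 15 minutes after 3 failed logins, no reuse of the last 12 passwords, expiry notifications 5 and 2 days in advance, and account removal 180 days after expiry. The 90-day password lifetime, the account structure and the hashing parameters are assumptions.

```python
import hashlib, os
from datetime import datetime, timedelta

# Policy values as stated in the talk; the 90-day password lifetime is an assumption.
MAX_FAILED_ATTEMPTS = 3
LOCKOUT = timedelta(minutes=15)
PASSWORD_HISTORY = 12                    # cannot reuse the last 12 passwords
PASSWORD_LIFETIME = timedelta(days=90)   # assumption, not given in the deck
EXPIRY_WARNING_DAYS = {5, 2}             # notification e-mails 5 and 2 days prior
REMOVE_AFTER_EXPIRY = timedelta(days=180)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)  # low cost, example only

class Account:
    def __init__(self, password: str, now: datetime):
        self.history = []          # (salt, hash) of the current and previous passwords
        self.failed = 0
        self.locked_until = None
        self.expires_at = now
        self.set_password(password, now)

    def set_password(self, password: str, now: datetime) -> bool:
        # Reject any password still in the 12-entry history, else rotate and reset expiry.
        if any(_hash(password, s) == h for s, h in self.history):
            return False
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-PASSWORD_HISTORY:]
        self.expires_at = now + PASSWORD_LIFETIME
        return True

    def login(self, password: str, now: datetime) -> str:
        # Returns 'ok', 'locked', 'expired' or 'bad_password'; third failure locks for 15 min.
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        salt, current = self.history[-1]
        if _hash(password, salt) != current:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.failed, self.locked_until = 0, now + LOCKOUT
            return "bad_password"
        self.failed, self.locked_until = 0, None
        return "expired" if now >= self.expires_at else "ok"

    def lifecycle(self, now: datetime):
        # Daily-job decision: 'remove' 180 days after expiry, 'notify_5d'/'notify_2d', or None.
        if now >= self.expires_at + REMOVE_AFTER_EXPIRY:
            return "remove"
        days_left = (self.expires_at - now).days
        return f"notify_{days_left}d" if days_left in EXPIRY_WARNING_DAYS else None
```

Each stored password keeps its own salt, so checking a candidate against the history means re-hashing it once per entry; a fixed, low iteration count is used here only to keep the example quick.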

Page 15

Future Wish List

• Customizable login pages per application and/or Tenant

• 2-factor authentication

• User provisioning, self-registration and approval workflow

• Integrate more products with SSO / federation

• Monitoring & Reporting – suspicious login activities, forced termination of abnormal user sessions

• Analytics

• Keep up with WSO2 Identity Server releases

Page 16

Thank You!