Leveraging Federation Capabilities of Identity Server for API Gateway
Pushpalanka Jayawardhana, Software Engineer
Jan 15, 2015 (Last Updated: July 2, 2014)
**
About the Presenter
๏ Pushpalanka Jayawardhana - Software Engineer, email: [email protected]
Pushpalanka is a member of WSO2 Identity Server team, focusing on security and integration. In addition to the development efforts, she has been involved in several consulting customer engagements, providing solutions for various requirements in different domains.
**
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
**
What WSO2 delivers
**
Outline
๏ Scenario
๏ Deployment - IS as Key Manager for API Gateway
๏ Configuration Steps
๏ Federation Capabilities of IS 5.0.0
๏ Deployment - Extend to use an Existing IAM (Shibboleth IDP)
๏ Expandability
๏ Q&A
**
Scenario
[Diagram: Web Apps; SAML SSO]
Shibboleth® is a registered trademark of Internet2®.
**
Scenario
[Diagram: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager; SAML SSO]
**
Scenario
[Diagram: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0]
**
Deployment - IS as Key Manager for API Gateway
**
Configuration Steps
Create the databases,
๏ WSO2REG_DB: keep the registry information
- use <IS_HOME>/dbscripts/<database_type>.sql
๏ WSO2UM_DB: store permissions and the internal roles
- use <IS_HOME>/dbscripts/<database_type>.sql
๏ WSO2AM_DB: keep the identity data and API-related data
- use <APIM_HOME>/dbscripts/apimgt/<database_type>.sql and <IS_HOME>/dbscripts/identity/<database_type>.sql
**
Configuration Steps Ctd
In Identity Server,
๏ Install the ‘key manager’ feature
๏ Copy api-manager.xml from API-M 1.7.0
๏ Configure it to point to the Gateway
๏ Configure JWT generation
๏ Add data sources in master-datasource.xml
๏ Copy registry.xml from API-M 1.7.0
๏ Configure the registry mounts
๏ Add the handler for the XACML media type
๏ Point identity.xml to use datasource AM_DB
๏ Point user-mgt.xml to use datasource UM_DB
**
Configuration Steps Ctd
In API Manager,
๏ Add data sources in master-datasource.xml
๏ Copy registry.xml from API-M 1.7.0
๏ Configure the registry mounts
๏ Point user-mgt.xml to use datasource UM_DB
๏ In api-manager.xml:
  ๏ Configure AuthManager and APIKeyManager
  ๏ Point the available default APIs to use IS endpoints
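The wiring the three configuration slides describe, as an added example that is not part of the deck and not a file shipped by WSO2: the shared WSO2AM_DB data source, the two pointers that make Identity Server use the AM and UM databases, and the api-manager.xml entries that send the API Manager to the IS instance. Element names follow the IS 5.0.0 / API-M 1.7.0 configuration files as I know them (check them against the shipped files); host names, the database user and every password are placeholders. The same WSO2AM_DB entry must be present on both servers so that the applications and consumer keys the Store creates are the ones the Key Manager validates.

```xml
<!-- <IS_HOME>/repository/conf/datasources/master-datasources.xml (the same entry goes into API-M) -->
<datasource>
  <name>WSO2AM_DB</name>
  <description>Identity and API data shared by Key Manager and Gateway</description>
  <jndiConfig>
    <name>jdbc/WSO2AM_DB</name>
  </jndiConfig>
  <definition type="RDBMS">
    <configuration>
      <!-- placeholder host, user and password; never keep the default wso2carbon/wso2carbon pair -->
      <url>jdbc:mysql://db.example.internal:3306/WSO2AM_DB?autoReconnect=true</url>
      <username>apim_db_user</username>
      <password>CHANGE_ME</password>
      <driverClassName>com.mysql.jdbc.Driver</driverClassName>
      <maxActive>50</maxActive>
      <maxWait>60000</maxWait>
      <testOnBorrow>true</testOnBorrow>
      <validationQuery>SELECT 1</validationQuery>
      <validationInterval>30000</validationInterval>
    </configuration>
  </definition>
</datasource>

<!-- <IS_HOME>/repository/conf/identity.xml: OAuth token and consumer-key tables are read from WSO2AM_DB -->
<JDBCPersistenceManager>
  <DataSource>
    <Name>jdbc/WSO2AM_DB</Name>
  </DataSource>
</JDBCPersistenceManager>

<!-- <IS_HOME>/repository/conf/user-mgt.xml (same line on the API-M side): permissions and internal roles from WSO2UM_DB -->
<Configuration>
  <Property name="dataSource">jdbc/WSO2UM_DB</Property>
</Configuration>

<!-- <APIM_HOME>/repository/conf/api-manager.xml: Store, Publisher and Gateway authenticate and validate keys against IS -->
<!-- placeholder IS host and admin account; use a dedicated account, not the default admin/admin -->
<AuthManager>
  <ServerURL>https://is.example.internal:9443/services/</ServerURL>
  <Username>admin</Username>
  <Password>CHANGE_ME</Password>
</AuthManager>
<APIKeyManager>
  <ServerURL>https://is.example.internal:9443/services/</ServerURL>
  <Username>admin</Username>
  <Password>CHANGE_ME</Password>
</APIKeyManager>
```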
**
Scenario
[Diagram: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0]
**
Federation Capabilities of IS
๏ Federation between multiple heterogeneous identity providers
๏ SSO between heterogeneous standards/protocols
๏ Out-of-the-box integration with Google Apps and Salesforce
๏ Home realm discovery - deriving the user's home IDP from the request
**
Scenario
[Diagram: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0]
**
Delegate Authentication to Shibboleth
๏ Configure the Shibboleth IDP as an IDP in Identity Server
๏ Configure the default SP to use the IDP configured above.
**
Expandability of Solution
SSO between heterogeneous standards/protocols
[Diagram: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0; connected applications Salesforce, Liferay, Google Apps and Drupal over SAML SSO and OpenID]
**
Expandability of Solution
Federation between multiple heterogeneous identity providers
[Diagram: Web Apps; API Management (WSO2 API-M 1.7.0); Key Manager (WSO2 IS 5.0.0); SAML SSO; OAuth 2.0; federated identity providers Google Apps, Facebook and Custom- over OpenID and SAML SSO]
**
More Information!
๏ Download WSO2 Identity Server (latest version 5.0.0) from http://wso2.com/products/identity-server
๏ Download WSO2 API Manager (latest version 1.7.0) from http://wso2.com/products/api-manager/
๏ Set up Identity Server 5.0.0 as Key Manager for API Manager 5.0.0 - https://docs.wso2.com/display/CLUSTER420/Configuring+WSO2+Identity+Server+as+the+Key+Manager
๏ Identity Server 5.0.0 documentation - https://docs.wso2.com/display/IS500/WSO2+Identity+Server+Documentation
๏ Configure Shibboleth with WSO2 products - http://dulanja.blogspot.com/2013/09/saml2-sso-to-wso2-420-carbon-products.html
๏ Enterprise Directory of APIs and Service Bus (University of Michigan use case) - https://spaces.internet2.edu/display/itana/University+of+Michigan
**
Business Model
Contact us!