Tag Archives: WSO2 Identity Server

Nutanix: How WSO2’s Identity Server Enhanced Customer Experience

Nutanix is a leader in hyperconverged systems with a mission to make infrastructure invisible by delivering an enterprise cloud platform that lets you focus on the applications and services that power your business. At WSO2Con USA 2017, Manoj Thirutheri, Director of SaaS and Tools Engineering at Nutanix, explored how WSO2 Identity Server helped them enhance their customer experience and stay competitive against large vendors like HP, Microsoft and Cisco.

Nutanix provides over 4450 customers across the globe with a hyperconvergence appliance that combines storage, virtualization and network components under an intelligent software layer in order to minimize the need for infrastructure. “Customer experience is the last mile of digital transformation,” Manoj said, stressing the importance of creating an integrated ecosystem of customers and partners in order to be successful. They currently maintain multiple web portals for customer support, partner support, and the community. One of their top priorities is to make customer experiences as simple and seamless as possible. They needed to create a more seamless sign-on experience for their portals and mobile apps to sustain growth.

Because of the speed at which Nutanix was growing, many identity silos existed, which meant the same customer was identified in multiple ways. Non-standard and insecure authentication and authorization mechanisms left them exposed and hindered the user experience. Furthermore, their ability to be agile and innovate quickly was hampered by proprietary technology that was neither open nor extensible. “The bottom line is, we didn’t know what our customers or partners were doing. We were lost,” notes Manoj. A 360-degree view of customers’ activities, tracked across the different portals, was a key requirement of any solution to these challenges.

As shown in the diagram below, Nutanix used WSO2 Identity Server to overcome their major identity and access management challenges. Manoj then explained the architecture from the bottom up. The highly available WSO2 Identity Server cluster is load balanced across multiple regions for high redundancy. Next, they built an intelligent API layer, which exposed all the APIs including user management, tenant management, service provider and identity provider APIs. By doing so they avoided vendor lock-in and didn’t couple their functionality to any technology, be it open source or proprietary. The third layer consisted of their own entitlement system called My Nutanix where customers and partners register and access the service providers. The green boxes at the top depict the service providers including the following:

  • The customer portal enables customers to access the services offered in My Nutanix.
  • The partner portal allows partners to perform deal registrations among other things.
  • The community portal is open source and can be used by anyone. Here, they use WSO2 Identity Server to authenticate the users through basic OAuth over Transport Layer Security (TLS), which allows them to track the users and gain new customer prospects.
  • They also have the educational and training portal in addition to many other service providers that are still in development.

Nutanix currently uses several industry standards for authentication, including OAuth 2.0, OpenID Connect, and SAML 2.0, all of which are supported out-of-the-box by WSO2 Identity Server. They also use WSO2 Identity Server for Just-in-Time (JIT) provisioning of users. Nutanix performs SMS-based multi-factor authentication (MFA) through a WSO2 Identity Server connector to Twilio, whose web service APIs send and receive text messages programmatically. In addition, they federate with their partners’ Active Directory Federation Services (ADFS) deployments through WSO2 Identity Server.

Apart from these implemented features, Nutanix is working on leveraging more capabilities of WSO2 Identity Server. They will soon introduce multi-tenancy, because every customer has its own tenant with its own isolated roles. They will also experiment with service-based authentication, a fairly new concept to them, which uses certificates to authenticate the calling service and creates service accounts within WSO2 Identity Server. As Manoj puts it, “Two services, no human interaction”.

Having a product that is open source, supports multiple security protocols, and can scale was key, and WSO2 Identity Server met all these requirements. It helped create a seamless single sign-on experience for their customers, partners and prospects, while keeping track of all their actions. A key advantage that helped sustain Nutanix’s rapid growth was WSO2 Identity Server’s scalability and availability, and its ability to absorb a rapid increase in the number of users from 1000 to 100,000 in just two years. It met all of Nutanix’s requirements, including out-of-the-box support for many standard protocols, multi-factor authentication (both SMS-based and Google Authenticator), identity federation, multi-tenancy and tenant management. Furthermore, Nutanix also used WSO2 Managed Cloud, which provides excellent support.

“We now have a bunch of happy customers and partners. We ourselves are also very happy with WSO2 Identity Server,” Manoj added. To learn more about how Nutanix leveraged WSO2, watch Manoj’s talk at WSO2Con USA 2017.

West Interactive: Using WSO2 Identity Server to Enhance Customer Experience

Headquartered in Omaha, West Corporation is all about telecommunication – be it conferencing solutions, safety services, interactive voice response solutions or speech application automation. Pranav Patel, the vice president of systems development at West Interactive, recently spoke at WSO2Con USA 2017 about the unique customer experience they offer through their multi-tenanted role-based identity and access management solution built using WSO2 Identity Server.

An increasing number of users today are turning to channels such as the web, mobile devices, and social media to interact with vendors. Pranav explained that knowing the customer and making sure they can access West Interactive’s services from whichever channel they prefer is a key requirement for them.

West has been in the telecommunication industry for the last 30 years and, quite commonly for a company of that age, has many solutions that are siloed and distributed. Connecting all these solutions was a major challenge they needed to overcome in order to provide a holistic experience to their customers, explained Pranav. This meant dealing with and managing the many different identities that belonged to many different customer portals. They needed a solution that centralizes user identities in a single user portal and provides an efficient identity and access management system.

Pranav then examined the requirements they needed to meet in order to achieve operational efficiency, easily manage accounts, save costs, and provide a great customer experience. Besides the evident single sign-on and federation requirements, multi-tenancy with hierarchical tenant management was an important feature that enabled them to serve all their tenants (a client of West, represented as a domain in the system) and users (individuals that require access to the portal and are grouped at the tenant level) through their portal. The system also needed to enforce role-based access control that grants access to certain products (web applications that need to be integrated) depending on who the user is. In addition, they had corporate policy requirements for passwords: they needed to maintain password history and enforce a password expiry date that prompts users to change their password regularly. Audit logging and bulk user imports were further requirements.

“WSO2 fulfilled several of our requirements out-of-the-box, especially support for various protocols and heterogeneous multiple user stores,” observed Pranav. He went on to explain that they could easily extend the product and customize it for any features that it didn’t already have, making it the perfect solution for West.

WSO2 Identity Server is used for

  • Introducing a relationship hierarchy between the parent tenant and child subtenant and allowing multi-tenancy
  • Asking for and storing answers to five security questions per user
  • Defining permissions or roles for products (web applications) and users
  • Providing single sign-on and federation for users
  • Allowing employees to impersonate a user and see the user portal as that user sees it
  • Enforcing password policies set by tenants

Pranav explained that WSO2 Identity Server meets all their current requirements and that they would like to introduce customizable login pages (per tenant), two-factor and multi-factor authentication, automated user provisioning and self-registration, among other features, in the future. He concluded by saying they were looking forward to adding WSO2 Data Analytics Server to the mix in order to monitor what’s really going on in the system.

To learn more about West Interactive’s story listen to Pranav’s talk at WSO2Con USA 2017.

Guest Blog: Speeding Delivery of Affordable E-Health With WSO2

The good news is that modern technology is helping us to live longer. According to the Ambient Assisted Living Joint Programme, some 25% of the population in the European Union will be over 65 by the year 2020, and the number of people aged 65 to 80 years will rise by 40% between 2010 and 2030.

The challenge before us is to ensure that as people age, we can enable them to live independently and experience the highest quality of life possible—and do so in a way that is affordable for individuals and governments. Addressing that demand has been a key priority here in the Active Independent Living (AIL) group within Barcelona Digital Technology Center (BDigital).

We have built eKauri, a non-invasive e-health and smart home platform that empowers seniors to gain autonomy, participate in modern society, and achieve independence through solutions based on information and communications technologies (ICT). It includes a patient application that provides a range of services activated by the users, for example a home media center and video conferencing, plus sensors that monitor the patient’s activities and environment. A second care center module gives caregivers and managers tools for activities such as monitoring and managing patients and handling patient alarms, among many others.

The cloud-enabled eKauri platform takes advantage of credit-card sized Raspberry Pi computers and Z-Wave wireless home automation devices within patients’ homes. It also relies on four products from the open source WSO2 Carbon enterprise middleware platform: WSO2 API Manager, WSO2 Identity Server, WSO2 Enterprise Service Bus and WSO2 Application Server. Together, these products enable eKauri to tie together data, applications and services across a range of applications, computers and Internet of Things (IoT) devices.

Notably, all WSO2 products extend from the common Carbon base, which created a seamless environment that allowed our programmers to rapidly gain an understanding of the technology and accelerated our integration and product development.

Because our charter is to develop technology that commercial partners can then deliver as solutions to the market, we wanted to provide a minimum viable version that our commercial partners could start using by January 2015. By speeding our development with WSO2, we were able to complete the first minimum viable version of eKauri in October 2014, three months ahead of schedule, and we already have a built-in market and clients that want to pay for the product.

With a rapidly aging population worldwide, we need to move quickly to bring new solutions to market that enhance the health and quality of life for senior citizens. WSO2 has played an important role in helping us meet that demand with eKauri.

WSO2 recently published a case study about our use of its products with eKauri. You can read it here: http://wso2.com/casestudies/bdigital-delivers-e-health-and-smart-home-platform-using-the-wso2-carbon-platform

Joan Protasio, AIL Software Engineer, BDigital E-Health R&D Group

WSO2Con Insights – AlmavivA Adopts Lean Approach to Public Administration with WSO2

The Italian Ministry of Economy was looking for a complete transformation in data management by redefining and organizing its own data, so that information of millions of employees of the Italian Public Administration would be unique and certified.

The proposed system entailed the integration of two main IT systems in the Ministry, one that handles personal data and a second that handles economic data, so that the system would have a single point of management and serve applications regarding salaries and personal data as a self-service for Italian public sector employees.

The Ministry approached AlmavivA Group, Italy’s number one Information and Communication Technology provider, for a solution. Giuseppe Bertone, Solution Architect at AlmavivA S.p.A., said during his session at WSO2Con 2014 EU in Barcelona, Spain, that AlmavivA designed and proposed an ad hoc master data management (MDM) solution for the Ministry, based on WSO2 products, to manage the data of 2.6 million employees.

Picking the Best Product Solution

He said that AlmavivA and their client listed a set of criteria before choosing the right products and platform for the project. Some of the critical features were interoperability with existing IT components, high modularity, optimization for performance and, most importantly, open source. After comparing pre-built product solutions available in the market, Bertone and his team decided to use WSO2 products for the entire solution.

“WSO2 products fit the requirement. You can enable only the components that you need, and leave the rest of it out, unlike in pre-built solutions,” he said.

He added that there were many redundant repositories within the Ministry IT systems; datasets needed to be optimized and integrated with external systems, and a migration workflow for the existing data had to be defined.

The reference architecture for the MDM solution included interface, events, security, and data quality components, as well as the repository layer, which consists of four databases: master data, metadata, historical data and reference data.

The AlmavivA project ‘Anagrafica Unica’, roughly translating to ‘Unique Repository’, was initiated in March 2012.

The WSO2 Advantage

The mapped reference architecture was a total solution platform based on a set of WSO2 products:

WSO2 Enterprise Service Bus (ESB) for interface services, the WSO2 Data Services Server (DSS) to access the repository layer and manage all life cycle services, WSO2 Identity Server (IS) as the security and identity component, WSO2 Message Broker (MB) for communication between applications, WSO2 Governance Registry (G-REG) to store configurations of all components, and the WSO2 Business Activity Monitor (BAM) to monitor services across the entire MDM solution. OracleDB is used as the repository layer.

Because BAM integrates easily with other WSO2 products, AlmavivA simply had to install a specific BAM load inside each component so that statistics and real-time performance could be monitored. An additional console was added as a UI for the system’s custom procedures.

Another advantage of using WSO2 products was brought to light during the development stage; “Many aspects of WSO2 products can be simply configured from the web UI, or the developer studio for all WSO2 components. It’s really useful and easy to use,” explained Bertone.

For a deployment such as this, WSO2 provides Carbon Applications (Carbon Apps). Creating a Carbon App produces a single file containing all the components, so that once the file is deployed the server knows which components to take, according to Bertone. “This is useful because once you have a system like this you can integrate it with an application cycle management solution already present in the customer environment, like we did,” he says. “We have now created a console where with a single click, the customer can pass from staging to production.”

AlmavivA is looking to expand Anagrafica Unica across the country to include all employees of the Italian Public Administration sector in the system, bringing the total user count to 3.5 million. Bertone and his team are also looking to serve data to external systems, such as the Ministry of Health, with more government institutions being added along the way.

For more information on AlmavivA’s development of the Master Data Management System, view the recording of Bertone’s WSO2Con EU presentation.


WSO2Con Insights–Trimble Builds an Enterprise PaaS Framework with Open Source

A large part of the value of Trimble solutions is that they enable customers to build and manage their own positioning-centric solutions for employees in the field—a key requirement for customers in the agriculture, construction, and transportation sectors. Trimble also needs this capability in-house, since its various divisions are set up to be entrepreneurial and have the speed and agility to execute. As Prakash Iyer, Trimble’s vice president for software architecture and strategy, explained during his session at WSO2Con 2013 US, building an enterprise platform as a service (PaaS) framework with open source solutions helped Trimble meet these goals.

The Move to a Cloud Platform

When Trimble first considered building a flexible development platform, the question was whether to go with a traditional platform versus a product-driven platform, Iyer recalled. With a traditional platform, by the time the hard work is done, the technology is likely to have changed, he noted. The better solution, the Trimble team realized, was a product-driven platform where selection of the platform elements is driven by the product. Users can then build applications on the platform and deliver them efficiently.

The Trimble Platform as a Service, known as TPaaS, provides the core services needed to build any modern enterprise application, and also provides an architectural framework to build loosely coupled SOA applications, Iyer explained. Providing a foundation for TPaaS are four multi-tenant, cloud-enabled WSO2 Carbon products: WSO2 Enterprise Service Bus, WSO2 API Manager, WSO2 Application Server, and WSO2 Identity Server.

“Our first implementation of TPaaS had Identity Server, App Server, API Manager and ESB. We didn’t use the whole stack but then we incrementally added to it,” Iyer noted. “We’re able to then build an app on that platform and then deliver it to the team, and prove it can be done efficiently. And that creates momentum.”

TPaaS Supports Internal and External Users

Iyer explained that Trimble’s development platform includes deployment infrastructure and managed hosting services, all of which help reduce the cost, time, and complexity of application development.

A key advantage of TPaaS is that it is accessible to Trimble’s network of partners and dealers, who often need to use the system to exchange data and flow transactions through it, Iyer said. It can be offered as a service framework to these partners and dealers to host their applications. He noted that the platform also provides a cloud container that can host any Trimble service, and act as a gateway to share any Trimble service for wider reuse.

The Benefits of Open Source

While the cost savings of open source were attractive, Iyer stated that other aspects of an open source licensing model were important.

“We can take WSO2 and customize it. If we don’t find everything we need, we can customize it. We don’t have to take everything, just the part needed for us,” Iyer observed. “The other advantage is portability and ownership. I want to take my PaaS across multiple infrastructures and services; some divisions may want to deploy in Rackspace, some in Amazon, or even internally.”

Additionally, since technology changes so quickly, using WSO2 open source products allows Trimble to avoid costly investments in solutions that will become out of date or can’t be customized. Finally, there was the issue of focus. Iyer recalled that Trimble needed to build a solution, and using open source allowed the team to focus on the areas where Trimble could differentiate.

“My goal was always to eventually have everything from writing the code to deployment; things we could assemble and put together our own platform, and then we can focus on the applications,” Iyer said. “That was the strategic alignment part we shared with WSO2.”

For more information about Trimble’s development of an enterprise PaaS framework, view Iyer’s WSO2Con 2013 presentation.


WSO2 Joins Cloud Security Alliance

After watching the good work of the Cloud Security Alliance (CSA) for more than a year, WSO2 has joined as a Corporate Member.

As you know, WSO2 offers the very first completely open source Platform as a Service (PaaS). Taking our Carbon-based middleware platform to the next level, WSO2 Stratos offers the most complete, enterprise-grade, open PaaS, with support for more core services than any other available PaaS today. Unlike many cloud platforms, WSO2 Stratos, the software behind the WSO2 StratosLive Java PaaS, is available as a fully supported product that can be installed and run on-premise.

WSO2 Stratos provides the core cloud services and essential building blocks, for example federated identity and single sign-on, data-as-a-service and messaging-as-a-service and more, required for developing SaaS and cloud applications.

Building a cloud PaaS is actually quite a challenge, but no pain, no gain!

We took up the first challenge of getting our Carbon stack running on an OSGi runtime: not an easy task, and one that some vendors were unable to complete, but one we found necessary in order to build cloud nativity deeply into the platform and to enable incremental upgrades and additions to the platform as a live entity.

Security represents one of the biggest challenges we faced making Stratos a reality. We had to rebuild the foundations of the system to focus on tenant isolation, data security, restricted operations, tenant-based user stores, standards-based security models, and integration with other *aaS models, among other concerns. Stratos today supports many of the most popular open standards related to security and identity management, including SAML2, OpenID, OAuth, XACML and WS-Security.

A few months back we received some recognition of this work, as a recipient of KuppingerCole’s European Identity Award 2011 in the Cloud Provider Offerings category. The award recognizes WSO2 specifically for WSO2 Stratos Identity, citing the multi-tenant open source cloud service for its OpenID and XACML support and its innovative features, including the ability to migrate from on-premise to a full cloud service (and back).

Stratos has come a long way, with customers now adopting the platform, and we welcome the opportunity to both share our experiences with other cloud providers and be part of the conversation in moving cloud security forward.

The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

Among many in our community, questions about whether to move to the cloud or not, whether to move to a private or public cloud, and so forth mostly revolve around security concerns. We look forward to helping address those concerns, and to contributing to the standards and guidelines promoted by the CSA to educate users about ensuring the future of the cloud is secure.

Prabath Siriwardena, Architect & Senior Manager – Carbon Platform & Security
blog: http://blog.facilelogin.com

Why Governance isn’t just for SOA – but Identity too!

People often think of security in terms of barriers. But anyone who looks after a barrier knows that it’s an ongoing process. And managing processes is what we call governance. A few years ago, I would talk to people who had put in place a firewall. They were convinced they were now “secure”. But then I’d ask what process they had to monitor the firewall and its logs. Unfortunately, too often a look of “do I have to do that?” crept onto their faces. Without governance, a firewall is no good: if you don’t know someone is making a concerted effort to attack you, they will eventually get through.

It is not just firewalls that require governance. Increasingly I see examples of security issues that are also linked to governance. I think Wikileaks is a good example: whoever did it had too much access (not policy based but simply yes/no) and there was no “alert” that perhaps an unusual access pattern was in operation. Similarly, I recently heard of a situation where an employee kept their online work login for six months after they left the company.

There are two prime causes for this:

  • Firstly, there are too many identities. Each of us knows we have tens if not hundreds of identities on different systems. And there is no overall control of those identities.
  • Secondly, there are too many places that permissions are checked, or not checked. On the whole we rely on each application to implement permissions and there is a huge lack of consistency between these systems.

It’s possible to fix some of these problems with manual governance processes. But even better is to automate them: the least human effort giving the most security.

We believe that there are two key technologies that can help:

1. Federated Identity Tokens

For example, SAML2, the Security Assertion Markup Language v2, is a standard for XML-based identity tokens. These tokens give us two big benefits: single sign-on and federated identity. SAML2 can help unify as many systems as possible around a single identity. You can configure Salesforce or Google Apps to accept SAML2 tokens from a system driven by your internal LDAP. When an employee leaves, all you need to do is remove them from your LDAP system and they are automatically shut out of all SAML2-based systems. This is an example of federating the identity from your internal model into Salesforce or Google. Remarkably, unlike most security systems, which make life harder, SAML2 actually helps your users, because it gives them single sign-on to many different websites.

How does SAML2 do this? The key benefit of SAML2 is that the user authenticates to a single “identity server”. That server then creates a token which the target trusts for a limited time. The token can contain a variety of information (“claims”). These claims can be used as part of any authorization process. For example, a claim could assert that the user is logging in from a secure network.
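To make the “trusted for a limited time” and “claims” points concrete, here is an added example (not code from the original post, and not WSO2’s) of the checks a service provider performs on an incoming SAML 2.0 assertion before it reads the claims: issuer, validity window, audience, and only then the subject and attributes. The assertion text, the issuer URL https://idp.example.com/saml and the audience https://app.example.com/sp are constructed for this example. XML signature verification, which a real service provider does first (for instance with xmlsec), is assumed to have already passed and is not shown.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example).
Signature verification (XML-DSig, via xmlsec / python3-saml in practice)
is assumed to have passed before these checks run; it is not shown here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical identifiers: the IdP this SP trusts and the SP's own entity ID.
TRUSTED_IDP = "https://idp.example.com/saml"
SP_AUDIENCE = "https://app.example.com/sp"

# Constructed sample assertion (not a real capture): issued for
# paul@example.com, valid for five minutes, carrying two claims.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e3f1a" Version="2.0" IssueInstant="2011-06-01T09:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">paul@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-06-01T09:00:00Z" NotOnOrAfter="2011-06-01T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="network"><saml:AttributeValue>corporate</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

AUDIT_LOG = []  # every accept/reject decision is recorded here (central audit point)


class SamlValidationError(Exception):
    pass


def _instant(value):
    """Parse a SAML UTC timestamp such as 2011-06-01T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Return issuer, subject and claims if the assertion is acceptable, else raise."""
    if isinstance(now, str):  # tests pass a timestamp; production passes datetime.now(timezone.utc)
        now = _instant(now)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise SamlValidationError("not a SAML 2.0 Assertion element")

    # 1. The token must come from the IdP we federate with, nobody else.
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != trusted_issuer:
        raise SamlValidationError("untrusted issuer")

    # 2. The token is trusted only inside the window the IdP stamped on it
    #    (NotOnOrAfter is exclusive); the skew absorbs IdP/SP clock drift.
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise SamlValidationError("missing Conditions")
    not_before = _instant(conditions.get("NotBefore"))
    not_on_or_after = _instant(conditions.get("NotOnOrAfter"))
    if now + skew < not_before:
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= not_on_or_after:
        raise SamlValidationError("assertion expired")

    # 3. A token minted for another SP must not be replayable against this one.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    if expected_audience not in audiences:
        raise SamlValidationError("audience mismatch")

    # 4. Only now are the subject and claims worth reading.
    subject = (root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or "").strip()
    if not subject:
        raise SamlValidationError("missing NameID")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        claims[attr.get("Name")] = [v.text.strip() for v in
                                    attr.findall("saml:AttributeValue", SAML_NS) if v.text]
    return {"issuer": issuer, "subject": subject, "claims": claims,
            "assertion_id": root.get("ID")}


def check_assertion(xml_text, trusted_issuer, expected_audience, now):
    """Enforcement-point wrapper: returns ('accept', identity) or ('reject', reason)
    and writes an audit event either way."""
    try:
        identity = validate_assertion(xml_text, trusted_issuer, expected_audience, now)
    except (SamlValidationError, ET.ParseError, ValueError, TypeError) as exc:
        AUDIT_LOG.append({"result": "reject", "reason": str(exc), "at": str(now)})
        return "reject", str(exc)
    AUDIT_LOG.append({"result": "accept", "subject": identity["subject"],
                      "assertion_id": identity["assertion_id"], "at": str(now)})
    return "accept", identity


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, TRUSTED_IDP, SP_AUDIENCE, "2011-06-01T09:02:00Z"))
    print(check_assertion(SAMPLE_ASSERTION, TRUSTED_IDP, SP_AUDIENCE, "2011-06-01T09:10:00Z"))
```

The audience check is what stops a token minted for Google Apps being replayed against Salesforce, and the audit entry written on every decision is the central record the governance argument below relies on. A production service provider would additionally remember each assertion ID and refuse a second presentation within its validity window, and would verify the signature before any of these checks.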

2. Policy-based authorization and entitlement

For example, XACML, the eXtensible Access Control Markup Language, does for authorization what SAML2 does for authentication. It allows a single policy-based model for who can access which resources. XACML is very powerful too. It can work in conjunction with SAML2 to create very rich security models. For example, you can grant different access to users who are logged into a secure computer on a secure network than to users coming in on their laptop from Starbucks.

XACML does this by capturing complex “entitlement” logic in the Policy. The Policy is an XML file that can be stored in a smart registry. For example, a policy might state that user Paul may access a salary update process between 9AM and 5PM GMT if Paul holds the Manager role.
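The Paul/Manager/9-to-5 rule above, together with the “secure network versus Starbucks” distinction from the previous paragraph, as an added example: a small policy decision point written for this page (not WSO2’s XACML engine, which evaluates real XACML XML) that keeps the XACML vocabulary of targets, conditions, effects and a deny-overrides combining algorithm. The attribute names, the role value “Manager”, the resource name “salary-update” and the network value “corporate” are assumptions made for the example.

```python
"""A minimal policy decision point (PDP) modelling the entitlement rule from the
text in XACML terms (added example, not WSO2 code). Real XACML policies are XML
documents evaluated by a PDP; this stand-in keeps only the decision logic."""
from datetime import time

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def make_request(subject_id, roles, network, time_utc, resource, action):
    """Build an XACML-style request context. In a SAML2 deployment the subject
    attributes come straight from the claims in the user's assertion."""
    return {
        "subject": {"id": subject_id, "roles": list(roles)},
        "resource": {"id": resource},
        "action": {"id": action},
        "environment": {"network": network, "time_utc": time.fromisoformat(time_utc)},
    }


def between(start, end):
    """Condition factory: true when the request's UTC time lies in [start, end)."""
    def cond(req):
        return start <= req["environment"]["time_utc"] < end
    return cond


def has_role(role):
    return lambda req: role in req["subject"]["roles"]


def all_of(*conds):
    return lambda req: all(c(req) for c in conds)


# The policy from the text: Paul may run the salary update between 09:00 and
# 17:00 UTC if he holds the Manager role, plus the "laptop from Starbucks"
# case as a Deny rule for any caller outside the corporate network.
SALARY_POLICY = {
    "id": "salary-update-policy",
    "combining": "deny-overrides",
    "rules": [
        {
            "id": "permit-paul-manager-business-hours",
            "effect": PERMIT,
            "target": {"subject": {"id": "Paul"},
                       "resource": {"id": "salary-update"},
                       "action": {"id": "execute"}},
            "condition": all_of(has_role("Manager"), between(time(9, 0), time(17, 0))),
        },
        {
            "id": "deny-off-network",
            "effect": DENY,
            "target": {"resource": {"id": "salary-update"}},
            "condition": lambda req: req["environment"]["network"] != "corporate",
        },
    ],
}


def target_matches(target, req):
    """Every attribute named in the target must equal the request's value
    (or be contained in it when the request holds a list, such as roles)."""
    for category, attrs in target.items():
        for name, wanted in attrs.items():
            have = req.get(category, {}).get(name)
            if isinstance(have, (list, tuple, set)):
                if wanted not in have:
                    return False
            elif have != wanted:
                return False
    return True


def evaluate_rule(rule, req):
    """A rule yields its effect only if its target matches and its condition holds."""
    if not target_matches(rule.get("target", {}), req):
        return NOT_APPLICABLE
    cond = rule.get("condition")
    if cond is not None and not cond(req):
        return NOT_APPLICABLE
    return rule["effect"]


def decide(policy, req):
    """Combine rule results. deny-overrides: any Deny wins, otherwise any Permit,
    otherwise NotApplicable. permit-overrides is the mirror image."""
    results = [evaluate_rule(r, req) for r in policy["rules"]]
    first, second = (DENY, PERMIT) if policy["combining"] == "deny-overrides" else (PERMIT, DENY)
    if first in results:
        return first
    if second in results:
        return second
    return NOT_APPLICABLE


def enforce(decision):
    """Enforcement-point behaviour: only an explicit Permit opens the door;
    NotApplicable (and Indeterminate, in full XACML) must fail closed."""
    return decision == PERMIT


if __name__ == "__main__":
    req = make_request("Paul", ["Manager"], "corporate", "10:30", "salary-update", "execute")
    print(decide(SALARY_POLICY, req), enforce(decide(SALARY_POLICY, req)))
```

Two points the paragraph leaves implicit are visible here: the network condition is a separate Deny rule, so deny-overrides lets it win even when the business-hours rule would permit, and a request no rule speaks to comes back NotApplicable rather than Permit, so the enforcement point must treat anything other than Permit as a refusal.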

 

The title of this blog is that governance is not just for SOA. SOA Governance has been — in our view — an area where the architecture community has learnt a lot of useful lessons. Let’s try to apply the SOA Governance lessons to Identity and Security Governance.

In the SOA world a common pattern for governance is the combination of a Registry and an ESB. The secret to this is:

  • Using policy and metadata instead of code, and managing the metadata in a Registry.
  • Moving towards a canonical model and transforming legacy systems into the canonical model.
  • Putting in place central logs and monitoring.

It turns out we can learn exactly the same lessons for Identity:

  • Using XACML to have a consistent model and way of defining authorization and entitlement using policy instead of hard-coding it into apps and storing these policies in a Registry.
  • Using SAML2 as a canonical model for Identity and bridging that into legacy systems as much as possible.
  • Using common auditing across your Policy Enforcement Points (PEPs) to ensure a single central audit log.

With this kind of model the governance becomes much more simple and automated. Removing a user’s login permission can remove login from everything. Authorization can be based on policies, which can be managed using processes. Even remote systems like Salesforce will still be included in the audit, because when a user signs in via SAML2, the SAML2 token server will create an audit event.

OpenID (for authentication) and OAuth (for delegated authorization) are web-oriented alternatives that perform similar and complementary functions to SAML2 and XACML, and are supported by a number of websites and web-based systems.

Good governance is tricky, and an ongoing process. The best way to get good governance is to automate it around simple, straightforward approaches. The trio of metadata, canonicalization and log/audit is a great start, and putting in place a solution around that architecture is an effective way to improve your Identity Governance.

Portions of this post have previously appeared in an article written by the author for Enterprise Features

Paul Fremantle, WSO2 CTO
Paul’s blog: http://pzf.fremantle.org/