WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management solution at West
Download as PPTX, PDF1 like1,420 views
The document outlines a multi-tenant, role-based identity and access management solution developed by West Corporation to enhance communication experiences across various channels for clients. It details the centralization of identity management, user role management, and tenant-specific security features, as well as future enhancements planned for the system. Key technologies mentioned include WSO2 Identity Server for supporting various protocols and user stores, emphasizing operational efficiency and customer consistency.
WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management solution at West
- 1. Multi-tenant, Role-based Identity & Access Management solution at West Pranav Patel VP, Product Engineering
- 4. Our Business We deliver communication solutions to help brands create connected customer experiences Communication Channel/Solutions Commercial Utility Healthcare Education Interactive Services What we do: We are the communication channel/solutions that connects our clients and their consumers. Emails Text messages Phone calls Web Chat Social Media Wearables Website Emails Text messages Phone calls Web Our Clients Inbound Outbound Cloud Contact Center Mobile Website Consumers
- 5. The Challenge • Start connecting all of our solutions to help our customer create the Connected Customer Experience • Customer’s choice of communication channel – mobile, web, phone, text, e- mail etc. • Company should know the customer and their experience should be consistent across all channels of communication
- 6. Centralized Identity & Access Management • Distributed - Several disparate web applications with its own identity management system • Centralized – operational efficiency, easy of account management, cost savings, know the customer • Tied to our single customer portal Access Management Authentication •Single Sign-On (SSO) •Federation •Session Management •Password Service Authorization •Role-based •Attribute-based •Rule-based User Management •User & Role Management •Provisioning •Password Management •Delegated Administration •Self-Service User Store •Directory •Database •Data Synchronization Identity Management
- 7. Requirements • Multi-tenancy with hierarchical tenant management • Role based access by Product (web application) • User Role Play – Mimic being user of another Tenant • UserStore – PostgreSQL DB • Password policies by Tenant, password history, password expiration notifications, lock account after failed login attempts • Tenant based security question sets • Support for various protocols for SSO and federation • Bulk user import • Audit logging
- 8. WSO2 Identity Server • Fulfilled several of our requirements out of the box • Support for various protocols – SAML2, Oauth2, OpenID, WS- Federation • Support for heterogeneous and multiple user stores • Integrates nicely with other WSO2 products in our stack – API Manager, ESB, App Server, DSS • Started with v 5.0 and later upgraded to 5.1
- 9. System Concepts Tenant - Typically refers to West's clients (customers). Each tenant requires unique domain name – e.g. "west.com“. Tenant can have sub-tenants. Products – Various applications that needs to be integrated. Each product has multiple features & sub-features. And each feature has actions. Subscription – This defines relationship between Tenant & Product. Roles – Each product has role definitions that defines permissions allowed on its features. Users – Individuals requiring access to the portal and products. Users are grouped at Tenant level.
- 10. Tenant Extensions • Introduced “Relationships” (hierarchy) between tenants – Parent/child • Added “Attributes” table to store additional tenant specific data – West Client ID & Name, Divisions • 3 sets of 5 security questions each per tenant • “Subscription” table to hold Tenant & Product relationship
- 11. Products & Roles
- 12. User
- 14. Few Other Extensions • REST API wrappers • Oauth2 Proxy for authentication in a Single Page Application • Password expiration notification e-mails – 5 days & 2 days prior • Password history – can not reuse last 12 passwords • Lock user account for 15 min. after 3 failed login attempts • Automatic removal of user account after 180 days of password expiration • Bulk user creation through CSV file • Audit log table to track operations, users, data changes etc.
- 15. Future Wish List • Customizable login pages per application and/or Tenant • 2-factor authentication • User provisioning, self-registration and approval workflow • Integrate more products with SSO / federation • Monitoring & Reporting – suspicious login activities, forced termination of abnormal user sessions • Analytics • Keep up with WSO2 Identity Server releases
- 16. Thank You!