Jun 27, 2009

SOA Summer School: Security in SOA

As many businesses move ahead with SOA, security and identity management need to be made available as a service in the architecture in a consistent and reusable way across all applications. This session will focus on implementing key security standards and identity management for SOA with regard to two emerging user-centric identity technologies, OpenID and Information Cards, and also XACML for fine-grained authorization.

Course Content :

  • Understanding Web Services Security

    • WS-Security

    • WS-Trust

    • WS-Secure Conversation

    • WS-Security Policy

  • Information Cards as an Application of WS-Trust

  • Identity as a Service

  • Understanding OpenID and Oauth

  • Authorization with XACML

  • Identity and SOA

  • Summary and Resources

Get Registered today. All SOA Summer School courses are completely free. And a couple of interesting sessions are yet to come.

Go and grab some knowledge on SOA from the experts...!!

Jun 11, 2009

WSO2 Identity Server 2.0 -alpha1 released

The WSO2 Identity Server team is pleased to announce the release of
version 2.0-alpha1 of the Open Source WSO2 Identity Server (IS).

IS 2.0-alpha1 release is available for download at [1].

This is based on the revolutionary WSO2 Carbon [2] framework, "Middleware
a la carte".

All the major features have been developed as pluggable Carbon components.

New Features
1. Entitlement Engine with XACML 2.0 support.
2. Claim based Security Token Service.
3. Extension points for SAML assertion handling.
4. XMPP based multi-factor authentication.
5. Improved User Management.
6. Claim Management.
7. User Profiles and Profile Management.
8. XKMS.
9. Separable front-end & back-end - a single front-end server can be
used to administer several back-end servers.
10. Bug fixes and enhancements.

Other Features
1. Information Cards provider supporting Managed Information Cards
backed by user name / password and self-issued cards.
2. Information cards support for SAML 1.1/2.0.
3. OpenID Provider.
4. Multi-factor authentication with Information Cards.

How to Run
1. Extract the downloaded zip.
2. Go to the bin directory in the extracted folder.
3. Run the wso2server.sh or wso2server.bat as appropriate.
4. Point your browser to the URL https://localhost:9443/carbon
5. Use "admin", "admin" as the user name and password.
6. If you need to start the OSGi console with the server, use the
property -DosgiConsole when starting the server.

Known issues
------------
1. https://wso2.org/jira/browse/CARBON-3899

All other known issues have been filed here [3]. Please report any
issues you find as JIRA entries.

WSO2 Identity Server team

[1] http://dist.wso2.org/products/solutions/identity/2.0.0-alpha1/wso2is-2.0.0-alpha1.zip
[2] http://wso2.org/projects/carbon
[3] https://wso2.org/jira/browse/CARBON

Jun 4, 2009

XMPP based Multi-Factor Authentication with WSO2 Identity Server 2.0

With version 2.0, WSO2 Identity Server supports multi-factor authentication for OpenIDs. WSO2 Identity Server can act as an identity provider and can issue InfoCards and OpenIDs. With the next version of Identity Server, which is about to be released, users of OpenIDs issued by WSO2 Identity Server benefit from a more assured authentication mechanism.

Usually an authentication process considers only a single factor: something the user KNOWS, such as a password or PIN. Multi-factor authentication strengthens this process by also requiring users to present something they ARE or something they HAVE to prove that they are who they claim to be. Wikipedia gives a simple example of what multi-factor authentication is. According to the FFIEC (Federal Financial Institutions Examination Council), an authentication process counts as multi-factor only if at least two of these three factors (what the user KNOWS, HAS, and IS) are present in the process. With multi-factor authentication, users can expect higher assurance, since two or more factors generally deliver a higher level of authentication assurance than a single factor.

"Multi-factor authentication is used every time a bank customer visits their local ATM machine. One authentication factor is the physical ATM card the customer slides into the machine. The second factor is the PIN number they enter. Without both, authentication cannot take place. This scenario illustrates the basic parts of most multi-factor authentication systems; the "something you have" + "something you know" concept."

WSO2 Identity Server supports multi-factor authentication by using Instant Messaging services. In this case, the user's IM account is treated as the entity that the user HAS. Users must therefore prove that they possess the IM account they provided when activating multi-factor authentication, in addition to providing the password/InfoCard for their OpenID.

Enabling multi-factor authentication is straightforward. Once you are logged into the IS, you will see the Multi-Factor Authentication link in the "my identity" menu on the left-hand side.

Then enable multi-factor authentication by checking "Enable XMPP based multi-factor authentication." and fill in the information required for multi-factor authentication. At the moment only GTalk is supported as the IM server, but more IM providers will be supported in future. Provide your IM address in the username field and a PIN number. You can choose whether or not to be prompted for the PIN number during authentication, using the check box "Use the PIN number for authentication". Prompting for the PIN number is stronger than the basic multi-factor authentication, because in addition to the normal authentication based on something you KNOW, it requires you to provide something you HAVE (the IM account) and a second thing you KNOW (the PIN).


After filling out all the required fields, click the "Add" button.


Your OpenID information is available in the InfoCard/OpenID Dashboard.


Then try to sign in with your OpenID provided by the WSO2 IS. In this post, I am using an IS instance running on localhost.


Then it will ask for your password/InfoCard. Provide the appropriate credentials based on how you signed up.


Then it will prompt for your PIN (if you have enabled prompting for a PIN) or for a confirmation to continue via IM. In this case I have configured the IS instance to use a GTalk account called "test" to send IMs to the OpenID users.


After that the authentication process is complete and you are logged into the system.
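As an added illustration (not code from WSO2 Identity Server), the following Python models the factor logic described in this post: a password step (something you KNOW), a single-use confirmation code delivered to the user's IM account (something you HAVE), and an optional PIN (a second thing you KNOW), with the FFIEC "at least two distinct categories" rule applied to the result. The IM transport is a hypothetical in-memory stand-in for the GTalk/XMPP sender, and the user, IM address, OpenID URL and secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# The three FFIEC factor categories named in the post.
KNOWS, HAS, IS = "knows", "has", "is"


def is_multi_factor(factors):
    """FFIEC rule: multi-factor only if at least two distinct categories are
    present (a password plus a PIN are both KNOWS and do not qualify)."""
    return len(set(factors)) >= 2


def _derive(secret: str, salt: bytes) -> bytes:
    # Passwords and PINs are stored salted and stretched, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class User:
    openid: str
    pw_salt: bytes
    pw_hash: bytes
    im_address: Optional[str] = None   # the HAS factor, set when XMPP MFA is enabled
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None   # optional extra KNOWS factor


def new_user(openid: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(openid, salt, _derive(password, salt))


def enable_xmpp_mfa(user: User, im_address: str, pin: Optional[str] = None) -> None:
    """Mirrors the form in the post: an IM address plus an optional PIN."""
    user.im_address = im_address
    if pin is not None:                # "Use the PIN number for authentication"
        user.pin_salt = secrets.token_bytes(16)
        user.pin_hash = _derive(pin, user.pin_salt)


class FakeImTransport:
    """Hypothetical in-memory stand-in for the GTalk/XMPP sender."""
    def __init__(self):
        self.outbox = {}

    def send(self, address: str, text: str) -> None:
        self.outbox.setdefault(address, []).append(text)


@dataclass
class Authenticator:
    transport: FakeImTransport
    code_ttl: float = 120.0            # seconds an IM confirmation code stays valid
    sessions: dict = field(default_factory=dict)  # session id -> proven factors
    pending: dict = field(default_factory=dict)   # session id -> (user, code, expiry)

    def first_factor(self, user: User, password: str) -> Optional[str]:
        """Step 1: password (or InfoCard) check. Returns a session id or None.
        With MFA enabled a single-use code goes to the IM account and the
        session stays unusable until second_factor() succeeds."""
        if not hmac.compare_digest(_derive(password, user.pw_salt), user.pw_hash):
            return None
        session = secrets.token_urlsafe(16)
        self.sessions[session] = [KNOWS]
        if user.im_address is not None:
            code = secrets.token_hex(3)                     # 6 hex digits
            self.pending[session] = (user, code, time.monotonic() + self.code_ttl)
            self.transport.send(user.im_address,
                                f"OpenID login for {user.openid}: reply with code {code}")
        return session

    def second_factor(self, session: str, code: str, pin: Optional[str] = None) -> bool:
        """Step 2: prove possession of the IM account via the code, plus the
        PIN if one is configured. Any failure discards the session and the
        code, so the user must restart from the password step."""
        entry = self.pending.pop(session, None)
        user, expected, expiry = entry if entry else (None, None, 0.0)
        ok = (entry is not None
              and time.monotonic() <= expiry
              and hmac.compare_digest(code.encode(), expected.encode()))
        if ok:
            self.sessions[session].append(HAS)
            if user.pin_hash is not None:
                ok = pin is not None and hmac.compare_digest(
                    _derive(pin, user.pin_salt), user.pin_hash)
                if ok:
                    self.sessions[session].append(KNOWS)
        if not ok:
            self.sessions.pop(session, None)
        return ok

    def is_authenticated(self, session: str) -> bool:
        return session in self.sessions and session not in self.pending

    def proven_factors(self, session: str):
        return list(self.sessions.get(session, []))


if __name__ == "__main__":
    im = FakeImTransport()
    auth = Authenticator(im)
    alice = new_user("https://localhost:9443/openid/alice", "correct horse")  # constructed
    enable_xmpp_mfa(alice, "alice@example.com", pin="4242")
    sid = auth.first_factor(alice, "correct horse")
    print("IM sent:", im.outbox["alice@example.com"][-1])
    code = im.outbox["alice@example.com"][-1].split()[-1]
    print("second factor ok:", auth.second_factor(sid, code, pin="4242"))
    print("factors:", auth.proven_factors(sid),
          "multi-factor:", is_multi_factor(auth.proven_factors(sid)))
```

The design point worth noting is that a session created by the password step is not usable until the IM confirmation succeeds, the confirmation code is consumed on first use whether or not it matches, and a wrong code or PIN throws the whole session away rather than letting the user retry the second step indefinitely.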

WSO2 Identity Server can thus provide stronger security for OpenID authentication, which makes it a valuable asset for any Identity Provider. Stay tuned for the latest news about WSO2 Identity Server, which will offer revolutionary features in upcoming releases.
