Training Report WSO2 internship

Date post: 23-Jan-2018
Upload: keet-sugathadasa
UNIVERSITY OF MORATUWA

Faculty of Engineering

Non-GPA Module 3992: Industrial Training

TRAINING REPORT

WSO2 Lanka (PVT) Ltd

From 25/07/2016 to 23/12/2016

Date of Submission: 31/01/2017

Sugathadasa K. M.

130581H Department of Computer Science and Engineering

Preface

This report is based on the internship experience I had during my time of internship. The

relevant details of the internship program are available in the cover page. This report contains

three main chapters namely, Introduction to the Training Establishment, Training Experience

and Conclusion. In the following paragraphs, what each chapter contains is explained briefly.

The first chapter is titled, “Introduction to training establishment” and it contains information

about the organization that I had my training at. This chapter contains information about the

training establishment, its main functions, organizational structure and hierarchical levels. The

information about the training establishment contains information like what this company is all

about and the history of the company. In the mid-section of the chapter, it explains the core

functionalities of the company and the platform that the company uses, alongside its main

products. And in the latter part of the chapter, it mentions a SWOT analysis and my suggestions

to improve its overall performance, with the contribution of the company towards the IT

industry of Sri Lanka.

The second chapter includes information related to the training experience I had, during my

time of stay at the training establishment. This chapter emphasizes the work carried out at

the training establishment as an intern. It includes information regarding how I saw the

company from my perspective and what I experienced as an intern. It also contains the duties

assigned to me, events in the company and how I took part in all of them. The beginning of the

chapter contains information on commencement of the internship program and how my new

experience was with the company. The mid-section of the chapter explains the work that I

carried out and the latter part of the chapter talks about the life at the company where all the

events and how I enjoyed those events are being mentioned.

The final chapter is the conclusion of the report, where it contains a summary of the training

experience mentioned in chapter 2 and how all these training experiences affected my life and

career and it distinguishes the university life from the training life, by clearly mentioning what

I gained as an intern in that company. My identified weaknesses as a trainee are

mentioned here, along with how I intend to take measures to overcome these weaknesses within the

final year of my university career. It also discusses the ability of the training organization

to provide good training for interns when they come for training.

Acknowledgement

I would first like to thank the Department of Computer Science and Engineering, for providing

us with these wonderful companies to work in and for making sure that everyone in the batch

gets a fair chance in selecting the training places. I would like to thank Dr. C. De Silva (Head

of the Department of Computer Science and Engineering) and Dr. D. Bandara (Head of the

Training Program for the Department) for all the effort they put in to let us work and gain a great

amount of experience during our internship periods.

Next I would like to thank the Industrial Training Division of University of Moratuwa, and the

National Apprentice and Industrial Training Authority (NAITA) for letting us work in such

companies and for giving us guidance on how to work and behave during the training period.

And I would like to thank the Industrial Training Division for being very flexible with the

submissions and other tasks, despite their busy schedules.

Next I would like to thank Dr. S. Weerawarana (CEO and Founder of WSO2) for making sure

that interns get a great experience during the stay at the company and for showing us no

difference when it comes to employees and interns. Then I would also like to thank my mentor,

Mr. P. Siriwardena (Director of Security Architecture at WSO2) for guiding me along every

path and providing me necessary advice at the right time. If not for him, I wouldn’t be writing

this many blogs by now, as his work is what inspired me to work very hard and share

my knowledge.

I would also like to thank Mr. J. Nallathmaby (Technical Lead of Identity Server at WSO2) for

helping me throughout and acting like my mentor, since my mentor was working abroad. And

I would also like to thank Mr. H. Thirimanne (Associate Technical Lead of Identity Server at

WSO2) where he was the one who gave me all the technical support whenever I needed it. I

would not have been able to finish my project if he hadn’t helped me the way he helped me

when I was an intern.

Last but not the least, I would like to thank everyone in the University, at WSO2 and all the

interns who worked with me for making my internship life enjoyable and successful.

Contents

1 Introduction to the Training Establishment
1.1 What is WSO2
1.2 History of WSO2
1.3 WSO2 Vision
1.4 WSO2 Platform
1.1.1 Features of WSO2 Platform
1.1.2 WSO2 Advantage
1.2 The Organizational Structure
1.3 SWOT Analysis of the Company
1.3.1 Strengths
1.3.2 Weaknesses
1.3.3 Opportunities
1.3.4 Threats
1.4 Contributions to the Sri Lankan Society
1.5 How to improve the overall performance?
2 Training Experience
2.1 Selection Interviews
2.2 Training at WSO2
2.2.1 First day at WSO2
2.2.2 Orientation Program
2.2.3 Joining the Identity Server Team
2.2.4 My Project – The Mobile Connect Federated Authenticator
2.2.5 Assisting Project – OpenID Connect Protocol
2.2.6 WSO2 Mobile Connect Webinar
2.3 Life at WSO2
2.3.1 Inter House Tea Time Championships
2.3.2 Inter House Badminton Tournament
2.3.3 WSO2 Smart Ass Quiz
2.3.4 Secret Santa
2.3.5 Karaoke Session
2.3.6 Whack Internal Hackathon
2.3.7 WSO2 Intern Life
2.3.8 WSO2 Year End Party
3 Conclusion
3.1 A different exposure from university life
3.2 How to improve my final year at university?
3.3 Quality of the training I received
3.4 Comments on the training program organized by the university and NAITA
4 References
5 Table of Figures

1 Introduction to the Training Establishment

1.1 What is WSO2

The term WSO2 stands for Web Services Oxygenated and it is one of the leading open source

software companies in the world. It is a company that provides Service Oriented Architecture

(SOA) middleware [1]. It has a variety of products which are being used by leading

organizations in the world like eBay, Boeing, Experian and others. The Enterprise Service Bus

(ESB) of WSO2 is one of the main products that is being used by many organizations around

the world. More on WSO2 products and their platforms can be found in section 1.4 of this

report.

WSO2 was founded by two persons namely Dr. Sanjiva Weerawarana and Paul Fremantle in

August 2005, and investments in this company are being made by various supporters such

as Intel Capital, Toba Capital, Pacific Controls and some others. Having over 11 years of

exposure in the industry, WSO2 has offices located in various parts of the world, including

Colombo Sri Lanka, London United Kingdom, Mountain View CA in United States, whereas

most of the engineering and research teams are situated in the Colombo Sri Lanka office which

is in the Palm Grove Avenue of Colpetty. WSO2 gained a lot of attention in the middleware

industry when eBay, being one of the major customers of WSO2, revealed that the overall

functionality of their organization is being backed by a WSO2 product namely the WSO2 ESB

(Enterprise Service Bus).

All the products of WSO2 are being released under the WSO2 Apache License Version 2 and

they follow open source development principles, which include the code and architectures being

publicly available for everyone, transparency of the work being carried out by providing public

mailing lists and documentation, and conducting workshops every month to make the public

aware of the open source community of WSO2. When considering the application

infrastructure market, the company named Gartner considers WSO2 as one of its leading

competitors.

The 100% open source middleware architecture platform gives the ability to companies to build

their very own infrastructure completely and reliably using each of the products of WSO2. The

customizable architecture of the products at WSO2, allows all the users to use only what they

need and automatically adapt business activity in response to market events.

1.2 History of WSO2

Dr. Sanjiva Weerawarana is one of the founders of the web services platform at IBM, where

he was working as a researcher. WSO2 was started by Dr. Sanjiva Weerawarana, and

he was joined by Paul Fremantle, who became WSO2’s Chief Technical Officer (CTO)

and was subsequently named one of InfoWorld’s Top 25 CTOs in 2008.

The first product of WSO2 was named Tungsten and it was used for development of web

applications. The next product of WSO2 was named as WSO2 Titanium, which later happened

to become well known as WSO2 Enterprise Service Bus (ESB). Funding for WSO2 was provided

by various investors like Intel Capital, Godel Technologies, Toba Capital and Cisco, and

in 2015, Pacific Controls and Toba Capital raised another $20 million as investment for WSO2.

The WSO2Mobile was launched in 2013 as a subsidiary, with Harsha Purasinghe of

MicroImage as the CEO and Co-founder for WSO2Mobile. In 2015, a new line for WSO2 was

launched as WSO2.Telco with the partnership of the Malaysian Telecommunications Company

Axiata.

The top leadership at WSO2 have contributed a lot to Apache Projects, and in 2016, WSO2

was ranked seventh for having the most committers for Apache. WSO2 has always had a

very close connection with Apache where WSO2’s Stratos project was donated to Apache later

on.

1.3 WSO2 Vision

The main global vision of WSO2 is to become the leading Middleware Provider for enterprise

architecture in the whole of Asia. Currently WSO2 faces challenges in terms of expansion and

competition throughout the industry despite their successful strong customer base which

includes many leading companies from around the world.

WSO2 also aims at achieving levels of recognition via the business models

it provides, the working environment for employees, support and marketing aspects and the technology

being used in the company.

1.4 WSO2 Platform

WSO2 is an Open Source Community where most of the products available today let users

customize the systems according to their needs and deploy them to enhance a digital service into their

businesses. For the past 11 years, WSO2 has provided organizations with an Open and

Comprehensive Platform to connect their businesses digitally. With the vision of going forward

as the leading Middleware company in Asia, WSO2 now enhances the global movement of

making enterprise middleware flexible, cost efficient, collaborative and faster like never seen

before. The platform spans the entire breadth of Service Oriented

Architecture (SOA) whilst being 100% open source to the community [2]. The following image

depicts the overall platform and the available products of WSO2.

Figure 1.1 WSO2 Platform

1.1.1 Features of WSO2 Platform

A Platform built for the future – The overall platform of WSO2 runs on top of the

WSO2 Carbon. It will let you customize the components as required and automatically

adapt to the relevant business activity in response to market events.

Develop Once, Deploy Everywhere – The entire WSO2 middleware stack and

architecture supports working on many different clouds such as private, public, hybrid

and even on premise.

Optimized for Internet of Things (IoT) – The WSO2 products enable the System

Integrators to build, integrate, analyze, manage and secure IoT Enabled solutions for

any WSO2 enabled enterprises.

Open and Infinitely Flexible – All WSO2 products run on Open Source and Open

Standards to completely protect from lock in. The platform supports many other

standards and protocols, regardless of whether each of the external components is

paid or open source. Giving a pluggable architecture to the entire platform makes it

infinitely flexible and many enterprises take advantage of this fact to expand the system

as needed.

1.1.2 WSO2 Advantage

The WSO2 Advantage is a concept brought up by the company to show the advantages that

one would get by integrating the WSO2 platform into their enterprises. WSO2 is known as the

Middleware Paradigm Shift, that will advance the entire world. Following are the core features

mentioned under the WSO2 Advantage Concept.

100% Open Source

Comprehensive Platform

Easy Integration by Design

Fully Cloud Ready

Rapid, Expert Support

A Proven Fortune 500 Partner

1.2 The Organizational Structure

The organizational structure at WSO2 provides a flat hierarchy and transparency in everything

that happens within the company and outside of it. The flat organization (hierarchy) depicts a

structure with few levels of middle management between the staff and executives.

The flat and informal structure within WSO2 is what drives employees to build rapid and

innovative systems throughout the products span of the company. The following list shows the

current senior management at WSO2.

Sanjiva Weerawarana – Founder, CEO, Chief Architect

Jonathan Marsh – Vice President Strategy

Samisa Abeysinghe – Vice President Delivery

Devaka Randeniya – Vice President Sales

Padmika Dissanaika – Vice President Finance

Puny Navaratne – Vice President Legal Affairs

Asanka Abeysinghe – Vice President Solutions Architecture

Udeshika Ratnavira – Vice President Human Resources & Administration

Selvaratnam Uthaiyashankar – Vice President Engineering

Jackie Wheeler – Vice President Technical Content

Srinath Perera – Vice President Research

Shevan Goonetilleke – Vice President Operations

Hasmin AbdulCader – Vice President Marketing

Dmitry Sotnikov – Vice President Cloud

The following diagram shows the overall hierarchy of WSO2.

Figure 1.2 Company Hierarchy of WSO2

1.3 SWOT Analysis of the Company

1.3.1 Strengths

Open Source Community: The open source community in the world today is very strong

and WSO2 plays a major role in the overall community. Currently it holds rank seven, for

having the most number of open source contributors for Apache in the year of 2016. This is

a great achievement for the company.

Comfortable working environment: Having a comfortable working environment is a

strength of the company since, that is what allows the workers to think out of the box and

work in a very relaxed mind set. This allows employees to be innovative and solve problems

really fast to provide a better service to its customers.

Talented set of developers and employees: The employees at WSO2 are a very strong base,

because it has people from every industry working in various parts of the company. These

employees bring reputation and sales into the company by their talents being shown around

the globe. Their talent is what brings new features to the WSO2 products within every

release of each product.

Strong Carbon Platform: The carbon platform being used at WSO2, is a very strong and

reliable one which is running on top of the OSGi bundle. The carbon platform is what runs

as the core component of every WSO2 product available today. Having a reliable

architecture underneath every product is a strength to the company.

Flexible working hours: Having flexible working hours can be seen as a strength of the

company, where this is what allows the employees to work freely during the times they are

mostly comfortable in. If you decide to work from home, you can do so. If you decide to

sleep during the day and work over night, you can make arrangements to do so as well. This

is seen as a strength that will bring out the fullest potential of the employees.

1.3.2 Weaknesses

Employee Turnover: Within my stay at WSO2, I found out that many leading engineers

and people from the senior leadership were getting better job opportunities from other Software

Engineering companies in Sri Lanka and abroad. I see this as a weakness of the company

for not being able to retain the current workforce, and due to this reason, the company will

have to invest more on new employees to get them to adapt to the WSO2 culture and working

environment.

1.3.3 Opportunities

Top leading companies being interested in WSO2 products: During my stay at WSO2, I

was working on a new concept for the WSO2 Identity Server, which is Mobile Connect. And

from the webinars and blogs I wrote, I noticed that many leading companies were interested

in joining WSO2 as their key partners for their underlying system.

The growth in the Open Source Community: We can see the open source community in

the world is growing day by day, and this is a great opportunity for WSO2 in the way I see

it. Being open and transparent makes other organizations think that WSO2 products are

more reliable than its competitors' products.

1.3.4 Threats

Competitors for each WSO2 product: Having competitors in any kind of business is what

drives a business to achieve better goals and perfection. Similarly, WSO2 also has some

challenging competitors when it comes to each of the products, so WSO2 has to be

more careful in retaining their existing customer base.

Customer Complaints: During my stay at WSO2, I noticed several incidents where some

top customers at WSO2 were disappointed in the service being provided to them by the

support team. The customers are our main asset when it comes to open source products.

Therefore, it is important to maintain a good relationship with the customers of each of the

products.

1.4 Contributions to the Sri Lankan Society

Being one of the leading open source platforms in the country, WSO2 provides a separate

ecosystem for developers in Sri Lanka to get in touch with the products and work with them.

Recently, WSO2 was selected as a company for Google Summer of Code, and by this, it opened

up a lot of opportunities for developers in Sri Lanka as well as abroad to take part in WSO2

products and start developments as needed.

WSO2 provides many job opportunities for students from state universities as well as private

universities, and most of them are computer science graduates. This is a good opportunity for

those graduates to gain a greater exposure about the industry and work in one of the leading

Software Engineering companies in Sri Lanka.

During my stay at WSO2, I saw many social projects being carried out by WSO2, where once

they went to the University of Sabaragamuwa, and conducted a few workshops for the first-

year Computer Science students.

1.5 How to improve the overall performance?

Improving in terms of marketing would be a good way to increase the performance, because

marketing is what brings in customers into the company where it is hard to get customers to

contact support of WSO2, because all the products are open source products. WSO2 conducted

an internal hackathon for us, where the whole purpose was to identify better means of bringing

in customers into the company.

Further, expanding the company to various other parts in the world, where it will let the

customers feel reliable and eased, because having a local office in some countries, would be

really beneficial for the customers as well as the company to reach each other without a big

hassle.

2 Training Experience

2.1 Selection Interviews

The selection interviews for internships at WSO2 were held in the month of August and they were

conducted by Mr. Selvaratnam Uthaiyashankar (Vice President Engineering) and it was a very

comfortable and friendly interview. He was very polite and had done a background search on

every interviewee who had come on that day. From what I saw, he had checked our LinkedIn

Profiles as well, where he happened to ask a few questions from my LinkedIn profile on the

day of the interview.

I was a bit nervous at the beginning of the interview, but it all faded away when Mr.

Uthaiyashankar called me by my first name and started asking about my family background.

And from that moment onwards I felt really comfortable and without hesitation I expressed my

very own ideas for all the questions he asked. He asked questions like what are my interests,

the projects I have done and what are my future goals. He was interested in my hackathon

achievements and he encouraged me to do more because that’s what builds the motivation and

enthusiasm to work as Computer Science Students.

I was contacted by Mr. Nirshan Fernando from the Human Resource Division of WSO2, and

the confirmation of my internship was informed to me. I was excited and happy, where I was

really looking forward to working at WSO2 as soon as the internship period starts.

2.2 Training at WSO2

2.2.1 First day at WSO2

We commenced our internship at WSO2 on the 25th of July 2016, and we all were asked to

come to the Human Resource Division at WSO2, where we were joined by some other interns

from University of Moratuwa, Department of Electronics and Telecommunications and APIIT.

Most of us were there for the training program of Engineering Team at WSO2 and one person

was for the Marketing Team of WSO2, where all of us were joining as interns. We were

addressed by Mr. Charitha Bandara who is the Lead of Administration and Human Resources

at WSO2, and he welcomed us all. He introduced us to the WSO2 orientation program and our

next two weeks at WSO2 were mainly focused on the orientation program.

2.2.2 Orientation Program

The first day of the orientation program started with the introduction to the houses at WSO2,

and the four houses are,

Cloudbots

Titans

Wild Boars

Legions

I was selected to Cloudbots and we were all asked to do a presentation on the concepts at

WSO2. There were many different concepts where our house was given the chance to present

on the concept called “broken windows” and it was presented by me for the house. That was

the first presentation that I did at WSO2, and it was interesting to go to the front of a meeting

room and present to all the interns.

2.2.2.1 Tour around the company

Then we were taken around the WSO2 premises by Mr. Charitha Bandara (Lead HR and

Administration) and he explained what teams were on each floor and the special rooms in each

of the floors. Each floor at WSO2 had a separate theme, just to bring some variety into the

working employees and give some fun exposure to work in. And each floor consisted of one

or more teams working for some products and they were all working collaboratively with each

other.

Another interesting part which I saw in the company was the space allocated for employees to

do communications and carry out meetings. Each floor consisted of more than one call room

where employees can go to the call room and make a call whenever needed. The purpose of

this was to allow the employees to communicate comfortably with people and not to disturb

others in the process of doing it.

There were some interesting rooms that we found out at WSO2, and one of them was named

as the snooze room. Whenever an employee is feeling sleepy, he or she can go there and have

a nap, where the whole purpose is to avoid employees working in sleepy conditions because it

just slows down the work making it inaccurate at times. I, myself have been to the snooze room

whenever I felt sleepy and rested there for some time before working again.

Another interesting room at WSO2 is the Crèche. This room was built as a day care center for

kids, where there was a nurse attending all the babies in that room. The employees can bring

their kids and babies to this place whenever they come to work, so that they can leave the baby

in that room and go to work comfortably. This room was on the topmost floor of the building

so that it will not interfere with the work environment of the company. The purpose of this

room is to let employees off the worries of thinking about the kids all the time, and focus on

the work being carried out there.

The building has a separate gymnasium and a basketball court for employees to come and play

whenever they want. The purpose of this is to make sure that the employees have a stress free

working environment and to make sure that the employees are physically healthy.

The lobby area contains a lot of games and fun activities including, carom, table tennis, chess,

a pool table, a play station and many more. When the employees come down for tea and lunch,

they can relax themselves by playing one of the games with other employees and relieving the

stress they have. This is to ensure that the employees always maintain a healthy mindset

where it will always increase the accuracy of the work they are doing when they go back to

their desk or work area.

The kitchen area was also shown to us as a part of the tour around the building where food

was provided to everyone at WSO2 at any time of the day. Whether it is lunch, breakfast, dinner

or tea, the company provides all these plus other refreshments to all the employees. The

main purpose for providing food like this inside the company is to ensure that employees do

not go out of the company for food, and by that wasting time that could have been used for a

better purpose.

And finally, he showed us that there is a special area for playing music inside the company

where there is a guitar, drum set, organ and other instruments for employees to come and play

with. This gives employees the opportunity to come in the evening and have some musical

session with everyone and enjoy the time at WSO2.

2.2.2.2 Presentation by Teams

During the orientation program, we had various sessions with many different people from

around the company. There were fun sessions as well as knowledge sharing sessions where

team leads from various teams came to us and tried to market their products to us in a way that

will gain our interest when picking a project for the internship program. It was also a knowledge

sharing session where all of us were well informed about the products at WSO2. Following

teams came to us and explained about their products and the available products for all of the

interns. We had to take note of those available projects and pick one at the end of the orientation

program. The following topics explain the items that each team presented at the orientation

program.

Identity Server Team

WSO2 Identity Server team is one of the most prominent teams at WSO2, where I got a chance

to work as an intern during my internship period. The WSO2 Identity Server is the industry’s

first Enterprise Identity Bus (EIB) where the WSO2 Carbon platform runs as the core

component of the system. The Identity Server runs on a lot of applications despite the

different protocols being used, because it supports many different components to be attached

into the server without any hassle. WSO2 Identity Server is the central backbone that connects

and manages multiple identities across applications, APIs, the cloud, mobile, and Internet of

Things devices, regardless of the standards on which they are based.

Many different connectors are available for the WSO2 Identity Server, and those

connectors are directly pluggable, so new functionalities and features can be added as

extensions to the Identity Server. Ms. Malithi Edirisinghe, the Associate Technical Lead,

came to the interns during the orientation program and presented their projects for the interns.

Some of the projects are as follows.

Mobile Connect Authenticator as a Federated Authenticator

SCIM for Identity Server

SAML 2.0 Upgrade

Metadata Support for WSO2 Identity Server

LDAP connector for the WSO2 Carbon platform

API Manager

Any connected business has many different applications interconnected and bringing

in major functionalities for the business. APIs are at the core of any connected business,

exposing valuable services across customers, partners, and supplier channels. The WSO2

Platform for API Management will revive your APIs and ensure faster return on investment.

The WSO2 API Manager allows the enterprise to achieve its business goals by providing a

fast, scalable, flexible and proven platform that gives you complete control over infrastructure

and management of all your APIs. The system gives the following features to the customers.

Design and Implementation

Secure and Manageable

Publish and Engage with ease

Monitor and Analyze

WSO2 Research Team

The WSO2 Research Team is led by Dr. Shrinath Perera (Vice President – Research) and this

team was also an interesting team to work in. They had many projects which included areas

like, machine learning and analytics where most of them led to interesting research areas in the

field. One of the interesting projects that I applied for was the “using machine learning for

predictive maintenance” project. There was another project which many interns applied for, and

it was the “use decoders for anomaly detection” project.

2.2.2.3 Games – Orientation Program

We had two very interesting games during the orientation program and one of them was a team

building activity where the other was to get an understanding about the company and its

structure. The team building activity was held in the WSO2 gymnasium where all the interns

took part in it. It was done by one of the members from the Human Resources Team and it was

really interesting and fun when the game was carried out.

The second game, was a team activity where teams were separated from the house names, and

we were given a set of tasks to finish within one hour. All these tasks were related to the culture

of WSO2, and it was really fun and interesting because we actually learned something at the

end of the game. We learned about the people at WSO2 and the cultures which are currently

happening in the company. We mentioned this to Mr. Charitha Bandara (Lead HR and

Administration) to do similar kinds of events for interns because the outcome of it was really

effective.

2.2.2.4 WSO2 Harassment Policy

This was something new for all of us, because for most of us, WSO2 was the first employment

opportunity and we had not seen anything like this before. I have heard that many companies have

policies like this to stop harassment happening inside the company, but the fact that a separate

session of about two hours being allocated to talk about the WSO2 harassment policy, made

me wonder, whether it is something really serious.

The harassment policy mentioned a lot of important factors that we see in many companies

today and I assume that the reason for WSO2 being one of the leading companies in the industry

with a comfortable working environment is because of this policy being enforced strictly on

the employees. This policy covers aspects related to all work areas and I could not see any

other method to make it more accurate in terms of protecting the rights of each employee. From

what I think, the main reason for this company to have a flat hierarchy, where everyone can

openly communicate is also because of this harassment policy which is available in the

company today.

This policy was discussed on the very last day of the internship program and it was conducted

by Mr. Charitha Bandara, who is the Lead Human Resources and Administration.

2.2.2.5 WSO2 Carbon Kernel Workshop

During the orientation program, a workshop was carried out by the WSO2 Carbon team, to get

us all aware regarding the WSO2 Carbon Kernel which is being used today. This was actually

a five-hour hands-on session where we got laptops and carried out tasks on the WSO2 Carbon

Platform. According to what was mentioned, the WSO2 Carbon Platform is the platform that

makes all the WSO2 products run and it was one of the core components that everyone at

WSO2 should learn about.

WSO2 Carbon Kernel 5.0.0 is the core of the next-generation WSO2 Carbon platform. It is

completely re-architected from the ground up using the latest technologies and patterns. It is

now streamlined into a more powerful middleware platform, which is a lightweight, general-

purpose OSGi runtime, specialized in hosting servers that provide key functionalities for server

developers. The diagram below, depicts an abstract view of how the requests go through the

WSO2 Carbon kernel and where the OSGi framework lies in the overall architecture of the

WSO2 Carbon kernel.

Figure 2.1 WSO2 Carbon Kernel Modules

During the workshop, I gained a lot of information from what was taught to us, and I realized

why all the WSO2 products were running smoothly and in a flexible manner.

End of the orientation program

Two weeks from commencement of the orientation program, we were all asked to select a

project for our internship period and it was based on our very own interest. The projects I chose

were related to machine learning and security architectures. I was really interested in the

project named, “Mobile Connect Federated Authenticator for the WSO2 Identity Server”

because this project was a new project and I knew that the final outcome of this project is a

product and that it is not only a small connector or an upgrade like most other projects which

were available.

The “Mobile Connect” project was led by Mr. Prabath Siriwardena, who is the Director of

Security Architecture at WSO2. I did background research on him before selecting the

project, and I found out that he was known as the father of WSO2 Identity Server and that he

has published some books and conducted many workshops, here and abroad. With the interest

I had with him and the project, I wanted to work under him and for this project. So I selected

the “Mobile Connect” project.

2.2.3 Joining the Identity Server Team

I started working at the WSO2 Identity Server Team on the 8th of August 2016, and four other

members joined with me. So, we were all put to the same place at the beginning, and we were

welcomed by Mr. Darshana Gunawardena who is the Associate Technical Lead of the WSO2

Identity Server Team. He sent us some documents to read and some other forms that we

were supposed to fill in when joining a team at WSO2. On the same day, we were welcomed

by Mr. Waruna De Silva who is the Director of Engineering and he asked us all to blend in

with the team and get into the culture of WSO2 as soon as possible. At the very beginning, I

sat next to Mr. Maduranga Siriwardena, who was a Software Engineer at the WSO2 Identity

Server Team.

During the first two weeks at the Identity Server Team, we were asked to go through the

documentation available in the WSO2 official site and to work with the Identity Server, so that

we can be easily familiarized with the product, before moving in with the projects allocated to

each of us. The WSO2 Identity Server Management Console, is a very descriptive and user

friendly interface where all the functionalities are given just by simple interactions with the

system. The following image, depicts the main menu interface of the WSO2 Management

Console.

Whilst learning all the functionalities provided by the Identity Server, we had to consult almost

everyone in the team, to get the relevant information needed. I got most of the help from Mr.

Pulasthi Mahawithana, who is a Senior Software Engineer at WSO2. In the meantime, I got

help from another team member as well.

Figure 2.2 Identity Server Management Console Main Menu

My mentor for my project was, Mr. Prabath Siriwardena (Director of Security Architecture)

and he was working abroad in the WSO2 United States office. I contacted him via Google

Hangouts during some weeks to get to know more information about the project. Since he was

abroad, I had to work under Mr. Johann Nallathamby, who is the Tech Lead of the WSO2

Identity Server team. He was really helpful in signing documents and giving relevant approvals

for the meetings and other requirements.

In the meantime, a separate mentor was assigned to me and his name is Harsha Thirimanne,

who is an Associate Technical Lead for the WSO2 Identity Server team. He has a sound

knowledge on the entire Identity Server, and he helped me a lot on figuring out the major

aspects of the system within a few days’ time.

2.2.3.1 Identity Server Team Culture

The WSO2 Identity Server Team is a separate family and it has its very own culture different

from the WSO2 main culture. The people in the team, are really helpful and motivated to do

work as a team and achieve its goals within the given deadline. The following picture shows

the Identity Server team, and this picture was taken on the last day at WSO2.

Figure 2.3 Identity Server Team with Interns

Friendly Environment

The Identity Server Team has a very friendly culture where you feel very comfortable to work

in. When I entered the team, I felt accepted and warmly welcome by everyone, because of the

friendly environment they maintain with everyone. Normally when you go to a new workplace

or office, it takes a long time to get to know everyone and become friendly with them. But at

the WSO2 Identity Server Team, everyone came and talked to us, even though we felt reluctant

to talk with them. They came to us and asked about all our details, and cracked jokes about

themselves all the time. Something I really adored about this was the fact that they never let

us get separated from the team culture, and they constantly kept on asking us to talk to them

all the time, no matter how reluctant we feel.

Normally the interns used to sit together during lunch time and go to tea with the interns only.

But with time, they used to drag us along for lunch and tea, which made us feel like we are

really part of that team. Sometimes they get together and talk about team members and other

stuff. Whenever something like this happens, they ask us also to join their conversations, and

it was really fun to be a part of the team within a short period of time.

IS Choco Times

This is something that is very unique to the WSO2 Identity Server Team, where whenever

someone brings chocolates to the team, they announce a chat saying “Choco time” and

everyone will come running to the floor to eat the chocolates, because the Choco time will not

last for long. Normally this happens every day because there is at least one person who would

bring chocolates or something else. Even if it is something else, they will always share it with

the entire team by announcing a Choco time or some other time.

IS Funday

IS Funday is a chat group, which contains all the members from the Identity Server Team,

where all the fun discussions are happening in this chat. It is actually a Google hangouts

conversation, where everyone is involved and we all talk about various fun stuff and bug each

other. It is actually like a family chat where we all share everything and have fun in it.

Whenever we find something interesting about someone in the team, we used to share it on the

chat, and everyone comments on it. This is why I mentioned that the WSO2 Identity Server

team culture is a very different culture and it is really interesting to work in a team like this.

IS Musical Nights

This is also a separate tradition that only the Identity Server team carries out, and this happens

once every night. And also, whenever there is a separate function within the team, we normally

stay overnight at WSO2 and sing songs with the entire team for hours till the next day morning.

This is a very fun activity, where most of us get together and talk about stories and record

videos all the time.

The team has a separate theme song, and we all sing that every time we go for a musical

session. Most of the times, we record all these videos and put them live on Facebook, so that

everyone else can see and enjoy the live sessions. This is something that I enjoyed very much,

and I am currently missing it a lot.

Figure 2.4 IS Musical Nights

2.2.3.2 Basics of the WSO2 Identity Server System

As the industry's first Enterprise Identity Bus (EIB), WSO2 Identity Server is the central

backbone that connects and manages multiple identities across applications, APIs, the cloud,

mobile, and Internet of Things devices, regardless of the standards on which they are based. It

could be any given standard in the industry where the WSO2 Identity Server is directly

applicable, which makes it more flexible and adaptable to any kind of system available today.

There are many components packed with the WSO2 Identity Server, and some of them are

User Management, Authentication, Security, Communication, Analytics and Service provider

management. The multi-tenant WSO2 Identity Server can be deployed directly on servers or

in the cloud, and has the ability to propagate identities across geographical and enterprise

borders in a connected business environment [3].

Some of the main features available today in the latest WSO2 Identity Server are as follows.

Enterprise/Cloud Single Sign-On and Federation

Strong Authentication

Identity Governance and Administration (IGA)

Entitlements and Access Control

Monitoring, Reporting and Auditing

Connectors to Extend the Identity Ecosystem

Deployment Flexibility

Pluggable, Extensible and Themable

From what I learnt, the WSO2 Identity Server is a product built on top of WSO2 Carbon. Based

on the OSGi specification, it enables easy customization and extension through its flexible

architecture.

Identity Server – User Management

User management functionality is provided by default in all WSO2 Carbon-based products.

User management involves defining and managing users, roles, and their access levels in a

system. A user management dashboard or console provides system administrators with a high-

level view of a system's active user sessions, their log-in statuses, the privileges of each user,

and their activity in the system, enabling system admins to make business-critical, real-time

security decisions [4]. I attended some of the important meetings related to user management

and I made note of the following diagram, which shows how the virtual user store is directly

pluggable with many other user stores which run on many different standards.

A typical user management implementation involves a wide range of functionality such as

adding/deleting users, controlling user activity through permissions, managing user roles,

defining authentication policies, managing external user stores, manual/automatic log-out, and

resetting user passwords.

This was actually discussed at a meeting held within the team, and the team was asked to figure

out an easy mechanism to paginate the list of users. Using this architecture, the system was to

display the list of users, in separate pages so that each page contains a fixed number of users,

and the purpose was to have an efficient way to show page 2 for example, with a set of users,

instead of retrieving all users and filtering the page 2 users.

Figure 2.5 WSO2 Virtual User Store

Identity Server – User Authentication

The user authentication framework of WSO2 was built by the team members themselves during

the early days of the WSO2 Identity Server. The architecture is so flexible that it supports any

other authentication protocol, converts it to a standard protocol and makes sure that the user

gets authenticated without any hassle, as needed by the system.

The user authentication architecture of the WSO2 Identity Server can be separated into three

main authenticators and they are as follows. This knowledge was gained by myself during the

inception phase of my project, where I had to dig deep into the Identity Server Architecture to

figure out how to integrate my project into it.

Inbound Authenticator: The Inbound Authenticator of the Identity Server is what captures

incoming authentication requests from different service providers. No matter what the request

protocol is, the inbound authenticator will standardize it so that the Identity Server can process

it with ease.

Local Authenticator: The Local Authenticator uses the traditional username and password

approach, and is also known as the basic authenticator. The general idea is to do the

authentication process using local mechanisms, rather than using the support of an external

party.

Federated Authenticator: This is one of the interesting features in the WSO2 Identity Server. It

can redirect the authentication process to an external party like, social media, mobile connect

and so on. The external party authenticates the user and sends back

a confirmation, so that the system can authenticate the user on the basis of that

confirmation. The following diagram was figured out by me, and I validated its correctness

with the seniors as well.

Figure 2.6 Authentication Framework

2.2.4 My Project – The Mobile Connect Federated Authenticator

What was discussed in section 2.2.3.2 is directly related to the project I was supposed to

finish within the given time period. It was a novel idea, where the concept was out there, but

no one had implemented it within the WSO2 Identity Server. The documentation available

online regarding mobile connect was not sufficient and most of those online documents

were inaccurate and outdated. My mentor, Mr. Prabath Siriwardena (Director of Security

Architecture), had written a well described blog regarding this, and I read that to get the general

idea on what I was supposed to implement.

In the meantime, since my mentor was abroad, Mr. Harsha Thirimanne (Associate Technical

Lead) was the one who helped me throughout the process. He practically learned about mobile

connect where one day I learned from him, and the next day I was teaching him. He stood by my

side and helped me understand everything and if not for him, I would have been stuck halfway,

a long time back. Despite all his work, he never rejected any of my help requests, where I can

remember, once he was sick at home, but came online for a discussion with me and stayed on

the discussion for over three hours, just to get the matters sorted as soon as possible. I was

wondering, if it was someone else, he would have probably asked me to wait till tomorrow to

discuss about it. But Mr. Harsha was the one who pushed me to complete this project, and I am

still thankful for the way he helped me.

All the findings about mobile connect which will be explained in the following sections, are

all my research because there was no proper documentation available online. I remember, once

I felt like giving up everything because it practically felt impossible to carry out something

which no one even knows. But with effort and motivation, I tried my best and achieved the

completion within the given time period, where Mobile Connect is one of the main functionalities

that is being used by many users around the world.

2.2.4.1 Initial Mobile Connect Meeting

The initial mobile connect meeting was held in WSO2 Engineering building where my mentor,

Mr. Prabath Siriwardena (Director Security Architecture), Mr. Venura Mendis (Chief

Technical Officer – WSO2 Telco), Mr. Johann Nallathamby (Technical Lead WSO2 Identity

Server), Mr. Harsha Thirimanne (Assistant Technical Lead – WSO2 Identity Server) and

myself were present at the meeting.

This went over an hour, where we discussed about the resources available within the company

to implement this kind of a product. My mentor gave me a set of guidelines to follow, in order

to finalize it within the given date, and publish it as one of the main connectors for the WSO2

Identity Server. The Chief Technical Officer of WSO2 Telco, Mr. Venura Mendis worked

alongside my project and gave me a lot of help in achieving the success of it.

At the end of the first meeting, it was discussed to get help from the WSO2 Telco, and finalize

a federated authenticator for the WSO2 Identity Server.

2.2.4.2 What is Mobile Connect?

This section explains what I, as an intern learned about mobile connect after all my researching.

I have written many blogs thanks to Mr. Prabath Siriwardena (Director Security Architecture),

because he was the one who encouraged me to write blogs about everything I learned. Since

there was no proper resource available online, I decided to write a resource so that everyone

can use my documentation to learn about this upcoming technology.

Mobile connect is the mobile operator facilitated authentication solution, that provides simple,

secure and convenient access to online services. It is the convenient alternative to passwords

that protects customer privacy. This is a concept introduced by the GSMA (GSM Association),

which provides a global and secure authentication platform, by combining the user's unique

mobile number and PIN, to verify and authenticate the user, anywhere anytime. It also allows

the user to log in swiftly, without the need of any usernames or passwords [5].

2.2.4.3 How Does Mobile Connect Work?

Figure 2.7 How Mobile Connect Works

The given sequence above depicts the mobile connect flow, from signup/login to the complete

authentication in just 4 steps. The authentication process is carried out through your mobile

device rather than your personal device.

Step 1: Click on the "Sign up" or "Log in" button

Step 2: Enter your mobile number (optional)

Step 3: Confirm your authentication via the mobile device (USSD, SMS etc)

Step 4: Log in process is complete

2.2.4.4 Why Mobile Connect?

The 21st century is a Digital Era where cyber-attacks have become a critical problem and many

organizations are still concerned about how secure their systems and products are. The levels of

security needed for data and information provided today, has made the access to these resources

unavailable without proper registration with the resource provider. Therefore, it becomes

mandatory for users to Sign Up with the system which results in remembering numerous

usernames and passwords. What if we had a simple and secure mechanism to carry out the

authentication process without much hassle, in just seconds?

By reducing the need for remembering the number of usernames and passwords, Mobile

Connect eliminates the frustration of the end user, drives more repeat business and ensures less

abandoned transactions.

The following statistics were obtained by the "GSMA’s 2015 Consumer Research" which is

related to users' perspective on Cyber Security. Of the overall number of users,

87% - Would prefer just one Strong Password to remember

86% - Have left websites when asked to register or signup

86% - Are concerned about security when online

88% - Want reduced risk of identity theft and credit card frauds

81% - Don't feel that they are getting much value from their personal data as third parties do

68% - Are more likely to return to a site that remembers them without a username or a password

This gives a much stronger argument as to why Mobile Connect will dominate the Digital

Authentication industry in the near future.

2.2.4.5 Mobile Connect Flow

The following diagram depicts the high-level view of how the sequence of activities occur in

terms of Mobile Connect Authentication.

Figure 2.8 Mobile Connect Flow

1) End user clicks on Mobile Connect button to access service

2) Application requests end user operator details from the Discovery service

3) Discovery responds with the operator details

4) Application makes an authentication request to the end user operator, using OpenID with Mobile Connect profile

5) Operator sends authentication request to end user

6) End user authenticates themselves using their mobile device

7) A PCR specifying a specific end user is returned

8) Access granted

2.2.4.6 What is Discovery API

The Discovery API service contains information related to many Mobile Network Operators

and its purpose is to provide necessary details of the Mobile Network Operators (MNOs) and

also provide the relevant endpoints of each MNO, which can be used to contact each MNO's

Mobile Connect API.

Every Mobile Network Operator has an MNC (Mobile Network Code) and an MCC (Mobile

Country Code). The Discovery API service identifies the relevant MNO, along with the

MNC and MCC required to proceed with the authentication process.

The Discovery API requires details related to the user's MSISDN (Mobile Station International

Subscriber Directory Number) or MCC_MNC. The Service will automatically identify these

details if the user is using a Mobile Internet Connection (i.e. GPRS, 3G, 4G etc.). This scenario

is called "On-Net Mobile Connect".

If the user is using any other connection like a WiFi connection or a Broadband connection,

then the user will be prompted for the MSISDN or the name of the MNO. The Discovery API

will redirect to its own UI called "Operator Selection User Interface". This scenario is called

"Off-Net Mobile Connect".

This is a web based user interface provided by the Discovery API to determine the user's home

operator (MNO). This interface also supports multiple languages to provide flexibility to users all

around the globe. This interface will be prompted by the service whenever it cannot

automatically identify the Mobile Network Operator of the user. Upon a successful lookup

from the information provided by the user, it will provide the MNO's MCC and the MNC to

the redirect URL that we specify at the application registration. To enable this functionality,

the Mobile Network Operator has to implement this feature by injecting custom HTTP headers

and other relevant information.

Following are some use cases of the Discovery API

Mobile Internet Connection + Mobile Device - The authentication process will happen seamlessly. No user interaction at all

Mobile Internet Connection + Computer - The service will try to retrieve the relevant information from the SIM. If failed, it will prompt for the user information, and manual authorization is required

Broadband/ WiFi Connection + Computer/Mobile - The user will have to input relevant information and manual authorization is also required.

2.2.4.7 What is Mobile Connect API

Mobile Connect API is a service which is based on OpenID Connect, and it is an extension which

adds more flexibility to the entire process. This extended version is called the Mobile

Connect Profile or the Mobile Connect API. The Mobile Connect API is normally an

implementation done from an IDP (Identity Provider) and instead of the normal Authorization

mechanism which uses the traditional username and password, this uses the mobile number to

access the mobile device for authorization.

2.2.4.8 Social Media vs Mobile Connect Authentication

After crunching all the numbers and information, you must be wondering, how is this different

from Social Media Federated Authenticators. In most web services and service

providers, "Log in with Social Media" plays a major role.

The collaboration and sharing made possible by Web 2.0 also comes with a specific set of risks,

in terms of privacy. Social networking sites are user hubs, meant for bringing a set

of users together in one place. This is like a jackpot for attackers, who can use the

information to earn a large return on investment if they go after social media users.

Mobile Connect is a powerful tool that can be used to move us all away from using social

media as an easier way to log in, which is tagged along with a lot of unnecessary risks. Even

though social networks can eliminate the need for passwords, there is no assurance that this

information is secure. But with mobile connect and its privacy policies, empowered by the

GSMA, no information is available to the service providers, without the user's consent, making

logging in and signing up much safer and private.

2.2.4.9 Safety of Mobile Connect

The level of security needed by each application differs according to its environment and purpose of use.

For example, a bank or an e-payment site would need a higher level of security than an ordinary

information system. Considering these possibilities, Mobile Connect provides the developer

with options on selecting a level of Security, which is also known as the Level of Assurance

(LoA).

LoA, or the Level of Assurance, describes the degree of confidence in various security

processes including authentication (according to the ISO/IEC 29115 standard). It provides

assurance that the entity claiming a particular identity, is the entity to which that identity was

assigned.

During the Mobile Connect Authorization process, the application declares the degree of

confidence required in the returned identity (For more: read Mobile Connect for Developers).

The greater the risk associated with an erroneous authentication, the higher the Level of

Assurance recommended.

There are four Levels of Assurance (LoA)

1) Level of Assurance 1 (not supported by Mobile Connect)

2) Level of Assurance 2 (Requires a simple key press)

3) Level of Assurance 3 (Requires a simple key press)

4) Level of Assurance 4 (not supported by Mobile Connect)

Each and every operator should implement at least one type of authenticator per LoA. MNOs

define authenticators in order to confirm that the user is who he/she claims to be. Following

are the mechanisms used by the Mobile Connect API as authenticators.

SMS + URL: SMS sent to the user's device with a unique one-time only URL (LoA 2)

USSD: The operator will push a message to the terminal and can require a response (LoA 3)

SIM Applet: A binary SMS will be sent to trigger the SIM applet (LoA 3)
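
As an added illustration (not code from this report or from WSO2), the sketch below shows how a service provider can request a Level of Assurance through the OpenID Connect acr_values parameter and then refuse a response whose acr claim is lower than what it asked for. The endpoint URLs, the "MSISDN:" login hint format and the HS256-signed sample token are assumptions made so the example runs offline; a real integration verifies the ID token with the algorithm and keys the operator publishes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SUPPORTED_LOA = (2, 3)  # the list above marks LoA 1 and 4 as not supported


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_request(authz_endpoint, client_id, redirect_uri, loa, msisdn=None):
    """Return (url, session); session holds what must be checked on the way back."""
    if loa not in SUPPORTED_LOA:
        raise ValueError(f"LoA {loa} is not offered by Mobile Connect")
    session = {"state": secrets.token_urlsafe(16),
               "nonce": secrets.token_urlsafe(16),
               "loa": loa}
    params = {"response_type": "code", "scope": "openid",
              "client_id": client_id, "redirect_uri": redirect_uri,
              "acr_values": str(loa),  # requested Level of Assurance
              "state": session["state"], "nonce": session["nonce"]}
    if msisdn:
        params["login_hint"] = "MSISDN:" + msisdn  # assumed hint format
    return authz_endpoint + "?" + urlencode(params), session


def check_callback(callback_url, session):
    """Return the authorization code, but only for the login we started."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in query or "code" not in query:
        raise ValueError("operator did not return an authorization code")
    return query["code"][0]


def verify_id_token(token, client_id, client_secret, issuer, session, now=None):
    """Return the subject only if the token is genuine and meets the requested LoA."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        raise ValueError("unexpected signing algorithm")
    signed = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(client_secret.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != issuer or client_id not in audiences:
        raise ValueError("token was not issued by this operator for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    nonce = str(claims.get("nonce", "")).encode()
    if not hmac.compare_digest(nonce, session["nonce"].encode()):
        raise ValueError("nonce mismatch: possible replay")
    try:
        achieved = int(claims.get("acr"))
    except (TypeError, ValueError):
        raise ValueError("missing or non-numeric acr claim")
    if achieved < session["loa"]:  # operator used a weaker authenticator
        raise ValueError(f"LoA {achieved} is below the requested LoA {session['loa']}")
    return claims["sub"]  # per-user identifier returned by the operator


def make_constructed_token(claims, secret, alg="HS256"):
    """Build a constructed sample ID token (stands in for the operator's reply)."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), (head + "." + body).encode(), hashlib.sha256).digest()
    return head + "." + body + "." + b64url(sig)
```

The session dictionary returned by build_auth_request must be stored server-side against the user's browser session, so that the state, nonce and requested LoA cannot be supplied by the caller on return.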

2.2.4.10 Mobile Connect Credentials

The Mobile Connect process flow consists of two main APIs, namely, "Discovery API" and

the "Mobile Connect API" (see image below). To access the "Discovery API" the developer

needs a pair of "client_id" and "client_secret" which can be used to gain authorization to the

"Discovery API". On the other hand, the "Mobile Connect API" runs on top of the OpenID

Connect Protocol and it contains three main endpoints that need credentials to access them. So,

the main question now is, "which credentials do we really need?"

In the Mobile Connect process flow, the credentials required to access the "Discovery API"

should be obtained from the GSMA or the Official Mobile Connect Developer site. In the

response sent back by the "Discovery API", we will receive a set of credentials to access the

"Mobile Connect API". This set of credentials will be used to access all three endpoints of the

"Mobile Connect API". Therefore, once we obtain the "Discovery API" credentials, that is

more than enough for us to proceed with the "Mobile Connect Authentication" process flow.

Refer to Mobile Connect Specifications for more details.
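
The two sets of credentials described above, as an added example that is not part of the original report or of the Mobile Connect SDKs: the developer credentials authenticate the call to the "Discovery API", and the credentials in its response are then used for the operator's "Mobile Connect API". The response shape (`response`, `apis.operatorid.link`, `rel`/`href`), the three endpoint names, HTTP Basic authentication and all values are assumptions made for this constructed sample; check them against the Mobile Connect specifications.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample of a Discovery API response (field names are assumptions).
SAMPLE_DISCOVERY_RESPONSE = json.loads("""
{
  "response": {
    "client_id": "operator-issued-client-id",
    "client_secret": "operator-issued-client-secret",
    "apis": {"operatorid": {"link": [
      {"rel": "authorization", "href": "https://operator.example/oidc/authorize"},
      {"rel": "token", "href": "https://operator.example/oidc/token"},
      {"rel": "userinfo", "href": "https://operator.example/oidc/userinfo"}
    ]}}
  }
}
""")

# The three Mobile Connect API endpoints this example expects (assumed names).
ENDPOINT_RELS = ("authorization", "token", "userinfo")


def basic_auth(client_id, client_secret):
    """HTTP Basic header for whichever credential pair the current call needs."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def operator_config(discovery_response):
    """Extract the operator credentials and endpoints, rejecting unsafe or partial data."""
    resp = discovery_response.get("response")
    if not isinstance(resp, dict):
        raise ValueError("no 'response' object in Discovery response")
    client_id, client_secret = resp.get("client_id"), resp.get("client_secret")
    if not client_id or not client_secret:
        raise ValueError("Discovery response carries no operator credentials")
    links = ((resp.get("apis") or {}).get("operatorid") or {}).get("link") or []
    endpoints = {}
    for link in links:
        rel, href = link.get("rel"), link.get("href", "")
        if rel not in ENDPOINT_RELS:
            continue
        parsed = urlparse(href)
        # The secret and the tokens travel to these URLs, so plain HTTP is refused.
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError("endpoint %r is not an https URL" % rel)
        endpoints[rel] = href
    missing = [rel for rel in ENDPOINT_RELS if rel not in endpoints]
    if missing:
        raise ValueError("Discovery response lacks endpoints: %s" % ", ".join(missing))
    return {"client_id": client_id, "client_secret": client_secret, "endpoints": endpoints}


def redact(config):
    """Copy of the configuration that is safe to write to logs."""
    return dict(config, client_secret="***")


if __name__ == "__main__":
    # Stage 1: developer credentials (placeholders) authenticate the Discovery call.
    discovery_headers = basic_auth("DEVELOPER_CLIENT_ID", "DEVELOPER_CLIENT_SECRET")
    # Stage 2: the credentials returned by Discovery authenticate the token request.
    config = operator_config(SAMPLE_DISCOVERY_RESPONSE)
    token_headers = basic_auth(config["client_id"], config["client_secret"])
    print(json.dumps(redact(config), indent=2))
```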

2.2.4.11 Mobile Connect Application On-Boarding Process

The "Application On-boarding Process" refers to the registration of the relevant service

provider with the Official Mobile Connect Developer Website.

2.2.4.12 How to Get UserInfo Endpoint Access?

The claims supported by the "UserInfo Endpoint" are "email", "address", "phone" and

"offline_access". But all of this is sensitive information about the relevant MSISDN

users. Therefore most "Mobile Network Operators"

do not provide access to any of the claims mentioned above. The Mobile Connect API of each

MNO will only provide a field named "sub", which is a default response from the "UserInfo

Endpoint" according to the OpenID Connect Protocol.

You may be wondering whether this scenario complies with the "Mobile Connect

Privacy Principles". Yes, all the projects that will be using Mobile Connect should be able to

agree to the "Privacy Principles". But at first, even though we promote our application and

obtain "Production Credentials", it doesn't necessarily mean that the MNOs believe

that our application can be trusted with "Sensitive Information". Therefore, if you need

to gain access to the "Mobile Connect UserInfo Endpoint" of the respective MNO, you need to

contact the MNO separately.

2.2.5 Assisting Project – OpenID Connect Protocol

While working under the Mobile Connect project, I came up with this concept named OpenID

Connect, where the Mobile Connect Protocol was written on top of OpenID Connect. These

are all my findings, where I had to do a lot of research and write blogs related to these. Some

information about these projects is given below. From the statistics I see today, there are lots of

visitors reading my blog even today and I am really happy about it. All of this was possible

because I picked the “Mobile Connect” project under the WSO2 internships.

2.2.5.1 What is OpenID Connect?

OpenID Connect is a simple authentication protocol, built on top of the OAuth2 protocol as a

separate identity layer. OAuth2 is an authorization protocol, which is being extended by the

OIDC, to implement its authentication mechanism. OIDC allows the applications to

authenticate and verify the end users based on the authentication performed by an

Authorization Server, which supports OIDC. This also allows the application to obtain basic

profile information, about the end-user in an inter-operable and REST-like manner. It uses

straightforward REST/JSON message flows with a design goal of “making simple things

simple and complicated things possible” [6].

(Identity, Authentication) + (OAuth 2.0) = (OpenID Connect)

The OpenID Connect protocol is very flexible in that it lets the client easily

customize the authentication process according to its needs. OIDC allows clients

of all types, including web-based, mobile and JavaScript clients, to request and receive

information regarding the authenticated sessions and end users. The main extensible features

provided by the OIDC protocol are:

1) Encryption of Identity Data

2) Discovery of OpenID Providers

3) Session Management

2.2.5.2 History of OpenID Connect

OpenID Connect is the third generation of OpenID technology. The original OpenID

authentication protocol was developed by Brad Fitzpatrick in May 2005. This was more like a

visionary's tool which never got much commercial adoption, but it got people to think of its

possibilities and extensions. In the meantime, OpenID and OAuth were focused on two

different aspects of internet identity: OpenID played the role of authentication, whereas

OAuth played the role of authorization. Since these two protocols were playing a huge

role in their respective domains, the need to combine them arose.

The second generation of OpenID came as an extension for OAuth and was named

OpenID 2.0. This was better than the earlier version, and it provided much more security and

worked seamlessly when implemented properly. Even though it had some design limitations,

the implementation of OpenID 2.0 was fully thought through.

The third generation of OpenID is "OpenID Connect". Unlike OpenID 2.0, this was built

on top of OAuth 2.0 as a separate identity layer. OpenID Connect's goal is to be much

more developer friendly and to provide a wide range of use cases where it can be implemented.

Currently this has been very successful and deployments are happening at huge scale.

2.2.5.3 Mobile Network Operators and OpenID Connect

In the modern digital era, we can see a considerable increase in the number of users using

online services via mobile devices and due to this reason, there is an increase in identity thefts

all around the world. The GSMA created a valuable business proposal for Mobile Network

Operators so that they can join hands with OIDC to implement and render many services to their

customers. This business model states that MNOs, with their differentiated identity and

authentication assets, have the ability to provide sufficient authentication to enable consumers,

businesses, and governments to interact in a private, trusted and secure environment and enable

access to services.

MNOs increasingly are interested in identity services currently being used online (i.e. login,

marketing, post sales engagement, payments, etc.), to mitigate some of the pain points

encountered in existing services, in order to meet the rapidly increasing market demand for

mobile identity services.

2.2.5.4 OpenID Connect vs OpenID 2.0

The functionalities available in OIDC and OpenID 2.0 are pretty much the same, but

OIDC provides a much more API-friendly and usable implementation for native mobile

applications. "OpenID Connect" defines optional capabilities for robust signing and

encryption. To integrate OpenID 2.0 and OAuth 1.0, we require an extension, whereas in

OIDC, OAuth 2.0 functionality is integrated within the protocol itself.

OpenID 2.0 used XML and a custom message signature scheme that, in practice, sometimes

proved to be difficult for developers to implement. But OIDC, through OAuth 2.0, outsources the

necessary encryption to the web's built-in TLS (also called HTTPS or SSL) infrastructure,

which is universally implemented on both client and server platforms. OIDC uses standard

JSON Web Tokens (JWT) when signatures are required. Since JWT is more familiar and

easier to use, this makes OIDC dramatically easier for developers to implement, and in practice

has resulted in much better inter-operability.

2.2.5.5 About the OpenID Connect Foundation

The OpenID Foundation was formed in June 2007, and it is an international non-profit

organization of individuals and companies committed to enabling, promoting and protecting

OpenID technologies. The OIDF serves as a public trust organization representing the open

community of developers, vendors, and users.

This foundation provides much needed infrastructure to the community and helps in promoting

and expanding OpenID technologies. This entails managing intellectual property and brand

marks as well as fostering viral growth and global participation in the proliferation of OpenID.

Contributors included a diverse international representation of industry, academia and

independent technology leaders: AOL, Deutsche Telekom, Facebook, Google, Microsoft,

Mitre Corporation, mixi, Nomura Research Institute, Orange, PayPal, Ping Identity, Salesforce,

Yahoo! Japan, among other individuals and organizations.

2.2.5.6 OpenID Connect Flow

In the abstract, OpenID Connect follows this sequence of steps.

RP - Relying Party

OP - OpenID Provider

(1) The RP (Client) sends a request to the OpenID Provider (OP)

(2) The OP authenticates the End-User and obtains authorization

(3) The OP responds with an ID Token and usually an Access Token

(4) The RP can send a request with the Access Token to the UserInfo Endpoint

(5) The UserInfo Endpoint returns Claims about the End-User
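
What the RP has to check in steps (3) to (5), as an added example that is not part of the original report: validate the signed ID Token (the JWT mentioned in section 2.2.5.4) before trusting it, then accept the UserInfo response only if its "sub" matches the ID Token's "sub". The sketch uses HS256 with a shared secret so that it runs on the standard library alone; operators commonly sign with RS256, which is verified against the provider's published keys instead. All names, keys and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_id_token(claims, key):
    """Stand-in for the OP in step (3): issue an HS256-signed ID Token (sample data only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, (header + "." + payload).encode(), hashlib.sha256).digest()
    return ".".join([header, payload, b64url_encode(mac)])


def validate_id_token(token, key, issuer, client_id, nonce, now=None):
    """RP-side checks on the ID Token from step (3). Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the RP side; a token must never choose it (rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    if claims.get("iss") != issuer:
        raise ValueError("token issued by someone else")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued for a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or without exp")
    # The nonce ties the token to the request sent in step (1) and blocks replay.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("token without subject")
    return claims


def accept_userinfo(id_token_claims, userinfo):
    """Steps (4)-(5): use UserInfo claims only if they describe the authenticated user."""
    if userinfo.get("sub") != id_token_claims["sub"]:
        raise ValueError("UserInfo sub does not match ID Token sub")
    return userinfo


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    issued = int(time.time())
    token = sign_id_token({"iss": "https://op.example", "aud": "rp-client",
                           "sub": "constructed-subject-1", "nonce": "n-0S6_WzA2Mj",
                           "iat": issued, "exp": issued + 300}, key)
    claims = validate_id_token(token, key, "https://op.example", "rp-client", "n-0S6_WzA2Mj")
    print(accept_userinfo(claims, {"sub": "constructed-subject-1"}))
```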

2.2.6 WSO2 Mobile Connect Webinar

One of my major achievements during the time of my internship was the chance to do a webinar at

WSO2. A webinar is a seminar conducted over the Internet. WSO2 normally conducts a lot of

webinars as part of their marketing campaigns, and whenever there is a release or a new product

coming in, the company will do a webinar and pass the message to all the customers and

interested parties of the company.

I did a webinar at WSO2 and it was based on my project Mobile Connect. The webinar was

titled, ‘Securing Access to SaaS Apps with GSMA Mobile Connect’. The following three

members were the speakers for the Webinar, and I am proud that I am also in it.

Figure 2.9 Presenters of Webinar titled Securing Access to SaaS Apps with GSMA Mobile Connect

The following description is about the webinar. I was the one who demonstrated my product at

the webinar. Normally for WSO2 webinars, we expect a crowd of around 20 to 30 listeners,

whereas for my webinar, there were over 50 listeners and I was really proud of that.

Mobile Connect is an initiative by GSM Association (GSMA). GSMA represents the interests

of mobile operators worldwide, uniting nearly 800 operators with more than 250 companies in

the broader mobile ecosystem. The Mobile Connect initiative focuses on building a standard

for user authentication and identity services between mobile network operators and service

providers.

SAML, OpenID Connect and WS-Federation have become the most popular ways of

implementing identity federation and single sign-on (SSO) for many service providers. This

webinar will explore an approach to help service providers migrate from their existing

protocols to Mobile Connect in a zero-code-change approach, with the WSO2 Identity Server.

It will also discuss how to secure access to your most precious SaaS applications with Mobile

Connect [7].

The following parts were discussed during the webinar.

Introduction to Mobile Connect

Introduction to WSO2 Telco and the WSO2 Identity Server

How to migrate from OpenID Connect or SAML to Mobile Connect

How to login to Salesforce/Google Apps via Mobile Connect

This opportunity to present in the WSO2 Webinar was given to me by Mr. Prabath

Siriwardena (Director Security Architecture) and I am really thankful for it.

2.3 Life at WSO2

The life at WSO2 is a wording brought up by the company itself, where the whole purpose is

to let everyone know what kind of an environment is present within the WSO2 culture. There

are a lot of fun activities happening around the company and most of them are directly related

to the unique culture that WSO2 has, despite its professional environment. Following are the

main events that I came across during my stay as an intern at WSO2. All of these activities

made me love the current working environment that WSO2 has.

2.3.1 Inter House Tea Time Championships

WSO2 has four houses within the company and every year, they organize a session of games

for all the houses to compete in during the tea time. It includes games like carom, table tennis,

foosball and pool. It was really fun because most of the time, when we come down for tea, we

normally play all these for fun, but now, we had to play with some competition in order to bring

the reputation of the house up in the ladder.

I myself took part in almost all of these competitions and made my house, CloudBots, win,

and it was really entertaining.

2.3.2 Inter House Badminton Tournament

The company has booked a badminton court in Colombo every week on Thursdays and Fridays,

where employees can go and play in those courts. I didn’t actually get a chance to go there and

play on a regular day, but I took part in the inter house badminton tournament and it was held

on a Saturday where most of the employees took part in it.

It was also a day filled with fun and entertainment, where most of the interns actually took part

in it.

Figure 2.10 WSO2 Interhouse Badminton Tournament

2.3.3 WSO2 Smart Ass Quiz

This is also an inter house quiz where questions on general knowledge were asked during the

tea time of a selected set of teams. I also took part in this, and it was more like a fun activity

where everyone was laughing and enjoying during the time of the quiz. The quiz was based on

different areas like, movies, music, food, wine and so on.

At first I thought that this would be a very technical quiz but when I got there, I was really

happy to know that it was actually a fun quiz based on general knowledge. Our house came

first place in that competition.

2.3.4 Secret Santa

This is a tradition that is being continued every year at WSO2 and the whole purpose is to

exchange gifts during the Christmas time, and to keep the person who gives the gift a secret,

hence the name “Secret Santa”. I heard that this tradition is being carried out by other

companies from time to time, but not consistently like at WSO2.

It was really fun, where we collected a lot of chocolates when the santas came to our floor, and

we managed to snatch a selfie with both the santas as well.

Figure 2.11 Selfie with the Santas

2.3.5 Karaoke Session

This is a session where we all select a song to sing, and sing it during the tea time where

everyone would listen to. It was also a fun activity. Even though I didn’t take part in it, I enjoyed

listening to those songs during the tea time. Most of all, the funny part was when some of the

singers started to dance, where it was really entertaining and fun.

2.3.6 Whack Internal Hackathon

This was a hackathon conducted by WSO2 itself and it was only open to employees in the

company. The purpose of this hackathon was to get the competitors to compete with a given

data set and come up with a plan to increase sales and marketing of the company.

This was a really fun session where most of the interns took part in it, and I also took part with

a team of my own. It was an overnight hackathon where we had to analyze the given data set,

and come up with a very strong plan to increase sales of the company.

We had a lot of workshops, fun activities during the time of the hackathon and it was a new

experience for all of us. The best part was, after we presented the presentation and the

demonstration of the product, Mr Sanjiva Weerawarana (CEO and Founder of WSO2) called

us and gave us an honourable mention award for the hard work and dedication we had put into the

product.

Figure 2.12 After getting the award from the Whack Hackathon

A diagram of the work done at the hackathon is as follows.

Figure 2.13 Whack Work Diagram of our team

2.3.7 WSO2 Intern Life

The WSO2 intern life is very extraordinary and it was really fun to work in a company like

this. Not only the interns from University of Moratuwa, but we became friends with other

interns and bonded up really quickly. It was very diverse but we managed to win everyone's

heart and become a loved bunch within the other interns and within the company as well.

During the last day of our program, the WSO2 interns gave us a small ceremony because we

all were leaving on that day. It was a big surprise where we never knew that they had organized

something like this, especially for us. They gifted us with a mug and gave us speeches and talks

where we really missed the fact that we are leaving a bunch of friends like this, and it was

really sad, even though we were happy for the surprise.

2.3.7.1 WSO2 Interns Trip

This was a new tradition started by the University of Moratuwa interns where we organized a

trip for all the interns at WSO2 to go on a trip with us. We see people going on trips and that

is mostly within the team where only 1 percent of the team actually takes part in these. Our trip

was organized for all the interns at WSO2 and as a count, there were around 60 interns currently

training at WSO2 at that time. And out of all of them, we were really happy to see 50 of them

turning up and it was a real turning point where we all bonded up with other university

students and became friendly with them.

We went to see the Aberdeen Falls and came back by one day. The purpose of the trip was to

make a recognition within the company to show that, the interns from University of Moratuwa

are a really friendly set of interns, as well as to unite all the interns at WSO2 despite

where they came from or what their university is.

Figure 2.14 WSO2 Interns Trip

2.3.8 WSO2 Year End Party

This is the year end party of the company where everyone gets together and says goodbye to

the current year and enter a new year. This party always happens in a very grand style where

every employee takes part and enjoys the party.

The theme for the year 2016 was neon, and all of us tried our best to shine and be as colourful as

possible at the party. During the party, there were plenty of games where we took part in most

of them and enjoyed the night.

At the entrance of the party, there were neon face painters where we drew stuff on our faces

and hands so that it will shine when the lights go out.

Figure 2.15 At the WSO2 year-end party

3 Conclusion

This training report is based on the experience I had when I was working at WSO2 as an intern

during my internship period of University of Moratuwa. This report contains three chapters

where the first chapter explains about the training establishment and its core functions. This

chapter contains information about the training establishment, its main functions,

organizational structure and hierarchical levels. The information about the training

establishment contains information like what this company is all about and the history of the

company. In the mid-section of the chapter, it explains the core functionalities of the company

and the platform that the company uses, alongside its main products. And in the latter part of

the chapter, it mentions a SWOT analysis and my suggestions to improve its overall

performance, with the contribution of the company towards the IT industry of Sri Lanka.

The second chapter includes information related to the training experience I had, during my

time of stay at the training establishment. This chapter emphasizes on the work carried out at

the training establishment as an intern. It includes information regarding how I saw the

company from my perspective and what I experienced as an intern. From the first day itself, I

was well treated by the company and I really loved the culture of WSO2 where it was really

friendly and relaxed. The orientation program we had was also very interesting, where we

learned a lot about the company within just two weeks.

When I joined the Identity Server team of WSO2, I felt like I’m entering a different culture.

All the activities and fun stuff which was unique to that team only, was a different experience

that I had never felt before. I was working on a project named, “Mobile Connect Federated

Authenticator for Identity Server” and it gave me a different perspective to my career. I had to

start and research from scratch where I gained a lot of knowledge on Mobile Connect, as well

as the OpenID Connect Protocol.

During my intern life at WSO2, I met many friends from different backgrounds and different

attitudes, but all of them were very helpful all the time. I really enjoyed my training period at

WSO2 and it all finished with a bang, with the WSO2 year-end party where we all attended

and enjoyed the end of the year.

3.1 A different exposure from university life

During the time spent inside the university, our lives were mainly focused on the aspects of

gaining marks for the final exam and getting a good grade for the subjects we sit in. Most of

the interns who went to WSO2 with me, did not have any prior working experience and it was

a whole new level of exposure for all of us.

During the training period, I felt that the life was getting simpler and comfortable, because we

didn’t have any assignment deadlines or exams like in the university. So, we used to call all

the interns and go for tea breaks, lunch breaks and game sessions at the beginning of the training

period. But even with time, after getting assigned to projects, it was not that stressful from my

experience, because I was able to finish work on time, and get help from proper people when

needed.

When doing my project at WSO2, what I realized was, it was way different from the projects

we do at university. In the university, our main target is to finish the project and get the marks

from the lecturers. But here there was a much bigger risk at hand, because we had to deploy

this project to the customers of WSO2, and a simple mistake would cause the entire system to

go down. Therefore, we used to have meetings every day at work, discuss the code lines and

inform everyone about the work I was doing, which actually reduced that risk and stress because it was

methodical in some manner.

Something new I learned by working at WSO2, is the transparency of work. We had to email

and inform everyone about our progress and keep everyone updated on the work we are

currently carrying out. This made me feel comfortable and easy when working, because I used

to get a lot of replies and comments on the work I was doing.

Also, the flat hierarchy of the company gave a different perspective to my communication skills

where professionalism was needed in the emailing and informality was needed when talking

with someone face to face. I even have had chats with the senior management whenever they

came down for tea. The way we communicate in university and at office showed two different

perspectives, and it was great to have that diverse perspective during our training period.

3.2 How to improve my final year at university?

Do every work in a methodical manner so it does not feel complicated and stressful

Transparency in the work we do when we work with team members, because having

every team member updated is always beneficial

Communicating with everyone in a professional manner when at meetings and

presentations.

Keep meeting minutes for all the meetings I have, so that everyone can keep track of

the content that was explained during the meeting

Write blogs about everything you learn, so that someone else also can gain from

whatever I do.

Have a friendly perspective on everyone and help other team members when you are

working in a team, because the team should move together as one to achieve its

milestones.

Before starting any project, set milestones and deadlines, so that you are self-conscious

about the work and timeline to finish your project.

3.3 Quality of the training I received

From the six month stay at WSO2, I never felt any discomfort or stress because of the

environment I had to work in. If I am to rate the training I received, I would give it ten out of

ten because I don’t have any complaints to report. Starting from the orientation program, it was

really fun and enthusiastic to learn about the WSO2 culture and gain industry exposure as we

all were expecting to have. I was actually eagerly waiting for the orientation to finish, because

I was really interested in working under a team with a new project of my own.

Before going for internships, I heard rumors where most of the companies, give simple stuff

like bug fixing, code checking and feature updates as intern projects. And I was a bit

demotivated by this story, but after coming to WSO2, all the projects which were presented to

us were new projects which were not actually any side projects, but projects that actually

contribute to the overall functionality of WSO2.

My mentor, Mr. Prabath Siriwardena, who was the director of security architecture at

WSO2, helped me a lot in completing my product within the given time period. At first I

thought that he would not have time to communicate with me because I heard that he was a

very busy person in the team. But, despite the fact that he was working abroad, he always

checked on me and my progress and helped me in every step possible. He was a really good mentor,

and he was the one who encouraged me to write blogs on everything I learn. I would

recommend him as a good mentor because I felt lucky to have him as a mentor, as a guide and

as a friend.

The other aspects like, food, environment, friendly people and fun activities also caught my

attention and all I wanted to do was to take part in all of them and be social as much as possible.

I was able to do that within a few days’ time. The quality of the overall training period is great

and on the very last day of my training period, I was actually wishing to have more time with

the company, because it was very sad to leave all that experience and fun.

3.4 Comments on the training program organized by the university and NAITA

The training program organized by the university was really good, and I can proudly mention

that it is one of the best times of my university career so far. Unlike other universities, I prefer

to have the training period as we are having now, and 24 weeks of training is the ideal time for

us to learn about the industry exposure and gain what we really need to achieve at the end of

the program.

We all had to submit monthly training reports to the industrial training division of the university

and I found that a little troublesome because most of us were not actually staying near the

university during the internship period. I prefer it to be online, because that would have made

the submission process a lot faster than the manual process.

NAITA visited our training place on the last week of the training program, and only one person

came to assess all 30 training undergraduates. It took a very long time and I would have preferred it if they had

sent some more to assess the students, which would have made the overall process a lot faster.

Nevertheless, the advice given to us and the guidance we got from NAITA should be

appreciated because the person who assessed us gave some real practical examples for all the

advice he mentioned.

4 References

[1] "WSO2 - Wikipedia," Wikipedia, [Online]. Available: https://en.wikipedia.org/wiki/WSO2.

[2] "WSO2 Platform," WSO2, [Online]. Available: http://wso2.com/platform.

[3] "WSO2 Identity Server," WSO2, [Online]. Available: http://wso2.com/products/identity-server/.

[4] "WSO2 IS User Management Architecture," WSO2, [Online]. Available: https://docs.wso2.com/display/IS510/User+Management+Architecture.

[5] "Keet Malin - What is Mobile Connect," Keet Malin Sugathadasa, [Online]. Available: http://keetmalin.wixsite.com/keetmalin/single-post/2016/09/30/What-is-Mobile-Connect.

[6] "What is OpenID Connect - Keet Malin," Keet Malin Sugathadasa, [Online]. Available: http://keetmalin.wixsite.com/keetmalin/single-post/2016/11/17/What-is-OpenID-Connect-OIDC.

[7] "securing-access-to-saas-apps-with-gsma-mobile-connect Webinar," WSO2, [Online]. Available: http://wso2.com/library/webinars/2016/11/securing-access-to-saas-apps-with-gsma-mobile-connect/.

5 Table of Figures

Figure 1.1 WSO2 Platform

Figure 1.2 Company Hierarchy of WSO2

Figure 2.1 WSO2 Carbon Kernel Modules

Figure 2.2 Identity Server Management Console Main Menu

Figure 2.3 Identity Server Team with Interns

Figure 2.4 IS Musical Nights

Figure 2.5 WSO2 Virtual User Store

Figure 2.6 Authentication Framework

Figure 2.7 How Mobile Connect Works

Figure 2.8 Mobile Connect Flow

Figure 2.9 Presenters of Webinar titled Securing Access to SaaS Apps with GSMA Mobile Connect

Figure 2.10 WSO2 Interhouse Badminton Tournament

Figure 2.11 Selfie with the Santas

Figure 2.12 After getting the award from the Whack Hackathon

Figure 2.13 Whack Work Diagram of our team

Figure 2.14 WSO2 Interns Trip

Figure 2.15 At the WSO2 year-end party

