Identity, Access & Privacy in the New Hybrid Enterprise featuring Forrester Research, Inc.
Make sense of OAuth, OpenID Connect and UMA
Overview
In the new hybrid enterprise, organizations need to manage business functions that flow across their domain boundaries in all directions: partners accessing internal applications; employees using mobile devices; internal developers mashing up Cloud services; internal business owners working with third-party app developers.
Integration increasingly happens via APIs and native apps, not browsers. Zero Trust is the new starting point for security and access control and it demands Internet scale and technical simplicity – requirements the go-to Web services solutions of the past decade, like SAML and WS-Trust, struggle to solve.
This webinar from Layer 7 Technologies, featuring special guest Eve Maler of Forrester Research, Inc., will:
• Discuss emerging trends for access control inside the enterprise
• Provide a blueprint for understanding adoption considerations
You Will Learn
• Why access control is evolving to support mobile, Cloud and API-based interactions
• How the new standards (OAuth, OpenID Connect and UMA) compare to technologies like SAML
• How to implement OAuth and OpenID Connect, based on case study examples
• Futures around UMA and enterprise-scale API access
Presented by
• Scott Morrison
CTO, Layer 7 Technologies
• Eve Maler
Principal Analyst, Forrester Research, Inc.
Identity access and privacy in the new hybrid enterprise slides
1. Identity, Access & Privacy in the New Hybrid Enterprise
Scott Morrison, CTO, Layer 7 Technologies; Eve Maler, Principal Analyst, Forrester Research, Inc.
May 17, 2012
2. Housekeeping
Questions
- Chat any questions you have and we’ll answer them at the end of this call
Twitter
- Today’s event hashtag: #L7webinar
- Follow us on Twitter: @layer7, @forrester, @xmlgrrl, @kscottmorrison
Also: facebook.com/layer7, layer7.com/linkedin, layer7.com/blogs
32. The Old Enterprise
Formal and structured security & connectivity
- VPNs & proprietary protocols for thick clients
- HTTP(S) for browsers
- SOAP+WS-* for B2B
Diagram: line-of-business servers inside the enterprise network behind a firewall and VPN; road warriors connect with VPN, browser clients with SSL, formal trading partners with WS-Security (WS-S).
33. The New Hybrid Enterprise
Highly agile security & connectivity
- REST, OAuth, OpenID Connect, UMA
Diagram: line-of-business servers inside the enterprise network behind a firewall; mobile devices, clouds, and informal, API-driven integrations connect from outside.
34. The Hybrid Enterprise Made Possible By APIs
An API is a RESTful service.
Diagram: an API server accessed by a mobile app, a web client and a web app.
35. For Example:
GET http://services.layer7.com/staff/Scott
40. What Do These Do?
- OAuth: to get access to an API.
- OpenID Connect: to share information about users.
- UMA: to give a user the power to control how their attributes are shared.
42. How to Make OAuth Easy
- Simple, drop-in virtual or hardware gateway
- Acts as both Authorization Server (AS) and Resource Server (RS)
- Advanced security on all APIs: threat detection, audit, QoS management, etc.
- All authorization grants: authorization code, implicit, resource owner password credentials, client credentials
Diagram: a SecureSpan Gateway protecting the Protected Resource (RS) and a SecureSpan Gateway as AS sit with the directory on the enterprise network behind the firewall; clients are mobile devices, clouds, web apps, etc. and informal, API-driven integrations.
46. How to Make OAuth Web Scale
Diagram: the Internet, Firewall 1, a DMZ, Firewall 2 and a Secure Zone; components are a SecureSpan Gateway cluster as AS, a SecureSpan Gateway as Secure Token Store, a SecureSpan Gateway cluster protecting the Protected Resource (RS), and the Directory.
47. How to Make OAuth Scale – Architecture
Diagram: the resource provider spans the internal (secure) network, the DMZ and the Internet, where the client sits. Components and their duties:
- Resource Server: accessed when the client requests resources
- API Proxy Server: who is asking? which API? what scope? is the token valid? etc.
- Authorization Server: accessed when the client requests user authorization and tokens; prove who you are, authorize entitlement, etc.
- OVP client store
- Token Store / Token Server: create, check, expire, revoke, etc.
- IDMS: accessible through an LDAP query
Legend: endpoints accessible through an API; endpoints accessible through the OAuth protocol API.
48. Priority #2: Introduce OpenID Connect
Diagram: the same resource provider layout (internal secure network, DMZ, Internet) with the OpenID Connect endpoints added:
- Core: provide ID token; validate and return claims
- CheckID
- UserInfo: provide access token; get attributes (e.g. family_name, picture, gender, birthdate, etc.)
- Optional: SessionMgmt (1. refresh endpoint, 2. end session endpoint), DynamicReg, Discovery
Surrounding components: Resource Server, OVP client store, Token Store, IDMS (accessible through an LDAP query).
Legend: endpoints accessible through an API; endpoints accessible to outside clients.
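The token server duties (create, check, expire, revoke) and the API proxy questions from slide 47, plus the scope-limited UserInfo role from slide 48, as an added Python illustration that is not part of the webinar or of Layer 7's SecureSpan product. The TokenStore, API_SCOPES and SCOPE_CLAIMS names, the API-to-scope policy and the dict standing in for the IDMS directory are all assumptions constructed for the example; tokens are opaque bearer strings stored only by hash.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Token:
    subject: str        # resource owner the token was issued for ("who is asking")
    scopes: frozenset   # scopes granted at authorization time
    expires_at: float
    revoked: bool = False

class TokenStore:
    """Token server role from slide 47: create / check / expire / revoke."""
    def __init__(self, now, ttl=3600):  # now() is injected so expiry is testable
        self._now, self._ttl, self._tokens = now, ttl, {}
    @staticmethod
    def _key(raw):  # store a hash only, so a dumped store yields no usable bearer tokens
        return hashlib.sha256(raw.encode()).hexdigest()
    def create(self, subject, scopes):
        raw = secrets.token_urlsafe(32)  # opaque bearer token handed to the client
        self._tokens[self._key(raw)] = Token(subject, frozenset(scopes), self._now() + self._ttl)
        return raw
    def check(self, raw):  # Token if present, unexpired and unrevoked, else None
        tok = self._tokens.get(self._key(raw))
        return None if tok is None or tok.revoked or self._now() >= tok.expires_at else tok
    def revoke(self, raw):
        if (tok := self._tokens.get(self._key(raw))) is not None:
            tok.revoked = True
    def expire(self):  # purge tokens past their lifetime
        self._tokens = {k: t for k, t in self._tokens.items() if self._now() < t.expires_at}

# Constructed policy: scope each API needs (proxy) and claims each scope unlocks (UserInfo).
API_SCOPES = {"/staff": "staff:read", "/payroll": "payroll:read"}
SCOPE_CLAIMS = {"profile": ("family_name", "picture", "gender", "birthdate"), "email": ("email",)}

def proxy_authorize(store, raw_token, api_path):  # DMZ API proxy decision (slide 47)
    if (tok := store.check(raw_token)) is None:       # is the token valid?
        return (401, "invalid_token")
    if (needed := API_SCOPES.get(api_path)) is None:  # which API, what scope does it need?
        return (404, "unknown_api")
    if needed not in tok.scopes:
        return (403, "insufficient_scope")
    return (200, tok.subject)                         # who is asking: forward with caller identity

def userinfo(store, raw_token, directory):  # OpenID Connect UserInfo role (slide 48)
    if (tok := store.check(raw_token)) is None:
        return (401, {})
    allowed = {c for s in tok.scopes for c in SCOPE_CLAIMS.get(s, ())}  # claims the scopes unlock
    record = directory.get(tok.subject, {})  # directory dict stands in for the IDMS/LDAP lookup
    return (200, {"sub": tok.subject, **{c: record[c] for c in allowed if c in record}})
```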
49. Summary
Implement OAuth now!
- Don’t roll your own
- Plan for failure
- Plan for scale
Plan for OpenID Connect
- Understand what you need to share
- Look to integration with existing identity providers
Keep a very close eye on UMA
- This is the missing piece in the puzzle
- Maturing very fast
50. Questions?
Scott Morrison, CTO, Layer 7 Technologies, smorrison@layer7.com
Eve Maler, Principal Analyst, Forrester Research, Inc., emaler@forrester.com