Bhagyashree Prabhakar, E*Trade How to create APIs that enable developers without IAM expertise to implement IAM consistently and correctly.

1. Enterprise Auth APIs
...WHEEL GREASE FOR IAM
BHAGYA PRABHAKAR
E*TRADE FINANCIAL

2. Enterprise Auth APIs
§ What?
§ Standard
IAM
APIs
for
the
enterprise
§ Why?
§ Separa6on
of
concerns
§ How?
§ IAM
exper6se
and
good
so<ware
engineering

3. Familiar?
Internet
OAuth
Server
Auth
Agent
API
API
API
App
Access
Tokens
SAML
Server
SAML
Asser6ons
Mutual
Authen6ca6on
Client
Side
SSL
HTML
Basic
HTML
Basic
User
App
Sec
Developers
Kerberos
App

4. Desiderata something that is needed or wanted
§ Standardized
solu6on
across
applica6ons
§ Consistent
user
experience
§ Loose
coupling
to
IAM
systems
§ New
auth
methods,
minimal/no
app
changes
§ Enforce
policy
§ More
control
and
granularity

5. Enterprise Auth API
Internet
OAuth
Server
Auth
Agent
API
SAML
Server
SAML
Asser6ons
Mutual
Authen6ca6on
Over
SSL
HTML
Basic
HTML
Basic
User
App
Sec
Developers
API
API
App
Enterprise
Auth
API/SDK
Enterprise
Auth
API
Core
Impl
Kerberos
App

6. Example : Get AuthenIcated User’s Details
thisMustBeSimpler
()
{
SecurityContext
securityContext=SecurityContextHolder.getContext();
if
(securityContext
!=
null)
{
Authen6ca6on
authen6ca6on=securityContext.getAuthen6ca6on();
if
(authen<ca<on
!=
null)
{
if
(authen<ca<on.getPrincipal()
instanceof
EnterpriseUserDetails)
{
EnterpriseUserDetails
userDetails=(EnterpriseUserDetails)
authen6ca6on.getPrincipal();
String
sessionId=userDetails.getServerSessionId();
}
}
}
}

7. With an Enterprise Auth API
Authen<ca<onInfo
{
isAuthen<cated();
getUserId();
getUserName();
getRoles();
getUserDetails();
}
nowThisIsMuchBeLer()
{
Authen6ca6onInfo
authnInfo
=
Authen<ca<onInfo.newInstance();
UserDetails
userDetails=authnInfo
.getUserDetails();
String
sessionId=userDetails.getServerSessionId();
}

8. A Couple More Examples
Federator
{
federate(aLributes,
endpoint);
}
Authoriza<onInfo
{
hasRole(role);
getRoles();
}

9. CreaIng an API
…THAT DEVELOPERS WANT TO USE

10. GeQng Started
§ Derive
from
exis6ng
use-­‐cases
§ Talk
to
applica6on
developers
§ Beware
of
an6
paXerns
-­‐
bullet
point
engineering,
abstrac6on
inversion
§ Build
on
top
of
modular
Auth
framework
§ Spring
Security,
Shiro,
my-­‐favorite-­‐framework
§ Simplify
and
constrain
§ Enterprise
specific
rules

11. Make it Modular and Portable
§ No
kitchen
sink
of
all
APIs
to
integrate
with
§ Separate
API
and
impl
modules
§ Consumers
depend
on
API
§ Swap
out
underlying
impl
§ Integra6on
in
other
languages
§ Dis6ll
into
a
web
service
layer
§ Language
specific
SDK

12. Maintain...Maintain...Maintain
§ Support
the
developers
who
use
it
§ Help
developers
proac6vely
§ Implement
fixes
and
extensions
quickly
§ Keep
up
with
the
IAM
industry
§ Make
it
SOLID
§ Use
Seman6c
Versioning

13. Return on Investments
§ De
facto
standard
auth
API
in
the
Enterprise
§ Mix
and
match
several
IAM
systems
§ No
vendor
lock
in
§ Rapid
prototype
development
§ Quick
applica6on
integra6on
§ Improved
upon
our
applica6on
security
prac6ce
§ Detec6on
and
remedia6on

14. What’s Important...
§ Façade
away
auth
frameworks
and
IAM
systems
§ Enhance
and
constrain
3rd
party
components
with
organiza6on
rules
§ Make
it
modular,
portable
and
easy
to
use
§ Keep
up
with
the
IAM
industry

15. So?
§ Benefit
from
a
standardized
IAM
solu6on
across
applica6ons

16. Thanks!
To
Adam
Migus
and
E*TRADE
Financial
E-­‐mail:
bhagyashree.prabhakar@etrade.com
Links
hXp://semver.org/
hXp://en.wikipedia.org/wiki/SOLID_(object-­‐oriented_design)
hXp://projects.spring.io/spring-­‐security/
hXp://shiro.apache.org/
hXp://en.wikipedia.org/wiki/Desiderata