Presentation by Hans Zandbelt from Ping Identity (pingidentity.com) at Nordic APIs (nordicapis.com), Stockholm, March 2013, about the need for identity services when publishing an API.
1. Criticality of Identity: The Importance of Knowing Who Your API Consumer Is
Hans Zandbelt, CTO Office - Ping Identity
Copyright ©2012 Ping Identity Corporation. All rights reserved.
2. Overview
1. Cloud & APIs: The Trends – history, state-of-the-art, trends
2. Identity and APIs – what, why, how
3. Recommendations – API strategy
3. CLOUD & APIS: THE TRENDS
4. Cloud 1.0
(diagram labels: FIREWALL, SaaS, APP, database, directory)
6. How it should be: Cloud 2.0
(diagram labels: SaaS, APP, firewall, database, directory)
7. Consequences
(diagram label: FIREWALL)
Traditional firewall and enterprise domain-based security cannot deal with Cloud Apps and Mobile devices and applications.
IDENTITY IS THE NEW PERIMETER
8. IDENTITY & APIS
9. The Internet Scale Identity Concept
• Identity Provider
  – Authoritative
  – Scale
  – Manageability
• UNIFORM across Web SSO & API Access
• Security AND Convenience
• How to extend enterprise security policies to the cloud: a MUST have
(diagram label: verify)
10. Playfield
(diagram labels: User Provisioning, Web SSO, API Access)
11. The API Economy Drivers
• SaaS
  – API access to data/services vs. browser access
  – Cloud, Mobile/Big Data, BYOD
  – Salesforce.com > 60%
• APIs of PaaS offerings
  – Expose own cloud services
• Clear trend for APIs towards REST
12. API Access
• HTTP
• SOAP
  – WS-Security/WS-Trust
• REST
  – ?
• TOKEN
  – Obtain
  – Use
  – Validate
• Passwords??
(diagram labels: CLIENT, SOAP / REST, Token, SERVICE)
13. Password anti-pattern
• 3rd party client stores user passwords
• Teaches users to be indiscriminate with passwords
• No multi-factor or federated authentication
• No granularity
• No differentiation
• No revocation
14. Drivers
• Lack Of Standards
• Password Anti Pattern
• Native Mobile Apps
• REST Cloud APIs
15. OAuth 2.0
• Secure API authorization
  – simple & standard
  – desktop, mobile web
• Auth & Authz for RESTful APIs
• Delegated authorization
  – mitigates password anti-pattern
• Issue tokens for granular access
  – Without divulging your credentials
16. OAuth 2.0 Benefits
• Security & Usability
• Revocation
• Granularity
• Use Cases*
• Scopes
• Passwords vs. OAuth == credit card vs. checks
17. SSO for Mobile Apps: Authorization Agent (AZA)
• Aggregate OAuth flows and logins
• Bootstrap through WebSSO with OpenID Connect or SAML
• OAuth-as-a-Service + SAML-as-a-Service
(diagram label: OAUTH SSO)
18. RECOMMENDATIONS
19. Something to think about: cloud IAM strategy
• Multi-use case, multi-device, multi-channel, multi-protocol…
  – Identity is the connector
• Interoperability and standards
• IAM not just an internal technical issue: also a strategic business enabler
• Architect for agility
20. Identity for APIs strategy
• Implement your API for:
  – externalized authentication and authorization
  – tokens instead of passwords
  – consumer identity AND enterprise identity
• By leveraging identity we can:
  – address API access (server2server, mobile) in the same way as Web SSO
  – reuse existing security and identity policies
  – connect your existing identity store
• Possibly implement this in a single system(!)
21. Expect More Change
• Continued trend to SaaS, PaaS, IDaaS, leveraging APIs
• Continued evolution and adoption of open standards such as OAuth 2.0 and OpenID Connect; 2013 is the year of Identity Standards
22. COME AND SEE US!
Hans Zandbelt
Twitter: @hanszandbelt
www.pingidentity.com
Editor's note
Today: a mix of on-premise applications and SaaS or cloud applications, both web and native mobile apps. User authentication and access control based on app-specific accounts and credentials, some SSO to web apps, mostly internal. The firewall applies to some applications, hosted on the corporate network.
The expansion of cloud usage brings along 3 dimensions of change: Users: different use cases, more and more inbound too. Consumer identity: 70% drop-off on registration. Devices: mobile, smaller screens, different capabilities, no longer exclusively owned by the enterprise.
Applications reside both on-premises and in the cloud, but so do directories and databases. Users can access these applications from anywhere, using a variety of devices. User accounts and access control need to be harmonized across cloud and on-premises for compliance reasons, following the corporate IT security policy. The firewall can no longer be the center of the universe: access control needs to be handled on a different level.
It is clear that a corporate firewall cannot meet the demands of cloud, mobile and hybrid use cases. Identity is the concept that is shared between all contexts, what binds everything together in IAM. We must conclude that identity is the new perimeter, or at least the new paradigm to leverage.
What is the role that identity can play for APIs?
Separate identity information from the application. Leverage the remote identity through the client accessing the application. Identity on internet scale leverages a 2nd or 3rd party that is well positioned to manage and publish identity information (the concept holds for both enterprise and consumer scenarios). We should strive to use identity across the web world (browser-based apps, Web SSO) and the native world (mobile and rich desktop clients): no need to do things twice. SSO is about convenience for users, but more importantly about addressing a bunch of security issues. SSO using 3rd party asserted identity is actually a rare example where convenience and security go hand in hand. Applying this concept in a uniform way will allow enterprise businesses to extend their enterprise security policies to the cloud. That is a must have for compliance reasons.
APIs are rapidly becoming important, especially because of the rise of mobile apps and big data.
How would you secure web APIs? SOAP: WS-Security. REST: nothing there yet until recently, only passwords. What we need is a token based method to access APIs: will explain in the next slide.
Deprecated way of dealing with API access: hand out your password to a client or third party service. Bad: the client stores the password, users become indiscriminate with passwords, no multi-factor, no granularity, no differentiation, no revocation. Need something better.
Enter OAuth 2.0: a protocol for secure API authorization. Simple standard or framework, based on REST and JSON, meant for the mobile web world. Delegated authorization: tokens are issued, obtained and used to mitigate the password anti-pattern. Granular, revocable access for specified parties, without exposing your credentials.
Framework, allows for a variety of use cases over enterprise and consumer domains. Balance between security and usability by using 2 types of tokens: access tokens and refresh tokens. Scopes allow for fine grained access control, much like entitlements.
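As an added example (not from the presentation, and not Ping Identity's code), the following Python sketch shows the obtain / use / validate token cycle that slides 12, 15 and 16 and the notes above contrast with the password anti-pattern: an authorization server mints a scoped, time-limited access token after the user has consented, the resource server checks signature, expiry, revocation and scope on every request, and revoking one delegation never touches the user's password. OAuth 2.0 does not fix a token format, so the HMAC-signed JSON token, the signing key, the `contacts.read`/`contacts.write` scopes, the API paths and the in-memory revocation set are all constructed assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed for this example: the authorization server's signing key.
# A real deployment keeps it in a key vault or HSM and rotates it.
SERVER_KEY = secrets.token_bytes(32)

# Revocation list keyed by token id ("jti"): revoking one delegation
# never touches the user's password, unlike the password anti-pattern.
REVOKED_TOKEN_IDS: Set[str] = set()

# Constructed sample API: the scope each operation requires (granularity).
REQUIRED_SCOPE: Dict[str, str] = {
    "GET /contacts": "contacts.read",
    "POST /contacts": "contacts.write",
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, client_id: str, scopes: Set[str],
                ttl: int = 3600, now: Optional[float] = None) -> str:
    """Authorization server (obtain): after the user consented to `scopes` for
    this client, mint a bounded token. The client never learns the password.
    HMAC-signed JSON is an assumption of the example, not an OAuth 2.0 rule."""
    issued_at = int(time.time() if now is None else now)
    claims = {"sub": user, "client_id": client_id, "scope": sorted(scopes),
              "exp": issued_at + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def _verify_signature(token: str) -> Optional[dict]:
    """Return the claims when the signature is genuine, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # wrong field count, bad base64 or bad JSON
        return None

def revoke_token(token: str) -> bool:
    """User or admin withdraws one delegation; False for a bogus token."""
    claims = _verify_signature(token)
    if claims is None:
        return False
    REVOKED_TOKEN_IDS.add(claims["jti"])
    return True

def validate_token(token: str, required_scope: str,
                   now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Resource server (validate), run on every request.
    Returns an HTTP-style status plus the claims when the token is acceptable."""
    claims = _verify_signature(token)
    if claims is None:
        return 401, None                     # forged or malformed
    if claims["exp"] <= (time.time() if now is None else now):
        return 401, None                     # expired
    if claims["jti"] in REVOKED_TOKEN_IDS:
        return 401, None                     # revoked by the user
    if required_scope not in claims["scope"]:
        return 403, claims                   # genuine token, insufficient grant
    return 200, claims

def handle_request(method_path: str, headers: Dict[str, str],
                   now: Optional[float] = None) -> Tuple[int, dict]:
    """The API endpoint (use): accepts a bearer token only, never a password."""
    scope = REQUIRED_SCOPE.get(method_path)
    if scope is None:
        return 404, {"error": "not_found"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    status, claims = validate_token(auth[len("Bearer "):], scope, now)
    if status != 200:
        return status, {"error": "invalid_token" if status == 401 else "insufficient_scope"}
    # Constructed sample data; a real service would load the user's records.
    return 200, {"owner": claims["sub"], "client": claims["client_id"],
                 "contacts": ["bob@example.com"]}

if __name__ == "__main__":
    token = issue_token("alice", "contacts-app", {"contacts.read"})
    bearer = {"Authorization": "Bearer " + token}
    print(handle_request("GET /contacts", bearer))   # 200: within the granted scope
    print(handle_request("POST /contacts", bearer))  # 403: write was never delegated
    revoke_token(token)
    print(handle_request("GET /contacts", bearer))   # 401: delegation revoked
```

The 403 versus 401 split is the granularity point from slide 16: a read-only grant is a genuine token that simply does not cover writes, whereas a tampered, expired or revoked token is rejected outright. Refresh tokens, the second token type the notes mention, are left out to keep the lifecycle of a single access token visible.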
Recent development: leverage OAuth to achieve SSO across native apps. Until now each app would do its own OAuth flow, which may result in a user logging in and granting access to an app on an individual basis, repeatedly. This shows how to leverage an existing Web SSO investment, e.g. SAML or OpenID Connect, for native mobile app SSO.
In the new cloud world we need to be prepared for a variety of use cases, devices, channels and hence protocols. Identity however is a constant factor and really the constant connector between all of them. Interoperability and standards are important: cloud is about doing things across multiple domains, and interoperability only comes with standards. Choose products that implement standards, if possible many standards at once! IAM as a business enabler: it can streamline the way in which you're doing business, adding convenience and security for all parties you deal with (employees, customers, partners), across the devices preferred by your partners/users. Agility: cloud IT is meant to cope with ever changing demands; static infrastructure is legacy. Have more flexibility for a rapidly changing IT environment; architect your IT for that.
Externalization of authentication and authorization: make your API use tokens, not passwords. Some of your APIs may eventually have to deal with both enterprise and consumer identity; be sure that you can handle that. Design your API so that you can handle browser based access, server2server communication and native mobile applications in a unified way. Reuse your existing security and identity policies across the 3 worlds and use your existing identity store to do that: no need to build custom silos for this. And best of all: you don't need to implement that yourself, you can use an existing server or implementation. Come and talk to Ping!
Cloud will expand and change. 2013 is the year of the Identity standards: OpenID Connect (ratification) and OAuth 2.0 (large deployments and convergence). Ping will be at the forefront of these changes, actively developing and implementing the new standards.