With the ever increasing growth of mobile applications and API technologies the topics of identity management, authentication and authorisation are as important as ever. The technologies mean that those responsible for identity management and security increasingly have more to consider when deploying and enforcing security. With rapid time to market demands from the business there is much to consider when delivering an open but secure environment for the business and their users. This session will look at some of the considerations and issues faced in designing and delivering IdM in this emerging space. We will look at how topics such as OAuth, OpenID connect and single sign on play their part in these policies and how governance plays a key role alongside security to protect the environment.

3. Topics
§ Define API’s
§ How are they being used
§ What are the issues
§ What's being used
§ One approach

4. Web API
=
Technology

5. Mobile and API identity – The New
Challenges
Aran White
Solution Architect
awhite@layer7.com

6. Is it a Web API?
REST/JSON? Yes.
SOAP/XML? Yes.
HTTP/CSV? Yes.

7. Modern Timeline of Web APIs
2005
2004 2010
First Web 2.0 Programmable
web.com Salesforce
Conference adds HTTP API
launched
2002 54 APIs
Amazon API registered.
2005
2000 ebay makes 2008 2012
Salesforce API APIs free Programmable
ebay API Programmable
web.com has web.com has
2004 2006 1000 registered 7144 registered
Flickr API Twitter API APIs APIs
Facebook API
Google (Maps) Sources: apievangelist.com
programmableweb.com
API internetarchive.com
Steve Yegge Rant
oreilly.com

8. How have they grown, or exploded

9. Mobile is driving API publishers

10. The enterprise model:
Start with private APIs…

11. …consider going public
in the future

12. API’s From Internal Services
§ Create a new shiny API or enable our existing services
§ Integration for messages and security
§ Internal security verses external security
§ Who is using the service the most
§ How do we control the use

13. Applications Or Users
§ We don’t just want to trust the user what about the application?
§ Developers
- On boarding
- Controlling access
- Monitoring
- Managing
§ Will you allow application to store user credentials? Long term or per session
§ Do we trust all devices or platforms?
§ Do we trust Jail broken devices?

14. Single sign on issues
§ Multiple Applications
§ Multiple devices
§ Multiple APIs
§ Multiple API providers
§ Integration with cloud services

15. How are we tackling this
§ New security models
§ Oauth
§ Open ID connect
§ SAML
§ Tried and tested approaches
- SSL, Basic Auth, WS Security, XML security
- Standard threats
§ Multiple approaches per API
§ Brokering between the new world and the existing security

16. OAuth
§ Drafts keep changing (or did !!)
§ Can be complex
§ Picking the correct flow
§ Components which do I use.
§ Extensions
§ Brokering with existing security

17. Open ID Connet
§ OAuth based solution for authentication
§ Gives access to attributes.
§ Giving access to identities outside the enterprise
§ Helps scale and agility
§ Who is coming through the door
§ Tracking and audit

18. SAML
§ Still there as a very valid solution
§ Supported for federated SSO such as SFDC
§ Can be considered heavyweight and complex
§ B2B solutions still like SAML
§ STS deployments

19. Flexibility is the new challenge
SAML
PKI
LDAP WS-­‐*

20. The primary API management
challenge:
Balancing
Control and Accessibility

21. API publishers want to encourage
utilization

22. Low barriers to access
Self service
Self documenting

23. But, API publishers also want to
restrict access to APIs

24. Smart rate limiting
Security enforcement
Brand control

25. Architects want API gateways
API
Gateway
API

26. Thank you
Aran White
awhite@layer7.com