Understanding how emerging standards like OAuth and OpenID Connect impact federation
Federation is a critical technology for reconciling user identity across Web applications. Now that users consume the same data through cloud and mobile, federation infrastructure must adapt to enable these new channels while maintaining security and providing a consistent user experience.
This webinar will examine the differences between identity federation across Web, cloud and mobile, look at API specific use cases and explore the impact of emerging federation standards.
You Will Learn
Best practices for federating identity across mobile and cloud
How emerging identity federation standards will impact your infrastructure
How to implement an identity-centric API security and management infrastructure
Presenters
Ehud Amiri
Director, Product Management, CA Technologies
Francois Lascelles
Chief Architect, Layer 7
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
1. Federation evolved: How cloud, mobile & APIs change the way we broker identity
Francois Lascelles, Chief Architect, Layer 7 Technologies
Ehud Amiri, Director, Product Management, CA
2. Webinar Housekeeping
Questions
- Chat any questions you have and we’ll answer them at the end of this webinar
Twitter
- Today’s event hashtag: #L7webinar
- Follow us on Twitter: @layer7, @forrester
Layer 7 Confidential 2
3. CA/L7 Webinars
Following the previous webinar “Unifying Security Across Web, APIs and Mobile” (http://api.co/unifySEC), today we will introduce “Federation Evolved”.
5. Survival Of The Fittest
“It is not the strongest of species that survives, not the most intelligent that survives. It is the one that is most adaptable to change”
Charles Darwin
6. Macro Trends Impacting the “New Federation”
- Cloud Services: 79% of organizations are using SaaS³
- Social Registration: 1.43B social network users by 2012¹
- Mobile Apps: 305B mobile app downloads by 2016²
- IoT / Big Data: 50B connected devices by 2020⁴, 35ZB of data by 2020⁵
- Partners/Divisions and the Developer Community
7. The History Of SAML
Security Assertion Markup Language
8. SAML 2.0 Published in 2005
Key Use Case: Browser Single Sign-On
Parties: the Application (Relying Party) and the Identity Provider, with the user’s browser carrying the messages between them
1. Request resource (browser to Application)
2. IDP Discovery (Application works out which Identity Provider to use)
3. Redirect to IDP with <AuthnRequest>
4. Login flow (user authenticates at the Identity Provider)
5. Redirect back with <Response>
6. Return resource (Application serves the request)
9. Single Sign-On for SaaS Applications
SAML 2.0 “Fountain of Youth”
[Diagram: one Identity Provider federating to several SaaS Applications, each pairing being an Identity Provider to SaaS Application SSO relationship]
10. Major success in SaaS enterprise applications
Customer story – large global financial organization
• 2007: obtained SiteMinder Federation for 5 partnerships
• 2012: using about 100 partnerships, many of them enterprise SaaS applications
• 2013: planning 500-1000 for the partner ecosystem
11. CA Federation Partner Program
• CA Federation Partner program
- Tested and templatized standards-based SSO between CA Federation and top cloud business applications
• Some of the validated SaaS Applications
[Logos of validated SaaS applications not reproduced]
12. CA CloudMinder™ 1.1
Suite of IAM cloud services: identity and access management capabilities delivered as a service
Identity Management
• User management
• Access request
• Provisioning & de-provisioning
• Identity synchronization
Federated SSO
• Standards-based federation (SAML, WS-Fed, OAuth, …)
• Employee/Partner SSO
• Social Sign-on
• Just-in-time provisioning
Strong Authentication
• Software Tokens, QnA, OATH, certificates
• Risk analysis & adaptive authentication
• Device identification
• Fraud prevention
14. Mobile access control - secure what?
… the data source
- Mobile browser → Web
- Any other app → APIs
15. Reconciling Mobile UX and Security: Single Sign-On
• Single sign-on on mobile devices is essential to mitigating mobile UX disruptors
[Illustration: the two competing prompts, “Identify yourself” versus “Show me my data”]
16. Mobile app isolation
• Mobile web: a single user-agent talks to Webapp 1 (cookie domain A), Webapp 2 (cookie domain B) and Webapp 3 (can be different parties); the cookie jar is scoped per domain
• Mobile apps: App A calls API 1 with access token 1, App B calls API 2 with access token 2, App C calls API 3 with access token 3 (can be different parties); each native app holds its own token
17. Client-side sharing of authentication context
• Client side platforms allow applications within a domain to share a Key Chain
- Share an authentication context
- Only for apps published by the same developer key
[Diagram: App A and App B each with a private key chain (KC A, KC B) versus App A and App B on a Shared Key Chain]
18. Cross domain mobile SSO
• Client side redirections and callback
- Apps register a URL scheme to allow switching between apps
- Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app
step 1 (App B opens App A): openURL AppA://something?callback=AppB://somethingelse
step 2 (App A opens App B): openURL AppB://somethingelse?arg=that_thing_you_need
19. App-to-app redirection limitations, risks
• Un-verified URL schemes open the possibility of an “app-in-the-middle” attack
APPLE:
“If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.”
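The app-in-the-middle risk on this slide is a callback-interception problem: whichever installed app the OS hands the AppB:// URL to receives whatever App A put in it. The Python below is an added example, not code from the slides or from CA/Layer 7. It simulates the two-step openURL exchange from slide 18, but instead of passing the token itself, App A returns a short-lived, single-use code bound to the hash of a secret that App B generated and never placed in any URL; a squatting app that also registered AppB:// can see the callback but cannot redeem the code. The challenge/verifier construction is the S256 method standardized for OAuth public clients in RFC 7636 (PKCE); the app names, the callback scheme allowlist and the in-memory TokenService are assumptions made for the simulation.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Schemes App A is willing to redirect a code to (assumption for the example).
# urlsplit returns scheme names lower-cased, so the allowlist is lower-case too.
ALLOWED_CALLBACK_SCHEMES = {"appb"}


def s256(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class TokenService:
    """Constructed stand-in for the backend behind App A that turns codes into tokens."""

    CODE_TTL_SECONDS = 60  # hypothetical lifetime of a one-time code

    def __init__(self):
        self._codes = {}  # code -> (code_challenge, subject, expires_at)

    def issue_code(self, subject: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, subject, time.time() + self.CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str, code_verifier: str) -> dict:
        # Single use: the code is removed on the first attempt, successful or not,
        # because a code that reached the wrong app must be treated as burned.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        challenge, subject, expires_at = entry
        if time.time() > expires_at:
            raise PermissionError("code expired")
        if not secrets.compare_digest(s256(code_verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "sub": subject}


def app_b_build_request(callback: str = "AppB://sso-callback"):
    """App B keeps the verifier in memory and sends only its hash across the app boundary."""
    verifier = secrets.token_urlsafe(32)
    query = urlencode({"callback": callback, "code_challenge": s256(verifier)})
    return verifier, f"AppA://sso?{query}"  # step 1 URL


def app_a_handle_open_url(url: str, token_service: TokenService, subject: str = "user@corp") -> str:
    """App A (already signed in) answers step 1 with the step 2 callback carrying a bound code."""
    params = parse_qs(urlsplit(url).query)
    callback = params["callback"][0]
    challenge = params["code_challenge"][0]
    # The allowlist stops redirects to arbitrary schemes, but the platform cannot tell App A
    # which installed app owns AppB://; that is why the code is bound to the challenge.
    if urlsplit(callback).scheme not in ALLOWED_CALLBACK_SCHEMES:
        raise ValueError("callback scheme not allowed")
    code = token_service.issue_code(subject, challenge)
    return f"{callback}?{urlencode({'code': code})}"  # step 2 URL


def code_from_callback(url: str) -> str:
    return parse_qs(urlsplit(url).query)["code"][0]


def run_scenario(interceptor_first: bool) -> dict:
    """Run the exchange with a squatting app that also registered AppB:// and sees the callback."""
    service = TokenService()
    verifier, open_url = app_b_build_request()
    callback_url = app_a_handle_open_url(open_url, service)
    code = code_from_callback(callback_url)

    def attempt(code_verifier: str) -> bool:
        try:
            service.redeem(code, code_verifier)
            return True
        except PermissionError:
            return False

    if interceptor_first:
        interceptor_ok = attempt("not-the-verifier")  # the squatter never saw the verifier
        legit_ok = attempt(verifier)
    else:
        legit_ok = attempt(verifier)
        interceptor_ok = attempt("not-the-verifier")
    return {"legit_ok": legit_ok, "interceptor_ok": interceptor_ok}
```

Burning the code on any failed redemption is a deliberate trade-off: an attacker who receives the callback first can deny the legitimate App B its token for that attempt, but cannot obtain one. Given Apple’s statement above that nothing on the device decides which app gets a contested scheme, denial is the best outcome available to App A; the alternative of putting the bearer token directly in the callback, as slide 18 describes, hands it to whichever app wins.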
20. App wrapping
• Single sign-on across mobile apps normally requires the active participation of each app
- Wrapping an app can compensate for a 3rd party app’s lack of awareness
• Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context
- On the API side, federation still requires active participation, or the API calls themselves need to be redirected
[Diagram: App A and App B share an Auth Context; a wrapped 3rd party App may join it (?), but the 3rd party API it calls offers no such hook (?)]
21. Cloud API consumption from mobile
• The enterprise does not actively participate
• Shared password is a security risk
[Diagram: Kevin, James and Brent each post as @corp from their own devices (“@corp: Promotion”, “@corp: Something Funny”, “@corp: RT Someone”), so every one of them holds the shared @corp password]
22. Enterprise API brokering
[Diagram: the same posts (“@corp: Promotion”, “@corp: Something Funny”, “[@corp: RT Someone]”), but Kevin, James and Brent now go through an enterprise broker that posts as @corp on their behalf]
23. Enterprise API brokering
• Client-side redirected API call
- New app
- Localhost proxy (?)
- Wrapper
• API Brokering
- User authentication, lookup of the delegation permission
- @corp account secret remains secret
[Diagram: user@corp → Wrapper → API Brokering → @corp]
24. Standard: OAuth
1. Handshake issues token to app -> grant types
2. App uses token to consume API -> resource server
[Diagram: Client side (App, Browser) and API Provider side (Token endpoint, Authz endpoint); the App makes an API call to the Token endpoint with credentials (or context); the Browser is sent to the Authz endpoint by web redirection (optional)]
25. Social Login Pattern
• A service redirects the user to an OAuth authorization server
• The user consents to the service getting basic user info from the social provider
• The service leverages this context to delegate authentication and avoid setting up a shared secret with the user
[Diagram: Service (Web, Api/App, …) ↔ Social provider; consent screen “Do you authorize [service] to access your basic information? [_] Yes [_] No”; in: access token, out: user info]
26. Standard: OpenID Connect
• The use of OAuth to delegate authentication (social login) is formalized by OpenID Connect
- JSON based identity claims, use of JWT (ID Token)
- Defined scopes, user info API
• OpenID Connect lets an IdP provide federated authentication in a way that is ‘lightweight’ for the relying party
- No SAML
- No XML
- No dsig
27. Standard: Federated access token grants
• App gets an access token in exchange for another token
- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]
- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]
• Lets apps leverage authentication context without disturbing UX
[Diagram: Client App → API Provider Token endpoint: API call including proof of authentication; Token endpoint → App: get back access token]
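Slides 26 and 27 both rest on the same mechanics: a signed JWT whose signature, issuer, audience and expiry the receiving party checks before it trusts any claim inside. The Python below is an added example, not code from CA or Layer 7, and covers both passages with one JWT helper: an OpenID Connect provider mints an ID Token that a relying party validates (including the nonce that ties the token to one login attempt), and a client then uses the jwt-bearer grant type from slide 27 to trade its own signed assertion for an access token at a token endpoint that rejects wrong audiences, replayed jti values and tokens minted for someone else. HS256 with shared secrets is used so the example runs on the standard library alone (production deployments normally verify RS256 signatures against the provider’s published JWKS); the issuer URL, client id, endpoint URL and keys are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholders for the example; none of these are real endpoints or keys.
OP_ISSUER = "https://op.example"                         # OpenID Provider issuer
CLIENT_ID = "mobile-app-123"                             # relying party / OAuth client id
CLIENT_SECRET = b"client-secret-shared-with-op"          # HS256 key for the ID Token
TOKEN_ENDPOINT = "https://api.example/oauth/token"       # also the audience of the assertion
ASSERTION_KEY = b"key-registered-for-jwt-bearer-client"  # HS256 key for the assertion
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 over header.payload."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Check the signature before reading claims, then iss, aud and exp. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


# --- Slide 26: OpenID Connect. The OP mints an ID Token; the relying party validates it. ---

def op_issue_id_token(subject: str, nonce: str, now: float) -> str:
    claims = {"iss": OP_ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": int(now), "exp": int(now) + 300, "nonce": nonce}
    return jwt_sign(claims, CLIENT_SECRET)


def rp_validate_id_token(id_token: str, expected_nonce: str, now: float) -> str:
    claims = jwt_verify(id_token, CLIENT_SECRET, OP_ISSUER, CLIENT_ID, now)
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")  # token was not minted for this login attempt
    return claims["sub"]


# --- Slide 27: jwt-bearer grant. The app trades a signed assertion for an access token. ---

def app_build_token_request(subject: str, now: float) -> dict:
    assertion = jwt_sign({"iss": CLIENT_ID, "sub": subject, "aud": TOKEN_ENDPOINT,
                          "iat": int(now), "exp": int(now) + 60, "jti": secrets.token_hex(8)},
                         ASSERTION_KEY)
    return {"grant_type": JWT_BEARER, "assertion": assertion}


class TokenEndpoint:
    def __init__(self):
        self._seen_jti = set()  # replay cache; entries can be dropped once their exp has passed

    def handle(self, form: dict, now: float) -> dict:
        if form.get("grant_type") != JWT_BEARER:
            raise ValueError("unsupported_grant_type")
        claims = jwt_verify(form.get("assertion", ""), ASSERTION_KEY, CLIENT_ID, TOKEN_ENDPOINT, now)
        jti = claims.get("jti")
        if not jti or jti in self._seen_jti:
            raise ValueError("missing or replayed jti")
        self._seen_jti.add(jti)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": claims["sub"]}
```

Two details carry most of the security value. The audience check is what keeps an ID Token (aud = the client) from being replayed as a jwt-bearer assertion (aud = the token endpoint), which is the “lightweight for the relying party” property of slide 26 done safely; and pinning `alg` on the verifier side, rather than reading it from the token, closes the algorithm-confusion class of attacks that a JWT verifier must not be open to.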
28. Layer 7 Mobile Access Gateway
Mobile API Delivery
• Secure Mobile Endpoint
• Manage permissions across users, devices, apps
• Integration, Scaling
Access Control, UX
• Mobile PKI Provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
Increased Developer Velocity
• Mobile SDK for iOS and Android
• Configure, not code
• Form factors, deployment options
29. Identity and Multi-channel security are Critical Capabilities
Key Enablers of the Open Enterprise: Identity, Multi-channel Engagement
[Diagram: the enterprise surrounded by Cloud Services, Partners/Divisions, Mobile Apps, Developer Community, IoT / Big Data and Social Registration, exposed to Internal / External Threats]
30. Secure the Mobile, Cloud-Connected Enterprise
Identity is the New Perimeter
[Diagram: Identity at the center; Employees, Contractors, Partners and Administrators reaching SaaS, Cloud Apps/Platforms, Enterprise Apps and On Premise Apps/Platforms & Web Services]
Capabilities: Access Governance, Secure Single Sign-on, On/Off-Boarding, User Self Service, Data Discovery & Classification, Enterprise Mobility
31. The New Business Services
APIs Drive the Modern Business
[Diagram: an API layer connecting Mobile Apps, Browser / Web, Smart Devices and Cloud Services to Developer Access, Business Partners and Business Divisions]
32. The Rise of The “New Federation”
Enable Access to Secure New Business Services
APIs Drive the Modern Business
[Diagram: the API layer of slide 31 with Identity and a Single Centralized Security Policy added: Single Sign-on, Social Registration, Federation, Advanced Authentication, Identity / Device Management; Accelerate Data Access, Optimize Traffic, Protect Data]
33. Federation Evolved
CA CloudMinder & Layer 7: Modern Federation Across Channels
The “New Federation” is here:
• Standards-based
• Enables Cloud, Mobile & Social
• Protects the Web & API