Federation evolved:
How cloud, mobile & APIs change the way we broker identity
Francois Lascelles, Chief Architect, Layer 7 Technologies
Ehud Amiri, Director, Product Management, CA
Webinar Housekeeping
Questions
- Chat any questions you have and we’ll answer them at the end of this webinar
Twitter
- Today’s event hashtag: #L7webinar
- Follow us on Twitter: @layer7 @forrester
Layer 7 Confidential 2
CA/L7 Webinars
Following previous webinar “Unifying Security Across Web, APIs and Mobile”
http://api.co/unifySEC
Today we will introduce “Federation Evolved”
The Identity Standards
Survival Of The Fittest
“It is not the strongest of species that survives, not the most intelligent that survives. It is the one that is most adaptable to change”
Charles Darwin
Macro Trends Impacting the “New Federation”
• 1.43B social network users by 2012¹
• 305B mobile app downloads by 2016²
• 79% of organizations are using SaaS³
• 50B connected devices by 2020⁴
• 35ZB of data by 2020⁵
Diagram labels: Cloud Services, Partners/Divisions, Developer Community, Mobile Apps, IoT / Big Data, Social Registration
The History Of SAML
Security Assertion Markup Language
SAML 2.0: OASIS Standard since 2005
Key Use Case: Browser Single Sign-on
1. User agent requests a resource from the Application (Relying Party)
2. IDP Discovery
3. Redirect to the IDP with <AuthnRequest>
4. Login flow at the Identity Provider
5. Redirect back to the Relying Party with <Response>
6. Return resource
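The six-step exchange above, as an added example that is not part of the original deck: a stdlib Python model of steps 3 and 5, the SP-initiated HTTP-Redirect binding for the <AuthnRequest> and the checks the relying party performs on the <Response> before it trusts the NameID. The entity IDs, endpoint URLs and the sample <Response> are constructed for the example; XML-signature verification, which a real relying party must do before any of these checks, is called out but not implemented.

```python
# SAML 2.0 SP-initiated browser SSO, stdlib only. Step 3: <AuthnRequest> over
# the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode). Step 5: the
# checks a relying party makes on the <Response>. IDs/URLs assumed for the demo.
import base64, uuid, zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://app.example.com/sp"           # assumed relying party
ACS_URL = "https://app.example.com/saml/acs"          # assumed ACS endpoint
IDP_SSO_URL = "https://idp.example.org/sso/redirect"  # assumed IdP endpoint

def _t(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)

def build_authn_request(relay_state="/protected"):
    """Step 3. Returns (request_id, redirect_url). The SP must remember the
    request ID so it can match the Response that comes back in step 5."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{request_id}" Version="2.0" '
           f'IssueInstant="{datetime.now(timezone.utc).strftime(TS)}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    packed = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return request_id, IDP_SSO_URL + "?" + urlencode(
        {"SAMLRequest": packed, "RelayState": relay_state})

def decode_redirect_request(redirect_url):
    """What the IdP does on arrival: undo the binding and read the request."""
    params = parse_qs(urlparse(redirect_url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)
    return {"id": root.get("ID"), "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "relay_state": params["RelayState"][0]}

def check_response(response_xml, expected_request_id, now=None):
    """Step 5 at the RP. Returns the NameID or raises ValueError. The XML
    signature check is not shown (needs an XML-DSig library and the IdP's
    certificate); in production it runs BEFORE any of these checks."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("not a response to an outstanding AuthnRequest")
    if root.get("Destination") != ACS_URL:
        raise ValueError("response was not addressed to this ACS")
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None:
        raise ValueError("no assertion")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [x.text for x in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion issued for a different audience")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/"
                 f"{{{SAML}}}SubjectConfirmationData")
    if (scd is None or scd.get("InResponseTo") != expected_request_id
            or scd.get("Recipient") != ACS_URL or now >= _t(scd.get("NotOnOrAfter"))):
        raise ValueError("subject confirmation does not match this request")
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def sample_response(request_id, issued):
    """Constructed IdP <Response> for the demo; not captured from any IdP."""
    t0, t1 = issued.strftime(TS), (issued + timedelta(minutes=5)).strftime(TS)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
            f'Version="2.0" IssueInstant="{t0}" Destination="{ACS_URL}" '
            f'InResponseTo="{request_id}"><saml:Issuer>https://idp.example.org</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t0}">'
            '<saml:Issuer>https://idp.example.org</saml:Issuer><saml:Subject>'
            '<saml:NameID>alice@example.com</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData InResponseTo="{request_id}" '
            f'Recipient="{ACS_URL}" NotOnOrAfter="{t1}"/></saml:SubjectConfirmation>'
            f'</saml:Subject><saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AuthnStatement AuthnInstant="{t0}"/></saml:Assertion></samlp:Response>')

def demo():
    """Steps 3 and 5 in-process, then a response to someone else's request."""
    request_id, url = build_authn_request()
    assert decode_redirect_request(url)["id"] == request_id
    now = datetime.now(timezone.utc).replace(microsecond=0)
    name_id = check_response(sample_response(request_id, now), request_id, now)
    try:
        check_response(sample_response("_not_ours", now), request_id, now)
        foreign_rejected = False
    except ValueError:
        foreign_rejected = True
    return name_id, foreign_rejected
```

The foreign-request check is the one most often skipped: an assertion that is valid but answers a different AuthnRequest, or one that has already been consumed, must not log anyone in, which is why the SP keeps the IDs of the requests it issued and matches InResponseTo against them.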
Single Sign-On for SaaS Applications
SAML 2.0 “Fountain of Youth”
Diagram: one Identity Provider federating to multiple SaaS Applications
Major success in SaaS enterprise applications
Customer story – large global financial organization
• 2007: obtained SiteMinder Federation for 5 partnerships
• 2012: using about 100 partnerships, many of them enterprise SaaS applications
• 2013: planning 500-1000 for partner ecosystem
CA Federation Partner Program
• CA Federation Partner program
- Tested and templatized standards-based SSO between CA’s Federation and top cloud business applications
• Some of the validated SaaS Applications (logos)
CA CloudMinder™ 1.1
Suite of IAM cloud services: identity and access management capabilities delivered as a service
Identity Management
• User management
• Access request
• Provisioning & de-provisioning
• Identity synchronization
Federated SSO
• Standards-based federation (SAML, WS-Fed, OAuth, …)
• Employee/Partner SSO
• Social Sign-on
• Just-in-time provisioning
Strong Authentication
• Software Tokens, QnA, OATH, certificates
• Risk analysis & adaptive authentication
• Device identification
• Fraud prevention
Mobile First
Mobile access control - secure what?
… the data source
• Mobile browser: Web
• Any other app: APIs
Reconciling Mobile UX and Security: Single Sign-On
• Single sign-on on mobile devices is essential to mitigating mobile UX disruptors
Diagram: “Identify yourself” vs “Show me my data”
Mobile app isolation
• Mobile web: a single user-agent holds cookies per domain (cookie domain A, cookie domain B) for Webapp 1, Webapp 2 and Webapp 3, which can be different parties; the shared cookie jar is what makes web SSO work
• Mobile apps: App A, App B and App C each hold their own access token (access token 1, 2, 3) for API 1, API 2 and API 3, which can be different parties; there is no shared cookie jar between apps, so an authentication context is not shared by default
Client-side sharing of authentication context
• Client-side platforms allow applications within a domain to share a Key Chain
- Share an authentication context
- Only for apps published by the same developer key
Diagram: App A and App B each with its own key chain (KC A, KC B) vs App A and App B using a shared Key Chain
Cross domain mobile SSO
• Client-side redirections and callback
- Apps register a URL scheme to allow switching between apps
- Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app
step 1 (App B opens App A):
openURL AppA://something?callback=AppB://somethingelse
step 2 (App A opens App B):
openURL AppB://somethingelse?arg=that_thing_you_need
App-to-app redirection limitations, risks
• Un-verified URL schemes open the possibility of an “app-in-the-middle” attack
APPLE: “If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.”
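The hand-off described on the previous slide, as an added example that is not part of the original deck, written in Python as a platform-independent stand-in for the mobile code: the callback parameter is untrusted input, so App A compares it against a registry of callbacks it knows rather than opening whatever it was handed, and what it passes in step 2 is a short-lived, single-use code instead of its own session token. The scheme names, the registry, the code format and the 60 s TTL are assumptions.

```python
# App-to-app SSO hand-off over custom URL schemes (the openURL exchange above),
# with the callback treated as untrusted input. Scheme names, the registry,
# the one-time code format and the 60 s TTL are assumptions for this example.
import secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# App A's registry of partner apps it will extend its session to. A malicious
# app can still claim one of these schemes (see the Apple note), so what
# crosses the boundary is a short-lived, single-use code, never App A's own
# session or refresh token, and the receiving app must redeem it.
TRUSTED_CALLBACKS = {"appb": "appb://somethingelse", "appc": "appc://sso/return"}
HANDOFF_TTL = 60

class HandoffBroker:
    """Lives with App A (or its backend): issues one-time hand-off codes bound
    to a target app and lets each be redeemed exactly once."""
    def __init__(self):
        self._codes = {}   # code -> (target scheme, user, expiry)

    def handle_open_url(self, url, current_user, now=None):
        """Step 1: App B opened AppA://something?callback=AppB://somethingelse
        Returns the URL App A should openURL in step 2, or raises ValueError
        rather than redirecting anywhere it did not register."""
        now = now or time.time()
        req = urlparse(url)
        if req.scheme.lower() != "appa" or req.netloc.lower() != "something":
            raise ValueError("not an SSO request for this app")
        callbacks = parse_qs(req.query).get("callback", [])
        if len(callbacks) != 1:
            raise ValueError("exactly one callback parameter required")
        scheme = urlparse(callbacks[0]).scheme.lower()
        # Match the whole callback, not just its scheme: a registered scheme
        # with an attacker-chosen path or query is still an open redirect.
        if TRUSTED_CALLBACKS.get(scheme) != callbacks[0].lower():
            raise ValueError(f"callback {callbacks[0]!r} is not registered")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (scheme, current_user, now + HANDOFF_TTL)
        return f"{TRUSTED_CALLBACKS[scheme]}?{urlencode({'arg': code})}"

    def redeem(self, code, claimed_scheme, now=None):
        """Redemption by (or on behalf of) the receiving app: single use,
        time-limited, and only by the app the code was issued for."""
        now = now or time.time()
        entry = self._codes.pop(code, None)   # pop: a replay finds nothing
        if entry is None:
            return None
        target, user, expires_at = entry
        if now >= expires_at or target != claimed_scheme.lower():
            return None
        return user

def parse_callback(url):
    """Step 2, App B side: pull the hand-off code out of the URL it was opened with."""
    return parse_qs(urlparse(url).query).get("arg", [None])[0]
```

Per the Apple note, a registered scheme can still be claimed by another app, so the validation here limits where App A will redirect but cannot prove who receives the URL. That is why the value crossing the boundary is a one-time code with a short lifetime that must be redeemed, rather than the session itself: an app-in-the-middle that intercepts it gets one short window, not a durable credential.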
App wrapping
• Single sign-on across mobile apps normally requires the active participation of each app
- Wrapping an app can compensate for a 3rd party app’s lack of awareness
• Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context
- On the API side, federation still requires active participation, or the API calls themselves need to be redirected
Diagram: App A, App B and a wrapped 3rd party app sharing an Auth Context; how the 3rd party API joins the federation is left as an open question (?)
Cloud API consumption from mobile
• The enterprise does not actively participate
• Shared password is a security risk
Diagram: Kevin, James and Brent all post to the shared @corp account (“@corp: Promotion”, “@corp: Something Funny”, “@corp: RT Someone”) with the same password
Enterprise API brokering
Diagram: Kevin, James and Brent post through the enterprise broker to @corp (“@corp: Promotion”, “@corp: Something Funny”, “[@corp: RT Someone]”)
Enterprise API brokering
• Client-side redirected API call
- New app
- Localhost proxy (?)
- Wrapper
• API Brokering
- User authentication, lookup of delegation permission
- @corp account secret remains secret
Diagram: user@corp → Wrapper → API Brokering → @corp
Standard: OAuth
1. Handshake issues token to app -> grant types
2. App uses token to consume API -> resource server
Diagram: Client (App, Browser) and API Provider (Token endpoint, Authz endpoint); the App calls the Token endpoint with creds (or context), optionally after a web redirection of the Browser through the Authz endpoint, then makes the API call with the token
Social Login Pattern
• A service redirects the user to an OAuth authorization server
• User consents to the service getting basic user info from the social provider
• Service leverages this context to delegate authentication and avoid setting up a shared secret with the user
Diagram: Social provider consent screen “Do you authorize [service] to access your basic information? [_] Yes [_] No”; Service (Web, API/App, …): In: access token, Out: user info
Standard: OpenID Connect
• The use of OAuth to delegate authentication (social login) is formalized by OpenID Connect
- JSON-based identity claims, use of JWT (ID Token)
- Defines scopes, UserInfo API
• OpenID Connect lets an IdP provide federated authentication in a way that is ‘lightweight’ for the relying party
- No SAML
- No XML
- No XML dsig (the ID Token is signed as a JWS instead)
Standard: Federated access token grants
• App gets an access token in exchange for another token
- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]
- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]
• Lets apps leverage an authentication context without disturbing UX
Diagram: the App calls the API Provider’s Token endpoint including proof of authentication (the SAML assertion or JWT), gets back an access token, then calls the API with that token
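The Social Login / OpenID Connect slides and the federated grant above, as one added example that is not part of the original deck: a stdlib Python JWT helper used first by a relying party to validate an ID Token (signature, issuer, audience, expiry, nonce) and then by an enterprise token endpoint that implements the jwt-bearer grant. HS256 with a shared secret is used so the example runs without dependencies; production OpenID Providers sign with asymmetric keys published as JWKS, which changes only how the verification key is looked up. The issuer, client_id, token endpoint URL, secrets and claim values are assumptions.

```python
# OpenID Connect ID Token checks at the relying party, and the OAuth JWT-bearer
# grant (RFC 7523) at an enterprise token endpoint, over one minimal JWT helper.
# HS256 keeps this stdlib-only; real IdPs use RS256/ES256 keys published as JWKS.
# Issuer, client ID, endpoint URL and secrets are assumed for the demo.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
IDP_ISSUER = "https://idp.example.org"                  # assumed OpenID Provider
CLIENT_ID = "mobile-app-123"                            # assumed RP client_id
TOKEN_ENDPOINT = "https://api.example.com/oauth/token"  # assumed enterprise AS

def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims, key):
    """Mint a compact JWS (what the IdP does). Used here only to build input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, key, issuer, audience, now=None):
    """Signature first, then the claims every consumer must check: iss, aud
    (string or list), exp and nbf. Raises ValueError on any failure."""
    now = now or int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    # Pin the algorithm we expect; never let the token pick it ("alg":"none").
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    if now >= int(claims.get("exp", 0)) or now < int(claims.get("nbf", 0)):
        raise ValueError("outside validity window")
    return claims

def validate_id_token(id_token, client_secret, expected_nonce, now=None):
    """Social login / OpenID Connect, relying-party side: generic JWT checks
    plus sub and the nonce that ties this ID Token to the login we started."""
    claims = verify_jwt(id_token, client_secret, IDP_ISSUER, CLIENT_ID, now)
    if not claims.get("sub") or claims.get("nonce") != expected_nonce:
        raise ValueError("ID token is not for this login")
    return claims["sub"]

class TokenEndpoint:
    """grant_type=jwt-bearer: exchange a trusted issuer's assertion for an
    access token, so the app reuses its authentication context silently."""
    def __init__(self, trusted_issuers):
        self.keys = trusted_issuers   # issuer -> verification key
        self.seen_jti = set()         # assertions already exchanged
        self.issued = {}              # access token -> (sub, scope, exp)

    def handle(self, form_body, now=None):
        now = now or int(time.time())
        form = {k: v[0] for k, v in parse_qs(form_body).items()}
        if form.get("grant_type") != JWT_BEARER:
            return {"error": "unsupported_grant_type"}
        try:
            assertion = form["assertion"]
            # Unverified peek at iss only to pick the key; trusted after verify.
            iss = json.loads(_unb64url(assertion.split(".")[1]))["iss"]
            # RFC 7523: aud MUST identify this authorization server.
            claims = verify_jwt(assertion, self.keys[iss], iss, TOKEN_ENDPOINT, now)
            # jti is optional in RFC 7523; this endpoint requires it so that
            # every assertion can be exchanged exactly once.
            sub, jti = claims["sub"], claims["jti"]
            if jti in self.seen_jti:
                raise ValueError("assertion replayed")
        except (KeyError, IndexError, ValueError):
            return {"error": "invalid_grant"}
        self.seen_jti.add(jti)
        token = secrets.token_urlsafe(24)
        self.issued[token] = (sub, form.get("scope", ""), now + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def demo():
    """ID Token from the social/OpenID login, then a jwt-bearer exchange, a
    replay of the same assertion, and the ID Token misused as an assertion."""
    secret, now, nonce = b"shared-secret-for-demo", 1_700_000_000, "n-0S6_WzA2Mj"
    id_token = sign_jwt({"iss": IDP_ISSUER, "sub": "alice", "aud": CLIENT_ID,
                         "iat": now, "exp": now + 300, "nonce": nonce}, secret)
    sub = validate_id_token(id_token, secret, nonce, now)
    ep = TokenEndpoint({IDP_ISSUER: secret})
    assertion = sign_jwt({"iss": IDP_ISSUER, "sub": sub, "aud": TOKEN_ENDPOINT,
                          "iat": now, "exp": now + 60, "jti": "a1"}, secret)
    body = urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": "read"})
    first, replay = ep.handle(body, now), ep.handle(body, now)
    wrong_aud = ep.handle(urlencode({"grant_type": JWT_BEARER, "assertion": id_token}), now)
    return sub, first.get("token_type"), replay.get("error"), wrong_aud.get("error")
```

Note the last value demo() returns: the ID Token cannot be handed to the token endpoint as a bearer assertion, because its audience is the client, not the authorization server. RFC 7523 requires the assertion's aud to identify the authorization server, which is exactly what stops a token issued for one party from being laundered into an access token at another; the ‘lightweight’ relying party still has to make that audience check, and the nonce check, itself.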
Layer 7 Mobile Access Gateway
Mobile API Delivery
• Secure Mobile Endpoint
• Manage permissions across users, devices, apps
• Integration, Scaling
Access Control, UX
• Mobile PKI Provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
Increased Developer Velocity
• Mobile SDK for iOS and Android
• Configure, not code
• Form factors, deployment options
Identity and Multi-channel security are Critical Capabilities
Key Enablers of the Open Enterprise
Diagram: Identity and Multi-channel Engagement at the centre, surrounded by Cloud Services, Partners/Divisions, Developer Community, Mobile Apps, IoT / Big Data, Social Registration
Secure the Mobile, Cloud-Connected Enterprise
Identity is the New Perimeter
Diagram: against Internal / External Threats, users (Employees, Contractors, Partners, Administrators) reach SaaS, Cloud Apps/Platforms, Enterprise Apps, Apps/Platforms & Web Services and On Premise systems through Identity capabilities: Access Governance, Secure Single Sign-on, On/Off-Boarding, User Self Service, Data Discovery & Classification, Enterprise Mobility
The New Business Services
APIs Drive the Modern Business
Diagram: Mobile Apps, Browser Web, Smart Devices, Cloud Services, Developer Access, Business Partners and Business Divisions all reach the business through an API
The Rise of The “New Federation”
Enable Access to Secure New Business Services
APIs Drive the Modern Business
Diagram: the same channels (Mobile Apps, Browser Web, Smart Devices, Cloud Services, Developer Access, Business Partners, Business Divisions) behind an API layer that provides Single Centralized Security Policy, Single Sign-on, Accelerate Data Access, Social Registration, Identity Federation, Optimize Traffic, Protect Data, Advanced Authentication and Identity / Device Management
Federation Evolved
CA CloudMinder & Layer 7
Modern Federation Across Channels
The “New Federation” is here:
• Standards-based
• Enables Cloud, Mobile & Social
• Protects the Web & API
Q&A