Managing Identities in the World of APIs

Security architects from Thomson Reuters, SVB, and Apigee discuss Managing Identities in the World of APIs at I Love APIs 2015.

Published in: Software

Slide transcript
Slide 1: Managing Identities in the World of APIs
Ian Cooper, Technology Architect, Thomson Reuters
Jason Kobus, Director, API Banking, SVB
Subra Kumaraswamy, Apigee

Slide 2: Agenda
  1. API Identity Architecture (Subra Kumaraswamy)
  2. Case Study – Thomson Reuters (Ian Cooper)
  3. Case Study – Silicon Valley Bank (Jason Kobus)
©2015 Apigee. All Rights Reserved.

Slide 3: Identity for end-to-end security (diagram)
Actors along the chain: App Developer, User, App, API, App Backend, API Developer, IT Manager, Business User, backed by Authentication, Authorization, Auditing (AAA) Services and Enterprise Identity Stores. Controls labelled in the diagram, in the order they appear:
  • OpenID Connect • Social Login • 2FA • X.509 Cert
  • App Identity • OAuth • TLS
  • Identity • SSO • RBAC • API Key
  • Threat Protection • Credential Mediation • Secure Token Storage • SAML/OAuth
  • Identity • SSO • RBAC • SAML • Audit

Slide 4: SAML or OAuth?

Slide 5: Trading Identity for Authorization
Ian Cooper, Technology Architect, Thomson Reuters

Slide 6: Our Problem
  • Heavily invested in SAML; it works well for SSO and is the corporate standard
  • Push towards a microservices-based architecture for our internal systems
  • Want standards-based interactions between client applications and backend services
  • Need to be able to identify users at the microservice level to perform fine-grained authorization

Slide 7: Why SAML in the Enterprise
  • Single Sign-On has been important to enterprises for some time
  • Enterprise-targeted identity solutions support SAML
  • Standards-based SSO can dramatically improve enterprise security over custom solutions
  • Many enterprises have a lot invested in SAML solutions and integrations

Slide 8: Can SAML and OAuth Play Nice?
  • SAML can assert identity and more; OAuth allows authorization of API resources
  • The OAuth 2.0 SAML Bearer profile allows a SAML assertion to be exchanged for an OAuth 2.0 token for authentication and/or authorization
  • Recently ratified by the IETF: https://tools.ietf.org/html/rfc7522
  • Has certain advantages over vanilla 3-legged OAuth flows because authorization is implicit; there is no need to ask the user to authorize access, which is great when composing lots of APIs together, as often happens in the enterprise

Slide 9: Can SAML and OAuth Play Nice? (continued)
  • It is not possible to swap the SAML assertion from the login flow with the authorization server: SAML assertions have an audience which must be honored
  • After login, the application must get or generate a new SAML assertion that can be exchanged for an OAuth access token
  • Generating a SAML assertion in the client application may be acceptable sometimes; generally, go to a Security Token Service (STS) to get the assertion. The STS could be the original IdP.

Slide 10: Architecture

Slide 11: In Practice
  1. User logs into application
  2. Application requests a SAML assertion from the STS
  3. SAML assertion exchanged for OAuth access token
  4. OAuth access token used for resource requests
Sequence diagram: Client App, IdP, STS, Auth Server, Resource Server. Messages: (1) Login, (2) Request SAML Assertion, (3) Exchange SAML Assertion for OAuth access token, (4) Get Resource with OAuth 2.0 Bearer Token; a "Trust" link is drawn between the participants.

Slide 12: Implementation
Same sequence diagram as slide 11.

Slide 13: Is SAML/OAuth the only way?
  • Other similar options exist
  • OAuth 2.0 JWT Bearer (RFC 7523) is very similar to the OAuth 2.0 SAML Bearer flow; it uses a JWT instead of a SAML assertion
  • OpenID Connect: an AuthN solution built on OAuth
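The assertion exchange of slides 8, 9 and 11, as an added Python example that is not part of the presentation: the client wraps the STS-issued assertion in an RFC 7522 token request, and the authorization server applies the checks slide 9 calls out (trusted issuer, audience honored, bearer confirmation addressed to this endpoint, not expired) before minting an access token. The endpoint URLs, issuer names and assertion XML are constructed for the example, and XML signature verification, which a real server must perform against the STS key, is out of scope here.

```python
import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"  # constructed: the authorization server's token endpoint
TRUSTED_ISSUERS = {"https://sts.example.com"}           # constructed: the STS that issues bearer assertions
SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}

def make_assertion(subject, audience, recipient, not_after, issuer="https://sts.example.com"):
    """Constructed, unsigned SAML 2.0 assertion; a real STS signs it (signature checks are omitted here)."""
    return f"""<Assertion xmlns="{NS['s']}" Version="2.0"><Issuer>{issuer}</Issuer>
<Subject><NameID>{subject}</NameID><SubjectConfirmation Method="{BEARER_CM}">
<SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_after}"/></SubjectConfirmation></Subject>
<Conditions NotOnOrAfter="{not_after}"><AudienceRestriction><Audience>{audience}</Audience>
</AudienceRestriction></Conditions></Assertion>""".encode()

def build_token_request(assertion_xml: bytes) -> str:
    """Step 3, client side: the RFC 7522 token request body (assertion base64url-encoded, padding stripped)."""
    b64 = base64.urlsafe_b64encode(assertion_xml).decode().rstrip("=")
    return urlencode({"grant_type": SAML_BEARER, "assertion": b64})

def exchange(body: str, now=None) -> dict:
    """Step 3, server side: the RFC 7522 section 3 checks, then an OAuth 2.0 access token response."""
    now = now or dt.datetime.now(dt.timezone.utc)
    form = parse_qs(body)
    if form.get("grant_type") != [SAML_BEARER]:
        return {"error": "unsupported_grant_type"}
    b64 = form["assertion"][0]
    root = ET.fromstring(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    # A real server verifies the XML signature against the STS key before trusting any field below.
    if root.findtext("s:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return {"error": "invalid_grant", "error_description": "untrusted issuer"}
    audiences = [a.text for a in root.findall(".//s:AudienceRestriction/s:Audience", NS)]
    if TOKEN_ENDPOINT not in audiences:  # slide 9: the audience must be honored, so a login-flow assertion fails here
        return {"error": "invalid_grant", "error_description": "audience is not this authorization server"}
    sc = root.find(".//s:SubjectConfirmation", NS)
    scd = sc.find("s:SubjectConfirmationData", NS) if sc is not None else None
    if scd is None or sc.get("Method") != BEARER_CM or scd.get("Recipient") != TOKEN_ENDPOINT:
        return {"error": "invalid_grant", "error_description": "not a bearer assertion addressed to this endpoint"}
    cond = root.find("s:Conditions", NS)
    expiries = [cond.get("NotOnOrAfter") if cond is not None else None, scd.get("NotOnOrAfter")]
    if not all(expiries) or any(dt.datetime.fromisoformat(e.replace("Z", "+00:00")) <= now for e in expiries):
        return {"error": "invalid_grant", "error_description": "assertion expired"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600,
            "sub": root.findtext(".//s:NameID", namespaces=NS)}
```

The same audience and recipient checks are what make the JWT Bearer variant of slide 13 (RFC 7523) safe to accept at the token endpoint.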
Slide 14: Partner Integration – Does Identity play a major role?

Slide 15: Identity and Pushing the API Partner Perimeter
Jason Kobus, Director, API Banking
The opinions expressed in this presentation are my own, and don't necessarily represent Silicon Valley Bank's positions, strategies, or opinions.

Slide 16: Bank - Fintech Integration current state (diagram)

Slide 17: Using APIs to Deepen Partner Integration
Considerations:
  1. OAuth tokens exchanged for user credentials reduces risk
  2. OAuth grants tied to business purpose & respecting privacy
  3. Higher risk → stronger authentication
  4. Banks as a trusted identity store (~high fidelity IdP)
  5. APIs > Integration arbitrage
     – Harness fintech innovation
     – Partners get more!
     – Bi-directional API treaties
     – Triangulate on mutual clients

Slide 18: Q&A
