Ma#  Cochran  Architect,  GE  Corporate  mdc@ge.com    

Prac%cal  deployments  Enterprise  cloud  access  management  pla;orm    

Disclaimer  

The  views  and  opinions  expressed  in  this  presentaAon  are  my  own  and  do  not  necessarily  represent  the  views  or  opinions  of  the  General  Electric  Company  or  any  of  its  subsidiaries.  

A changing IT landscape

Close 32 datacenters & migrate 8000+ apps to cloud

Enterprise WAM capability needs to grow with use cases

App

s

Legacy WAM

Partners Customers

Self service

Improve services around B2B & B2C

Mobile, SaaS & 3rd party use cases on the rise

Focus on self service & enabling automation

Client  

Cloud  Mobile  SaaS  

API dev

Risk  pla9orm  

Legacy  AM  

Biz  AuthZ  data  

Extended  user  data  

Biz  APIs  

Corp  APIs  

Admin

App dev

Developers

Enterprise WAM – Legacy model End User

Firewall  

Internal  app  

SM  agent  

ü  Application logic ü  Consuming headers ü  Bolt on security at end

ü  Agent support ü  Biz specific policy

ü  Network dependent ü  Stateful

Support teams

Operations

Data owners

Platform teams

Federa%on   Trusted  ID  Ex   API  GW  

Client  

Cloud  Mobile  SaaS  

API dev

Risk  pla9orm  

Legacy  AM  

Biz  AuthZ  data  

Extended  user  data  

Biz  APIs  

Corp  APIs  

Admin

App dev

Developers

Strategy – Cloud Access Management End User

Standards based AM platform

Network independent stateless

Cross platform

Federation: OpenID Connect Authentication Trusted ID Ex: Attributes for Authorization

API Gateway: access to protected resources

Platform components

Support teams

Operations

Data owners

Platform teams

Federa%on   Trusted  ID  Ex   API  GW  

Client  

Cloud  Mobile  SaaS  

API dev

Request  portal  

Risk  pla9orm  

Legacy  AM  

Biz  AuthZ  data  

Extended  user  data  

Biz  APIs  

Corp  APIs  

Admin

App dev

Developers

Strategy  –  Cloud  Access  Management End User

Self  service  API  

Standards based AM platform

Self service portal Request portal: Self service workflows & documentation Self service API: Secured admin APIs for self service regi.

Developer tools

Support teams

Operations

Data owners

Platform teams

Federa%on   Trusted  ID  Ex   API  GW  

Client  

Cloud  Mobile  SaaS  

API dev

Cloud  AM  portal  

Risk  pla9orm  

Legacy  AM  

Biz  AuthZ  data  

Extended  user  data  

Biz  APIs  

Corp  APIs  

Admin

App dev

Developers

Strategy  –  Cloud  Access  Management End User

Self  service  API  

Standards based AM platform

Self service portal

Transition responsibility

App  

BYO  auth  solu%on  

Corporate owns platform Business owns auth approach & strategy

Apps own implementation

Responsibility

Support teams

Operations

Data owners

Platform teams

Federa%on   Trusted  ID  Ex   API  GW  

BYO  auth  solu%on  

Client  

App  

API dev

Cloud  AM  portal  

Risk  pla9orm  

Legacy  AM  

Biz  AuthZ  data  

Extended  user  data  

Biz  APIs  

Corp  APIs  

Admin

App dev

OpenID Connect

REST / SCIM Developers

ü  Seamless ü  It just works

ü  Self service ü  Standards based ü  Cross platform

ü  Improve platform ü  Focus on architecture ü  Refine solutions

Cloud AM: Cross platform design pattern End User

Self  service  API  

Request Client_id: mattsApp Client_secret: wut Scopes: openid, profile, api1

Response { “id_token” : “abc.def.geh”, “access_token” : “abc123”, “refresh_token” : “1234567” }

Support teams

Operations

Data owners

Platform teams

Federa%on   Trusted  ID  Ex   API  GW  

Client  

OpenID Connect

Cloud AM: Web applications

Web  Server  

Mod  auth  openidc  

App  server  

App  code  

App  

Deployment example •  mod auth openidc, written by Hans Zandbelt •  Open source apache plugin Features •  Fully implemented OpenID Connect OP •  Language agnostic (apache plugin) •  Easy setup – Chef •  Can write path specific attribute policy for AuthZ •  Can bind to virtual directory for biz specific attributes

Other solutions •  Mod_ox from Gluu •  Apache Oltu •  Spring Security •  Forgerock OpenIG •  PingAccess

Federa%on   Trusted  ID  Ex   API  GW  

Mobile  device  

Cloud AM: Mobile applications

Managed  app  1  (hybrid)  

Mobile  device  –  Corporate  container    

Deployment example Swift: https://github.com/p2/OAuth2 ObjC: https://github.com/nxtbgthng/OAuth2Client Hybrid: homegrown library Features •  Authenticate users via in-app OS browser using

custom URL schemes, eg. Myapp://redirect_url •  Browser used as “NAPPS Light” for cross

application SSO (apps reuse session stored in browser cookie)

•  Refresh tokens can be stored in keychain, unlocked with touchID or pin (depending on use case)

Other solutions •  NAPPS Authorization agents •  Auth0 •  CA API Management (Layer 7) SSO

Managed  app  2  (na%ve)  

Auth  lib   Auth  lib  

Safari  

SSO  session  

OpenID Connect

OAuth2 access token

AuthorizaAon  –  fine  grain,  risk  based  

Gen  2  API  Management  integraAon  

B2B:  IDP  as  a  service,  3rd  party  in  use  cases  (IDaaS)  

IdenAty  assurance  

Next steps

Appendix  

Cloud AM: Strategy

Push responsibility to business - App teams (not Corporate) own implementation & support

Provide repeatable design patterns, documentation & guidance

Create network independent, standards based, self service abstraction layer on top of legacy AM

Trus

ted

netw

ork

Exp

osed

mobile   Cloud   SaaS   3rd  Party  

Legacy  WAM  

Directories  

Federation: OpenID Connect Authentication

Platform Components Federa%on   Trusted  ID  Ex   API  GW  

Trusted ID Ex: Attributes for Authorization

API Gateway: access to protected resources