Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Transcript of Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Francois Lascelles, Chief Architect, Layer 7 Technologies
Ehud Amiri, Director, Product Management, CA
Webinar Housekeeping
• Questions - Chat any questions you have and we’ll answer them at the end of this webinar
• Twitter - Today’s event hashtag: #L7webinar
• Follow us on Twitter: @layer7 @forrester
Layer 7 Confidential 2
CA/L7 Webinars
• Following previous webinar “Unifying Security Across Web, APIs and Mobile”: http://api.co/unifySEC
• Today we will introduce the “Federation Evolved”
Survival Of The Fittest
“It is not the strongest of species that survives, not the most intelligent that survives. It is the one that is most adaptable to change”
Charles Darwin
Macro Trends Impacting the “New Federation”
Diagram labels: Cloud Services, Partners/Divisions, Mobile Apps, Developer Community, IoT / Big Data, Social Registration
• 1.43B social network users by 2012¹
• 305B mobile app downloads by 2016²
• 79% of organizations are using SaaS³
• 50B connected devices by 2020⁴
• 35ZB of data by 2020⁵
SAML 2.0 - Published in 2007. Key Use Case: Browser Single Sign-on
Flow between the Application (Relying Party) and the Identity Provider:
1. Request resource
2. IDP Discovery
3. Redirect to IDP with <AuthnRequest>
4. Login flow
5. Redirect back with <Response>
6. Return resource
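The six-step browser SSO flow on this slide, carried through in code as an added example (not part of the original deck, and not CA or Layer 7 product code). It builds the <AuthnRequest> of step 3, the <Response> the IdP redirects back with in step 5, and the checks a relying party must make on that Response before it returns the resource in step 6: InResponseTo matches a request the SP actually issued, Destination is the SP's own ACS URL, the issuer is the expected IdP, the status is Success, the assertion is inside its validity window and is addressed to this SP. The entity IDs and endpoint URLs are constructed, and the XML signature and encryption that a real IdP applies are omitted (a production SP verifies the IdP's signature before reading any of these fields).

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical entity IDs and endpoints (constructed for this example)
SP_ENTITY_ID = "https://app.example.com/sp"
ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/idp"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(dt):
    """SAML timestamps are UTC; this fixed format also compares correctly as strings."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _now(now):
    return now or datetime.now(timezone.utc)

def make_authn_request(sp_entity_id, acs_url, now=None):
    """Step 3: the SP builds the <AuthnRequest> it redirects the browser with.
    Returns (request_id, xml); the SP keeps request_id to match the Response."""
    request_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _ts(_now(now)),
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(root, encoding="unicode")

def make_response(authn_request_xml, subject, now=None, lifetime=timedelta(minutes=5)):
    """Step 5: after the login flow (step 4) the IdP redirects back with a
    <Response> carrying an assertion about the authenticated subject."""
    now = _now(now)
    req = ET.fromstring(authn_request_xml)
    root = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now),
        "InResponseTo": req.get("ID"),                      # ties it to the request
        "Destination": req.get("AssertionConsumerServiceURL")})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(root, f"{{{SAML}}}Assertion", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now), "NotOnOrAfter": _ts(now + lifetime)})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = req.find(f"{{{SAML}}}Issuer").text
    return ET.tostring(root, encoding="unicode")

def validate_response(response_xml, expected_request_id, now=None):
    """Before step 6 (return resource) the SP checks the Response it received
    on its ACS URL. Returns the NameID, or raises ValueError."""
    now = _ts(_now(now))
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an AuthnRequest we issued")
    if resp.get("Destination") != ACS_URL:
        raise ValueError("Response was not addressed to our ACS URL")
    if resp.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("Response issued by an unknown IdP")
    if resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    a = resp.find(f"{{{SAML}}}Assertion")
    cond = a.find(f"{{{SAML}}}Conditions")
    if not (cond.get("NotBefore") <= now < cond.get("NotOnOrAfter")):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("Assertion not intended for this SP")
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def response_is_valid(response_xml, expected_request_id, now=None):
    """Boolean form of validate_response, for callers that only need accept/reject."""
    try:
        validate_response(response_xml, expected_request_id, now)
        return True
    except ValueError:
        return False

def sso_round_trip(subject="alice@example.com"):
    """Steps 3, 5 and 6 end to end; returns the NameID the SP would trust."""
    req_id, req_xml = make_authn_request(SP_ENTITY_ID, ACS_URL)
    return validate_response(make_response(req_xml, subject), req_id)
```

The InResponseTo check is what ties a Response to a request this SP started; an unsolicited Response that passes every other check is still rejected, which is the behaviour an SP wants when Responses arrive over a browser redirect it does not control.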
Single Sign-On for SaaS Applications: SAML 2.0 “Fountain of Youth”
Diagram: one Identity Provider federating with several SaaS Applications
Major success in SaaS enterprise applications
Customer story – large global financial organization
• 2007 obtained SiteMinder Federation for 5 partnerships
• 2012 using about 100 partnerships, many of them are enterprise SaaS applications
• 2013 planning 500-1000 for partner ecosystem
CA Federation Partner Program
• CA Federation Partner program
- Tested and templatized standards-based SSO between CA’s Federation and top cloud business applications
• Some of the validated SaaS Applications
CA CloudMinder™ 1.1 - suite of IAM cloud services
Identity and access management capabilities delivered as a service
• Identity Management
- User management
- Access request
- Provisioning & de-provisioning
- Identity synchronization
• Federated SSO
- Standards-based federation (SAML, WS-Fed, OAuth, …)
- Employee/Partner SSO
- Social Sign-on
- Just-in-time provisioning
• Strong Authentication
- Software Tokens, QnA, OATH, certificates
- Risk analysis & adaptive authentication
- Device identification
- Fraud prevention
Mobile access control - secure what?
… the data source
• Mobile browser -> Web
• Any other app -> APIs
Reconciling Mobile UX and Security: Single Sign-On
• Single sign-on on mobile devices is essential to mitigating mobile UX disruptors
Diagram: “Identify yourself” / “Show me my data”
Mobile app isolation
• Mobile web: one user-agent, with a separate cookie per domain
- Webapp 1 (cookie domain A), Webapp 2 (cookie domain B), Webapp 3 (can be different parties)
• Mobile apps: one access token per app
- App A -> Access token 1 -> API 1 (domain A)
- App B -> Access token 2 -> API 2
- App C -> Access token 3 -> API 3 (can be different parties)
Client-side sharing of authentication context
• Client side platforms allow applications within a domain to share a Key Chain
- Share an authentication context
- Only for apps published by the same developer key
Diagram: App A and App B with separate key chains (KC A, KC B) vs. App A and App B with a Shared Key Chain
Cross domain mobile SSO
• Client side redirections and callback
- App registers a URL scheme to allow switching between apps
- Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app
Step 1: App B -> App A: openURL AppA://something?callback=AppB://somethingelse
Step 2: App A -> App B: openURL AppB://somethingelse?arg=that_thing_you_need
App-to-app redirection limitations, risks
• Un-verified URL schemes open the possibility of an “app-in-the-middle” attack
APPLE: “If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.”
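The step 1 / step 2 exchange from the previous slide, written from App A's side with the verification the “un-verified URL schemes” bullet asks for, as an added example (not code from the deck or from any Layer 7 SDK). App A only honours a callback whose scheme is on an allow-list of apps it trusts (the same-developer-key set of the key chain slide), refuses callbacks that loop back to itself or smuggle their own query string, and only then hands the context token over. The scheme names `appa`/`appb` and the allow-list are constructed; a real app would take them from its registration data.

```python
from urllib.parse import urlsplit, parse_qs, urlunsplit, urlencode

# Constructed allow-list: only apps we published may receive an
# authentication context through a callback URL.
TRUSTED_SCHEMES = {"appa", "appb"}

def parse_sso_request(url, our_scheme="appa"):
    """Step 1, as seen by App A: openURL AppA://something?callback=AppB://...
    Returns the validated callback URL or raises ValueError.
    Scheme comparison is case-insensitive, as the mobile platforms treat it."""
    parts = urlsplit(url)                      # urlsplit lowercases the scheme
    if parts.scheme != our_scheme:
        raise ValueError("request not addressed to this app's URL scheme")
    callbacks = parse_qs(parts.query, keep_blank_values=True).get("callback", [])
    if len(callbacks) != 1:
        raise ValueError("exactly one callback parameter is required")
    cb = urlsplit(callbacks[0])
    if cb.scheme not in TRUSTED_SCHEMES:
        raise ValueError(f"callback scheme {cb.scheme!r} is not a trusted app")
    if cb.scheme == our_scheme:
        raise ValueError("callback loops back to this app")
    if cb.query or cb.fragment:
        raise ValueError("callback must not carry its own parameters")
    return callbacks[0]

def build_callback(callback_url, context_token):
    """Step 2: App A opens the callback with the context as the 'arg' value,
    i.e. the slide's openURL AppB://somethingelse?arg=that_thing_you_need."""
    cb = urlsplit(callback_url)
    return urlunsplit((cb.scheme, cb.netloc, cb.path,
                       urlencode({"arg": context_token}), ""))

def handle_sso_request(url, context_token):
    """App A's handling of an incoming request: the URL to open for step 2,
    or None when the request is rejected (nothing is handed to an unknown app)."""
    try:
        callback = parse_sso_request(url)
    except ValueError:
        return None
    return build_callback(callback, context_token)
```

Checking the callback scheme is necessary but does not remove the ambiguity in the Apple quote: the platform, not App A, decides which installed app actually receives `appb://`. What App A can still control is what it passes, so a token sent this way should be short-lived and scoped to the one API the receiving app needs rather than the full authentication context.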
App wrapping
• Single sign-on across mobile apps normally requires the active participation of each app
- Wrapping an app can compensate for a 3rd party app’s lack of awareness
• Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context
- On the API side, federation still requires active participation, or the API calls themselves need to be redirected
Diagram: App A, App B and a wrapped 3rd-party app sharing an Auth Context; whether the 3rd-party API can take part is marked “?”
Cloud API consumption from mobile
• The enterprise does not actively participate
• Shared password is a security risk
Diagram: Kevin, James and Brent each post to the shared @corp social account (“@corp: Promotion”, “@corp: Something Funny”, “@corp: RT Someone”) using the same account password
Enterprise API brokering
Diagram: the same posts by Kevin, James and Brent now go through the enterprise, which holds the @corp account
• Client-side redirected API call
- New app
- Localhost proxy (?)
- Wrapper
• API Brokering (user@corp -> broker -> @corp)
- User authentication, lookup delegation permission
- @corp account secret remains secret
Standard: OAuth
1. Handshake issues token to app -> grant types
2. App uses token to consume API -> resource server
Diagram: Client (App, Browser) and API Provider (Token endpoint, Authz endpoint)
- App -> Token endpoint: API call with creds (or context)
- Browser -> Authz endpoint: Web redirection (optional)
Social Login Pattern
• A service redirects user to an OAuth authorization server
• User consents service to get basic user info from social provider
• Service leverages this context to delegate authentication and avoid setting up a shared secret with user
Diagram: Service (Web, Api/App, …) <-> Social provider. Consent prompt: “Do you authorize [service] to access your basic information? [_] Yes [_] No”. In: access token; Out: user info
Standard: OpenID Connect
• The use of OAuth to delegate authentication (social login) is formalized by OpenID Connect
- JSON based identity claims, use of JWT (ID Token)
- Define scopes, user info api
• OpenID connect lets an IdP provide federated authentication in a way that is ‘lightweight’ for the relying party
- No SAML
- No XML
- No dsig
Standard: Federated access token grants
• App gets an access token in exchange for another token
- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]
- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]
• Let apps leverage authentication context without disturbing UX
Diagram: App -> Token endpoint: API call incl. proof of authentication; Token endpoint -> App: get back access token
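One added example for the last three slides (the OAuth token endpoint, the OpenID Connect ID Token, and the JWT bearer grant); it is not code from the deck or from CA/Layer 7. It shows the relying-party checks on an ID Token that the “lightweight, no dsig” bullet glosses over (signature, pinned `alg`, `iss`, `aud`, `exp`, `nonce`) and a token endpoint that accepts `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, verifies the assertion against a known issuer and its audience, and answers with an access token without any user interaction. HS256 with a constructed shared secret is used so the block runs on the standard library alone; a real IdP signs with an asymmetric key and the RP verifies with the IdP's public key. The issuer, client id and token endpoint URL are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://api.example.com/oauth/token"                 # hypothetical
TRUSTED_ISSUERS = {"https://idp.example.org": b"idp-shared-secret"}    # constructed

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(claims: dict, key: bytes) -> str:
    """Compact JWS, HS256: base64url(header).base64url(claims).base64url(mac)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def jws_verify(token: str, key: bytes) -> dict:
    """Returns the claims only after the MAC checks out. The algorithm is pinned
    on our side; a token is never allowed to pick its own (e.g. 'none')."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))

def validate_id_token(token, key, issuer, client_id, nonce, now=None):
    """OpenID Connect RP checks on the ID Token; returns the subject."""
    now = now or int(time.time())
    c = jws_verify(token, key)
    if c.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = c.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token not meant for this client")
    if not isinstance(c.get("exp"), int) or c["exp"] <= now:
        raise ValueError("ID token expired")
    if c.get("nonce") != nonce:          # the nonce we put in the authorization request
        raise ValueError("nonce mismatch")
    return c["sub"]

def id_token_is_valid(*args, **kwargs) -> bool:
    try:
        validate_id_token(*args, **kwargs)
        return True
    except (ValueError, KeyError):
        return False

def token_endpoint(form: dict, now=None) -> dict:
    """JWT bearer grant: the app posts an assertion and gets an access token back.
    Returns an OAuth-style token response or {'error': ...}."""
    now = now or int(time.time())
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    assertion = form.get("assertion", "")
    try:
        # Peek at iss only to pick the key; nothing is trusted until verified.
        iss = json.loads(b64url_decode(assertion.split(".")[1])).get("iss")
        c = jws_verify(assertion, TRUSTED_ISSUERS[iss])
    except (IndexError, ValueError, KeyError, AttributeError):
        return {"error": "invalid_grant"}
    if c.get("aud") != TOKEN_ENDPOINT or not isinstance(c.get("exp"), int) or c["exp"] <= now:
        return {"error": "invalid_grant"}   # not for this server, or expired
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "expires_in": 3600, "scope": form.get("scope", ""), "sub": c.get("sub")}
```

The audience check is what keeps an ID Token issued to one client, or an assertion meant for another token endpoint, from being replayed here; with bearer grants that check and the expiry are the only things standing between “has a token” and “gets an access token”.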
Layer 7 Mobile Access Gateway
• Mobile API Delivery
- Secure Mobile Endpoint
- Manage permissions across users, devices, apps
- Integration, Scaling
• Access Control, UX
- Mobile PKI Provisioning
- Mobile app-to-app SSO
- Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
• Increased Developer Velocity
- Mobile SDK for iOS and Android
- Configure, not code
- Form factors, deployment options
Identity and Multi-channel Security are Critical Capabilities: Key Enablers of the Open Enterprise
Diagram: Identity and Multi-channel Engagement at the center; around them Cloud Services, Partners/Divisions, Mobile Apps, Developer Community, IoT / Big Data, Social Registration
Secure the Mobile, Cloud-Connected Enterprise: Identity is the New Perimeter
Diagram labels: Internal / External Threats; SaaS, Contractors, Partners, Employees, Administrators; Cloud Apps/Platforms, Enterprise Apps, On Premise, Apps/Platforms & Web Services; Access Governance, Secure Single Sign-on, On/Off-Boarding, User Self Service, Data Discovery & Classification, Enterprise Mobility, Identity
The New Business Services: APIs Drive the Modern Business
Diagram: the API connects Mobile Apps, Browser/Web, Smart Devices, Cloud Services, Developer Access, Business Partners and Business Divisions
The Rise of The “New Federation”: Enable Access to Secure New Business Services
APIs Drive the Modern Business
Diagram: the same channels (Mobile Apps, Browser/Web, Smart Devices, Cloud Services, Developer Access, Business Partners, Business Divisions) fronted by a Centralized Security Policy providing Single Sign-on, Social Registration, Identity, Federation, Advanced Authentication, Identity / Device Management, Accelerate Data Access, Optimize Traffic, Protect, Protect Data
Federation Evolved
CA CloudMinder & Layer 7: Modern Federation Across Channels
The “New Federation” is here:
• Standard based
• Enables Cloud, Mobile & Social
• Protect the Web & API