Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity


Transcript of Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity

Federation evolved: How cloud, mobile & APIs change the way we broker identity

Francois Lascelles, Chief Architect, Layer 7 Technologies

Ehud Amiri, Director, Product Management, CA

Webinar Housekeeping

Questions: Chat any questions you have and we’ll answer them at the end of this webinar

Twitter: Today’s event hashtag: #L7webinar

Follow us on Twitter: @layer7 @forrester

Layer 7 Confidential 2

CA/L7 Webinars

CA/L7 Webinars

Following previous webinar “Unifying Security Across Web, APIs and Mobile”: http://api.co/unifySEC

Today we will introduce the “Federation Evolved”


The Identity Standards


Survival Of The Fittest

“It is not the strongest of species that survives, not the most intelligent that survives. It is the one that is most adaptable to change”

Charles Darwin


Macro Trends Impacting the “New Federation”

Drivers: Cloud Services, Partners/Divisions, Mobile Apps, Developer Community, IoT / Big Data, Social Registration

• 1.43B social network users by 2012¹

• 305B mobile app downloads by 2016²

• 79% of organizations are using SaaS³

• 50B connected devices by 2020⁴

• 35ZB of data by 2020⁵


The History Of SAML: Security Assertion Markup Language


SAML 2.0 Published in 2007. Key Use Case: Browser Single Sign-on

(Diagram: Application (Relying Party) and Identity Provider, with the browser in between)

1. Request resource

2. IDP Discovery

3. Redirect to IDP with <AuthnRequest>

4. Login flow

5. Redirect back with <Response>

6. Return resource


Single Sign-On for SaaS Applications: SAML 2.0 “Fountain of Youth”

(Diagram: several SaaS Applications, each federated with the Identity Provider)

Major success in SaaS enterprise applications

Customer story – large global financial organization

• 2007: obtained SiteMinder Federation for 5 partnerships

• 2012: using about 100 partnerships, many of them enterprise SaaS applications

• 2013: planning 500-1000 for partner ecosystem


CA Federation Partner Program

• CA Federation Partner program

- Tested and templatized standards-based SSO between CA’s Federation and top cloud business applications

• Some of the validated SaaS Applications


CA CloudMinder™ 1.1: suite of IAM cloud services

Identity and access management capabilities delivered as a service

Identity Management

• User management

• Access request

• Provisioning & de-provisioning

• Identity synchronization

Federated SSO

• Standards-based federation (SAML, WS-Fed, OAuth, …)

• Employee/Partner SSO

• Social Sign-on

• Just-in-time provisioning

Strong Authentication

• Software Tokens, QnA, OATH, certificates

• Risk analysis & adaptive authentication

• Device identification

• Fraud prevention


Mobile First


Mobile access control - secure what?

… the data source

Mobile browser -> Web

Any other app -> APIs


Reconciling Mobile UX and Security: Single Sign-On

• Single sign-on on mobile devices is essential to mitigating mobile UX disruptors

(Diagram: “Identify yourself” vs. “Show me my data”)


Mobile app isolation

• Mobile web: one user-agent; Webapp 1, Webapp 2 and Webapp 3 (can be different parties) share an authentication context only within a cookie domain (cookie domain A, cookie domain B)

• Mobile apps: APP A, APP B and APP C (can be different parties) each hold their own access token (access token 1, 2, 3) for API 1, API 2 and API 3, even within the same domain (Domain A)

Client-side sharing of authentication context

• Client side platforms allow applications within a domain to share a Key Chain

- Share an authentication context

- Only for apps published by the same developer key

(Diagram: App A and App B each with its own Key Chain (KC A, KC B) vs. App A and App B using a Shared Key Chain)


Cross domain mobile SSO

• Client side redirections and callback

- App registers a URL scheme to allow switching between apps

- Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app

(Diagram: App A and App B)

step 1: openURL AppA://something?callback=AppB://somethingelse

step 2: openURL AppB://somethingelse?arg=that_thing_you_need

App-to-app redirection limitations, risks

• Un-verified URL schemes open the possibility of an “app-in-the-middle” attack

APPLE: “If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.”
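As an added example (not from the webinar or any CA/Layer 7 code), the following Python models the step 1 / step 2 openURL exchange from the previous slide together with the check App A should make before handing a token to a callback scheme, and a model of the duplicate-registration problem quoted from Apple above. The scheme names and the `arg` parameter follow the slide; the allowlist, registry and app identifiers are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the URL schemes App A will pass a token back to.
# A scheme name alone says nothing about who registered it (the
# "app-in-the-middle" risk), so the allowlist limits exposure but cannot
# tell two claimants of the same scheme apart; that is the platform's gap.
TRUSTED_CALLBACK_SCHEMES = {"appb"}


def register_scheme(registry, scheme, app_id):
    """Model the OS URL-scheme registry. Returns False on a duplicate claim,
    the situation in which the platform cannot say which app gets opened."""
    scheme = scheme.lower()
    if scheme in registry and registry[scheme] != app_id:
        return False
    registry[scheme] = app_id
    return True


def parse_open_url(url):
    """Split 'AppA://something?callback=AppB://somethingelse' into
    (scheme, host+path, query dict)."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.scheme.lower(), parts.netloc + parts.path, query


def handle_step1(url, token):
    """App A receives step 1. Returns (step-2 URL, reason); the URL is None
    when the callback must not receive the token."""
    scheme, _, query = parse_open_url(url)
    if scheme != "appa":
        return None, "not addressed to App A"
    callback = query.get("callback")
    if not callback:
        return None, "missing callback"
    cb = urlsplit(callback)
    if cb.scheme.lower() not in TRUSTED_CALLBACK_SCHEMES:
        return None, f"callback scheme '{cb.scheme}' is not allowlisted"
    # Step 2: open the callback with the token as the 'arg' parameter.
    sep = "&" if cb.query else "?"
    return f"{callback}{sep}arg={token}", "ok"
```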


App wrapping

• Single sign-on across mobile apps normally requires the active participation of each app

- Wrapping an app can compensate for a 3rd party app’s lack of awareness

• Adding a wrapper to an existing app re-signs the app and enables access to the shared authentication context

- On the API side, federation still requires active participation, or the API calls themselves need to be redirected

(Diagram: App A, App B and a wrapped 3rd party app sharing an Auth Context; whether the 3rd party API participates is marked “?”)

Cloud API consumption from mobile

• The enterprise does not actively participate

• Shared password is a security risk

(Diagram: Kevin, James and Brent all posting from the shared @corp account: “@corp: Promotion”, “@corp: Something Funny”, “@corp: RT Someone”)

Enterprise API brokering

(Diagram: Kevin, James and Brent each post through the enterprise broker: “@corp: Promotion”, “@corp: Something Funny”, “[@corp: RT Someone]”)

Enterprise API brokering

• Client-side redirected API call

- New app

- Localhost proxy (?)

- Wrapper

• API Brokering

- User authentication, lookup delegation permission

- @corp account secret remains secret

(Diagram: user@corp -> Wrapper -> API Brokering -> @corp)

Standard: OAuth

1. Handshake issues token to app -> grant types

2. App uses token to consume API -> resource server

(Diagram: Client (Browser, App) and API Provider (Authz endpoint, Token endpoint); Web Redirection (optional) from the Browser to the Authz endpoint; API Call with creds (or context) from the App to the Token endpoint)

Social Login Pattern

• A service redirects user to an OAuth authorization server

• User consents service to get basic user info from social provider

• Service leverages this context to delegate authentication and avoid setting up a shared secret with user

(Diagram: Service (Web, API/App, …) -> Social provider: “Do you authorize [service] to access your basic information? [_] Yes [_] No”; In: access token, Out: user info)

Standard: OpenID Connect

• The use of OAuth to delegate authentication (social login) is formalized by OpenID Connect

- JSON based identity claims, use of JWT (ID Token)

- Defines scopes, user info API

• OpenID Connect lets an IdP provide federated authentication in a way that is ‘lightweight’ for the relying party

- No SAML

- No XML

- No dsig

Standard: Federated access token grants

• App gets an access token in exchange for another token

- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]

- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]

• Let apps leverage authentication context without disturbing UX

(Diagram: Client App -> API Provider Token endpoint: API Call incl. proof of authentication; get back access token)
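As an added example (not from the webinar or any CA/Layer 7 code), the following Python models the JWT Bearer grant from the slide above, and the same signed-JSON claims format is what the OpenID Connect slide refers to as the ID Token: the client POSTs a JWT assertion as its proof of authentication, the API provider’s token endpoint verifies it and returns an access token. The HS256 shared key, issuer name and endpoint URL are constructed placeholders; a production deployment would use an asymmetric algorithm such as RS256 with the IdP’s public key.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # URN from the slide
TOKEN_ENDPOINT = "https://api.example.com/oauth/token"      # constructed
IDP_KEY = b"constructed-idp-shared-key"                     # constructed HS256 key


def b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """IdP side: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_jwt(token, key, audience, now):
    """Reject unexpected alg, bad signature, wrong audience, missing subject
    and expired assertions; any parse failure surfaces as ValueError."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("aud") != audience or "sub" not in claims:
        raise ValueError("wrong audience or missing sub")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


def token_request_body(assertion):
    """Client side: form body of the POST to the token endpoint."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def token_endpoint(body, now):
    """API provider side: validate the proof of authentication, issue a token."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = verify_jwt(form.get("assertion", ""), IDP_KEY, TOKEN_ENDPOINT, now)
    except ValueError as err:
        return {"error": "invalid_grant", "error_description": str(err)}
    # Constructed opaque token format; a real server would store or sign it.
    return {"access_token": f"at-{claims['sub']}-{int(now)}",
            "token_type": "Bearer", "expires_in": 300}
```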

Layer 7 Mobile Access Gateway: Mobile API Delivery

Access Control, UX

• Secure Mobile Endpoint

• Manage permissions across users, devices, apps

• Mobile PKI Provisioning

• Mobile app-to-app SSO

• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)

Increased Developer Velocity

• Integration, Scaling

• Mobile SDK for iOS and Android

• Configure, not code

• Form factors, deployment options

Identity and Multi-channel security are Critical Capabilities: Key Enablers of the Open Enterprise

(Diagram: Identity and Multi-channel Engagement at the center, surrounded by Cloud Services, Partners/Divisions, Mobile Apps, Developer Community, IoT / Big Data, Social Registration)

Secure the Mobile, Cloud-Connected Enterprise: Identity is the New Perimeter

(Diagram: Identity at the center, facing Internal / External Threats; actors and targets: SaaS, Contractors, Partners, Cloud Apps/Platforms, Employees, Administrators, On Premise Apps/Platforms & Web Services, Enterprise Apps, Enterprise Mobility; capabilities: Access Governance, Secure Single Sign-on, On/Off-Boarding, User Self Service, Data Discovery & Classification)

The New Business Services: APIs Drive the Modern Business

(Diagram: Mobile Apps, Browser, Web, Smart Devices, Cloud Services, Business Partners, Business Divisions and Developer Access connected through the API)

The Rise of The “New Federation”: Enable Access to Secure New Business Services

APIs Drive the Modern Business

(Diagram: Mobile Apps, Browser, Web, Smart Devices, Cloud Services, Business Partners, Business Divisions and Developer Access connected through the API; capabilities: Single Centralized Security Policy, Single Sign-on, Accelerate Data Access, Social Registration, Identity Federation, Optimize Traffic, Protect, Advanced Authentication, Identity / Device Management, Protect Data)

Federation Evolved

CA CloudMinder & Layer 7: Modern Federation Across Channels

The “New Federation” is here:

• Standard based

• Enables Cloud, Mobile & Social

• Protect the Web & API

Q&A