Managing Identities in the World of APIs
Speakers: Ian Cooper, Technology Architect, Thomson Reuters; Jason Kobus, Director, API Banking, SVB; Subra Kumaraswamy, Apigee
©2015 Apigee. All Rights Reserved.
Agenda
1. API Identity Architecture – Subra Kumaraswamy
2. Case Study – Thomson Reuters – Ian Cooper
3. Case Study – Silicon Valley Bank – Jason Kobus
Identity for end-to-end security
[Diagram: identity carried end to end across App Developer / User → App → API → App Backend, with API Developer, IT Manager and Business User as the stakeholders, backed by Authentication, Authorization, Auditing (AAA) Services and Enterprise Identity Stores. Labels on the diagram:]
• OpenID Connect, Social Login, 2FA, X.509 Cert
• App Identity, OAuth, TLS
• Identity, SSO, RBAC, API Key
• Threat Protection, Credential Mediation, Secure Token Storage
• SAML/OAuth
• Identity, SSO, RBAC, SAML, Audit
SAML or OAuth?
Trading Identity for Authorization
Ian Cooper, Technology Architect, Thomson Reuters
Our Problem
• Heavily invested in SAML; it works well for SSO and is the corporate standard
• Push towards a microservices-based architecture for our internal systems
• Want standards-based interactions between client applications and backend services
• Need to be able to identify users at the microservice level to perform fine-grained authorization
Why SAML in the Enterprise
• Single Sign-On has been important to enterprises for some time
• Enterprise-targeted identity solutions support SAML
• Standards-based SSO can dramatically improve enterprise security over custom solutions
• Many enterprises have a lot invested in SAML solutions and integrations
Can SAML and OAuth Play Nice?
• SAML can assert identity and more; OAuth allows authorization of API resources
• The OAuth 2.0 SAML Bearer profile allows a SAML assertion to be exchanged for an OAuth 2.0 token for authentication and/or authorization
• Recently ratified by the IETF: https://tools.ietf.org/html/rfc7522
• Has certain advantages over vanilla 3-legged OAuth flows: because authorization is implicit, there is no need to ask the user to authorize access. Great when composing lots of APIs together, as often happens in the enterprise
Can SAML and OAuth Play Nice?
• The SAML assertion from the login flow cannot simply be exchanged at the authorization server: SAML assertions carry an audience, which must be honoured
• After login, the application must get or generate a new SAML assertion that can be exchanged for an OAuth access token
• Generating the SAML assertion in the client application may be acceptable sometimes; generally, go to a Security Token Service (STS) to get the assertion. The STS could be the original IdP.
Architecture
In Practice
1. User logs into the application
2. Application requests a SAML assertion from the STS
3. SAML assertion is exchanged for an OAuth access token
4. OAuth access token is used for resource requests
[Sequence diagram: participants Client App, IdP, STS, Auth Server, Resource Server. Arrows, numbered 1 to 4 to match the steps above: Login; Request SAML Assertion; Exchange SAML Assertion for OAuth access token; Get Resource with OAuth 2.0 Bearer Token. A Trust relationship is also drawn between the components.]
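Steps 2 to 4 above, together with the audience rule from the previous slide, as an added Python example that is not part of the presentation: a client-side helper that form-encodes the assertion as an RFC 7522 saml2-bearer grant, and a token-endpoint handler that checks issuer, audience and expiry before minting a bearer token. The STS issuer, token endpoint URL and the sample assertion are constructed placeholders, and XML signature verification is assumed to have been done by a SAML library before the handler runs.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant_type
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_STS = "https://sts.example.com"            # hypothetical STS issuer
TOKEN_ENDPOINT = "https://auth.example.com/token"  # hypothetical auth server

SAMPLE_ASSERTION = (  # constructed, unsigned sample; a real STS would sign it
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Issuer>https://sts.example.com</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
    '<saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>'
    "<saml:Audience>https://auth.example.com/token</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)

def build_token_request(assertion_xml):
    """Client app (step 3): form-encode the assertion as an RFC 7522 grant."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urlencode({"grant_type": SAML2_BEARER, "assertion": b64})

def exchange(form_body, now=None):
    """Auth server: validate the assertion's claims, then mint an access token."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") != SAML2_BEARER:
        return {"error": "unsupported_grant_type"}
    b64 = params.get("assertion", "")
    try:
        root = ET.fromstring(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    except (ValueError, ET.ParseError):
        return {"error": "invalid_grant", "reason": "malformed assertion"}
    # Signature verification (XML-DSig against the STS key) is assumed to have
    # happened before this point; only the RFC 7522 claim checks are shown.
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_STS:
        return {"error": "invalid_grant", "reason": "untrusted issuer"}
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if TOKEN_ENDPOINT not in audiences:  # a login-flow assertion fails here
        return {"error": "invalid_grant", "reason": "audience mismatch"}
    not_after = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    if now >= datetime.fromisoformat(not_after.replace("Z", "+00:00")):
        return {"error": "invalid_grant", "reason": "assertion expired"}
    subject = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 600, "sub": subject}
```

In production, parse the assertion with a hardened XML parser (for example defusedxml) and verify the signature before these checks; the audience check is what stops an assertion issued for the application's own login from being replayed at the token endpoint.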
Implementation
[Sequence diagram: the same Client App, IdP, STS, Auth Server and Resource Server exchange as on the previous slide, steps 1 to 4.]
Is SAML/OAuth the only way?
• Other similar options exist
• OAuth 2.0 JWT Bearer (RFC 7523) is very similar to the OAuth 2.0 SAML Bearer flow; it uses a JWT instead of a SAML assertion
• OpenID Connect, an AuthN solution built on OAuth
Partner Integration – Does Identity play a major role?
Identity and Pushing the API Partner Perimeter
Jason Kobus, Director, API Banking
The opinions expressed in this presentation are my own, and don't necessarily represent Silicon Valley Bank’s positions, strategies, or opinions.
Bank – Fintech Integration: current state
Using APIs to Deepen Partner Integration
Considerations:
1. OAuth tokens exchanged for user credentials reduces risk
2. OAuth grants tied to business purpose & respecting privacy
3. Higher risk → stronger authentication
4. Banks as a trusted identity store (~high fidelity IdP)
5. APIs > Integration arbitrage
– Harness fintech innovation
– Partners get more!
– Bi-directional API treaties
– Triangulate on mutual clients
Q&A