Modern APIs for Single Sign-On, Authentication, and Access Management in the Hybrid Cloud World
Richard Sand, IDF Connect

Page 1: Modern APIs for Single Sign-On, Authentication, and Access Management in the Hybrid Cloud World

Page 2:

2 www.idfconnect.com

Agenda

1. SSO/Rest – a modern approach to Web Access Management

2. Why use security APIs?

3. The crucial role of simplicity

4. “Declare-and-Go” for turnkey protection

5. How it works

6. Architectural flexibility

Page 3:

SSO/Rest – a Modern Approach to Web Access Management

Page 4:

What is Web Access Management (WAM) - and how has cloud migration affected it?

• Don’t confuse WAM with federation (e.g. SAML, OAuth).

• What was lost as apps moved to the Cloud?

• How does SSO/Rest restore WAM’s full capabilities?

Page 5:

Common WAM gaps in the Cloud

[Diagram: “Web Access Management (Gaps in the Cloud)”, a ring of six numbered capabilities]

• Authentication Management

• Access Control Enforcement

• Single Sign On

• Session Management (Idle Session Timeout; Session Maximum Time-to-Live)

• Risk Scoring & Analytics

• Centralized Audit

Page 6:

[Diagram: “Web Access Management”, the same six numbered capabilities]

• Authentication Management

• Access Control Enforcement

• Single Sign On

• Risk Scoring & Analytics

• Session Management

• Centralized Audit

SSO/Rest provides a complete WAM solution

Page 7:

Applications, any platform, anywhere!

[Diagram: SSO-Integrated Apps on several platforms, each carrying an IDF Connect SSO/Rest Plugin, talking SSO/Rest (JSON over HTTPS) to the IDF Connect SSO/Rest Gateway]

• .Net / Core, Azure App Container: IDF Connect SSO/Rest Plugin

• NodeJS, NGINX Linux VM on EC2: IDF Connect SSO/Rest Plugin

• Java J2EE, Google App Engine: IDF Connect SSO/Rest Plugin

• IDF Connect SSO/Rest Gateway: policy queries to the Policy Decision Point; identity queries and attribute queries to the Identity Store

Page 8:

Why Use Security APIs?

Page 9:

How security APIs improve the process...

Centrally declare

• Declare security policies centrally, rather than locally via code or descriptors.

Consistent approach

• Use a consistent security approach across apps and platforms.

Uniform user experience

• Provide a consistent user experience for login, sessions, single sign-on, etc.

Ensure effectiveness

• Because security is important!

and the results:

Page 10:

The Crucial Role of Simplicity

Page 11:

Simplicity is key to enabling application development. SSO/Rest is built with this in mind:

Works on developers’ own environments

• App developers use their own laptops, VMs, etc. to develop. If the API doesn’t work the way developers work, it will fail.

Works with app development tools

• Apps are developed and deployed using Agile, CI/CD methodologies.

Makes containerization easy

• Containerization must be trivial – installers, dependencies all add complexity.

Page 12:

But most of all, app developers want simple APIs!

Login: give userid and credential and get back a yes/no and a session.

Is this session alive? Yes/no

Is user JSMITH <a manager> | <allowed to access this app/page/resource> | <in the admin group> | <in the U.S.>? Yes/no

How much time is left in this session? 1683 seconds

Page 13:

How It Works

Page 14:

Platform support

Web Servers:

App Servers:

App Platforms: Web services for all manner of integrations

…and other thick clients!

Page 15:

“Declare-and-Go” for Turnkey Protection

Page 16:

SSO/Rest’s self-contained, dependency-free library means:

• Can be bundled directly into applications.

• No code changes needed!

• Especially important in PaaS (Platform-as-a-Service) environments.

• Lets you simply “declare-and-go,” using your build management system of choice.

• Extreme flexibility with respect to CI/CD methodologies.

• Drop-in integration to platforms, containers, and servers for turnkey, Cloud-enabled single sign-on, authentication, and access control enforcement.

Page 17:

The “slim plugin” approach of SSO/Rest

• Sit immediately in front of applications, enforcing access control policy.

• Communicate with the SSO/Rest Gateway via RESTful, HTTPS-based interactions.

• Processor-consuming cryptographic operations or token validations are deferred to the Gateway

• Small footprint and HTTP-based means they are deployable both inside and outside enterprise perimeters
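The question-and-answer API shapes from the “simple APIs” slide (login, is this session alive, is user X allowed, how much time is left) and the slim-plugin/Gateway split described above, written out as an added illustration. This is not IDF Connect’s SSO/Rest code: the product’s real endpoints and JSON are not shown on these slides, so every class name, field, cookie name, timeout value and the in-memory user store below are constructed for the example. The stand-in Gateway is the only component that owns sessions (enforcing the idle timeout and maximum time-to-live named among the WAM gaps) and policy; the stand-in plugin holds no policy and no cryptography of its own and merely enforces the Gateway’s decision, which carries an obligation (authenticate) or advice (request header, session TTL) in the spirit of the policy screenshots listed later.

```python
"""Stand-in for the SSO/Rest plugin-to-Gateway exchange (added example, not IDF Connect code).

All class names, fields, timeouts and the in-memory user store are constructed for
illustration; the real product's endpoints and JSON are not shown on the slides.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 900    # seconds without activity before a session dies (constructed value)
MAX_TTL = 8 * 3600    # absolute session lifetime regardless of activity (constructed value)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    groups: frozenset


class Gateway:
    """Plays the Gateway / Policy Decision Point: the only place holding sessions and policy."""

    def __init__(self, users, policy, now=time.time):
        # users: userid -> (credential, groups). A real identity store would hold a salted
        # hash, never the credential itself; this is a constructed sample store.
        self._users = users
        # policy: resource path -> group required to reach it (absent = any logged-in user)
        self._policy = policy
        self._sessions = {}
        self._now = now  # injectable clock so the timeouts can be exercised deterministically

    def login(self, userid, credential):
        """'Give userid and credential and get back a yes/no and a session.'"""
        record = self._users.get(userid)
        # constant-time comparison so the response time does not depend on matching prefix
        if record is None or not secrets.compare_digest(record[0], credential):
            return {"authenticated": False}
        token = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[token] = Session(userid, now, now, frozenset(record[1]))
        return {"authenticated": True, "session": token}

    def _live(self, token):
        """Return the session if it exists and has hit neither timeout, else evict it."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._now()
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > MAX_TTL:
            del self._sessions[token]
            return None
        return session

    def is_alive(self, token):
        """'Is this session alive? Yes/no'"""
        return self._live(token) is not None

    def time_left(self, token):
        """'How much time is left in this session?' in seconds (0 if the session is dead)."""
        session = self._live(token)
        if session is None:
            return 0
        now = self._now()
        return int(min(IDLE_TIMEOUT - (now - session.last_seen),
                       MAX_TTL - (now - session.created)))

    def authorize(self, token, path):
        """'Is user X allowed to access this resource?' answered as a decision document."""
        session = self._live(token)
        if session is None:
            # obligation: the plugin must send the caller to authenticate
            return {"decision": "Deny", "obligation": "authenticate"}
        session.last_seen = self._now()  # every vetted request counts as activity
        required = self._policy.get(path)
        if required is not None and required not in session.groups:
            return {"decision": "Deny"}
        # advice: an identity header for the app plus the remaining session TTL
        return {"decision": "Permit",
                "advice": {"headers": {"X-Remote-User": session.user},
                           "session_ttl": self.time_left(token)}}


class Plugin:
    """Plays the slim plugin: no local policy or crypto, it only enforces the Gateway's answer."""

    def __init__(self, gateway, app):
        self._gateway = gateway
        self._app = app  # the protected application: dict request -> dict response

    def handle(self, request):
        token = request.get("cookies", {}).get("SSOSESSION")  # constructed cookie name
        verdict = self._gateway.authorize(token, request["path"])
        if verdict["decision"] != "Permit":
            if verdict.get("obligation") == "authenticate":
                return {"status": 302, "location": "/login"}
            return {"status": 403}
        headers = dict(request.get("headers", {}))
        headers.update(verdict["advice"]["headers"])  # apply the request-header advice
        return self._app({**request, "headers": headers})


def demo():
    """Login, one denied and one permitted request, then an idle timeout; returns the outcomes."""
    clock = [1_000.0]
    gw = Gateway({"jsmith": ("s3cret", ["managers"])},
                 {"/admin": "admins", "/reports": "managers"},
                 now=lambda: clock[0])
    plugin = Plugin(gw, lambda req: {"status": 200, "user": req["headers"]["X-Remote-User"]})
    cookies = {"SSOSESSION": gw.login("jsmith", "s3cret")["session"]}
    admin = plugin.handle({"path": "/admin", "cookies": cookies})["status"]      # 403
    reports = plugin.handle({"path": "/reports", "cookies": cookies})            # 200, jsmith
    clock[0] += IDLE_TIMEOUT + 1                                                 # user walks away
    expired = plugin.handle({"path": "/reports", "cookies": cookies})["status"]  # 302
    return admin, reports["user"], expired


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in `Plugin.handle`: the plugin never sees the policy, the group membership or the credential, only an opaque session token and a decision document, which is what lets it sit outside the enterprise perimeter with a small footprint. The injectable clock is there so the idle-timeout and maximum-TTL paths can be checked without waiting.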

Page 18:

Product Screenshots

Page 19:

OpenAPI compliant

• Works with mockup and test generation tools

• Includes Swagger UI

Page 20:

Includes ELK Stack and Kibana Dashboards

Page 21:

Access Policy Graph screenshot of “TestWeb” sample app

Page 22:

Screenshot of Policy with Request Header Advice

Page 23:

Screenshot of Policy with Authentication Obligation and Session TTL Advice

Page 24:

Screenshot of SSO/Rest Attribute Dictionary

Page 25:

Architectural Flexibility

Page 26:

SSO/Rest was designed to maximize architectural flexibility.

• Virtual access control perimeter that can encompass resources on premises or in the Cloud.

• Ability to implement robust access control on AJAX, SPA, and mobile apps.

• Deliver web access management as a service.

Page 27:

BEFORE: Applications in the Traditional Data Center

[Diagram: three groups of SSO-Integrated Apps, each fronted by an Access Mgmt Agent/Proxy, connected to a central Access Manager over Access Management Traffic (vendor-proprietary); the Access Manager looks up Local Users in Active Directory, Database, etc. over LDAP]

Page 28:

AFTER: Complete enterprise-grade IAM 100% in the Cloud

[Diagram: “Apps, Anywhere!”; three Apps in the Cloud (two SSO Integrated Apps and one Web-based Application), each with an IDF Connect SSO/Rest Plugin, reaching the Axiomatics APS SSO/Rest Gateway via the SSO/Rest Plugin (JSON over HTTPS); the Gateway uses a Multi-Factor Authentication Service and a Cloud Directory, Azure AD, IDaaS Provider]

Page 29:

[Diagram: the IDF Connect SSO/Rest Gateway in the Data Center provides Authentication and a Policy Decision Point; Policy Evaluation runs against an XACML Policy Store via SSO/Rest XACML queries; Local Users come from Active Dir, Database, etc. over LDAP; SSO-Integrated Apps both in the Data Center and in the Cloud, each with an IDF Connect SSO/Rest Plugin, talk to the Gateway via the SSO/Rest Plugin (JSON over HTTPS), labelled “Session tokens only!”; Cloud Multi-Factor Authentication and a Cloud Directory / IDaaS Provider complete the picture]

SSO/Rest transforms traditional access management

Page 30:

You should be interested in this technology if…

• You are building rich applications (mobile, AJAX) and require web services for seamless access management integrations.

• You don’t want an SDK.

• You want your WAM solution to be autonomous from central IT.

• You want a technology built around, and committed to, standards.

• You need to support mobile applications as well as browser-heavy apps and SPAs.

• You want an easy way to bootstrap and containerize a complete environment.

• Your organization utilizes Agile / CICD.

• You have an existing SSO/WAM solution and are moving applications to the Cloud.

Page 31:

And you should also be interested in this technology if…

• You want or need the assurance that every request is VETTED and SCORED before ever touching your application.

• You require fine-grained access controls and centralized policy management.

• You require a complete audit trail of end-user activity within a given session.

• You need a web access management solution that is modern and leverages today’s tools and capabilities (e.g. ELK, Docker, Kubernetes).

• You are interested in offering Web Access Management as a managed service.

• You have an API Gateway and want a modern Policy Decision Point for its Auth & Auth requirements.

Page 32:

THANK YOU! For More Information, Please Visit

IDF Connect, Inc. 2207 Concord Pike #359 Wilmington, DE 19803

Phone: (888) 765-1611 Fax: (888) 765-7284

www.idfconnect.com

www.linkedin.com/in/rsand

@IDFConnect

www.facebook.com/IDFConnect

@rsand2

Turn SSO/Rest into your Enterprise 2-Factor Auth Solution with SSO/MobileKey. For more details visit www.idfconnect.com/products/sso-mobilekey/

Also check out our other products: www.idfconnect.com/products