CIS14: Enterprise Identity APIs
0 likes460 views
The document discusses enterprise authentication APIs, emphasizing the need for standardization and separation of concerns within identity and access management (IAM). It outlines the benefits of a modular approach to APIs, improved security practices, and dynamic integration with various IAM systems. The goal is to simplify authentication processes while enhancing control and user experience across applications.
CIS14: Enterprise Identity APIs
- 1. Enterprise Auth APIs ...WHEEL GREASE FOR IAM BHAGYA PRABHAKAR E*TRADE FINANCIAL
- 2. Enterprise Auth APIs § What? § Standard IAM APIs for the enterprise § Why? § Separa6on of concerns § How? § IAM exper6se and good so<ware engineering
- 3. Familiar? Internet OAuth Server Auth Agent API API API App Access Tokens SAML Server SAML Asser6ons Mutual Authen6ca6on Client Side SSL HTML Basic HTML Basic User App Sec Developers Kerberos App
- 4. Desiderata something that is needed or wanted § Standardized solu6on across applica6ons § Consistent user experience § Loose coupling to IAM systems § New auth methods, minimal/no app changes § Enforce policy § More control and granularity
- 5. Enterprise Auth API Internet OAuth Server Auth Agent API SAML Server SAML Asser6ons Mutual Authen6ca6on Over SSL HTML Basic HTML Basic User App Sec Developers API API App Enterprise Auth API/SDK Enterprise Auth API Core Impl Kerberos App
- 6. Example : Get AuthenIcated User’s Details thisMustBeSimpler () { SecurityContext securityContext=SecurityContextHolder.getContext(); if (securityContext != null) { Authen6ca6on authen6ca6on=securityContext.getAuthen6ca6on(); if (authen<ca<on != null) { if (authen<ca<on.getPrincipal() instanceof EnterpriseUserDetails) { EnterpriseUserDetails userDetails=(EnterpriseUserDetails) authen6ca6on.getPrincipal(); String sessionId=userDetails.getServerSessionId(); } } } }
- 7. With an Enterprise Auth API Authen<ca<onInfo { isAuthen<cated(); getUserId(); getUserName(); getRoles(); getUserDetails(); } nowThisIsMuchBeLer() { Authen6ca6onInfo authnInfo = Authen<ca<onInfo.newInstance(); UserDetails userDetails=authnInfo .getUserDetails(); String sessionId=userDetails.getServerSessionId(); }
- 8. A Couple More Examples Federator { federate(aLributes, endpoint); } Authoriza<onInfo { hasRole(role); getRoles(); }
- 9. CreaIng an API …THAT DEVELOPERS WANT TO USE
- 10. GeQng Started § Derive from exis6ng use-‐cases § Talk to applica6on developers § Beware of an6 paXerns -‐ bullet point engineering, abstrac6on inversion § Build on top of modular Auth framework § Spring Security, Shiro, my-‐favorite-‐framework § Simplify and constrain § Enterprise specific rules
- 11. Make it Modular and Portable § No kitchen sink of all APIs to integrate with § Separate API and impl modules § Consumers depend on API § Swap out underlying impl § Integra6on in other languages § Dis6ll into a web service layer § Language specific SDK
- 12. Maintain...Maintain...Maintain § Support the developers who use it § Help developers proac6vely § Implement fixes and extensions quickly § Keep up with the IAM industry § Make it SOLID § Use Seman6c Versioning
- 13. Return on Investments § De facto standard auth API in the Enterprise § Mix and match several IAM systems § No vendor lock in § Rapid prototype development § Quick applica6on integra6on § Improved upon our applica6on security prac6ce § Detec6on and remedia6on
- 14. What’s Important... § Façade away auth frameworks and IAM systems § Enhance and constrain 3rd party components with organiza6on rules § Make it modular, portable and easy to use § Keep up with the IAM industry
- 15. So? § Benefit from a standardized IAM solu6on across applica6ons
- 16. Thanks! To Adam Migus and E*TRADE Financial E-‐mail: bhagyashree.prabhakar@etrade.com Links hXp://semver.org/ hXp://en.wikipedia.org/wiki/SOLID_(object-‐oriented_design) hXp://projects.spring.io/spring-‐security/ hXp://shiro.apache.org/ hXp://en.wikipedia.org/wiki/Desiderata