Security as a Service - Tian Wang
0 likes314 views
The document provides an overview of security services available on the Cloud Foundry platform including UAA (Universal Authentication and Authorization) and Credhub. UAA provides identity and access management capabilities including single sign-on (SSO), OAuth 2.0/OpenID Connect protocols, and user authentication and authorization. Credhub provides secure credential management through generation, storage, and rotation of credentials. The document discusses how Spring applications can leverage these services through UAA's identity broker and Spring CredHub client to integrate SSO and manage credentials in a Cloud Foundry deployment. Demo sections show examples of UAA for SSO and Credhub for credential management.
Security as a Service - Tian Wang
- 1. Version 1.0 October 10, 2018 Security as a Service How Your Spring Apps Can Benefit From Cloud Foundry
- 2. Cover w/ Image Agenda ■ What does the Cloud Foundry platform provide for my apps? ■ What is OAuth and OIDC? ■ How can I use it? ■ What is Credhub? ■ How can I use it?
- 3. Cloud Foundry 💚 Spring How does the platform benefit my apps?
- 4. A platform for running your apps... BOSH AWS Azure GCP On-Prem VM VM VMVM VM VM VM IaaS PaaS Appscf push Routing CAPI UAA ...Diego App ● Buildpacks ● Routing ● Scaling ● Monitoring ● Backup and Restore ● Services Marketplace● Services Marketplace
- 5. ● Security Services for App ○ UAA (SSO) Identity as a Service ○ Credhub Credential Management A platform with security services for your apps... BOSH AWS Azure GCP On-Prem VM VM VMVM VM VM VM IaaS PaaS Appscf push Routing CAPI UAA ...Diego App
- 6. Security services to help you build your apps... cf push AppsApp PaaSCredhubUAA ● Identity Proxy ● User AuthN/AuthZ ● Service-to-Service Authn/AuthZ ● Credential Generation ● Credential Storage ● Credential Rotation
- 7. Cloud Native Protocols What is OAuth? I’ll do you one better: Why is OAuth?
- 8. SAML LDAP
- 9. Authorization Server Client Resource Server Resource Server OAuth 2.0 (Authorization) - Access Token OpenID Connect (Authentication) - ID Token Resource Owner
- 10. What’s a Token Look Like? JSON Web Token (JWT)Bearer Token
- 11. What’s a Token Look Like? Authentication Method (“External”) External User Attributes External Groups
- 12. What’s a Token Look Like? Scopes for Role Based Access Control User allowed to have scope (UAA group) Client allowed to have scope (client config) User consented client can use scope (to prevent malicious apps)
- 15. Authorization Server Client Resource Servers as892jd as892jd Authorization Code Grant Flow (UI Flow) Super Secure Back Channel Tokens as892jd
- 16. Authorization Server Client Resource Servers Implicit Grant Flow (UI Flow) Front end only (Single Page App) / short lifetime
- 17. Authorization Server Client Resource Servers Password Grant Flow (Non-Browser Flow) Trusted Native Apps - CLIs or Mobile
- 18. Authorization Server Client Resource Servers Client Credential Grant Flow (Non-User Flow) Apps on behalf of itself Clients can be configured with scopes as authorities for RBAC RBAC
- 19. Authorization Server Client or Resource Server Resource Servers Token Exchange SAML or JWT from external identity providers External Identity Provider
- 20. Authorization Server Resource Server Resource Servers Token Passing Not Even A Grant Flow - But Be Careful
- 21. UAA and PCF SSO Identity as a Service
- 22. Official Identity Provider of Cloud Foundry, BOSH, OpsManager, PAS, PKS, and more Production proven at scales of over 2 million tokens per day UAA Cloud Foundry and PCF LDAP Lightweight Directory Access Protocol OpenID Connect UAA SAML Powered by UAA BOSH OpsMan PKS
- 23. Identity Service Broker, Identity Sample Apps, and Spring SSO Connector Beyond UAA and into the customer experience Starting with Spring Boot for Java & SteelToe for .NET SSO Pivotal SSO Service Customer Applications Enterprise/ Internal Applications Mobile Applications LDAP Lightweight Directory Access Protocol OpenID Connect OpenID Connect UAA SAML SSO Operator Dashboard - Identity Providers SSO Integration Guides SSO Identity Service Broker Spring SSO Connector Frameworks like Spring Boot / SteelToe (Not Owned by Team) Identity Sample Apps Operator App Developer We become both a bridge and a buffer between the old world and the new world SSO Developer Dashboard - Apps and Resources Powered by UAA
- 24. Demo UAA and SSO
- 25. Credhub RRR Matey - Rotate, Repave, Repair
- 26. What is Credhub?
- 27. How does it work?
- 31. Credential Usage Spring CredHub provides client-side support for storing, retrieving, and deleting credentials from a CredHub server running in a Cloud Foundry platform. The CredHubTemplate is used to interact with CredHub, typically used through its CredHubOperations interface.
- 32. Demo Credhub
- 33. Transforming How The World Builds Software © Copyright 2018 Pivotal Software, Inc. All rights Reserved.