Post on 31-May-2020
Modern APIs for Single Sign-On, Authentication, and Access Management in the Hybrid Cloud World Richard Sand, IDF Connect
2 www.idfconnect.com
Agenda
1. SSO/Rest – a modern approach to Web Access Management
2. Why use security APIs?
3. The crucial role of simplicity
4. “Declare-and-Go” for turnkey protection
5. How it works
6. Architectural flexibility
3 www.idfconnect.com
SSO/Rest – a Modern Approach to Web Access Management
4 www.idfconnect.com
What is Web Access Management (WAM) - and how has cloud migration affected it?
• Don’t confuse WAM with federation (e.g. SAML, OAuth).
• What was lost as apps moved to the Cloud?
• How does SSO/Rest restore WAM’s full capabilities?
5 www.idfconnect.com
Centralized Audit
Centralized Audit
Common WAM gaps in the Cloud
Authentication Management
Access Control Enforcement
Single Sign On
Idle Session Timeout
Session Maximum
Time-to-Live
01
03
06
Session Management
Risk Scoring & Analytics
Access Control Enforcement
02 Web Access Management (Gaps in the
Cloud)
04
05
6 www.idfconnect.com
Authentication Management
Access Control Enforcement
Single Sign On
Risk Scoring & Analytics
Session Management
Centralized Audit
Web Access Management
06 01
02
03 04
05
SSO/Rest provides a complete WAM solution
7 www.idfconnect.com
Applications, any platform, anywhere!
Identity Store
.Net / Core, Azure App Container
IDF Connect SSO/Rest
Plugin IDF Connect
SSO/Rest Gateway
Policy queries
SSO-Integrated Apps
IDF Connect SSO/Rest
Plugin
Identity queries
NodeJS, NGINX Linux VM on EC2
IDF Connect SSO/Rest
Plugin
Java J2EE, Google App Engine
IDF Connect SSO/Rest
Plugin
Attribute queries
SSO/Rest (JSON over HTTPS)
Policy Decision
Point
9 www.idfconnect.com
How security APIs improve the process...
Centrally declare
• Declare security policies centrally, rather than locally via code or descriptors.
Consistent approach
• Use a consistent security approach across apps and platforms.
Uniform user experience
• Provide a consistent user experience for login, sessions, single sign-on, etc.
Ensure effectiveness
• Because security is important!
and the results:
11 www.idfconnect.com
Simplicity is key to enabling application development. SSO/Rest is built with this in mind:
Works on developers’ own environments
• App developers use their own laptops, VMs, etc. to develop. If the API doesn’t work the way developers work, it will fail.
Works with app development tools • Apps are developed and deployed using Agile, CI/CD methodologies.
Makes containerization easy • Containerization must be trivial – installers, dependencies all add complexity.
12 www.idfconnect.com
But most of all, app developers want simple APIs!
Login Give userid and credential and get back a yes/no and a session.
Is this session alive? Yes/no
Is user JSMITH <a manager> | <allowed to access this app/page/resource> | <in the admin group> | <in the U.S.>?
How much time is left in this session? 1683 seconds
Yes/no
15 www.idfconnect.com
Platform support
Web Servers:
App Servers:
App Platforms: Web services for all manner of integrations
…and other thick clients!
17 www.idfconnect.com
SSO/Rest’s self-contained, dependency-free library means:
• Can be bundled directly into applications. • No code changes needed! • Especially important in PaaS (Platform-as-a-Service)
environments. • lets you simply “declare-and-go,” using your build management
system of choice • Extreme flexibility with respect to CI/CD methodologies • Drop-in integration to platforms, containers, and servers for
turnkey, Cloud-enabled single sign-on, authentication, and access control enforcement.
18 www.idfconnect.com
The “slim plugin” approach of SSO/Rest
• Sit immediately in front of applications, enforcing access control policy.
• Communicate with the SSO/Rest Gateway via RESTful, HTTPS-based interactions.
• Processor-consuming cryptographic operations or token validations are deferred to the Gateway
• Small footprint and HTTP-based means they are deployable both inside and outside enterprise perimeters
20 www.idfconnect.com
OpenAPI compliant
• Works with mockup and test generation tools
• Includes Swagger UI
Access Policy Graph screenshot of “TestWeb” sample app
Screenshot of Policy with Request Header Advice
Screenshot of Policy with Authentication Obligation and Session TTL Advice
Screenshot of SSO/Rest Attribute Dictionary
27 www.idfconnect.com
SSO/Rest was designed to maximize architectural flexibility.
• Virtual access control perimeter that can encompass resources on premises or in the Cloud.
• Ability to implement robust access control on AJAX, SPA, and mobile apps.
• Deliver web access management as a service.
28 www.idfconnect.com
BEFORE: Applications in the Traditional Data Center
SSO-Integrated Apps
Access Mgmt
Agent/Proxy
SSO-Integrated Apps
Access Mgmt
Agent/Proxy
SSO-Integrated Apps
Access Mgmt
Agent/Proxy
Access Manager
Local Users
Local Users
Access Management Traffic (vendor-proprietary)
Active Directory Database, etc.
LDAP
29 www.idfconnect.com
AFTER: Complete enterprise-grade IAM 100% in the Cloud
Apps, Anywhere!
SSO/Rest Plugin (JSON over HTTPS)
Multi-Factor Authentication
Service
Cloud Directory, Azure AD, IDaaS
Provider
Axiomatics APS SSO/Rest Gateway
App in the Cloud
SSO Integrated App
IDF Connect SSO/Rest
Plugin
App in the Cloud
SSO Integrated App
IDF Connect SSO/Rest
Plugin
App in the Cloud
Web-based Application
IDF Connect SSO/Rest
Plugin
30 www.idfconnect.com
Authentication
Policy Decision Point
Local Users
Local Users
Active Dir, Database, etc.
LDAP
IDF Connect SSO/Rest Gateway
Data Center
SSO-Integrated Apps
IDF Connect SSO/Rest
Plugin
SSO-Integrated Apps
IDF Connect SSO/Rest
Plugin
XACML Policy Store
SSO/Rest XACML queries
Policy Evaluation
SSO/Rest Plugin (JSON over HTTPS)
Session tokens only!
Cloud Multi-Factor
Authentication
Cloud Directory / IDaaS Provider
SSO-Integrated Apps
IDF Connect SSO/Rest
Plugin
SSO/Rest transforms traditional access management
31 www.idfconnect.com
You should be interested in this technology if…
• You are building rich applications (mobile, AJAX) and require web services for seamless access management integrations.
• You don’t want an SDK.
• You want your WAM solution to be autonomous from central IT.
• You want a technology built around, and committed to, standards.
• Support mobile applications as well as browser heavy apps, SPA.
• You want an easy way to bootstrap and containerize a complete environment.
• Your organization utilizes Agile / CICD.
• You have an existing SSO/WAM solution and are moving applications to the Cloud.
32 www.idfconnect.com
And you should also be interested in this technology if…
• You want or need the assurance that every request is VETTED and SCORED before ever touching your application.
• You require fine-grained access controls and centralized policy management.
• You require a complete audit trail of end-user activity within a given session.
• You need a web access management solution that is modern and leverages today’s tools and capabilities (e.g. ELK, Docker, Kubernetes).
• You are interested in offering Web Access Management as a managed service.
• You have an API Gateway and want a modern Policy Decision Point for its Auth & Auth requirements.
T H A N K YO U ! For More Information, Please Visit
IDF Connect, Inc. 2207 Concord Pike #359 Wilmington, DE 19803
Phone: (888) 765-1611 Fax: (888) 765-7284
www.idfconnect.com
www.linkedin.com/in/rsand
@IDFConnect
www.facebook.com/IDFConnect
@rsand2
Turn SSO/Rest into your Enterprise 2-Factor Auth Solution with SSO/MobileKey. For more details visit www.idfconnect.com/products/sso-mobilekey/
Also check out our other products: www.idfconnect.com/products