The “I” in API is for Identity (Nordic APIS April 2014)

Post on 08-May-2015


Transcript of The “I” in API is for Identity (Nordic APIS April 2014)

pingidentity.com

THE “I” IN API IS FOR IDENTITY

David Gorton

Senior Program Manager

Copyright © 2014 Ping Identity Corp. All rights reserved.


Identity is the Key

• Identity unlocks access to resources
  – Web Resources
  – APIs

• Identities are Everywhere and Expanding


Enterprise APIs Are The Same…but Different


Public APIs / B2B APIs

✓ Authentication ✓ Authorization ✓ Audit

Re-Use Identities with Standards

• Increase Adoption

• Reduce Risk

• Interoperability

• Flexibility


Available API Identity Standards

• OAuth 2 (Authorization)

• SAML (Authentication)

• OpenID Connect (Both)


OAuth 2 – Authorization

Written for API clients to securely interact with APIs on behalf of users


OAuth 2 – Details

• “Authorization Server” runs the show

• Client requests a token with a scope
  – User authenticates
  – User authorizes client for a scope

• Access token returned that represents a scope for the authenticated user, for use by the client

Multiple flows (profiles) exist based on the trust between the client, server, and user.


OAuth In Action


Sequence diagram (text recovered from the slide). Participants: API Client, OAuth AuthZ, API Resource.

1. API Client → OAuth AuthZ: Request Client Scope Authorization
2. OAuth AuthZ → API Client: Grant Client Scope Authorization
3. API Client → OAuth AuthZ: Request Access Token with Credentials
4. OAuth AuthZ → API Client: Return Access Token
5. API Client → API Resource: Request Data From API
6. API Resource → OAuth AuthZ: Validate Access Token
7. OAuth AuthZ → API Resource: Return Validation Response
8. API Resource → API Client: Return API Response
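The exchange in the diagram above, as an added example that is not part of the original deck: a constructed in-memory authorization server, API resource and client in Python, showing an access token being issued for a scope after the user authenticates, validated by the resource server against the authorization server, and refused when the credentials, scope or lifetime do not match. All class names, users and scopes are my own constructed sample values.

```python
import secrets
import time

# Constructed in-memory "OAuth AuthZ": authenticates the user, records the
# scope the user granted, and hands back an opaque access token.
class AuthorizationServer:
    def __init__(self, users):
        self.users = users    # username -> password (constructed sample data)
        self.tokens = {}      # opaque token -> {"user", "scope", "exp"}

    def issue_token(self, username, password, scope, ttl=300):
        # "User Authenticates" then "User Authorizes Client for a Scope"
        if self.users.get(username) != password:
            return None       # no access token without an authenticated user
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": username, "scope": set(scope.split()),
                              "exp": time.time() + ttl}
        return token

    def validate(self, token):
        # "Validate Access Token" -> "Return Validation Response"
        meta = self.tokens.get(token)
        if meta is None or time.time() >= meta["exp"]:
            return {"active": False}
        return {"active": True, "user": meta["user"], "scope": sorted(meta["scope"])}

# The "API Resource": never trusts a bearer token on its own; it asks the
# authorization server and enforces the granted scope for each operation.
class ApiResource:
    def __init__(self, authz):
        self.authz = authz

    def handle(self, token, required_scope):
        result = self.authz.validate(token)
        if not result["active"]:
            return 401, "invalid or expired access token"
        if required_scope not in result["scope"]:
            return 403, "scope %r not granted" % required_scope
        return 200, "data for " + result["user"]

def run_flow():
    # Drive the whole exchange and return every outcome for inspection.
    authz = AuthorizationServer({"alice": "correct horse"})   # constructed user
    api = ApiResource(authz)
    token = authz.issue_token("alice", "correct horse", "profile:read")
    stale = authz.issue_token("alice", "correct horse", "profile:read", ttl=-1)
    return {"bad_creds": authz.issue_token("alice", "wrong", "profile:read"),
            "read": api.handle(token, "profile:read"),
            "write": api.handle(token, "profile:write"),
            "expired": api.handle(stale, "profile:read"),
            "forged": api.handle("not-a-real-token", "profile:read")}
```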

SAML – Federation

Enable authentication & federation across domains & organizations


SAML – Details

• Establish Trust Between Organizations

• Signed and Encrypted Tokens Transfer Identity


SAML + OAuth

• Authentication brokered by SAML

• SAML Token Exchanged for OAuth Access Token

• Access Token used to access APIs


SAML + OAuth In Action


Sequence diagram (text recovered from the slide). Participants: OAuth Client, OAuth AuthZ & Federation, API Resource, Identity Provider.

1. OAuth Client → OAuth AuthZ & Federation: Request Access Token
2. OAuth AuthZ & Federation → OAuth Client: Redirect to Identity Provider
3. OAuth Client → Identity Provider: Request to Start AuthN Flow
4. Identity Provider → OAuth Client: Redirect to OAuth Server with SAML
5. OAuth Client → OAuth AuthZ & Federation: Request Access Token with SAML
6. OAuth AuthZ & Federation → OAuth Client: Return Access Token
7. OAuth Client → API Resource: Request Data From API
8. API Resource → OAuth AuthZ & Federation: Validate Access Token
9. OAuth AuthZ & Federation → API Resource: Return Validation Response
10. API Resource → OAuth Client: Return API Response

OpenID Connect – The New Kid on the Block


OpenID Connect

• OIDC Token contains
  – Identity Token
  – OAuth Access Token

• Trust Model for Federation

• Lower Maintenance


OIDC In Action


Sequence diagram (text recovered from the slide). Participants: Mobile, OIDC Server, API Resource, Identity Provider.

1. Mobile → OIDC Server: Request OIDC Token
2. OIDC Server → Mobile: Redirect to Identity Provider
3. Mobile → Identity Provider: Request to Start AuthN Flow
4. OIDC Server → Mobile: Return OIDC Token
5. Mobile → API Resource: Request Data From API
6. API Resource → OIDC Server: Validate OIDC Token
7. OIDC Server → API Resource: Return Validation Response
8. API Resource → Mobile: Return API Response

(The Validate OIDC Token / Return Validation Response pair appears twice in the slide's diagram.)

Architecting API Identity

• Start with API & Client

• Add OAuth 2.0

• Add SAML

• Or Use OpenID Connect

What is the best option?

SAML + OAuth 2
  + Broad Adoption of SAML
  - More complex
  - Requires browser interaction
  + Uses OAuth Access Tokens

OpenID Connect
  - Limited Enterprise Adoption
  + One Standard
  + Works with all clients
  + Uses OAuth Access Tokens

Ping Identity Solution


✓ OAuth 2 ✓ SAML ✓ OpenID Connect

✓ Authorization ✓ Auditing

?