Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC
Transcript of Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC
World®’16
Workshop on Policy Creation and Management
Ola Mogstad, Director, Software Engineering, CA Technologies
DO3X51E
DEVOPS
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only: Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
This workshop will dive into some of the many capabilities of the CA API Gateway and introduce the audience to the Gateway’s own configuration policy language.
The speakers will walk you through some fundamental topics such as the basics of policy, policy creation, and policy management – but will also transition into more advanced use cases such as leveraging external APIs and existing authorization standards like OAuth and OpenID Connect.
Ola Mogstad
Director, Software Engineering, CA Technologies
About Us
Sascha Preibisch, Principal Software Architect, Developer Products, Vancouver, BC, @nascarlogin
Ola Mogstad, Director, Software Engineering, Developer Products, Vancouver, BC, @OlaMogstad
Recommended Sessions
SESSION # | TITLE | DATE/TIME
DO3X50E | CA Mobile API Gateway (MAG): How to Provide Your Mobile User With a Convenient, Yet Secure, Onboarding Experience Through OAuth and SAML | 11/14/2016 at 4:00 pm
DO3X40E | CA API Developer Portal: Policy Writing for the Portal using the new Context Variables and API Key Custom Fields | 11/15/2016 at 9:00 am
Agenda
1 WHAT IS THE CA API GATEWAY?
2 INTRODUCTION TO POLICY
3 CREATING AND MANAGING POLICY
4 SOME SIMPLE EXAMPLES
5 INTEGRATING APIS WITH OAUTH
6 BONUS MATERIAL
The CA API Gateway
[Diagram labels: Corporate Network (Servers, Data, Identities); DMZ (API Gateway); Message Transformation, Threat Protection, Policy Enforcement, Service Orchestration, Encryption & Decryption]
What is Policy?
• The Gateway is highly configurable
• Policy “tells it what to do”
• Assertions are code modules that do specific things
• Request -> Response
Policy is actually XML
Assertions are the building blocks of policies
• Everything in a policy is an assertion
• Some included out of the box
• Custom assertion SDK
• Powerful assertions can be very simple
Policies can get pretty sophisticated
• Conditional logic that mimics if/else behavior
• Reusable snippets called fragments
• Policy-backed assertions called encapsulated assertions
What happens here?
Performance is critical
• With power comes responsibility
• A “per request” mindset
• Doing versus waiting
  – Policy execution
  – Network latency
  – Backend latency
• Caching
Policy life-cycle becomes important
• “Treat policy like code”
• Migration and environment-specific configuration
  – Tooling like RESTMAN and GMU/CMT
• Engineering best practices
  – Modularity, separation of concerns
  – Comments
• RBAC and Security Zones
OAuth and OIDC
OAuth 2.0
• Authorization
• “Can you do this?”
• Delegate limited access to third parties
• Uses redirection
• Pre-defined providers
OpenID Connect
• Authentication
• “Who are you?”
• Leveraging existing user accounts with third parties
• Uses redirection
• Autodiscovery
CA API Gateway OAuth Toolkit
• Gateway extension to support OAuth 1.0, OAuth 2.0, and OIDC
• Implemented largely in policy
• Highly customizable and modular
Questions?
Stay connected at communities.ca.com
Thank you.
DevOps – API Management and Application Development
For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ