The “I” in API is for Identity (Nordic APIS April 2014)

pingidentity.com

THE “I” IN API IS FOR IDENTITY

David Gorton

Senior Program Manager

Copyright © 2014 Ping Identity Corp. All rights reserved.

2

Identity is the Key

• Identity unlocks access to resources – Web Resources – APIs

• Identities are Everywhere and Expanding


3

Enterprise APIs Are The Same…but Different


4

Public APIS B2B APIS

ü  Authen1ca1on ü  Authoriza1on ü  Audit

Re-Use Identities with Standards

• Increase Adoption

• Reduce Risk • Interoperability • Flexibility


5

Available API Identity Standards

• OAuth 2 (Authorization)

• SAML (Authentication)

• OpenID Connect (Both)


6

OAuth 2 – Authorization

Written for API clients to securely interact with APIs on behalf of users


7

OAuth 2 – Details

•  “Authorization Server” runs the show • Client Requests a Token with a Scope

– User Authenticates – User Authorizes Client for a Scope

• Access token returned that represents a scope for the authenticated user for use by the client

Multiple flows (profiles) exist based on the trust between the client, server, and user.


8

OAuth In Action


9

API Client OAuth AuthZ API Resource

Request Access Token with Creden1als

Return Access Token

Request Data From API

Validate Access Token

Return API Response

Return Valida1on Response

Request Client Scope Authoriza1on

Grant Client Scope Authoriza1on

SAML – Federation

Enable authentication & federation across domains & organizations

Copyright © 2014 Ping Identity Corp. All rights reserved. 10

SAML - Details

• Establish Trust Between Organizations • Signed and Encrypted Tokens Transfer

Identity


SAML + OAuth

• Authentication brokered by SAML • SAML Token Exchanged for OAuth Access

Token • Access Token used to access APIs


SAML + OAuth In Action


OAuth Client OAuth AuthZ & Federa1on API Resource

Request Access Token

Redirect to OAuth Server with SAML


Validate Access Token

Return API Response


Iden1ty Provider

Redirect to Iden1ty Provider

Request to Start AuthN Flow

Request Access Token with SAML

Return Access Token

OpenID Connect – The New Kid on the Block


Connect

OpenID Connect

• OIDC Token contains –  Identity Token – OAuth Access Token

• Trust Model for Federation • Lower Maintenance


OIDC In Action


Mobile OIDC Server API Resource

Request OIDC Token

Return OIDC Token


Validate OIDC Token

Return API Response


Iden1ty Provider

Redirect to Iden1ty Provider

Request to Start AuthN Flow

Validate OIDC Token


Architecting API Identity

• Start with API & Client


• Add OAuth 2.0 • Add SAML

• Or Use OpenID Connect

What is the best option?

SAML + OAuth 2 + Broad Adop1on of SAML

-‐ More complex

-‐ Requires browser interac1on

+ Uses OAuth Access Tokens


OpenID Connect -‐ Limited Enterprise Adop1on

+ One Standard

+ Works with all clients

+ Uses OAuth Access Tokens

Ping Identity Solution


ü  OAuth 2 ü  SAML ü  OpenId Connect

ü  Authoriza1on ü  Audi1ng

The “I” in API is for Identity (Nordic APIS April 2014)

Software

Transcript of The “I” in API is for Identity (Nordic APIS April 2014)