Identity enabling Web Services  Ashish Jain, Director of Technology, Ping Identity  Peter Dapkus, Product Manager, Salesfo...
Agenda <ul><ul><li>Introduction  </li></ul></ul><ul><ul><li>WS-Trust Overview </li></ul></ul><ul><ul><li>OAuth Overview </...
Introduction <ul><li>   </li></ul><ul><ul><li>Server to Server Mashup </li></ul></ul><ul><ul><li>Enterprise SOA </li></ul>...
WS-Trust <ul><li>  To provide a framework for requesting and issuing security tokens, and to broker trust relationships. <...
OAuth <ul><li>An  open protocol  to allow  secure API authentication  in a  simple  and  standard  method from desktop and...
WS-Trust Continued <ul><li>   </li></ul>
Enterprise Use Cases <ul><li>  </li></ul><ul><li>  </li></ul><ul><ul><li>Legacy Systems - API access  </li></ul></ul><ul><...
OAuth Continued <ul><li>  </li></ul>
The OAuth &quot;dance&quot; <ul><li>Step 1: Login to site A </li></ul><ul><li>Step 2: Specify site B </li></ul><ul><li>Ste...
 
 
 
 
 
 
 
 
Establishing trust for consumer SaaS <ul><li>OAuth is becoming the de-facto solution when end users want to delegate acces...
Personal Health Records Portability <ul><ul><li>MS HealthVault & Google Health provide secure storage </li></ul></ul><ul><...
Address Book Portability <ul><ul><li>Signup for a Social Networks, and get asked for the password of your E-mail account. ...
Application Extensions <ul><ul><li>Photo touchup tools, photo labs </li></ul></ul><ul><ul><li>Calendar/Contact sync tools ...
Enterprise SaaS @ Saleforce.com  
What is Salesforce.com?
Who builds applications on Salesforce? <ul><li>Three Types of Applications: </li></ul><ul><ul><li>Salesforce.com Applicati...
The Salesforce.com API <ul><ul><li>SOAP API with WSDL / Schema </li></ul></ul><ul><ul><li>Low verb count - Primarily CRUD ...
Multi-Tenancy Makes Cloud Computing Possible <ul><ul><li>Faster Vendor Innovation </li></ul></ul><ul><ul><li>Economies of ...
Salesforce.com Design Principles <ul><li>1) Secure </li></ul><ul><ul><li>Confidentiality, Integrity </li></ul></ul><ul><ul...
Enterprise SaaS Use Cases
Enterprise SaaS Use Cases
Enterprise SaaS Use Cases
WS-Trust
OAuth
Salesforce.com Design Principles <ul><li>1) Secure </li></ul><ul><ul><li>Confidentiality, Integrity </li></ul></ul><ul><ul...
Q&A <ul><li>Ashish Jain - ajain@pingidentity.com </li></ul><ul><li>Peter Dapkus - pdapkus@salesforce.com </li></ul><ul><li...
Appendix
Summary continued <ul><li>If you a service provider, support OAuth and you will make things simpler for your data consumer...
Upcoming SlideShare
Loading in...5
×

Identity Enabling Web Services

3,794

Published on

DIDW 08 presentation

Published in: Technology, Economy & Finance
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,794
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
41
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Identity Enabling Web Services

    1. 1. Identity enabling Web Services Ashish Jain, Director of Technology, Ping Identity Peter Dapkus, Product Manager, Salesforce.com   Eric Sachs, Product Manager, Google Security September 10, 2008
    2. 2. Agenda <ul><ul><li>Introduction </li></ul></ul><ul><ul><li>WS-Trust Overview </li></ul></ul><ul><ul><li>OAuth Overview </li></ul></ul><ul><ul><li>Enterprise to Enterprise </li></ul></ul><ul><ul><li>OAuth Dance </li></ul></ul><ul><ul><li>Consumer to SaaS </li></ul></ul><ul><ul><li>Enterprise to SaaS </li></ul></ul><ul><ul><li>Summary </li></ul></ul><ul><ul><li>Q&A </li></ul></ul>
    3. 3. Introduction <ul><li>  </li></ul><ul><ul><li>Server to Server Mashup </li></ul></ul><ul><ul><li>Enterprise SOA </li></ul></ul><ul><ul><li>SSO + Data </li></ul></ul><ul><ul><li>Desktop Client </li></ul></ul>
    4. 4. WS-Trust <ul><li>  To provide a framework for requesting and issuing security tokens, and to broker trust relationships. </li></ul><ul><li>  </li></ul><ul><li>  </li></ul><ul><ul><li>OASIS Standard </li></ul></ul><ul><ul><li>Solutions by Microsoft, IBM, Sun, Ping Identity... </li></ul></ul><ul><ul><li>Related Specs - WS-Policy, WS-SecureConversation, WS-Addressing, WS-Mex, WS-SecurityPolicy... </li></ul></ul><ul><ul><li>Used heavily in Information Cards </li></ul></ul><ul><ul><li>Current Status </li></ul></ul>
    5. 5. OAuth <ul><li>An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.   </li></ul><ul><li>  </li></ul><ul><ul><li>Open Standard. Developed by Community. (http://OAuth.net). </li></ul></ul><ul><ul><li>Support by Google, MySpace, Yahoo, AOL, Twitter, Pownce... </li></ul></ul><ul><ul><li>Lightweight. Does one thing. Very well. </li></ul></ul><ul><ul><li>Somewhat related specs: OpenID  </li></ul></ul><ul><ul><li>Current Status: V1.0 in use by Google & MySpace as well as many other sites.  Some extensions proposed, but no significant modifications to the core protocol. </li></ul></ul>
    6. 6. WS-Trust Continued <ul><li>  </li></ul>
    7. 7. Enterprise Use Cases <ul><li>  </li></ul><ul><li>  </li></ul><ul><ul><li>Legacy Systems - API access </li></ul></ul><ul><ul><li>Proprietary (especially in mergers) </li></ul></ul><ul><ul><li>Federal /DoD - Extending PKI </li></ul></ul><ul><ul><li>XML security gateway </li></ul></ul>
    8. 8. OAuth Continued <ul><li>  </li></ul>
    9. 9. The OAuth &quot;dance&quot; <ul><li>Step 1: Login to site A </li></ul><ul><li>Step 2: Specify site B </li></ul><ul><li>Step 3: Agree to legal doc from site A </li></ul><ul><li>  </li></ul><ul><li>Step 4: Login to site B </li></ul><ul><li>Step 5: Agree to legal doc from site B </li></ul><ul><li>Step 6: Data exchanged in either direction </li></ul>
    10. 18. Establishing trust for consumer SaaS <ul><li>OAuth is becoming the de-facto solution when end users want to delegate access to their data to another website </li></ul><ul><li>Example: Personal Health Record portability </li></ul><ul><li>Example: Address Book (social data) portability </li></ul><ul><li>Example: Application extensions (photo labs) </li></ul><ul><li>  </li></ul><ul><li>End users want their OWN copy of the data enterprises & portals have about them (address books, health records, financial records, power usage records, even telephone records). </li></ul><ul><li>  </li></ul><ul><li>If you don't give it to them, they will pass laws (HIPAA).  Even if you provide private portals on your site, Web 2.0 startups will screen scrape your site. </li></ul>
    11. 19. Personal Health Records Portability <ul><ul><li>MS HealthVault & Google Health provide secure storage </li></ul></ul><ul><ul><li>Data providers such as hospitals, labs, pharmacies get the user's authorization to transfer data to MS or Google </li></ul></ul><ul><ul><li>3rd party services read the data from MS or Google to provide tools such as clinical trial matching, diabetes management tools, personalized medical news, etc. </li></ul></ul><ul><ul><li>In the future, hospitals might read data from MS or Google to get updates on their patients from other medical providers </li></ul></ul>
    12. 20. Address Book Portability <ul><ul><li>Signup for a Social Networks, and get asked for the password of your E-mail account. </li></ul></ul><ul><ul><li>OAuth provides a more secure option </li></ul></ul><ul><ul><li>Also allows two-way data flow, such as contact sync </li></ul></ul><ul><ul><li>Provides an incentive to E-mail providers to develop standard API format for address books </li></ul></ul>
    13. 21. Application Extensions <ul><ul><li>Photo touchup tools, photo labs </li></ul></ul><ul><ul><li>Calendar/Contact sync tools </li></ul></ul><ul><ul><li>Health management tools </li></ul></ul><ul><ul><li>Blog publishing tools </li></ul></ul><ul><li>  </li></ul><ul><li>Advanced OAuth tricks </li></ul><ul><ul><li>http://sites.google.com/site/oauthgoog/ </li></ul></ul><ul><ul><li>OAuth+Gadgets </li></ul></ul><ul><ul><li>OAuth+OpenID </li></ul></ul><ul><ul><li>OAuth+Google Apps Engine </li></ul></ul><ul><ul><li>OAuth in social apps </li></ul></ul>
    14. 22. Enterprise SaaS @ Saleforce.com  
    15. 23. What is Salesforce.com?
    16. 24. Who builds applications on Salesforce? <ul><li>Three Types of Applications: </li></ul><ul><ul><li>Salesforce.com Applications </li></ul></ul><ul><ul><li>ISV Applications </li></ul></ul><ul><ul><li>Custom Applications </li></ul></ul>
    17. 25. The Salesforce.com API <ul><ul><li>SOAP API with WSDL / Schema </li></ul></ul><ul><ul><li>Low verb count - Primarily CRUD </li></ul></ul><ul><ul><ul><li>Developers can get started in 15-20 minutes </li></ul></ul></ul><ul><li>  </li></ul><ul><ul><li>100,000s of active integrations, all major platforms </li></ul></ul><ul><ul><li>2 Billion API Calls a Month </li></ul></ul><ul><ul><li>3 major releases a year, no broken integrations </li></ul></ul>
    18. 26. Multi-Tenancy Makes Cloud Computing Possible <ul><ul><li>Faster Vendor Innovation </li></ul></ul><ul><ul><li>Economies of Scale </li></ul></ul><ul><ul><li>Maximum Scalability </li></ul></ul><ul><ul><li>Automatic Upgrades </li></ul></ul>
    19. 27. Salesforce.com Design Principles <ul><li>1) Secure </li></ul><ul><ul><li>Confidentiality, Integrity </li></ul></ul><ul><ul><li>Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs </li></ul></ul><ul><ul><li>Appropriate for public internet </li></ul></ul><ul><li>  </li></ul><ul><li>2) Simple </li></ul><ul><ul><li>designed around a few well-defined uses cases </li></ul></ul><ul><ul><li>smarts in the service, not client or the wire protocol </li></ul></ul><ul><ul><li>Minimal surface area </li></ul></ul><ul><li>  </li></ul><ul><li>3) Re-usable </li></ul><ul><ul><li>Built on technologies already in stack </li></ul></ul><ul><ul><li>Birds killed > stones </li></ul></ul><ul><li>  </li></ul><ul><li>4) Supportable </li></ul><ul><ul><li>Based on interoperable standards </li></ul></ul><ul><ul><li>available on all major platforms </li></ul></ul><ul><ul><li>Reliable </li></ul></ul>
    20. 28. Enterprise SaaS Use Cases
    21. 29. Enterprise SaaS Use Cases
    22. 30. Enterprise SaaS Use Cases
    23. 31. WS-Trust
    24. 32. OAuth
    25. 33. Salesforce.com Design Principles <ul><li>1) Secure </li></ul><ul><ul><li>Confidentiality, Integrity </li></ul></ul><ul><ul><li>Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs </li></ul></ul><ul><ul><li>Appropriate for public internet </li></ul></ul><ul><li>  </li></ul><ul><li>2) Simple </li></ul><ul><ul><li>designed around a few well-defined uses cases </li></ul></ul><ul><ul><li>smarts in the service, not client or the wire protocol </li></ul></ul><ul><ul><li>Minimal surface area </li></ul></ul><ul><li>  </li></ul><ul><li>3) Re-usable </li></ul><ul><ul><li>Built on technologies already in stack </li></ul></ul><ul><ul><li>Birds killed > stones </li></ul></ul><ul><li>  </li></ul><ul><li>4) Supportable </li></ul><ul><ul><li>Based on interoperable standards </li></ul></ul><ul><ul><li>available on all major platforms </li></ul></ul><ul><ul><li>Reliable </li></ul></ul>
    26. 34. Q&A <ul><li>Ashish Jain - ajain@pingidentity.com </li></ul><ul><li>Peter Dapkus - pdapkus@salesforce.com </li></ul><ul><li>Eric Sachs    - esachs@google.com </li></ul>
    27. 35. Appendix
    28. 36. Summary continued <ul><li>If you a service provider, support OAuth and you will make things simpler for your data consumers. </li></ul><ul><li>Within an enterprise or government scenario, this may be harder to do </li></ul><ul><li>For a web service, this should be your starting point </li></ul><ul><li>If you are a data consumer, and your service provider does not support OAuth, then try using WS-Trust </li></ul><ul><li>If your service provider does not support WS-Trust, then you will need to build your own proprietary bridge </li></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×