Identity enabling Web Services Ashish Jain, Director of Technology, Ping Identity Peter Dapkus, Product Manager, Salesforce.com Eric Sachs, Product Manager, Google Security September 10, 2008

Agenda Introduction WS-Trust Overview OAuth Overview Enterprise to Enterprise OAuth Dance Consumer to SaaS Enterprise to SaaS Summary Q&A

Introduction

WS-Trust Overview

OAuth Overview

Enterprise to Enterprise

OAuth Dance

Consumer to SaaS

Enterprise to SaaS

Summary

Q&A

Introduction Server to Server Mashup Enterprise SOA SSO + Data Desktop Client

Server to Server Mashup

Enterprise SOA

SSO + Data

Desktop Client

WS-Trust To provide a framework for requesting and issuing security tokens, and to broker trust relationships. OASIS Standard Solutions by Microsoft, IBM, Sun, Ping Identity... Related Specs - WS-Policy, WS-SecureConversation, WS-Addressing, WS-Mex, WS-SecurityPolicy... Used heavily in Information Cards Current Status

To provide a framework for requesting and issuing security tokens, and to broker trust relationships.

OASIS Standard

Solutions by Microsoft, IBM, Sun, Ping Identity...

Related Specs - WS-Policy, WS-SecureConversation, WS-Addressing, WS-Mex, WS-SecurityPolicy...

Used heavily in Information Cards

Current Status

OAuth An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications. Open Standard. Developed by Community. (http://OAuth.net). Support by Google, MySpace, Yahoo, AOL, Twitter, Pownce... Lightweight. Does one thing. Very well. Somewhat related specs: OpenID Current Status: V1.0 in use by Google & MySpace as well as many other sites. Some extensions proposed, but no significant modifications to the core protocol.

An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.

Open Standard. Developed by Community. (http://OAuth.net).

Support by Google, MySpace, Yahoo, AOL, Twitter, Pownce...

Lightweight. Does one thing. Very well.

Somewhat related specs: OpenID

Current Status: V1.0 in use by Google & MySpace as well as many other sites. Some extensions proposed, but no significant modifications to the core protocol.

WS-Trust Continued

Enterprise Use Cases Legacy Systems - API access Proprietary (especially in mergers) Federal /DoD - Extending PKI XML security gateway

Legacy Systems - API access

Proprietary (especially in mergers)

Federal /DoD - Extending PKI

XML security gateway

OAuth Continued

The OAuth "dance" Step 1: Login to site A Step 2: Specify site B Step 3: Agree to legal doc from site A Step 4: Login to site B Step 5: Agree to legal doc from site B Step 6: Data exchanged in either direction

Step 1: Login to site A

Step 2: Specify site B

Step 3: Agree to legal doc from site A

Step 4: Login to site B

Step 5: Agree to legal doc from site B

Step 6: Data exchanged in either direction

Establishing trust for consumer SaaS OAuth is becoming the de-facto solution when end users want to delegate access to their data to another website Example: Personal Health Record portability Example: Address Book (social data) portability Example: Application extensions (photo labs) End users want their OWN copy of the data enterprises & portals have about them (address books, health records, financial records, power usage records, even telephone records). If you don't give it to them, they will pass laws (HIPAA). Even if you provide private portals on your site, Web 2.0 startups will screen scrape your site.

OAuth is becoming the de-facto solution when end users want to delegate access to their data to another website

Example: Personal Health Record portability

Example: Address Book (social data) portability

Example: Application extensions (photo labs)

End users want their OWN copy of the data enterprises & portals have about them (address books, health records, financial records, power usage records, even telephone records).

If you don't give it to them, they will pass laws (HIPAA). Even if you provide private portals on your site, Web 2.0 startups will screen scrape your site.

Personal Health Records Portability MS HealthVault & Google Health provide secure storage Data providers such as hospitals, labs, pharmacies get the user's authorization to transfer data to MS or Google 3rd party services read the data from MS or Google to provide tools such as clinical trial matching, diabetes management tools, personalized medical news, etc. In the future, hospitals might read data from MS or Google to get updates on their patients from other medical providers

MS HealthVault & Google Health provide secure storage

Data providers such as hospitals, labs, pharmacies get the user's authorization to transfer data to MS or Google

3rd party services read the data from MS or Google to provide tools such as clinical trial matching, diabetes management tools, personalized medical news, etc.

In the future, hospitals might read data from MS or Google to get updates on their patients from other medical providers

Address Book Portability Signup for a Social Networks, and get asked for the password of your E-mail account. OAuth provides a more secure option Also allows two-way data flow, such as contact sync Provides an incentive to E-mail providers to develop standard API format for address books

Signup for a Social Networks, and get asked for the password of your E-mail account.

OAuth provides a more secure option

Also allows two-way data flow, such as contact sync

Provides an incentive to E-mail providers to develop standard API format for address books

Application Extensions Photo touchup tools, photo labs Calendar/Contact sync tools Health management tools Blog publishing tools Advanced OAuth tricks http://sites.google.com/site/oauthgoog/ OAuth+Gadgets OAuth+OpenID OAuth+Google Apps Engine OAuth in social apps

Photo touchup tools, photo labs

Calendar/Contact sync tools

Health management tools

Blog publishing tools

Advanced OAuth tricks

http://sites.google.com/site/oauthgoog/

OAuth+Gadgets

OAuth+OpenID

OAuth+Google Apps Engine

OAuth in social apps

Enterprise SaaS @ Saleforce.com

What is Salesforce.com?

Who builds applications on Salesforce? Three Types of Applications: Salesforce.com Applications ISV Applications Custom Applications

Three Types of Applications:

Salesforce.com Applications

ISV Applications

Custom Applications

The Salesforce.com API SOAP API with WSDL / Schema Low verb count - Primarily CRUD Developers can get started in 15-20 minutes 100,000s of active integrations, all major platforms 2 Billion API Calls a Month 3 major releases a year, no broken integrations

SOAP API with WSDL / Schema

Low verb count - Primarily CRUD

Developers can get started in 15-20 minutes

100,000s of active integrations, all major platforms

2 Billion API Calls a Month

3 major releases a year, no broken integrations

Multi-Tenancy Makes Cloud Computing Possible Faster Vendor Innovation Economies of Scale Maximum Scalability Automatic Upgrades

Faster Vendor Innovation

Economies of Scale

Maximum Scalability

Automatic Upgrades

Salesforce.com Design Principles 1) Secure Confidentiality, Integrity Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs Appropriate for public internet 2) Simple designed around a few well-defined uses cases smarts in the service, not client or the wire protocol Minimal surface area 3) Re-usable Built on technologies already in stack Birds killed > stones 4) Supportable Based on interoperable standards available on all major platforms Reliable

1) Secure

Confidentiality, Integrity

Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs

Appropriate for public internet

2) Simple

designed around a few well-defined uses cases

smarts in the service, not client or the wire protocol

Minimal surface area

3) Re-usable

Built on technologies already in stack

Birds killed > stones

4) Supportable

Based on interoperable standards

available on all major platforms

Reliable

Enterprise SaaS Use Cases

Enterprise SaaS Use Cases

Enterprise SaaS Use Cases

WS-Trust

OAuth

Salesforce.com Design Principles 1) Secure Confidentiality, Integrity Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs Appropriate for public internet 2) Simple designed around a few well-defined uses cases smarts in the service, not client or the wire protocol Minimal surface area 3) Re-usable Built on technologies already in stack Birds killed > stones 4) Supportable Based on interoperable standards available on all major platforms Reliable

1) Secure

Confidentiality, Integrity

Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs

Appropriate for public internet

2) Simple

designed around a few well-defined uses cases

smarts in the service, not client or the wire protocol

Minimal surface area

3) Re-usable

Built on technologies already in stack

Birds killed > stones

4) Supportable

Based on interoperable standards

available on all major platforms

Reliable

Q&A Ashish Jain - ajain@pingidentity.com Peter Dapkus - pdapkus@salesforce.com Eric Sachs - esachs@google.com

Ashish Jain - ajain@pingidentity.com

Peter Dapkus - pdapkus@salesforce.com

Eric Sachs - esachs@google.com

Appendix

Summary continued If you a service provider, support OAuth and you will make things simpler for your data consumers. Within an enterprise or government scenario, this may be harder to do For a web service, this should be your starting point If you are a data consumer, and your service provider does not support OAuth, then try using WS-Trust If your service provider does not support WS-Trust, then you will need to build your own proprietary bridge

If you a service provider, support OAuth and you will make things simpler for your data consumers.

Within an enterprise or government scenario, this may be harder to do

For a web service, this should be your starting point

If you are a data consumer, and your service provider does not support OAuth, then try using WS-Trust

If your service provider does not support WS-Trust, then you will need to build your own proprietary bridge