Users now have more complex identities than ever before; federated accounts, second-factor authentication, and multiple devices all these conditions need to be tested, but how? This talk will examine the minefield of identity and authentication in your pipeline and how your team can traverse this to ensure that you are testing all the conditions without resorting to manual steps.

1. Identity as Code

2. 10 years working in secure systems
Hi!
Platform Specialist at Okta
Software Developer (.NET / Java / JS)
@andymarch

3. User testing
is messy

4. Name: Batman
Rank: Private
Name: Superman
Rank: Major
Name: Thor
Rank: Colonel

5. Name: Batman
Rank: Private
Name: Superman
Rank: Major
Name: Thor
Rank: Colonel
ReportstoReportsto

6. Name: Batman
Rank: Private
Name: Batman
Rank: Major
Name: Batman
Rank: Colonel
ReportstoReportsto

7. Name: Batman
Rank: Colonel/Major/Private
Reports to

9. Don’t roll
your own
identity

11. Divide your
architecture,
divide your
responsibility

12. Business Logic
Monolith
AuthN
AuthZ
AuthN
AuthZ
User Identity
Database
User Identity
Business Logic
Database
Service Oriented

13. Don’t test
what you
don’t control

14. Capture
Mock / Replay
Validate

15. Sign-in Page Mock(AuthN)
Login (user, password)
MFA_Required
MFA_Response(secret)
Accepted

16. …except
when you
must

17. Define
Use / Reuse
Initialize
Cleanup

18. Dev
Mostly unit tests
Individual Environment
Integration
Integration tests
Shared Environment
QA
Complex tests
Single Environment
Prod
Real users
Production config

19. Snowflake
Environments

20. Infrastructure as Code

22. ApiDeploy.tf
Dev.auto.tfvars
DBDeploy.tf
Terraform plan
Terraform destroy
Terraform apply

23. Engine APIEngine Client

24. provider "okta" {
org_name = “babbage”
base_url = “okta.com”
api_token = “isthisarealtoken”
}
resource "okta_user_schema" "role_extension" {
index = "analytical_engine_role"
title = "Analytical Engine Role"
type = "string"
master = "PROFILE_MASTER"
}
Engine API
Identity Provider
Engine Client

25. resource "okta_auth_server" “analytical_engine” {
audiences = [“babbage.local”]
description = “General purpose computing.”
name = “Analytical Engine API”
}
resource “okta_auth_server_scope” “tabulate” {
description = “tabulate logarithm”
name = “tabulate:perform”
auth_server_id =
“${okta_auth_server.analytical_engine.id}”
}
Engine API
Identity Provider
AuthZ Server
Engine Client

26. resource "okta_app_oauth" ”engine_client" {
label = “Engine Client”
type = "web”
grant_types = [“authorization_code”]
redirect_uris = [“${var.client_callback}”]
response_types = ["code"]
}
resource "okta_app_oauth" ”engine_api" {
label = “Engine API”
type = ”service”
grant_types = [“client_credentials”]
}
Engine API
Identity Provider
AuthZ Server
Engine Client

27. Engine API
Identity Provider
AuthZ Server
Engine Client
EngineDeploy.tf
Prod.auto.tfvars
IdDeploy.tf
Terraform plan
Terraform apply

28. Engine API
Identity Provider
AuthZ Server
Engine Client
EngineDeploy.tf
QA.auto.tfvars
IdDeploy.tf
Terraform plan
Terraform apply

29. Engine API
Identity Provider
AuthZ Server
Engine Client
EngineDeploy.tf
QA.auto.tfvars
IdDeploy.tf
Terraform plan
Terraform apply
TestAccounts.tf

30. resource “okta_user” “Ada” {
login = “Ada”
email = “ada.lovelace@babbage.local”
first_name = “Ada”
last_name = “Lovelace”
custom_profile_attributes = {
analytical_engine_role = "Lead Programmer"
}
depends_on = ["okta_user_schema.role_extension"]
}

31. Engine API
Identity Provider
AuthZ Server
Engine Client
EngineDeploy.tf
QA.auto.tfvars
IdDeploy.tf
Terraform destroy
TestAccounts.tf

32. Don’t roll your own.
Architect for identity.
Test within a boundary, reach beyond when
you must.
Define as much environment as you can in
code.
Recap

33. Developer.okta.com
andy.march@okta.com
@andymarch