CIS14: Enterprise Identity APIs

Bhagyashree Prabhakar, E*Trade

How to create APIs that enable developers without IAM expertise to implement IAM consistently and correctly.


  1. Enterprise Auth APIs ...wheel grease for IAM. Bhagya Prabhakar, E*TRADE Financial
  2. Enterprise Auth APIs
     § What? Standard IAM APIs for the enterprise
     § Why? Separation of concerns
     § How? IAM expertise and good software engineering
  3. Familiar? (diagram of the status quo: every application integrates with each IAM system on its own)
     Components shown: Internet, OAuth Server, Auth Agent, several APIs, App, Access Tokens, SAML Server, SAML Assertions, Mutual Authentication (client-side SSL), HTTP Basic (twice), User, App Sec, Developers, Kerberos, App
  4. Desiderata (something that is needed or wanted)
     § Standardized solution across applications
     § Consistent user experience
     § Loose coupling to IAM systems
     § New auth methods, minimal/no app changes
     § Enforce policy
     § More control and granularity
  5. Enterprise Auth API (diagram of the target state: the same IAM systems, but every application talks only to the Enterprise Auth API/SDK, which is backed by an Enterprise Auth API Core Impl)
     Components shown: Internet, OAuth Server, Auth Agent, API, SAML Server, SAML Assertions, Mutual Authentication over SSL, HTTP Basic (twice), User, App Sec, Developers, APIs, App, Enterprise Auth API/SDK, Enterprise Auth API Core Impl, Kerberos, App
  6. Example: Get Authenticated User's Details

Before: what an application developer has to write against Spring Security directly (imports added; `EnterpriseUserDetails` is the enterprise's own `UserDetails` subtype from the deck).

```java
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

void thisMustBeSimpler() {
    SecurityContext securityContext = SecurityContextHolder.getContext();
    if (securityContext != null) {
        Authentication authentication = securityContext.getAuthentication();
        if (authentication != null) {
            // Only the enterprise's principal type carries the server session id
            if (authentication.getPrincipal() instanceof EnterpriseUserDetails) {
                EnterpriseUserDetails userDetails =
                    (EnterpriseUserDetails) authentication.getPrincipal();
                String sessionId = userDetails.getServerSessionId();
            }
        }
    }
}
```

  7. With an Enterprise Auth API

The façade the application developer sees instead. The slide lists only method names; the return types below are added so the interface compiles, and `UserDetails` is the enterprise type that carries `getServerSessionId()`.

```java
interface AuthenticationInfo {
    boolean isAuthenticated();
    String getUserId();
    String getUserName();
    Collection<String> getRoles();
    UserDetails getUserDetails();

    // Static factory the slide calls as AuthenticationInfo.newInstance();
    // the binding to the underlying framework lives behind it, not in the app.
    static AuthenticationInfo newInstance() {
        throw new UnsupportedOperationException("bound to the impl module");
    }
}

void nowThisIsMuchBetter() {
    AuthenticationInfo authnInfo = AuthenticationInfo.newInstance();
    UserDetails userDetails = authnInfo.getUserDetails();
    String sessionId = userDetails.getServerSessionId();
}
```

  8. A Couple More Examples

Parameter and return types are not on the slide; the ones below are added for compilability.

```java
interface Federator {
    // Federate the given user attributes to a partner endpoint
    void federate(Map<String, String> attributes, String endpoint);
}

interface AuthorizationInfo {
    boolean hasRole(String role);
    Collection<String> getRoles();
}
```
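What sits behind `AuthenticationInfo.newInstance()` is left open on slides 6 to 8, and slides 10 and 14 only say that the façade should "simplify and constrain" the third-party framework with enterprise rules. The following is an added example of both points, not code from the deck or from E*TRADE: a Spring Security-backed implementation of a small `AuthenticationInfo` that also applies three enterprise rules. It assumes `spring-security-core` on the classpath; the class names `AuthenticationInfo` and `SpringAuthenticationInfo`, the `ROLE_` prefix rule and the sample user `u12345` are this example's own choices.

```java
// EnterpriseAuthExample.java -- added illustration, not E*TRADE's or the deck's code.
// Assumes spring-security-core on the classpath. Every type name below other than
// Spring's own (AuthenticationInfo, SpringAuthenticationInfo), the role-prefix rule
// and the sample user "u12345" are hypothetical choices for this example.
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class EnterpriseAuthExample {

    /** API module: the only type application code depends on. */
    public interface AuthenticationInfo {
        boolean isAuthenticated();
        String getUserId();
        Set<String> getRoles();
        boolean hasRole(String role);

        /** Consumers call this; which impl answers is decided here, not in the app. */
        static AuthenticationInfo newInstance() {
            return new SpringAuthenticationInfo(
                SecurityContextHolder.getContext().getAuthentication());
        }
    }

    /** Impl module: façade over Spring Security that also enforces enterprise rules. */
    static final class SpringAuthenticationInfo implements AuthenticationInfo {
        private static final String ROLE_PREFIX = "ROLE_";
        private final Authentication authentication;   // may be null (nobody logged in)

        SpringAuthenticationInfo(Authentication authentication) {
            this.authentication = authentication;
        }

        /** Rule 1: Spring reports an anonymous token as authenticated; the enterprise does not. */
        @Override
        public boolean isAuthenticated() {
            return authentication != null
                && authentication.isAuthenticated()
                && !(authentication instanceof AnonymousAuthenticationToken);
        }

        /** Rule 2: fail closed; never hand out "anonymousUser" as if it were a user id. */
        @Override
        public String getUserId() {
            if (!isAuthenticated()) {
                throw new IllegalStateException("no authenticated user in the security context");
            }
            return authentication.getName();
        }

        /** Rule 3: expose only ROLE_* authorities, in enterprise form (prefix stripped). */
        @Override
        public Set<String> getRoles() {
            if (!isAuthenticated()) {
                return Collections.emptySet();
            }
            return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(a -> a != null && a.startsWith(ROLE_PREFIX))
                .map(a -> a.substring(ROLE_PREFIX.length()))
                .collect(Collectors.toUnmodifiableSet());
        }

        /** Accept both "TRADER" and "ROLE_TRADER" so callers cannot get the prefix wrong. */
        @Override
        public boolean hasRole(String role) {
            String name = role.startsWith(ROLE_PREFIX) ? role.substring(ROLE_PREFIX.length()) : role;
            return getRoles().contains(name);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: what an authentication filter would have put in the context.
        SecurityContextHolder.getContext().setAuthentication(
            new UsernamePasswordAuthenticationToken("u12345", null,
                AuthorityUtils.createAuthorityList("ROLE_TRADER", "SCOPE_read")));
        AuthenticationInfo info = AuthenticationInfo.newInstance();
        System.out.println(info.isAuthenticated() + " " + info.getUserId() + " " + info.getRoles()
            + " " + info.hasRole("TRADER") + " " + info.hasRole("ROLE_TRADER"));

        // Anonymous request: the façade answers "not authenticated" rather than leaking a fake user.
        SecurityContextHolder.getContext().setAuthentication(
            new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        info = AuthenticationInfo.newInstance();
        System.out.println(info.isAuthenticated() + " " + info.getRoles());
        SecurityContextHolder.clearContext();
    }
}
```

Two things to check before adopting this shape. First, `SecurityContextHolder` is thread-local by default, so `newInstance()` describes the calling thread only; work handed to an executor needs the context propagated or the façade will report nobody logged in. Second, rule 1 is the kind of organization rule slide 14 means: Spring's `isAuthenticated()` is true for an `AnonymousAuthenticationToken`, and a façade that forwards that value unchanged would let every application repeat the same mistake.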
  9. Creating an API ...that developers want to use
  10. Getting Started
     § Derive from existing use-cases
     § Talk to application developers
     § Beware of anti-patterns: bullet point engineering, abstraction inversion
     § Build on top of a modular auth framework
        § Spring Security, Shiro, my-favorite-framework
     § Simplify and constrain
        § Enterprise specific rules
  11. Make it Modular and Portable
     § No kitchen sink of all APIs to integrate with
     § Separate API and impl modules
        § Consumers depend on API
        § Swap out underlying impl
     § Integration in other languages
        § Distill into a web service layer
        § Language specific SDK
  12. Maintain...Maintain...Maintain
     § Support the developers who use it
     § Help developers proactively
     § Implement fixes and extensions quickly
     § Keep up with the IAM industry
     § Make it SOLID
     § Use Semantic Versioning
  13. Return on Investments
     § De facto standard auth API in the Enterprise
     § Mix and match several IAM systems
     § No vendor lock in
     § Rapid prototype development
     § Quick application integration
     § Improved upon our application security practice
        § Detection and remediation
  14. What's Important...
     § Façade away auth frameworks and IAM systems
     § Enhance and constrain 3rd party components with organization rules
     § Make it modular, portable and easy to use
     § Keep up with the IAM industry
  15. So?
     § Benefit from a standardized IAM solution across applications
  16. Thanks! To Adam Migus and E*TRADE Financial
     E-mail: bhagyashree.prabhakar@etrade.com
     Links:
     http://semver.org/
     http://en.wikipedia.org/wiki/SOLID_(object-oriented_design)
     http://projects.spring.io/spring-security/
     http://shiro.apache.org/
     http://en.wikipedia.org/wiki/Desiderata
