Security is a complex part of software development. When implementing it in our applications we usually meet the same simple but tricky challenges: building a secure and user-friendly registration and authentication flow, protecting data, and preventing unauthorized access. All of this costs a lot of development effort.
But why do we need to develop it from scratch each time? You can delegate this task to an identity and access management solution.
Join this talk to find out how to get, in less than an hour, a production-ready authentication flow, login and registration forms, Single Sign-On and separate storage for user data. Learn about the out-of-the-box solutions available today, real cases of usage, and the pros and cons of this approach.
2. LEV MALTSEV, LEAD DEVELOPER, EPAM
• 8+ years in software development
• Companies: Credit Europe Bank NL, EPAM
• Technologies: Java, SQL, Spring, JPA, JMS, JS
3. AGENDA
WHY WE ARE HERE?
ARCHITECTURE OVERVIEW
DEMO
BOX SOLUTIONS
SUMMARY
QA & LINKS
5. Identity management, also known as identity and access management (IAM), is a discipline that "enables the right individuals to access the right resources at the right times and for the right reasons".
7. Business goals
• Security: authentication & authorization mechanisms, TFA, federation
• Cloud & microservices friendly
• Profile data reporting
• Easy integration of new clients, SSO, social login
• Adapted to the General Data Protection Regulation (GDPR)
• Fast time-to-market
12. Single Sign-On
SSO is an umbrella term for any setup in which a user can log in to multiple applications while authenticating only once.
• One set of credentials for multiple services
• Shared user identity across different resources
• Centralized set of access privileges
13. Federated identity. Protocols
Federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
Protocols:
• SAML 2.0: XML, more mature, more complex
• OpenID Connect / OAuth 2: JSON, simple, bearer token
14. JSON Web Tokens (JWT)
A JSON Web Token (JWT) is a JSON object defined in RFC 7519 as a safe way to represent a set of claims exchanged between two parties. The token is composed of a header, a payload, and a signature.
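The following is an added example, not code from the slides or from any vendor the talk covers. It shows the header.payload.signature structure described above and the checks a service must perform before trusting a bearer token of the kind used by OpenID Connect / OAuth 2 (previous slide): pinned algorithm, HMAC signature, issuer and expiry. It uses only the Python standard library; the secret, the `ISSUER` URL and the sample claims are constructed placeholders.

```python
# Added example, not from the slides: a minimal HS256 JWT encoder and verifier
# built only on the Python standard library. The secret, the ISSUER URL and the
# sample claims are constructed for this demo and do not refer to a real IdP.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example"  # placeholder issuer URL used in the sample claims


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature, signing the first two segments with HMAC-SHA256."""
    header_b64 = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload_b64 = _json_segment(claims)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes, expected_iss: str, now: Optional[float] = None) -> dict:
    """Return the claims only if algorithm, signature, issuer and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side instead of trusting the header's
    # "alg" field, so an unsigned ("none") token can never pass.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def build_samples(key: bytes, now: float) -> dict:
    """Constructed test tokens: a valid one, one with an edited payload, one claiming alg=none."""
    good = encode_jwt({"iss": ISSUER, "sub": "alice", "exp": now + 300}, key)
    header_b64, _, sig_b64 = good.split(".")
    edited_payload = _json_segment({"iss": ISSUER, "sub": "admin", "exp": now + 300})
    tampered = f"{header_b64}.{edited_payload}.{sig_b64}"  # old signature, new payload
    none_header = _json_segment({"alg": "none", "typ": "JWT"})
    unsigned = f"{none_header}.{edited_payload}."  # empty signature segment
    return {"good": good, "tampered": tampered, "unsigned": unsigned}


def check_all(key: bytes, now: float) -> dict:
    """Run the verifier over every sample and record why each one was accepted or rejected."""
    results = {}
    for name, token in build_samples(key, now).items():
        try:
            verify_jwt(token, key, ISSUER, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in check_all(b"constructed-demo-secret", time.time()).items():
        print(f"{name:9s} -> {outcome}")
```

Only the `good` token is accepted; the token with an edited payload fails the signature check, and the token whose header claims `alg: none` is rejected before the signature is even looked at, because the verifier decides the algorithm itself rather than reading it from the token.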
17. Key Features
• Hosted on vendor side
• Support
• Administration console
• UI builder for Auth related elements on your web pages/apps
• Reporting functionality
• Consent management
• REST API
• Various SDKs
• Social networks integration
19. Tasty things
• Significantly reduced development effort
• Security outsourcing
• Unified security approach
• Out-of-the-box (OOTB) features
20. Before you dive into this
• Costs
• Hard to integrate with legacy systems
• Customizable, but some extras are not possible at all
• Sometimes does not work as expected
• Hard to move from one solution to another