The “I” in API is for Identity (Nordic APIS April 2014)


  1. pingidentity.com
  2. THE “I” IN API IS FOR IDENTITY. David Gorton, Senior Program Manager. Copyright © 2014 Ping Identity Corp. All rights reserved.
  3. Identity is the Key
     • Identity unlocks access to resources
       – Web Resources
       – APIs
     • Identities are Everywhere and Expanding
  4. Enterprise APIs Are The Same… but Different
     Public APIs | B2B APIs: ✓ Authentication ✓ Authorization ✓ Audit
  5. Re-Use Identities with Standards
     • Increase Adoption
     • Reduce Risk
     • Interoperability
     • Flexibility
  6. Available API Identity Standards
     • OAuth 2 (Authorization)
     • SAML (Authentication)
     • OpenID Connect (Both)
  7. OAuth 2 – Authorization
     Written for API clients to securely interact with APIs on behalf of users.
  8. OAuth 2 – Details
     • “Authorization Server” runs the show
     • Client requests a token with a scope
       – User authenticates
       – User authorizes the client for a scope
     • An access token is returned that represents a scope for the authenticated user, for use by the client
     Multiple flows (profiles) exist based on the trust between the client, server, and user.
  9. OAuth In Action
     [Sequence diagram] Actors: API Client, OAuth AuthZ, API Resource. Messages: Request Access Token with Credentials; Return Access Token; Request Data From API; Validate Access Token; Return API Response; Return Validation Response; Request Client Scope Authorization; Grant Client Scope Authorization.
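The exchange on slides 8 and 9, as an added example that is not part of the original deck: a hypothetical authorization server issues an opaque access token bound to a user and scope, and the API resource validates it by asking the authorization server (the "Validate Access Token" / "Return Validation Response" pair) before enforcing scope. Client ids, secrets, scopes and user names are constructed sample values.

```python
import secrets

class AuthorizationServer:
    """Hypothetical OAuth 2 authorization server: issues and validates opaque bearer tokens."""
    def __init__(self, clients, ttl=3600):
        self.clients = clients   # client_id -> (client_secret, set of scopes the client may ask for)
        self.ttl = ttl           # token lifetime in seconds
        self.tokens = {}         # token -> {"sub", "scope", "client_id", "exp"}

    def issue_token(self, client_id, client_secret, user, scope, now):
        """'Request Access Token with Credentials': authenticate the client, then grant the scope the user authorized."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return None      # unknown client or wrong secret: no token
        if not set(scope) <= registered[1]:
            return None      # client asked for a scope it is not allowed to request
        token = secrets.token_urlsafe(32)   # opaque to everyone but the authorization server
        self.tokens[token] = {"sub": user, "scope": set(scope), "client_id": client_id, "exp": now + self.ttl}
        return token

    def validate(self, token, now):
        """'Validate Access Token': the API resource asks what a token represents; expired or unknown tokens are inactive."""
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "scope": sorted(rec["scope"]), "exp": rec["exp"]}

class ApiResource:
    """API resource: never trusts the bearer token on its own, always validates it with the authorization server."""
    def __init__(self, authz):
        self.authz = authz

    def handle(self, token, required_scope, now):
        info = self.authz.validate(token, now)
        if not info["active"]:
            return 401, "invalid_token"
        if required_scope not in info["scope"]:
            return 403, "insufficient_scope"
        return 200, f"profile data for {info['sub']}"

def demo(now=1_700_000_000):
    authz = AuthorizationServer({"mobile-app": ("s3cret", {"profile:read", "orders:read"})})
    api = ApiResource(authz)
    tok = authz.issue_token("mobile-app", "s3cret", "alice", ["profile:read"], now)
    return {
        "ok": api.handle(tok, "profile:read", now),                 # (200, 'profile data for alice')
        "wrong_scope": api.handle(tok, "orders:read", now),         # (403, 'insufficient_scope')
        "expired": api.handle(tok, "profile:read", now + 7200),     # (401, 'invalid_token')
        "bad_client": authz.issue_token("mobile-app", "wrong", "alice", ["profile:read"], now),  # None
        "garbage": api.handle("not-a-token", "profile:read", now),  # (401, 'invalid_token')
    }
```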
  10. SAML – Federation
     Enable authentication & federation across domains & organizations.
  11. SAML – Details
     • Establish Trust Between Organizations
     • Signed and Encrypted Tokens Transfer Identity
  12. SAML + OAuth
     • Authentication brokered by SAML
     • SAML Token Exchanged for OAuth Access Token
     • Access Token used to access APIs
  13. SAML + OAuth In Action
     [Sequence diagram] Actors: OAuth Client, OAuth AuthZ & Federation, API Resource, Identity Provider. Messages: Request Access Token; Redirect to OAuth Server with SAML; Request Data From API; Validate Access Token; Return API Response; Return Validation Response; Redirect to Identity Provider; Request to Start AuthN Flow; Request Access Token with SAML; Return Access Token.
  14. OpenID Connect – The New Kid on the Block
  15. OpenID Connect
     • OIDC Token contains
       – Identity Token
       – OAuth Access Token
     • Trust Model for Federation
     • Lower Maintenance
  16. OIDC In Action
     [Sequence diagram] Actors: Mobile, OIDC Server, API Resource, Identity Provider. Messages: Request OIDC Token; Return OIDC Token; Request Data From API; Validate OIDC Token; Return API Response; Return Validation Response; Redirect to Identity Provider; Request to Start AuthN Flow; Validate OIDC Token; Return Validation Response.
  17. Architecting API Identity
     • Start with API & Client
     • Add OAuth 2.0
     • Add SAML
     • Or Use OpenID Connect
  18. What is the best option?
     SAML + OAuth 2
       + Broad Adoption of SAML
       – More complex
       – Requires browser interaction
       + Uses OAuth Access Tokens
     OpenID Connect
       – Limited Enterprise Adoption
       + One Standard
       + Works with all clients
       + Uses OAuth Access Tokens
  19. Ping Identity Solution
     ✓ OAuth 2 ✓ SAML ✓ OpenID Connect ✓ Authorization ✓ Auditing
  20. ?
