The “I” in API is for Identity (Nordic APIS April 2014)
- 2. THE “I” IN API IS FOR IDENTITY
David Gorton, Senior Program Manager
Copyright © 2014 Ping Identity Corp. All rights reserved.
2
- 3. Identity is the Key
• Identity unlocks access to resources
– Web Resources
– APIs
• Identities are Everywhere and Expanding
- 4. Enterprise APIs Are The Same…but Different
Public APIs and B2B APIs both need:
✓ Authentication
✓ Authorization
✓ Audit
- 5. Re-Use Identities with Standards
• Increase Adoption
• Reduce Risk
• Interoperability
• Flexibility
- 6. Available API Identity Standards
• OAuth 2 (Authorization)
• SAML (Authentication)
• OpenID Connect (Both)
- 7. OAuth 2 – Authorization
Written for API clients to securely interact with APIs on behalf of users
- 8. OAuth 2 – Details
• “Authorization Server” runs the show
• Client Requests a Token with a Scope
– User Authenticates
– User Authorizes Client for a Scope
• Access token returned that represents a scope for the authenticated user for use by the client
Multiple flows (profiles) exist based on the trust between the client, server, and user.
- 9. OAuth In Action
Actors: API Client, OAuth AuthZ (authorization server), API Resource. Sequence reconstructed from the diagram:
1. API Client → OAuth AuthZ: Request Access Token with Credentials
2. Request Client Scope Authorization (the user authenticates and is asked to approve the scope)
3. Grant Client Scope Authorization
4. OAuth AuthZ → API Client: Return Access Token
5. API Client → API Resource: Request Data From API
6. API Resource → OAuth AuthZ: Validate Access Token
7. OAuth AuthZ → API Resource: Return Validation Response
8. API Resource → API Client: Return API Response
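The exchange above as an added, runnable model (example code, not from the deck or Ping Identity): a toy authorization server issues an opaque access token bound to a user and a scope, and the API resource validates the token with the authorization server and enforces the scope before answering. All class and method names are hypothetical and the client credentials are constructed test data.

```python
# Added example (not from the deck): a toy OAuth 2 authorization server and
# resource server; all class/method names are hypothetical.
import secrets
import time


class AuthorizationServer:
    """Issues scoped access tokens and answers the API's validation requests."""

    def __init__(self, clients, ttl_seconds=3600):
        self.clients = clients  # client_id -> client_secret (constructed data)
        self.tokens = {}        # opaque token -> metadata
        self.ttl = ttl_seconds

    def issue_token(self, client_id, client_secret, user, granted_scope):
        # "Request Access Token with Credentials": the user is assumed to have
        # authenticated and granted the client this scope already.
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid client credentials")
        token = secrets.token_urlsafe(32)  # unguessable, carries no data itself
        self.tokens[token] = {
            "sub": user,
            "scope": frozenset(granted_scope),
            "exp": time.time() + self.ttl,
        }
        return token

    def introspect(self, token):
        # "Validate Access Token" / "Return Validation Response"
        meta = self.tokens.get(token)
        if meta is None or meta["exp"] <= time.time():
            return {"active": False}
        return {"active": True, "sub": meta["sub"], "scope": meta["scope"]}


class ApiResource:
    """Protected API that serves data only after the token checks out."""

    def __init__(self, authz):
        self.authz = authz

    def get_data(self, token, required_scope):
        # "Request Data From API": validate first, then enforce the scope.
        info = self.authz.introspect(token)
        if not info["active"]:
            return 401, "invalid_token"
        if required_scope not in info["scope"]:
            return 403, "insufficient_scope"
        return 200, {"owner": info["sub"], "data": "profile record"}
```

The resource server never inspects the token itself; it trusts only the validation response, which is what lets the token stay opaque to the client.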
- 10. SAML – Federation
Enable authentication & federation across domains & organizations
- 11. SAML – Details
• Establish Trust Between Organizations
• Signed and Encrypted Tokens Transfer Identity
- 12. SAML + OAuth
• Authentication brokered by SAML
• SAML Token Exchanged for OAuth Access Token
• Access Token used to access APIs
- 13. SAML + OAuth In Action
Actors: OAuth Client, OAuth AuthZ & Federation server, Identity Provider, API Resource. Sequence reconstructed from the diagram:
1. OAuth Client → OAuth AuthZ & Federation: Request Access Token
2. OAuth AuthZ & Federation → OAuth Client: Redirect to Identity Provider
3. OAuth Client → Identity Provider: Request to Start AuthN Flow
4. Identity Provider → OAuth Client: Redirect to OAuth Server with SAML
5. OAuth Client → OAuth AuthZ & Federation: Request Access Token with SAML
6. OAuth AuthZ & Federation → OAuth Client: Return Access Token
7. OAuth Client → API Resource: Request Data From API
8. API Resource → OAuth AuthZ & Federation: Validate Access Token
9. OAuth AuthZ & Federation → API Resource: Return Validation Response
10. API Resource → OAuth Client: Return API Response
- 14. OpenID Connect – The New Kid on the Block
- 15. OpenID Connect
• OIDC Token contains
– Identity Token
– OAuth Access Token
• Trust Model for Federation
• Lower Maintenance
- 16. OIDC In Action
Actors: Mobile client, OIDC Server, Identity Provider, API Resource. Sequence reconstructed from the diagram:
1. Mobile → OIDC Server: Request OIDC Token
2. OIDC Server → Mobile: Redirect to Identity Provider
3. Mobile → Identity Provider: Request to Start AuthN Flow
4. OIDC Server → Mobile: Return OIDC Token
5. Mobile → API Resource: Request Data From API
6. API Resource → OIDC Server: Validate OIDC Token
7. OIDC Server → API Resource: Return Validation Response
8. API Resource → Mobile: Return API Response
- 17. Architecting API Identity
• Start with API & Client
• Add OAuth 2.0
• Add SAML
• Or Use OpenID Connect
- 18. What is the best option?
SAML + OAuth 2
+ Broad Adoption of SAML
– More complex
– Requires browser interaction
+ Uses OAuth Access Tokens
OpenID Connect
– Limited Enterprise Adoption
+ One Standard
+ Works with all clients
+ Uses OAuth Access Tokens