Download as PDF, PPTX
Uploaded byVMware Tanzu
Security as a Service - Tian Wang
The document provides an overview of security services available on the Cloud Foundry platform including UAA (Universal Authentication and Authorization) and Credhub. UAA provides identity and access management capabilities including single sign-on (SSO), OAuth 2.0/OpenID Connect protocols, and user authentication and authorization. Credhub provides secure credential management through generation, storage, and rotation of credentials. The document discusses how Spring applications can leverage these services through UAA's identity broker and Spring CredHub client to integrate SSO and manage credentials in a Cloud Foundry deployment. Demo sections show examples of UAA for SSO and Credhub for credential management.
More Related Content
![[API World ] - Managing Asynchronous APIs](https://cdn.slidesharecdn.com/ss_thumbnails/lasantha-managingasyncapis-211109143621-thumbnail.jpg?width=640&height=640&fit=bounds)
![[WSO2Con EU 2017] Ballerina Connectors for Seamless Integration](https://cdn.slidesharecdn.com/ss_thumbnails/9i6qbt1rzovx3gpnf6gs-signature-25a03a0dd11bea2cb4b5d302614dc9fa369274823e87b86d7bcc419612b27068-poli-171106131830-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Security as a Service - Tian Wang
Security as a Service - Tian Wang
- 1. Version 1.0 October 10,2018 Security as a Service How Your Spring Apps Can Benefit From Cloud Foundry
- 2. Cover w/ Image Agenda ■What does the Cloud Foundry platform provide for my apps? ■ What is OAuth and OIDC? ■ How can I use it? ■ What is Credhub? ■ How can I use it?
- 3. Cloud Foundry 💚Spring How does the platform benefit my apps?
- 4. A platform forrunning your apps... BOSH AWS Azure GCP On-Prem VM VM VMVM VM VM VM IaaS PaaS Appscf push Routing CAPI UAA ...Diego App ● Buildpacks ● Routing ● Scaling ● Monitoring ● Backup and Restore ● Services Marketplace● Services Marketplace
- 5. ● Security Servicesfor App ○ UAA (SSO) Identity as a Service ○ Credhub Credential Management A platform with security services for your apps... BOSH AWS Azure GCP On-Prem VM VM VMVM VM VM VM IaaS PaaS Appscf push Routing CAPI UAA ...Diego App
- 6. Security services tohelp you build your apps... cf push AppsApp PaaSCredhubUAA ● Identity Proxy ● User AuthN/AuthZ ● Service-to-Service Authn/AuthZ ● Credential Generation ● Credential Storage ● Credential Rotation
- 7. Cloud Native Protocols Whatis OAuth? I’ll do you one better: Why is OAuth?
- 8.
- 9. Authorization Server Client Resource Server Resource Server OAuth 2.0(Authorization) - Access Token OpenID Connect (Authentication) - ID Token Resource Owner
- 10. What’s a TokenLook Like? JSON Web Token (JWT)Bearer Token
- 11. What’s a TokenLook Like? Authentication Method (“External”) External User Attributes External Groups
- 12. What’s a TokenLook Like? Scopes for Role Based Access Control User allowed to have scope (UAA group) Client allowed to have scope (client config) User consented client can use scope (to prevent malicious apps)
- 13.
- 14.
- 15. Authorization Server Client Resource Servers as892jd as892jd Authorization CodeGrant Flow (UI Flow) Super Secure Back Channel Tokens as892jd
- 16. Authorization Server Client Resource Servers Implicit GrantFlow (UI Flow) Front end only (Single Page App) / short lifetime
- 17. Authorization Server Client Resource Servers Password GrantFlow (Non-Browser Flow) Trusted Native Apps - CLIs or Mobile
- 18. Authorization Server Client Resource Servers Client CredentialGrant Flow (Non-User Flow) Apps on behalf of itself Clients can be configured with scopes as authorities for RBAC RBAC
- 19. Authorization Server Client or Resource Server Resource Servers Token Exchange SAMLor JWT from external identity providers External Identity Provider
- 20. Authorization Server Resource Server Resource Servers Token Passing Not EvenA Grant Flow - But Be Careful
- 21. UAA and PCFSSO Identity as a Service
- 22. Official Identity Providerof Cloud Foundry, BOSH, OpsManager, PAS, PKS, and more Production proven at scales of over 2 million tokens per day UAA Cloud Foundry and PCF LDAP Lightweight Directory Access Protocol OpenID Connect UAA SAML Powered by UAA BOSH OpsMan PKS
- 23. Identity Service Broker, IdentitySample Apps, and Spring SSO Connector Beyond UAA and into the customer experience Starting with Spring Boot for Java & SteelToe for .NET SSO Pivotal SSO Service Customer Applications Enterprise/ Internal Applications Mobile Applications LDAP Lightweight Directory Access Protocol OpenID Connect OpenID Connect UAA SAML SSO Operator Dashboard - Identity Providers SSO Integration Guides SSO Identity Service Broker Spring SSO Connector Frameworks like Spring Boot / SteelToe (Not Owned by Team) Identity Sample Apps Operator App Developer We become both a bridge and a buffer between the old world and the new world SSO Developer Dashboard - Apps and Resources Powered by UAA
- 24.
- 25. Credhub RRR Matey -Rotate, Repave, Repair
- 26.
- 27. How does itwork?
- 28.
- 29.
- 30.
- 31. Credential Usage Spring CredHubprovides client-side support for storing, retrieving, and deleting credentials from a CredHub server running in a Cloud Foundry platform. The CredHubTemplate is used to interact with CredHub, typically used through its CredHubOperations interface.
- 32.
- 33. Transforming How TheWorld Builds Software © Copyright 2018 Pivotal Software, Inc. All rights Reserved.