
[WSO2Con USA 2018] Identity APIs is the New Black

This slide deck discusses how identity APIs have evolved over time and real-world scenarios where tough identity challenges have been successfully tackled by using them.

  1. Identity APIs is the New Black. Dulanja Liyanage, Senior Technical Lead, WSO2
  2. IAM Evolution
  3. Siloed IAM - Application Bounded. Diagram: at Kermit Corp the HR Application, Payroll Application and License Application each sit on their own user store (LDAP, AD, RDB), so the same person is represented as John, John Li and JohnL.
  4. Siloed IAM - Centralized but Proprietary. Diagram: the Payroll, HR and License applications at Kermit Corp and the CRM Application at FinOrg all connect to one Identity Provider, but over a Kermit-proprietary protocol.
  5. Problems of Siloed IAM
     ● Same physical user digitally represented in different silos with different credentials
     ● No single sign-on across silos
     ● Higher probability of identity mismanagement
     ● Identity integrations across department/enterprise borders are difficult or impossible
  6. Centralized IAM - Standard APIs. Diagram: the same applications connect to the Identity Provider over standard protocols instead: SAML SSO / SCIM / XACML, OpenID Connect / SCIM / XACML and WS-Fed / SCIM / XACML.
  7. Happily ever after?
  8. Customer (is the king!) IAM
     ● Social login and BYOI
     ● Seamless experience across devices (omnichannel)
     ● Privacy (consent management)
     ● Ownership of user information
     ● Party-to-party delegation
  9. CIAM at a Glance. Diagram: at Kermit Corp a Self Care Portal, a Retail Application and a cloud CRM integrate with the Identity Provider over OIDC, OpenID Connect / SCIM / XACML and SCIM; the Customer is the end user.
  10. Diagram linking Identity APIs, Identity Integrations, Seamless Experience, Customer Satisfaction and Business Success.
  11. Next Big Challenge -> Identity of Things
     ● Dynamic device registration
     ● Device to device authentication
     ● Delegation of device access
  12. Modern Identity APIs
  13. User Provisioning with SCIM. Diagram: SCIM provisioning between a Self Care Portal and the Identity Providers of Foo Org, Zee Org and Bar Org, with the flows labelled inbound and outbound.
  14. SCIM 2.0 Payloads
      User Creation:
      curl --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","password":"kimwso2","emails":[{"primary":true,"value":"kim.jackson@gmail.com","type":"home"},{"value":"kim_j@wso2.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
      Group Creation:
      curl --user admin:admin --data '{"displayName":"manager"}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups
  15. Delegated Authorization with OAuth 2.0
     Authorization Code Grant: suitable for web applications
     SAML Bearer Grant: suitable for apps already using SAML SSO for authentication
     JWT Grant: suitable for apps already using a JWT mechanism for authentication
     Client Credentials Grant: suitable for retrieving data not specific to end users (e.g. weather, stocks) and for machine-to-machine communication
  16. Authz Code Grant Flow. Diagram with the Resource Owner, the Application (OAuth Client), the OAuth Authorization Server and the OAuth Resource Server; the messages exchanged over eight numbered steps are: Authenticate + Consent, Authz Code (302), Access Token Request, Access Token, Resource Request with Access Token, Introspect. Prerequisite: the client application is registered with the Authz Server manually or via Dynamic Client Registration.
  17. Authentication with OIDC
     ● OpenID Connect was created on top of OAuth 2.0 to provide an identity layer
     ● Introduces a new scope named "openid"
     ● Introduces a new token named ID Token, containing user claims
     ● Introduces a new endpoint named "userinfo", to fetch additional user claims
  18. OIDC Flow. Diagram: the same participants and steps as the Authz Code Grant flow, with scope=openid in the authorization request, an ID Token returned alongside the Access Token, and a User Info Request made with the Access Token (nine numbered steps).
  19. Party-to-party Delegation with UMA
     ● Developed on top of OAuth 2.0
     ● Introduces an entity named "Requesting Party", and two access tokens named "Protection API Token" (PAT) and "Requesting Party Token" (RPT)
     ● Lots of use cases in CIAM and IoT:
       ○ E.g. a patient granting a doctor and an insurer access to their health records
       ○ E.g. a homeowner granting the housemaid rotate access to the CCTV camera
  20. UMA in Action. Diagram: the Resource Owner authorizes the OAuth Resource Server to register resources with the OAuth Authorization Server through the Protection API (result: PAT) and defines policies; the Requesting Party, through the Application (OAuth Client), accesses the protected resource and requests authorization via the Authorization API (result: RPT); the Resource Server validates the RPT through the Introspection API.
  21. Fine-grained Authorization with XACML
     ● De facto standard for attribute based access control
     ● Decouples authorization logic from the application code by introducing XML based policies
     ● Consists of 4 key components:
       ○ Policy Administration Point
       ○ Policy Decision Point
       ○ Policy Information Point
       ○ Policy Enforcement Point
  22. XACML in Action. Diagram: the Entitlement Administrator manages policies (CRUD) through the Policy Administration Point into the Policy Store; when the End-user does an operation in the HR Application, its Policy Enforcement Point sends a XACML Request to the Policy Decision Point in the Identity Provider, which evaluates the stored policies and consults the Policy Information Point for additional attributes.
  23. User Consent Management. Diagram: the End-user changes consent in the Self Care Portal, which calls the Consent Management API of the Identity Provider, backed by consent storages.
  24. User Data Exposure. Diagram: the End-user exports PII from the Self Care Portal through the PII Exposure API of the Identity Provider, which gathers claims, security questions and consent receipts from the PII storages.
  25. THANK YOU wso2.com
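The Authz Code Grant Flow of slide 16, played out with both sides' messages as an added example (not code from the deck or from WSO2). The client id, secret, redirect URI and scope are constructed; the server is an in-memory stand-in for the authorization and introspection endpoints, and the state check, the redirect_uri check and single-use codes are the controls a practitioner would want to see exercised.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class AuthorizationServer:
    """Toy OAuth 2.0 authorization server: authorize, token and introspection endpoints."""

    def __init__(self):
        # Prerequisite from the slide: the client is already registered (constructed sample client).
        self.clients = {"app-123": {"secret": "s3cret-constructed", "redirect_uri": "https://app.example/cb"}}
        self.codes, self.tokens = {}, {}

    def authorize(self, params: dict, authenticated_user: str) -> str:
        """Authenticate + Consent step; returns the 302 Location carrying the authz code."""
        client = self.clients[params["client_id"]]
        if params["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": params["client_id"], "sub": authenticated_user, "scope": params["scope"]}
        return f"{client['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, client_id: str, client_secret: str, code: str) -> str:
        """Access Token Request: the code is single-use and bound to the client that obtained it."""
        grant, client = self.codes.pop(code, None), self.clients.get(client_id)
        if grant is None or client is None or grant["client_id"] != client_id \
                or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"active": True, "sub": grant["sub"], "scope": grant["scope"],
                              "exp": int(time.time()) + 3600}
        return token

    def introspect(self, token: str) -> dict:
        """Introspect step used by the resource server (RFC 7662 shape; unknown tokens are inactive)."""
        return dict(self.tokens.get(token, {"active": False}))

def run_flow(server: AuthorizationServer, user: str = "john") -> tuple:
    """Client side of the flow; returns the introspection result plus the code so replay can be tested."""
    state = secrets.token_urlsafe(8)  # random per-login value the client checks on the callback
    location = server.authorize({"response_type": "code", "client_id": "app-123", "scope": "payroll.read",
                                 "redirect_uri": "https://app.example/cb", "state": state}, user)
    query = parse_qs(urlparse(location).query)
    if query["state"][0] != state:   # a mismatched state means the callback was not ours (CSRF)
        raise PermissionError("state mismatch")
    access_token = server.token("app-123", "s3cret-constructed", query["code"][0])
    # Resource Request: the resource server validates the bearer token via introspection.
    return server.introspect(access_token), query["code"][0]
```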
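For slides 21 and 22, an added example (not from the deck or WSO2) of the PEP/PDP split: the HR Application's enforcement point serialises a XACML 3.0 Request, and a toy decision point parses it and evaluates a deny-overrides policy for salary records. The XACML namespace, category and attribute URNs are the standard ones; the role and record-owner attribute ids, the policy and the sample subjects are constructed.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 namespace and the standard category / attribute identifiers used in a Request.
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:hr:role"            # constructed attribute id: the caller's role
OWNER = "urn:example:hr:record-owner"   # constructed attribute id: who the record belongs to
STRING = "http://www.w3.org/2001/XMLSchema#string"

def build_request(attributes: dict) -> str:
    """PEP side: serialise {category: {attribute-id: value}} into a XACML 3.0 <Request>."""
    root = ET.Element(f"{{{XACML}}}Request", CombinedDecision="false", ReturnPolicyIdList="false")
    for category, attrs in attributes.items():
        holder = ET.SubElement(root, f"{{{XACML}}}Attributes", Category=category)
        for attr_id, value in attrs.items():
            attr = ET.SubElement(holder, f"{{{XACML}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            ET.SubElement(attr, f"{{{XACML}}}AttributeValue", DataType=STRING).text = value
    return ET.tostring(root, encoding="unicode")

def parse_request(xml_text: str) -> dict:
    """PDP side: flatten a <Request> back into {category: {attribute-id: value}}."""
    ns = {"x": XACML}
    return {
        holder.get("Category"): {a.get("AttributeId"): a.find("x:AttributeValue", ns).text
                                 for a in holder.findall("x:Attribute", ns)}
        for holder in ET.fromstring(xml_text).findall("x:Attributes", ns)
    }

def decide(xml_text: str) -> str:
    """Toy PDP, deny-overrides: a salary record may be viewed by its owner, viewed or updated
    by an HR manager, and nothing else is permitted. Other resources are out of scope."""
    req = parse_request(xml_text)
    subject, resource, action = req.get(SUBJECT, {}), req.get(RESOURCE, {}), req.get(ACTION, {})
    if not resource.get(RESOURCE_ID, "").startswith("salary/"):
        return "NotApplicable"
    if subject.get(ROLE) == "hr-manager" and action.get(ACTION_ID) in ("view", "update"):
        return "Permit"
    if subject.get(SUBJECT_ID) == resource.get(OWNER) and action.get(ACTION_ID) == "view":
        return "Permit"
    return "Deny"                       # anything not explicitly permitted, including a missing role
```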
