Neo-security Stack

Posted 08-May-2015

Technologies that are being used together to secure RESTful APIs: SAML (and eventually OpenID Connect), OAuth, SCIM, and the JSON Identity Protocol Suite (especially JWT). A discussion of how these technologies can be combined to provide enterprise-grade security for APIs, and of how this need fits into the broader context.

Transcript of Neo-security Stack

1. The Neo-security Stack
  Securing APIs using the new stack of RESTful technologies
  By Travis Spencer, CEO
  @travisspencer, @2botech
  Copyright 2013 Twobo Technologies AB. All rights reserved

2. Agenda
  • The security challenge in context
  • Neo-security stack
  • OAuth basics
  • Overview of other layers

3. Crucial Security Concerns
  • Enterprise security
  • API security
  • Mobile security

4. Identity is Central
  (Venn diagram: MDM, MAM and AuthZ where Mobile Security, API Security and Enterprise Security overlap, with Identity at the centre. Venn diagram by Gunnar Peterson.)

5. The Neo-security Stack
  • SAML / OpenID Connect: Federation
  • SCIM: Provisioning
  • JSON Identity Suite: Identity
  • OAuth: Authorization

6. SAML
  • SAML: proven technology for identity federation and Web SSO
  • Profiles, bindings, protocols, assertions & metadata
  • V. 2.1 in the works
  (Diagram: Service Provider (SP) and Identity Provider (IdP))

7. OpenID Connect
  • New federation protocol that builds on OAuth 2
  • Adds identity inputs/outputs to OAuth messages
  • Related to prior OpenID versions in name only
  • Compact messages for mobile scenarios
  • RP / client can determine info about the end user
  • Tokens are JWTs
  • UserInfo endpoint to get user data
  (Image caption: Grandpa SAML & junior)

8. Overview of SCIM
  • Defines a RESTful API to manage users & groups
  • Specifies core user & group schemas
  • Supports bulk updates for ingest
  • Binding for SAML and eventually OpenID Connect

9. OAuth
  • OAuth 2 is the new "protocol of protocols"
    • Composed in useful ways
    • Like WS-Trust of old
  • Addresses old requirements and solves new ones
    • Delegated access
    • No password sharing
    • Revocation of access

10. OAuth Actors
  • Client
  • Authorization Server (AS)
  • Resource Server (RS) (i.e., API)
  • Resource Owner (RO)
  (Diagram: the Client gets a token from the AS and uses the token at the RS)

11. Types of Tokens
  • Access tokens: like a session; used to secure API calls
  • Refresh tokens: like a password; used to get new access tokens

12. Classes of Tokens
  • By value: user attributes are in the token
  • By reference: user attributes are referenced by an identifier
  (Diagram contrasting a by-value token and a by-reference token, labelled 123 and XYZ)

13. Scopes
  • Like permissions
  • Scopes specify the extent of a token's usefulness
  • Listed on the consent UI (if shown)
  • Issued tokens may have narrower scope than requested
  • No standardized scopes

14. OAuth Web Server Flow
  (Diagram only)

15. Usage of OAuth
  • Not for authentication
  • Not really for authorization
  • For delegation

16. JSON Identity Protocol Suite
  • Suite of JSON-based identity protocols
    • Tokens (JWT)
    • Encryption (JWE)
    • Keys (JWK)
    • Signatures (JWS)
    • Algorithms (JWA)
  • Bearer Token spec explains how to use it with OAuth
  • Being defined in the IETF

17. JWT Tokens
  • Pronounced like the English word "jot"
  • Lightweight tokens passed in HTTP headers & query strings
  • Akin to SAML tokens
    • Less expressive
    • Fewer security options
    • More compact
    • Encoded with JSON, not XML

18. Authentication & Federation
  • How you authenticate to the AS is undefined
  • Use SAML or OpenID Connect for SSO to the AS
  • Relay the OAuth token in SAML messages

19. Push Tokens & Pull Data
  (Diagram: IdP & API Provider, SaaS App and Browser; the access token travels in the federation message, then the SaaS app calls "Get Data" and receives the data)

20. SCIM + OAuth
  • Use OAuth to secure SCIM API calls
  • Use SCIM to create the accounts needed to access APIs secured using OAuth

21. SCIM + SAML/OIDC
  • Carry SCIM attributes in SAML assertions (bindings for SCIM)
  • Enables JIT provisioning
  • Supplements SCIM API & schema
  • Accounts provisioned using the SCIM API can be updated before/after logon

22. User Managed Access
  • Also extends OAuth 2
  • Allows users to centrally control distribution of their identity data
  • Used with Personal Data Stores (PDS) to create identity data lockers

23. Questions & Thanks
  @2botech, @travisspencer, www.2botech.com, travisspencer.com
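An added example (not from the slides or from Twobo's own code) tying slides 11-13 and 16-17 together: a resource server accepting a by-value bearer token (a JWT in the JWS compact form) on an API call, verifying the HS256 signature, expiry and audience, and then enforcing the scope the AS actually granted. The shared key, audience URL and scope names are constructed sample values; a by-reference token would instead be resolved by a lookup at the AS rather than parsed locally.

```python
"""Added example: RS-side validation of a by-value OAuth bearer token (a JWT).
Mirrors slides 11 (access token as a session), 13 (scopes may be narrowed by
the AS) and 17 (compact JSON token carried in an HTTP header). HS256 via the
standard library only; SECRET, AUDIENCE and scope names are sample values."""
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"       # key shared by AS and RS (sample value)
AUDIENCE = "https://api.example.test"     # this RS's identifier (sample value)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims, secret=SECRET):
    """What the AS does: sign header.payload with HMAC-SHA256 (JWS compact form)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate(token, required_scope, now=None, secret=SECRET):
    """What the RS does per API call: return the claims, or None if the token is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                    # malformed compact serialization, base64 or JSON
        return None
    if header.get("alg") != "HS256":      # only accept the algorithm the RS was configured for
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:       # access tokens are short-lived, like a session
        return None
    if claims.get("aud") != AUDIENCE:     # token was minted for some other API
        return None
    # the AS may have granted a narrower scope than the client asked for (slide 13)
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims
```

In a real deployment the RS would read the token from the `Authorization: Bearer` header and pass it to `validate`, and the secret would come from the AS's JWK set rather than a constant.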