The “I” in API is for Identity (Nordic APIS April 2014)
Transcript of The “I” in API is for Identity (Nordic APIS April 2014)
pingidentity.com
THE “I” IN API IS FOR IDENTITY
David Gorton
Senior Program Manager
Copyright © 2014 Ping Identity Corp. All rights reserved.
Identity is the Key
• Identity unlocks access to resources
– Web Resources
– APIs
• Identities are Everywhere and Expanding
Enterprise APIs Are The Same…but Different
Public APIs | B2B APIs
✓ Authentication ✓ Authorization ✓ Audit
Re-Use Identities with Standards
• Increase Adoption
• Reduce Risk
• Interoperability
• Flexibility
Available API Identity Standards
• OAuth 2 (Authorization)
• SAML (Authentication)
• OpenID Connect (Both)
OAuth 2 – Authorization
Written for API clients to securely interact with APIs on behalf of users
OAuth 2 – Details
• “Authorization Server” runs the show
• Client Requests a Token with a Scope
– User Authenticates
– User Authorizes Client for a Scope
• Access token returned that represents a scope for the authenticated user, for use by the client
Multiple flows (profiles) exist based on the trust between the client, server, and user.
OAuth In Action
Participants: API Client, OAuth AuthZ, API Resource
1. API Client → OAuth AuthZ: Request Access Token with Credentials
2. OAuth AuthZ → API Client (user): Request Client Scope Authorization
3. API Client (user) → OAuth AuthZ: Grant Client Scope Authorization
4. OAuth AuthZ → API Client: Return Access Token
5. API Client → API Resource: Request Data From API
6. API Resource → OAuth AuthZ: Validate Access Token
7. OAuth AuthZ → API Resource: Return Validation Response
8. API Resource → API Client: Return API Response
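The exchange above as a worked example (added here, not code from the slides or from Ping Identity): the authorization server authenticates the client and user, issues an opaque token for the scope the user actually granted, and the API resource validates the token with the authorization server and enforces the scope. The in-memory client and user stores, the `orders:read` scope and the order data are constructed for the demo.

```python
import secrets
import time

# Constructed demo of the flow above: the authorization server issues opaque,
# scoped access tokens; the API resource validates each token by asking the
# authorization server ("Validate Access Token"), then enforces the scope.
class AuthorizationServer:
    def __init__(self, clients, users, ttl_seconds=3600):
        self.clients = clients  # client_id -> client_secret (demo store)
        self.users = users      # username -> password (demo only; hash for real)
        self.ttl = ttl_seconds
        self.tokens = {}        # opaque token -> record

    def issue_token(self, client_id, secret, username, password,
                    requested_scope, granted_scope):
        # Client requests a scope; user authenticates and authorizes the client.
        if not secrets.compare_digest(self.clients.get(client_id, ""), secret):
            return None  # client failed to authenticate
        if not secrets.compare_digest(self.users.get(username, ""), password):
            return None  # user failed to authenticate
        scope = set(requested_scope) & set(granted_scope)  # never more than requested
        if not scope:
            return None  # user declined every requested scope
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": username, "client_id": client_id,
                              "scope": scope, "exp": time.time() + self.ttl}
        return token

    def validate(self, token):
        # Validation response for the resource: active flag, subject, scope.
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] <= time.time():
            return {"active": False}  # unknown or expired: say nothing else
        return {"active": True, "sub": rec["sub"],
                "client_id": rec["client_id"], "scope": sorted(rec["scope"])}


class ApiResource:
    def __init__(self, authz):
        self.authz = authz
        self.orders = {"alice": ["o-1", "o-2"]}  # constructed data

    def get_orders(self, access_token):
        # Returns (status, body): 401 bad/expired token, 403 insufficient scope.
        info = self.authz.validate(access_token)
        if not info["active"]:
            return 401, None
        if "orders:read" not in info["scope"]:
            return 403, None
        return 200, self.orders.get(info["sub"], [])
```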
SAML – Federation
Enable authentication & federation across domains & organizations
SAML – Details
• Establish Trust Between Organizations
• Signed and Encrypted Tokens Transfer Identity
SAML + OAuth
• Authentication brokered by SAML
• SAML Token Exchanged for OAuth Access Token
• Access Token used to access APIs
SAML + OAuth In Action
Participants: OAuth Client, OAuth AuthZ & Federation, Identity Provider, API Resource
1. OAuth Client → OAuth AuthZ & Federation: Request Access Token
2. OAuth AuthZ & Federation → OAuth Client: Redirect to Identity Provider
3. OAuth Client → Identity Provider: Request to Start AuthN Flow
4. Identity Provider → OAuth Client: Redirect to OAuth Server with SAML
5. OAuth Client → OAuth AuthZ & Federation: Request Access Token with SAML
6. OAuth AuthZ & Federation → OAuth Client: Return Access Token
7. OAuth Client → API Resource: Request Data From API
8. API Resource → OAuth AuthZ & Federation: Validate Access Token
9. OAuth AuthZ & Federation → API Resource: Return Validation Response
10. API Resource → OAuth Client: Return API Response
OpenID Connect – The New Kid on the Block
OpenID Connect
• OIDC Token contains
– Identity Token
– OAuth Access Token
• Trust Model for Federation
• Lower Maintenance
OIDC In Action
Participants: Mobile, OIDC Server, Identity Provider, API Resource
1. Mobile → OIDC Server: Request OIDC Token
2. OIDC Server → Mobile: Redirect to Identity Provider
3. Mobile → Identity Provider: Request to Start AuthN Flow
4. OIDC Server → Mobile: Return OIDC Token
5. Mobile → OIDC Server: Validate OIDC Token
6. OIDC Server → Mobile: Return Validation Response
7. Mobile → API Resource: Request Data From API
8. API Resource → OIDC Server: Validate OIDC Token
9. OIDC Server → API Resource: Return Validation Response
10. API Resource → Mobile: Return API Response
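A worked example of the two-part OIDC token from the previous slides (added here, not code from the slides or from Ping Identity): the provider issues an ID token alongside an access token and binds them with the `at_hash` claim; the client validates the ID token's signature, `iss`, `aud`, `exp`, `nonce` and `at_hash` before trusting who signed in. To stay self-contained it assumes an HS256 shared secret; real OpenID Connect providers publish RSA/EC keys and clients verify with those. Issuer, client id, subject and nonce values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def at_hash(access_token: str) -> str:
    # OIDC at_hash: base64url of the left-most 128 bits of SHA-256(access_token).
    return b64url(hashlib.sha256(access_token.encode()).digest()[:16])

def issue_tokens(key: bytes, issuer: str, client_id: str, sub: str,
                 nonce: str, ttl: int = 300):
    # Provider side; HS256 shared secret is a demo assumption (real IdPs use RS256 keys).
    access_token = secrets.token_urlsafe(32)
    now = int(time.time())
    claims = {"iss": issuer, "sub": sub, "aud": client_id, "iat": now,
              "exp": now + ttl, "nonce": nonce, "at_hash": at_hash(access_token)}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}", access_token

def validate_id_token(key: bytes, id_token: str, access_token: str,
                      issuer: str, client_id: str, nonce: str):
    # Client side: returns the verified claims, or None on any failure.
    try:
        header, payload, sig = id_token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        claims = dict(json.loads(b64url_decode(payload)))
        signature = b64url_decode(sig)
    except (ValueError, TypeError):  # malformed structure, base64 or JSON
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    checks = (alg == "HS256",                       # only the algorithm we expect
              claims.get("iss") == issuer,          # from the expected provider
              claims.get("aud") == client_id,       # issued to this client
              claims.get("exp", 0) > time.time(),   # not expired
              claims.get("nonce") == nonce,         # answers the request we sent
              claims.get("at_hash") == at_hash(access_token))  # tokens belong together
    return claims if all(checks) else None
```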
Architecting API Identity
• Start with API & Client
• Add OAuth 2.0
• Add SAML
• Or Use OpenID Connect
What is the best option?
SAML + OAuth 2
+ Broad Adoption of SAML
- More complex
- Requires browser interaction
+ Uses OAuth Access Tokens
OpenID Connect
- Limited Enterprise Adoption
+ One Standard
+ Works with all clients
+ Uses OAuth Access Tokens
Ping Identity Solution
✓ OAuth 2 ✓ SAML ✓ OpenID Connect
✓ Authorization ✓ Auditing
?