cis14: enterprise identity apis
DESCRIPTION
Bhagyashree Prabhakar, E*Trade
How to create APIs that enable developers without IAM expertise to implement IAM consistently and correctly.
TRANSCRIPT
Enterprise Auth APIs ... WHEEL GREASE FOR IAM
Bhagya Prabhakar
E*TRADE FINANCIAL
Enterprise Auth APIs
§ What?
  § Standard IAM APIs for the enterprise
§ Why?
  § Separation of concerns
§ How?
  § IAM expertise and good software engineering
Familiar?
[Diagram, current state: Internet; OAuth Server (Access Tokens) via an Auth Agent; APIs; SAML Server (SAML Assertions); Mutual Authentication (Client Side SSL); HTML Basic; Kerberos; each App wired to these individually by User / App Sec Developers]
Desiderata: something that is needed or wanted
§ Standardized solution across applications
  § Consistent user experience
§ Loose coupling to IAM systems
  § New auth methods, minimal/no app changes
§ Enforce policy
  § More control and granularity
Enterprise Auth API
[Diagram, target state: the same Internet, OAuth Server (Auth Agent), APIs, SAML Server (SAML Assertions), Mutual Authentication over SSL, HTML Basic and Kerberos systems, but each App now talks only to the Enterprise Auth API/SDK, which sits on the Enterprise Auth API Core Impl; User / App Sec Developers integrate against that one API]
Example: Get Authenticated User's Details

  // Raw Spring Security: every caller repeats the same null and type checks
  void thisMustBeSimpler() {
      SecurityContext securityContext = SecurityContextHolder.getContext();
      if (securityContext != null) {
          Authentication authentication = securityContext.getAuthentication();
          if (authentication != null) {
              if (authentication.getPrincipal() instanceof EnterpriseUserDetails) {
                  EnterpriseUserDetails userDetails = (EnterpriseUserDetails) authentication.getPrincipal();
                  String sessionId = userDetails.getServerSessionId();
              }
          }
      }
  }
With an Enterprise Auth API

  // The API surface consumers see; the framework-specific checks live behind it
  AuthenticationInfo {
      isAuthenticated(); getUserId(); getUserName(); getRoles(); getUserDetails();
  }

  void nowThisIsMuchBetter() {
      AuthenticationInfo authnInfo = AuthenticationInfo.newInstance();
      UserDetails userDetails = authnInfo.getUserDetails();
      String sessionId = userDetails.getServerSessionId();
  }
A Couple More Examples

  Federator {
      federate(attributes, endpoint);
  }

  AuthorizationInfo {
      hasRole(role); getRoles();
  }
Creating an API ... THAT DEVELOPERS WANT TO USE
Getting Started
§ Derive from existing use-cases
  § Talk to application developers
  § Beware of anti-patterns - bullet point engineering, abstraction inversion
§ Build on top of a modular Auth framework
  § Spring Security, Shiro, my-favorite-framework
§ Simplify and constrain
  § Enterprise specific rules
Make it Modular and Portable
§ No kitchen sink of all APIs to integrate with
  § Separate API and impl modules
  § Consumers depend on API
  § Swap out underlying impl
§ Integration in other languages
  § Distill into a web service layer
  § Language specific SDK
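The facade sketched in the "Get Authenticated User's Details" example and the API/impl split asked for under "Make it Modular and Portable", written out as an added example (not the deck's or E*TRADE's code): the API side is a plain interface with no framework types, and a Spring Security backed impl folds the null and instanceof checks from the first snippet into one place, so consumers never touch SecurityContextHolder and the impl module can be swapped for another framework. EnterpriseUserDetails and getServerSessionId() are the deck's names; the interface shape, the impl class and placing the newInstance() factory on the impl are assumptions.

```java
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

/** Enterprise principal type named in the deck (shape assumed): adds the server session id. */
interface EnterpriseUserDetails extends UserDetails { String getServerSessionId(); }

/** API module: consumers depend only on this; no Spring types leak through. */
interface AuthenticationInfo {
    boolean isAuthenticated();
    String getUserId();
    Set<String> getRoles();
    boolean hasRole(String role);
    EnterpriseUserDetails getUserDetails();   // null when not authenticated
}

/** Impl module (assumed): Spring Security backed; replace with a Shiro impl without touching consumers. */
final class SpringAuthenticationInfo implements AuthenticationInfo {
    private final EnterpriseUserDetails details;   // null for anonymous / unauthenticated callers
    private final Set<String> roles;

    private SpringAuthenticationInfo(EnterpriseUserDetails details, Set<String> roles) {
        this.details = details;
        this.roles = roles;
    }

    /** All of the deck's "thisMustBeSimpler" null/instanceof checks live here, exactly once. */
    static AuthenticationInfo newInstance() {
        SecurityContext ctx = SecurityContextHolder.getContext();
        Authentication authn = ctx == null ? null : ctx.getAuthentication();
        if (authn == null || !authn.isAuthenticated()
                || authn instanceof AnonymousAuthenticationToken
                || !(authn.getPrincipal() instanceof EnterpriseUserDetails)) {
            return new SpringAuthenticationInfo(null, Collections.emptySet());   // safe default: nobody
        }
        Set<String> roles = authn.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toUnmodifiableSet());
        return new SpringAuthenticationInfo((EnterpriseUserDetails) authn.getPrincipal(), roles);
    }

    @Override public boolean isAuthenticated() { return details != null; }
    @Override public String getUserId() { return details == null ? null : details.getUsername(); }
    @Override public Set<String> getRoles() { return roles; }
    @Override public boolean hasRole(String role) { return roles.contains(role); }
    @Override public EnterpriseUserDetails getUserDetails() { return details; }
}
```

Callers check isAuthenticated() before using getUserDetails(), and the impl never throws on an empty context, which is the behaviour the raw Spring snippet had to hand-roll at every call site.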
Maintain...Maintain...Maintain
§ Support the developers who use it
  § Help developers proactively
  § Implement fixes and extensions quickly
§ Keep up with the IAM industry
  § Make it SOLID
  § Use Semantic Versioning
Return on Investments
§ De facto standard auth API in the Enterprise
  § Mix and match several IAM systems
  § No vendor lock-in
§ Rapid prototype development
  § Quick application integration
§ Improved upon our application security practice
  § Detection and remediation
What's Important...
§ Facade away auth frameworks and IAM systems
§ Enhance and constrain 3rd party components with organization rules
§ Make it modular, portable and easy to use
§ Keep up with the IAM industry
So?
§ Benefit from a standardized IAM solution across applications
Thanks! To Adam Migus and E*TRADE Financial
E-mail: [email protected]
Links
http://semver.org/
http://en.wikipedia.org/wiki/SOLID_(object-oriented_design)
http://projects.spring.io/spring-security/
http://shiro.apache.org/
http://en.wikipedia.org/wiki/Desiderata