Onegini Token server / Web API Platform

Transcription

1 Onegini Token server / Web API Platform Companies and users interact securely by sharing data between different applications The Onegini Token server is a complete solution for managing your customer s authorizations. It provides a comprehensive security token server that integrates with enterprise identity and access management systems based on the latest Web and API security standards such as OAuth 2.0. With the Token Server, companies and users can interact by securely sharing data between different applications, and allow users to approve applications to act on their behalf without sharing passwords. OAuth 2.0 and API s OAuth is becoming the standard for access management with RESTful APIs. OAuth has the advantage of being: lightweight, Universal access for web, mobile app or any other third party application Unfortunately, OAuth can also be complex to set up, given the number of actors, token formats, transports, management, logging and security mechanisms required. Especially handling all the user interactions requires a flexible architecture since the number of devices is growing rapidly. Onegini bridges the security gap between companies and the Internet. For more information visit our website:

2 Onegini Key components The Onegini Token Server is a complete solution for managing authorizations of resource access compliant to the OAuth 2.0 standard. It can easily be plugged in to your current infrastructure and can cooperate with existing authentication services. The key components are: Component Core OAUTH 2.0 spec compliant authorization server Monitoring and auditing Management console Management and user Interface API Description The core engine of the Onegini OAuth Server is responsible for token management To keep track of all events and to enable operators to analyze behavior. For administrators, a complete dashboard is available. End-user and management api s enables to integrate Onegini functionality into you own systems. OAuth is mandatory in consumer IAM OAuth allows individual resource owners to delegate resource access rights to third-parties in a discretionary fashion with a limited scope based on a user dialogue. In that respect, OAuth is unprecedented and fundamentally important. The original flavor of OAuth comprises a 3-party exchange requiring the presence of the individual resource owner which does confine OAuth to the consumer IAM space. OAuth defeats the password anti-pattern, creating a consistent, flexible identity and policy architecture for web applications, web services, devices, and desktop clients attempting to communicate with Cloud APIs. It s al about tokens OAuth does care about two things: How to use a token to access resources? How to obtain such tokens? There is a variety of token types (self-contained vs. identifier tokens, refresh vs. access tokens), means of presenting tokens (HTTP Authorization request headers, URL query parameters, form-encoded body parameters) and obtaining them (various combinations of protocol exchanges called flows). This is where the specification and framework complexity actually comes from. Onegini will handle this for you. The Onegini Authorisation Server enables enterprises to deploy applications anywhere, using the same security infrastructure Secure your API s and meet Compliance Protecing API s againt attacks is crucial these days. The Onegini Token Server provides comprehensive API security and prebuilt identity management integration. Onegini protects the API s by managing tokens and preventing token abuse. Onegini also provides auditing and monitoring capabilities to support enterpises in being complaint. Why is Onegini different? The Onegini Token Server is unique because it s a complete solutions with a clear focus: protecting your enterprise API s using OAuth. It can be easily integrated within your IT infrastructure. The software is easy to install and there is no coding anymore. It s a stateless scaleable engine, including administration and operational consoles.

3 How does the Ongini Token Server work? The core of Onegini The core of Onegini is managing and protecting tokens. Long-lived Tokens and identity information will be stored encrypted in the database. It contains access and refresh tokens including properties such as one time tokens, expiration date, number of times to be used, scope linking etc. Onegini architecture is an event-based engine and all events will be stored in multiple databases. Onegini s search database enables real-time analyse of token abuse. Onegini supports the latest OAuth 2.0 spec including the required threat model. Both the spec and Threat model will be monitored and applied throughout the lifecycle of the Onegini Token server. END-USER & MANAGEMENT API OAUTH END-POINTS: AUTHORIZATION TOKEN VALIDATION TOKEN MANAGEMENT TOKEN ABUSE DETECTION ADMINISTRATION & MONITORING EVENTS TOKENS EVENT STORE Prevent token abuse Preventing token abuse is a complex process most organizations do not implement. Using Onegini, your company will benefit immediately from our unique technology created to prevent token abuse. Onegini logs all action events into our operations data store. The events logged are analyzed in real-time allowing our risk-based engine to trigger new actions, such as revoke tokens. Get the user Consent OAuth assumes the individual resource owner to be present and attentive unless the token endpoint can decide whether to supply an OAuth token in a token endpoint request from own, local context. In order to get consent from the resoure owner, a consent page will be displayed to the end user when a client requests an access grant and the user did not provide consent to any of the requested scopes for this particular client. As the application is stateless this page has the responsibility to forward all request parameters used in the authorization request. This set of request parameters is available via variables in the template. Customizable templates for the consent page and other user interactions are available. Dynamic Client registration Native applications running on mobile devices often pose a security thread since there is a lack of a trusted computing base. The Onegini Token server provides a mechanism to uniquely identify devices running native applications. This dynamic client registration process allows a client to register itself with the authorization server. Onegini will dynamically provision a client identifier and a client secret to be used by the client. Because the Onegini Token server can uniquely identify the different devices that are interacting with the server it can properly detect abuse and take appropriate action. SIEM SOLUTION A SIEM-tool correlates incidents and events from different resources and raises an alarm if an unexpected behavior occurs. Onegini can easily be integrated with existing SIEM solutions in order to track and trace the complete session. Onegini core is event based and will log events in a database. Via our API, these the events can be extracted. In order to correlate events of a certain request in the entire chain, a transaction id is used. Onegini has a plug-ins for products such as WebSeal, Apache or others.

4 Onegini integration in your IT Infrastructure Security is all about integration. Onegini seamlessly integrates with current IT infrastructures. Onegini can be placed in the DMZ or the local infrastructure, as long as the proper security measures related to deployed infrastructure are implemented. Administration The Onegini Token Server is easy to use for administrators. An administration dashboard will guide you through all tasks. Configuration, event logs, statistics, and user management. A number of different roles are supported so operators or help desk employees will have limited access. The configuration dashboard is a user interface where administrators can configure items such as applications, clients and scopes. Monitoring the api s An advanced operational monitoring dashboard will empower IT operations to monitor behavior and to get more insight about system health. Filters can be used to quickly analyze specific clients or events to prevent abuse. Authorized system users can block clients immediately. Security Onegini is a security solution to manage authorizations of resource access complaint to the OAuth 2.0 standard. Onegini supports the latest standards and implements many of the security considerations proposed in the OAuth Threat Model. Some of the security considerations are: credential storage protection, bind tokens to a particular resource server, bind token to client, validation of preregistered redirect_uri and binding of authorisation code to a specific client. In addition the following security measures are support: Explicitly defined Scopes for Audience and Tokens Configuration of Token time expiration and usage limitation Security event auditing to allow to identify patterns and potential threats Validating HTTP parameters, REST query/post parameters Protection against cross site scripting (XSS), SQL Injection High performance The Onegini Token Server is a high scalable and high performance authorization engine. All end-points are able to meet enterprise performance. The performance will scale linear for every server added. For performance improvement Onegini supports caching of access grants and access tokens. It will also cache configuration items when needed to optimize performance. YOUR ORGANISATION RESOURCES AUTHENTICATION Management and end-user api Onegini has an extensive management and end-user api which can be used by your own applications / clients. Onegini supports the following interfaces: Token management end-user (list, revoke) Device Management (list, revoke) Consent management (list, revoke, notification types) Client management (list, add, delete, update) Scope management (list, add, delete, update)

5 Onegini Feature highlights OAuth protocol flows Authorization code, implicit grant, client credentials, resource owner password credentials Integration with authentication engines A Modular architecture enables to plug-in authentication services such as Onegini, IBM, Oracle or any other. Authentication level per scope Databases Encryption API Interface Dynamic device registration Advanced scope definitions Integration with Security gateways Multi-language Integration IAM Various levels of STEP up authentication can be assigned per scopes. This enables granular configuration based on the specific authentication requirements of the resources you are protecting. Oracle, MySQL and DB2 Config files, tokens and identity information are all encrypted. Onegini offers interfaces for end-user, management and dynamic client registration. The process allows a client to register itself with the authorization server. The authorization server will dynamically provision a client identifier and a client secret to be used by the client. Scopes can be configured with a usage limit. This enables limiting the number of times an access token for a particular scope can be used. Layer7, SecurIT Trustbuider, Vordel and others Support for end-user interactions, all languages supported The Token server can be integrated with most popular identity and access management (IAM) and SSO solutions sucha as Onegini, Oracle, CA, Novell and IBM Pluggable architecture for notifications Enables to send notifications to end-users via preferred channel. (e.g. SMS or ). User can define preferred method Token abuse detection and reporting Advanced logging Prevents token te be used by unauthorized devices Onegini stores all events including administration taskes and data changes. Client authentication using JWT JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. Support for the JSON Web Token (JWT ) token type SIEM integration Configurable consent page Consent Notification templates Scope verification service Notification service LDAP integration Standards Onegini Supports the JWT token type with support for it s required and recommended encryption and hashing algorithms. SIEM integration is facilitated by means of configurable HTTP headers that communicate throughout the entire session. These headers are used to correlate events and be consumed by the on-premise SIEM solution. The consentpage is configureable html file that supports configuration of specific redirections, company logo to be used etc. Consent notification can be send using either or SMS. For both options configuration files are available. The Onegini Token Server provides a service to perform a scope check. This call is used to verify whether the end user is entitled to request a certain scope. When a user provides his consent on a authorization request for a resource, a notification is send to the user. The management console can integrate with an LDAP to secure access to the management console. Threat Model and Security Considerations OAuth 2.0 and higher