How to Extend your Identity Management Systems to use OAuth



Similar documents
5/12/2011. Promoting Your Web Site and Search Engine Optimization. Roger Lipera. Interactive Media Center.

Thesis Format Guidelines. Department of Curriculum and Instruction Purdue University

Practicing Law with a Virtual Law Office

CONTENTS. 03 BRAND IDENTITY 04 Logo 06 Wordmark 07 Graphic Element 08 Logo Usage 13 Logo Elements

franchise applications

Creative GUIDELINES

Responsive Design

Cincinnati State Admissions UX Design

Identity Guidelines. by SMARTBEAR

University at Albany Graphic Identity Manual

SA-1 SMOKE ALARM installation & user guide

Custom Software & Web Design

Content Strategy. Content Management

KNOWLEDGE TRANSFER, CONTINUITY, AND DOCUMENTATION

The Future of Ticketing: Solutions for Museums of All Sizes

Branding Guidelines CONEXPO Latin America, Inc (Rev-1)

English. Italiano. Français

Bold Future 2007 Building our Company with the needs of future generations in mind Activity Report 2007

DevOps: Extending Agile Development Disciplines to Deployment IBM Corporation

ANNUAL REPORT 2012 ARION BANK ANNUAL REPORT

The views expressed in this publication are those of the authors and do not necessarily represent those of Lumina Foundation, the Bill and Melinda

Appy Kids: The Best Apps for Pre-Schoolers

A Step by Step Guide to Creating an App. by Carter Thomas, Bluecloud LLC

SAVE UP TO $750 ON REGISTRATION

8 Ways Marketing Automation Can Expand Your Search Marketing Practice. 8 Ways Marketing Automation Can Expand Your Search Marketing Practice 1

The views expressed in this publication are those of the authors and do not necessarily represent those of Lumina Foundation, the Bill and Melinda

Introduction to HTML/XHTML Handout Companion to the Interactive Media Center s Online Tutorial

Desktop Publishing (DTP)

I WORK FOR UX PORTFOLIO GUIDANCE

UNIVERSITY OF AGDER JUNE 2012 COLLABORATIVE CODING OF QUALITATIVE DATA WHITE PAPER LA2020. Peter Axel Nielsen

Disclosure Obligations of Issuers of Municipal Securities

Bill Pay Marketing Program Campaign Guide

Single Sign On. SSO & ID Management for Web and Mobile Applications

DMA MARKETING BRIEF B2C DIRECT MARKETING PROFESSIONALS EVERY WEEK MEDIA KIT

CAA NEWS 15,000 VISUAL ART PROFESSIONALS REACH EVERY WEEK MEDIA KIT

No Frills Magento Layout. Alan Storm

Morningstar Newsletter Builder

Creator Coding Guidelines Toolbox

Structured Product Labeling (SPL) Implementation Guide with Validation Procedures

SOFT DRINKS. Demo General Report. Report Monthly Oct 30, Nov 28, 2013

ม มมองสามด านท ต องหาจ ดสมด ล. Powerpoint Templates

Modern Web Apps with HTML5 Web Components, Polymer, and Java EE MVC 1.0. Kito Mann Virtua, Inc.

EVENT PLANNING MYTHBUSTER. Building Pre-event Engagement: How to Make an Invite

Concept. Texting Service

BDD DPC 2014 Tutorial

How to Implement Enterprise SAML SSO

Web Applications Access Control Single Sign On

ACADEMIC ACCELERATOR PROGRAM STUDENT HANDBOOK

Behave! - Behavior Driven Development IPC 2013 SE. Tobias Schlitt (@tobysen) June 5th 2013

Running head: USING ACCEPTABILITY AS A MEASURE FOR ONLINE EDUCATION 1. Using Acceptability as a Measure for Evaluating Online Education

nexus Hybrid Access Gateway

Alice Squires, David Olwell, Tim Ferris, Nicole Hutchison, Art Pyster, Stephanie Enck

A Standards-based Mobile Application IdM Architecture

marketing Best practice guide

API-Security Gateway Dirk Krafzig

The Role of Identity Enabled Web Services in Cloud Computing

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

Introduction to SAML

NXP - Distributor s guidelines. November 2013 / Version 3.0

Safewhere*Identify 3.4. Release Notes

managing SSO with shared credentials

IT Exam Training online / Bootcamp

Flexible Identity Federation

Growing Triples on Trees: an XML-RDF Hybrid Model for Annotated Documents

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

The Top 5 Federated Single Sign-On Scenarios

Getting Started with Clearlogin A Guide for Administrators V1.01

The increasing popularity of mobile devices is rapidly changing how and where we

Pre-Registration Consumer DSL/FiOS. Storyboard / /31/09

Building Secure Applications. James Tedrick

A single source of actionable information for making your most important reward decisions: The Senior Reward Toolkit.

Hospitality. Promoting Design, Technology and Innovation Made in Italy - Made in Lazio Worldwide. The Hotel Show Dubai (UAE), of May 2012

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Copyright Pivotal Software Inc, of 10

Jessica McCreary

IBM Managed Security Services Virtual-Security Operations Center portal

NCSU SSO. Case Study

Integrated HR business software for enterprises. (E) (W) softwaredynamics.co.ke P. O. BOX , NRB KENYA,

HOL9449 Access Management: Secure web, mobile and cloud access

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

USING FEDERATED AUTHENTICATION WITH M-FILES

Leverage Active Directory with Kerberos to Eliminate HTTP Password

PingFederate. SSO Integration Overview

Entrust IdentityGuard Comprehensive

Building an E-Commerce Website with Bootstrap

Authentication: Password Madness

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

OPENIAM ACCESS MANAGER. Web Access Management made Easy

How To Use Netscaler As An Afs Proxy

CA Single Sign-On Migration Guide

Groups. Set-up & Maintenance

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

IntroducAon to Apache Hadoop Headline Goes Here Tom Wheeler OSCON 2013 Speaker Name or Subhead Goes Here DO NOT USE PUBLICLY PRIOR TO 10/23/12

Adding Stronger Authentication to your Portal and Cloud Apps

mlfs portal log in Description of how to log into the portal. login Forgot your password?

SSO Methods Supported by Winshuttle Applications

Basic Website Maintenance Tutorial*

PRODUCTS AT A GLANCE. bupa.co.uk

Transcription:

How to Extend your Identity Management Systems to use OAuth THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY

How to extend your Identity Management Systems to use OAuth OAuth Overview The basic model of authentication and authorization over the internet is based on the traditional client-server model. In this model, at a minimum, there are two entities involved: the client and the application running on the server. A client with valid credentials is granted access to a particular resource controlled by the application. The client credentials may be in the form of a username/password that the application validates before granting access to the resource. SUMMARY: In this white paper, you will learn: The evolution of SSO How OAuth standard is commonly used today. How OAuth is used to enable third party application integration. How an API gateway enables your IdM to be an OAuth service. This basic model of authentication has evolved overtime as a result of the need for the client to provide its credentials (e.g. username/password) only once in order to be granted access to resources that are controlled by multiple applications in a distributed environment. This model is often referred to as Single Sign-On (SSO). In this model, the client logs in only once by providing its credentials to a single application. Upon validation by the application, the client receives a ticket (cookie) that enables it to seamlessly access resources of other applications. An example of SSO is a user logging into Amazon.com only once and accessing resources on multiple third party applications without having to login to each individual application. The increased popularity of social media apps, mobile apps and cloud services has lead to another authentication and authorization model. The new model is based on the OAuth standard. In this model, at least three entities are involved: the user, the client application and the service provider. This is referred to as the three-legged OAuth model. The user is the owner of the resource and it grants client application access to its resources that are controlled by the service provider. OAuth standard enables the user to grant client application/service access to its resources without ever sharing its username/password with the client application. A simple example of OAuth Traditionally, social media applications have been the main drivers behind OAuth deployment. In the past, web applications such as news media sites would maintain their own user profile data by providing the option to each of its users to create custom profile on the site for better user experience. This approach had many shortcomings for both users and media sites: Users had to provide email or username and password for each site during the initial creation of a profile Users would often forget their passwords during the login process since they had created multiple profiles at different sites. Media sites were now responsible for securing their users emails and passwords from hackers. Users would often create fake profiles that would provide inaccurate tracking data to media sites.

Over time, social media sites such as Facebook, Twitter, LinkedIn, and Google have become the defacto repositories of a user s social identity or profile. The availability of existing social identities with rich profile data provided an opportunity for news media sites to access user data outside their domain of control. OAuth is the standard that enables websites to access user profile data outside their domain of control without requiring users to pass their username, password to the site. Figure illustrates a simple example that leverages OAuth. To create a better user experience for their visitors, websites (client application) provide the ability for users (resource owner) to post comments on articles with their facebook account. This ability allows Facebook profile attributes such as: name, photo and location to be displayed when they post a comment. RESOURCE OWNERS USERS FIGURE CLIENT APPLICATION NEWS ARTICLE LOREM IPSUM DOLOR SIT AMET, CONSECTETUR ADIPISICING ELIT, SED DO EIUSMOD TEMPOR INCIDIDUNT UT LABORE ET DOLORE MAGNA ALIQUA. UT ENIM AD MINIM VENIAM, QUIS NOSTRUD EXERCITATION ULLAMCO LABORIS NISI UT ALIQUIP EX EA COMMODO CONSEQUAT. DUIS AUTE IRURE DOLOR IN REPREHENDERIT IN VOLUPTATE VELIT ESSE CILLUM DOLORE EU FUGIAT NULLA PARIATUR. EXCEPTEUR SINT OCCAECAT CUPIDATAT NON PROIDENT, SUNT IN CULPA QUI OFFICIA DESERUNT MOLLIT ANIM ID EST LABORUM. COMMENTS In order for this function to work, the user must give permission to the news media site to fetch his/her facebook profile information from facebook (service provider) without ever revealing his/her email and password to the news media site. IDMS AUTHORIZATION SERVER RESOURCE SERVER FACEBOOK This popular example of OAuth creates a better user experience for website visitors of news and media websites and it reduces risk for the website owner. By using the visitors facebook account, the website doesn t have to worry about storing account information of their website visitors/subscribers. SERVICE PROVIDER Figure shows a common use case where a user (resource owner) is attempting to post a comment on a new media site (client application) with his/her Facebook account. Before the comment can be posted, the news media site fetches the user s facebook profile attributes (user owned resources) from facebook (service provider). This is made possible by the OAuth standard. Enterprise Identity Management System with OAuth An enterprise s identity management system is a critical component of its IT infrastructure. It is the primary service that is responsible for authenticating and authorizing an enterprise s users and applications as it contains a rich repository of users identities and their profile data. For example, identity management for user-to-application interaction is a well known domain that has been successfully addressed in the industry through standards such as LDAP. An LDAP enabled identity management system (IdM) is tightly-coupled with its enterprise applications. As enterprises continue to evolve, there is a constant demand to integrate with not only applications within its domain but applications outside its domain. Applications outside the enterprise domain are often referred to as partner applications or third party applications.

An enterprise may outsource some of its business services that are not core to its corporate strategy. For example, a telecom service provider may outsource customer billing to a third party. When a telecom customer needs to obtain his/her telecom bill, the request will be serviced by the third party billing application. In order to fulfill this request, the billing application is granted access to the customer s records, that is stored in a resource server controlled by the telecom service provider. Access control mechanisms must be put in place to enable the telecom service provider to grant the billing application access to its call record in order to complete the billing process. The OAuth standard provides such mechanism for the customer to delegate access to the billing application and for the telecom service provider to leverage its existing IdM to validate the partner application s access request before giving access to customer s call record data. The IdM is OAuth enabled, and is often referred to as the OAuth server. Figure illustrates the deployment architecture for this type of scenario. Although, an OAuth server enhances an enterprise s access control capabilities by authenticating and authorizing third party applications access to its resources, there are several challenges that arise: FIGURE CUSTOMER CUSTOMER PORTAL IDM SERVER OAUTH SEVER LDAP TELECOM SERVICE PROVIDER BILLING COMPANY BILLING APPLICATION Customer attempts to connect to the billing application without username/password credentials. RESOURCE SERVER OAUTH ADAPTER Customer is redirected to the Telecom Service Provider s portal and asked to enter his/her username/password credentials. Customer portal validates customer s credentials with the IdM. Upon successful validation, IdM generates OAuth credentials for the customer. Customer is now redirected back to the billing application with OAuth credentials. Billing application obtains an OAuth token on behalf of the customer. Billing application uses OAuth token to retrieve customer records from the resource server. The resource server validates the OAuth token with IdM server and then sends the customer records back to the billing application. Existing enterprise IdM needs to be modified to be OAuth enabled or it needs to be replaced by a new OAuth enabled IdM. The resource server needs to be modified to be OAuth enabled. It needs to OAuth integration with the enterprise IdM. Managing and troubleshooting enterprise LDAP policies is a complex task. Adding OAuth management policies that need to be tightly-coupled with LDAP policies within an IdM further complicates the task. Over time, scalability becomes an issue as new resource servers are deployed. They must be integrated and tested for OAuth, which requires time and resources. Performance becomes an issue when SSL traffic is sent to an IdM containing OAuth requests.

Figure illustrates an architecture deployment with a dedicated API gateway that performs the tasks of an OAuth server. FIGURE TELECOM SERVICE PROVIDER CUSTOMER PORTAL When an API gateway is added to the architecture deployment as an OAuth server, it addresses many of the challenges we discussed in the previous scenario: No modifications are required to the enterprise IdM. No modifications are required to the resource server. Diagnosing an access control issue becomes easier since OAuth policies are now loosely coupled with IdM LDAP policies. A dedicated API gateway deployed as an OAuth server is a single point of enforcement that provides enterprise applications and users access control to their profile data. Scalability is no longer an issue as new resource servers can be deployed without any integration to an enterprise IdM. Centralized monitoring and enforcement is easier with an API gateway. It provides full visibility to which application is accessing what service. Performance is no longer an issue since the API gateway accelerates SSL traffic that communicates with cloud providers. CUSTOMER IDM SERVER Using an API gateway as part of your OAuth architecture becomes a minimally invasive IT operation. If your company is enabling more and more third party applications, an API gateway should be a key fabric of your enterprise s identity management strategy. As you can see in figure and figure, completing the OAuth process is a lot less work for an organization with an API gateway. The dedicated gateway does most of the heavy lifting. It will save your organization time and resources as well as provide a more secure infrastructure. LDAP BILLING COMPANY BILLING APPLICATION Customer attempts to connect to the billing application without username/password credentials. RESOURCE SERVER Customer is redirected to the Telecom Service Provider s API Gateway (OAuth Server) and asked to enter his/her username/password credentials. API Gateway validates customer s credentials with the IdM. Upon successful validation, IdM generates OAuth credentials for the customer. Customer is now redirected back to the billing application with OAuth credentials. Billing application obtains an OAuth token on behalf of the customer. Billing application sends a request via the API Gateway, with customer s OAuth token, to retrieve customer records from the resource server. After successful gateway validation of OAuth token, API Gateway passes customer record retrieval to the billing application.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information