The Role of Identity Enabled Web Services in Cloud Computing

Similar documents
Flexible Identity Federation

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

The Challenges of Web single sign-on

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

A Standards-based Mobile Application IdM Architecture

Mobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems

This Working Paper provides an introduction to the web services security standards.

How to Extend Identity Security to Your APIs

NCSU SSO. Case Study

The Primer: Nuts and Bolts of Federated Identity Management

Federated Identity and Single Sign-On using CA API Gateway

Enable Your Applications for CAC and PIV Smart Cards

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Agenda. How to configure

OPENIAM ACCESS MANAGER. Web Access Management made Easy

SAML 101. Executive Overview WHITE PAPER

HOL9449 Access Management: Secure web, mobile and cloud access

SAML and OAUTH comparison

Single Sign On. SSO & ID Management for Web and Mobile Applications

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Improving performance for security enabled web services. - Dr. Colm Ó héigeartaigh

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

API-Security Gateway Dirk Krafzig

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Glinda Cummings World Wide Tivoli Security Product Manager

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

Cloud Security: Is It Safe To Go In Yet?

Enabling SSO for native applications

SAML 101 WHITE PAPER

Extend and Enhance AD FS

NIST s Guide to Secure Web Services

Enterprise Access Control Patterns For REST and Web APIs

Azure Active Directory

Identity. Provide. ...to Office 365 & Beyond

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

PingFederate. SSO Integration Overview

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

TrustedX - PKI Authentication. Whitepaper

CA CloudMinder. Getting Started with SSO 1.5

Adobe EchoSign API Guide

Getting Started with AD/LDAP SSO

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Google Identity Services for work

Web Service Security Vulnerabilities and Threats in the Context of WS-Security

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

The Primer: Nuts and Bolts of Federated Identity Management

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Securing Web Services From Encryption to a Web Service Security Infrastructure

SAP HANA Cloud Portal Overview and Scenarios

Secure Identity in Cloud Computing

An Oracle White Paper Dec Oracle Access Management OAuth Service

Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765]

IBM Tivoli Federated Identity Manager

Federated Identity and Trust Management

The increasing popularity of mobile devices is rapidly changing how and where we

Corporate Bill Analyzer

How to Extend your Identity Management Systems to use OAuth

Building Secure Applications. James Tedrick

Using SAML for Single Sign-On in the SOA Software Platform

An Overview of Samsung KNOX Active Directory and Group Policy Features

Software Requirement Specification Web Services Security

OpenID Connect 1.0 for Enterprise

An Oracle White Paper Dec Oracle Access Management Security Token Service

Federated Identity Management Solutions

Oracle Cloud Bjarte Drivenes Enterprise Architect. Copyright 2014 Oracle and/or its affiliates. All rights reserved.

NetworkingPS Federated Identity Solution Solutions Overview

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Practical Development with a Platform as a Service (PaaS) Beyond the Basics

Pick Your Identity Bridge

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

Portal for ArcGIS: An Introduction

Connecting Users with Identity as a Service

SAML-Based SSO Solution

Federated Identity in the Enterprise

Mobile Security. Policies, Standards, Frameworks, Guidelines

Biometric Single Sign-on using SAML Architecture & Design Strategies

Enhancing Web Application Security

Adding Stronger Authentication to your Portal and Cloud Apps

CA Single Sign-On Migration Guide

Okta/Dropbox Active Directory Integration Guide

Simple Cloud Identity Management (SCIM)

An Overview of Samsung KNOX Active Directory-based Single Sign-On

Transcription:

The Role of Identity Enabled Web Services in Cloud Computing April 20, 2009 Patrick Harding CTO

Agenda Web Services and the Cloud Identity Enabled Web Services Some Use Cases and Case Studies Questions Copyright (c) 2009 Ping Identity Corporation 2

Web Services and The Cloud Copyright (c) 2009 Ping Identity Corporation 3

Applications Rely on Identity to Meet Fundamental Business Requirements As Distributed Computing Evolves, Users are Pushed Further and Further Away from Applications How Do You Securely Control Access in an Increasingly Distributed World While Supporting Emerging Technologies like Web Services? SaaS BPO Partner Apps Cloud Apps Copyright (c) 2009 Ping Identity Corporation 4

Web Services Security Soup oauth 3 rd Party Mashups WS-Security SaaS WS-SecurityPolicy SaaS Mobile Gadgets/ Widgets SAML REST Username/Password Customers WS-Trust Web Portal Web Service Customer Service Reps X.509 SOAP PKI Kerberos WS-SecureConversation Business Partners SSL XMLSignature Copyright (c) 2009 Ping Identity Corporation 5

Web Services and the Cloud Cloud Computing & SaaS are changing the requirements for addressing how to secure web services Cloud applications & SaaS will need to securely access on-premise data Google Enterprise Developer Platform SaaS Integration On premise applications will need to access SaaS API s Salesforce.com API s are heavily used - 2 Billion API calls a month Copyright (c) 2009 Ping Identity Corporation 6

Security & Integration Copyright (c) 2009 Ping Identity Corporation 7

Identity Enabled Web Services Copyright (c) 2009 Ping Identity Corporation 8

Securing Web Services Today Web Services Principles Standards-based, Loosely Coupled, Scalable Applications Most Current Security Approaches Violate Web Service Principles Customized, Tightly Coupled, Not Scalable, No Delegation e.g. Mutually Authenticated TLS, User Identity in SOAP Body Each Web Services app must know in advance where identity information is located in SOAP body; TLS session is point-to-point Copyright (c) 2009 Ping Identity Corporation 9

WS-Security Enables a New Standards-based Trust Model Encrypted, Signed, Standard WS-Security SOAP Message WS-Security SOAP Header Includes Standard WS-Trust Security Token with Identity Information WS-Trust Security Token in WS-Security Header Key Question: How To Create Security Tokens? Copyright (c) 2009 Ping Identity Corporation 10

WS-Trust Basics WS-Trust is an OASIS standard and an extension of WS-Security WS-Trust enables security token exchange A WS-Trust STS Issues and Validates Security Tokens Kerberos, UserName/Password, X.509, SAML,. Copyright (c) 2009 Ping Identity Corporation 11

Identity Enabled Web Services STS STS WS-Security SAML Token Profile Enables Delegation STS Implements Federated Identity Concepts Attribute Contracts Session Integration Attribute Retrieval Subject, Attribute and Role Mapping 12 Copyright (c) 2009 Ping Identity Corporation

Centralized Security Token Processing Without STS With STS STS Every Web Service Client and Provider Processes Security Tokens STS Handles All Security Token Processing Gets Identity-Related Security and Crypto Code Out of Applications Centralized Administration, Auditing Requestor and Recipient Based Policy and Behavior Enables Web Services SSO with both Web Clients and Rich Clients Supports Client-Side, Provider-Side or Both 13 Copyright (c) 2009 Ping Identity Corporation

What about oauth? Open standard to secure REST based web service API s between SaaS/Web 2.0 applications Driven by SaaS/Web 2.0 community oauth handles delegated web service authentication Secure API authentication Secure access to web service data API s Generally with explicit user consent Copyright (c) 2009 Ping Identity Corporation 14

Two Legged oauth 1. Consumer Key and Secret oauth Service Provider API 3. Call API with oauth Signature oauth Consumer (Enterprise) (Google EDP) STS 2. Request Resource Browser Copyright (c) 2009 Ping Identity Corporation 15

Three Legged oauth 1. Consumer Key and Secret 3. Get Unauthorized Request Token Oauth Service Provider API 7. Exchange Authorized Token for AccessToken OAuth Consumer 8. Call API with oauth Signature & Access Token 6. User Redirect back with Authorized Request Token 5. User Authenticates & Handles User Consent 4. User Redirect with Unauthorized Request Token Browser 2. Request Resource 10. Display Resource Copyright (c) 2009 Ping Identity Corporation 16

Use Cases & Case Studies Copyright (c) 2009 Ping Identity Corporation 17

Web Services Use Cases Portal Initiated Web Services Browser based app requires user specific data from internal or external web services Security for Web Service Providers and SaaS API s Web service providers require authenticated user to authorize access to user specific data Rich Desktop Clients Desktop client applications SSO to web service providers inside or outside of security domain Copyright (c) 2009 Ping Identity Corporation 18

Federal Government Enclave 1 3. SOAP API Web Service Provider A Enclave 2 4. STS Active Directory Browser 1. Web Portal 5. 2. SOAP API Web Service Provider B Enclave 3 STS 6. STS Active Directory Active Directory 19

Large Electronics Retailer oauth WS-* 3 rd Party Shopping Applications REST API Partner 2. SOAP API Retailer 3. STS Customer DB 1. Browser 20

Recommendations Leverage SSL for Confidentiality Use SAML Tokens to Identity Enable SOAP Web Services Leverage a WS-Trust STS to Centralize SAML Token & Federation Processing Consider oauth to secure your REST API s and check out the new PingFederate 6.0 up the back Copyright (c) 2009 Ping Identity Corporation 21

Copyright (c) 2009 Ping Identity Corporation 22 Questions

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information