Unified Security for Mobile, APIs and the Web

Posted on 19-Oct-2014


DESCRIPTION

This presentation explains the various security scenarios for your mobile and Web applications and APIs. We go into the specifics of OAuth, SAML, SSO, authentication/authorization, policy, protection and a host of other related issues that will help you understand how to keep your data secure.

TRANSCRIPT

Page 1: Unified Security for Mobile, APIs and the Web

Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.

Unified Security

Mobile, Web and APIs

Page 2

The Security Landscape

• Authentication, Authorization, SSO
• Licensing
• Quota Management
• Protection
• Role of Policy

Page 3

Authentication/Authorization/SSO

• Confusing array of standards:
  – OAuth
  – SAML
  – OpenID
  – SCIM

• A variety of app types:
  – Desktop
  – Mobile
  – Web

• Enterprise SSO and its set of legacy systems

Page 4

Use Cases

• Enterprise support for public credentials
  – Tiered service

• Providing APIs for Web applications

• Enabling new API digital channels using OAuth, perhaps in conjunction with:
  – SAML
  – OpenID

• Extending/modernizing Enterprise SSO via:
  – OpenID Connect
  – SAML

Page 5

Combining SAML and OAuth

1. App tries to get an OAuth token
2. Redirect with a SAML Authentication Request
3. Log the user in, create the SAML assertion and redirect again
4. Verify the SAML assertion and issue the OAuth token
5. App makes a call to the API
6. Gateway validates the OAuth token and performs fine-grained authorization
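The six steps above as a runnable exchange with all three parties (IdP, OAuth authorization server, API gateway) in one file. This is an added example, not SOA Software's code: the keys, entity IDs, user store and route-to-scope table are constructed for the demo, the SAML AuthnRequest and assertion are modelled as dicts, and an HMAC over the serialised payload stands in for the XML-DSig on the assertion and for the signature check on the bearer token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo values standing in for a real IdP directory, authorization
# server key material and gateway configuration.
IDP_KEY = b"demo-idp-signing-key"
AS_KEY = b"demo-authorization-server-key"
IDP_ENTITY_ID = "https://idp.example/saml/idp"
AS_ENTITY_ID = "https://as.example/saml/sp"      # the Audience the IdP must name
USERS = {"alice": "alice-pw"}
# Fine-grained policy the gateway applies once the token itself checks out.
ROUTE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("DELETE", "/orders"): "orders:admin",
}
PENDING = {}   # SAML request ID -> (client_id, scope): logins the AS is waiting on


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(payload: dict, key: bytes) -> str:
    """Serialise and MAC a payload. HMAC stands in for XML-DSig on the SAML side
    and for the signature/introspection check on the OAuth side."""
    body = json.dumps(payload, sort_keys=True).encode()
    return _b64(body) + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def _verify(blob: str, key: bytes) -> Optional[dict]:
    try:
        body_b64, mac = blob.split(".")
        body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(expected, mac) else None


# Steps 1-2: the app asks for a token; with no session the AS answers with a SAML
# AuthnRequest and remembers which app and scope the request belongs to.
def as_start_login(client_id: str, scope: str) -> dict:
    req_id = "_" + secrets.token_hex(8)
    PENDING[req_id] = (client_id, scope)
    return {"Issuer": AS_ENTITY_ID, "ID": req_id, "Destination": IDP_ENTITY_ID}


# Step 3: the IdP authenticates the user and redirects back with a signed assertion
# bound to the requesting SP (Audience) and to this request (InResponseTo).
def idp_login(authn_request: dict, user: str, password: str,
              now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return None
    return _sign({"Issuer": IDP_ENTITY_ID, "Subject": user,
                  "Audience": authn_request["Issuer"], "InResponseTo": authn_request["ID"],
                  "NotOnOrAfter": now + 300}, IDP_KEY)


# Step 4: the AS verifies the assertion and only then mints an OAuth bearer token.
def as_exchange_assertion(assertion: str, now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    a = _verify(assertion, IDP_KEY)
    if a is None or a.get("Issuer") != IDP_ENTITY_ID:
        return None                                  # forged, or from an unknown IdP
    if a.get("Audience") != AS_ENTITY_ID or a.get("NotOnOrAfter", 0) <= now:
        return None                                  # meant for another SP, or expired
    pending = PENDING.pop(a.get("InResponseTo"), None)
    if pending is None:
        return None                                  # unsolicited, or already used (replay)
    client_id, scope = pending
    return _sign({"sub": a["Subject"], "client_id": client_id,
                  "scope": scope, "exp": now + 3600}, AS_KEY)


# Steps 5-6: the gateway validates the bearer token, then checks the scope that
# the specific operation needs (fine-grained authorization).
def gateway_authorize(bearer: str, method: str, path: str,
                      now: Optional[float] = None) -> Tuple[int, str]:
    now = time.time() if now is None else now
    claims = _verify(bearer, AS_KEY)
    if claims is None or claims.get("exp", 0) <= now:
        return 401, "invalid or expired token"
    needed = ROUTE_SCOPES.get((method, path))
    if needed is None:
        return 404, "unknown operation"
    if needed not in claims.get("scope", "").split():
        return 403, "scope %s required" % needed
    return 200, "%s %s as %s via %s" % (method, path, claims["sub"], claims["client_id"])


def run_flow(client_id: str, scope: str, user: str, password: str) -> Optional[str]:
    """Drive steps 1-4 end to end and return the OAuth token (None on any failure)."""
    assertion = idp_login(as_start_login(client_id, scope), user, password)
    return None if assertion is None else as_exchange_assertion(assertion)


if __name__ == "__main__":
    token = run_flow("mobile-app", "orders:read", "alice", "alice-pw")
    print(gateway_authorize(token, "GET", "/orders"))       # admitted
    print(gateway_authorize(token, "DELETE", "/orders"))    # refused: token lacks orders:admin
```

The checks in step 4 are the ones that matter when the two protocols are glued together: the assertion must come from the expected IdP, name this authorization server as its Audience, be unexpired, and answer a request the server actually issued, and each assertion is exchangeable exactly once. Scope is fixed by the app's request in step 1, not by anything the IdP says, so the gateway's per-operation scope check in step 6 is what turns "who the user is" into "what this app may do".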

Page 6

Licensing

• You may want to enable a business model based on different:
  – Operations or resources
  – Levels of service

• The licenses control:
  – OAuth authorization scopes
  – Document visibility
  – Quota policies

Page 7

Licensing - Flow

1. Validate OAuth token
2. Authorize API call
3. Determine license
4. License provides QoS policies

Page 8

Quota Management

• You probably want different licenses with different levels of service

• The levels of service are:
  – Throughput
  – Bandwidth consumed over time
  – Concurrency
  – Availability

• Apps can either be cut off, or events generated, when quotas are exceeded. Events can be used for overage billing
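The licensing flow on the previous slide and the quota levels above, as one added example (not SOA Software's gateway code). The license catalogue, the app-to-license registry, the limits and the "cut-off" versus "overage" behaviour are all constructed for the demo. It enforces three of the four levels of service per call: throughput (calls per second), bandwidth (bytes per minute) and concurrency (in-flight calls); availability is an SLA commitment rather than a per-call check, so it is not modelled. Token validation and API authorization are assumed to have already happened upstream.

```python
import collections
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed license catalogue: a license names the QoS policies the gateway
# enforces for every app that holds it. Limits are deliberately small so the demo
# hits them.
LICENSES = {
    "free": {"requests_per_second": 2, "bytes_per_minute": 10_000,
             "max_concurrent": 1, "on_exceed": "cut-off"},
    "gold": {"requests_per_second": 50, "bytes_per_minute": 5_000_000,
             "max_concurrent": 20, "on_exceed": "overage"},
}
APP_LICENSES = {"demo-free-app": "free", "partner-gold-app": "gold"}   # constructed registry


@dataclass
class Decision:
    status: int                      # 200 admitted, 429 cut off, 403 no license
    reason: str
    events: List[dict] = field(default_factory=list)   # overage events raised for billing


@dataclass
class _Counters:
    sec_window: int = -1     # fixed 1-second window for throughput
    sec_count: int = 0
    min_window: int = -1     # fixed 60-second window for bandwidth
    min_bytes: int = 0
    in_flight: int = 0       # concurrency: calls admitted but not yet released


class QuotaEnforcer:
    def __init__(self) -> None:
        self.counters: Dict[str, _Counters] = collections.defaultdict(_Counters)
        self.billing_events: List[dict] = []

    def determine_license(self, app_id: str) -> Optional[dict]:
        name = APP_LICENSES.get(app_id)
        return None if name is None else LICENSES[name]

    def admit(self, app_id: str, request_bytes: int, now: float) -> Decision:
        """Decide whether one call from app_id may proceed; now is epoch seconds."""
        policy = self.determine_license(app_id)
        if policy is None:
            return Decision(403, "no license for app")
        c = self.counters[app_id]
        # Roll the fixed windows when the clock has moved into a new second / minute.
        if int(now) != c.sec_window:
            c.sec_window, c.sec_count = int(now), 0
        if int(now // 60) != c.min_window:
            c.min_window, c.min_bytes = int(now // 60), 0
        prospective = (("throughput", c.sec_count + 1, policy["requests_per_second"]),
                       ("bandwidth", c.min_bytes + request_bytes, policy["bytes_per_minute"]),
                       ("concurrency", c.in_flight + 1, policy["max_concurrent"]))
        breaches = [name for name, used, limit in prospective if used > limit]
        if breaches and policy["on_exceed"] == "cut-off":
            c.sec_count += 1          # a rejected call still counts against throughput
            return Decision(429, "quota exceeded: " + ", ".join(breaches))
        c.sec_count += 1
        c.min_bytes += request_bytes
        c.in_flight += 1
        events = [{"app": app_id, "quota": b, "at": now} for b in breaches]
        self.billing_events.extend(events)   # overage: let the call through, bill later
        return Decision(200, "admitted", events)

    def release(self, app_id: str) -> None:
        """Call once the backend response has been sent, freeing a concurrency slot."""
        c = self.counters[app_id]
        c.in_flight = max(0, c.in_flight - 1)


if __name__ == "__main__":
    q = QuotaEnforcer()
    for t in (1000.0, 1000.2, 1000.5):             # third call in one second is cut off
        d = q.admit("demo-free-app", 100, t)
        print(t, d.status, d.reason)
        q.release("demo-free-app")
    print(q.admit("partner-gold-app", 6_000_000, 2000.0))   # admitted, overage event raised
```

Two practical points the code makes explicit: a cut-off decision must not consume bandwidth quota (the bytes were never forwarded) but should still count toward throughput, otherwise a client can hammer the limit for free; and concurrency needs a release hook wired to response completion, or a backend stall will permanently exhaust the slot.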

Page 9

Protection

• Denial of Service
• Injection attacks
• XSS
• Viruses

Page 10

The Role of Policy

Lower cost and risk:

• Separate functional and non-functional

• Decouple changing standards from your implementation

• Provide multiple options depending on the channel

• Mediate

Page 11

The Role of Policy

• An API is exposed externally with a security policy of:
  – OAuth with SAML2

• Internally, the security policy is:
  – WSS/SAML

• The system can use these declarative policies to automatically convert the inbound OAuth token to the WSS/SAML token required by downstream services
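The conversion described above as an added example, not SOA Software's policy engine: a declarative per-API policy (inbound OAuth, outbound WSS/SAML, and the backend the minted assertion is restricted to), a lookup table standing in for the authorization server's token store, and a mediator that validates the inbound bearer token and injects a wsse:Security header carrying a SAML 2.0 assertion into the outbound SOAP envelope. The namespace URIs are the real SOAP 1.1, WS-Security, SAML 2.0 and XML-DSig ones; the gateway key, issuer, policy and tokens are constructed, and an HMAC over the assertion's security-relevant fields stands in for a proper enveloped XML signature over the canonicalised assertion. The `backend_verify` function shows what the downstream service checks before trusting the header.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

NS = {  # real namespace URIs for SOAP 1.1, WS-Security, SAML 2.0 and XML-DSig
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

# Constructed gateway identity, declarative per-API policy, and a stand-in for the
# authorization server's token store that a real gateway would query by introspection.
GATEWAY_ISSUER = "https://gateway.example/sts"
GATEWAY_KEY = b"demo-gateway-signing-key"
POLICIES = {"orders-api": {"inbound": "oauth", "outbound": "wss-saml",
                           "backend": "https://erp.internal/orders"}}
TOKEN_STORE = {
    "tok-alice-mobile": {"active": True, "sub": "alice", "client_id": "mobile-app",
                         "scope": "orders:read orders:write"},
    "tok-bob-revoked": {"active": False, "sub": "bob", "client_id": "web-app", "scope": "orders:read"},
}


def _tag(prefix: str, local: str) -> str:
    return "{%s}%s" % (NS[prefix], local)


def _iso(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _mac_input(a: ET.Element) -> bytes:
    """Fields the stand-in signature binds; a real deployment signs the canonicalised XML."""
    cond = a.find("saml2:Conditions", NS)
    parts = [a.findtext("saml2:Issuer", namespaces=NS),
             a.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
             cond.findtext("saml2:AudienceRestriction/saml2:Audience", namespaces=NS),
             cond.get("NotBefore"), cond.get("NotOnOrAfter")]
    parts += ["%s=%s" % (attr.get("Name"), v.text)
              for attr in a.findall("saml2:AttributeStatement/saml2:Attribute", NS)
              for v in attr.findall("saml2:AttributeValue", NS)]
    return "|".join(parts).encode()


def build_wss_security(claims: dict, audience: str, now: float) -> ET.Element:
    """Mint the wsse:Security header the backend expects, carrying a SAML 2.0 assertion."""
    sec = ET.Element(_tag("wsse", "Security"), {_tag("soap", "mustUnderstand"): "1"})
    a = ET.SubElement(sec, _tag("saml2", "Assertion"),
                      {"Version": "2.0", "ID": "_" + secrets.token_hex(8), "IssueInstant": _iso(now)})
    ET.SubElement(a, _tag("saml2", "Issuer")).text = GATEWAY_ISSUER
    ET.SubElement(ET.SubElement(a, _tag("saml2", "Subject")), _tag("saml2", "NameID")).text = claims["sub"]
    cond = ET.SubElement(a, _tag("saml2", "Conditions"),
                         {"NotBefore": _iso(now), "NotOnOrAfter": _iso(now + 300)})
    ET.SubElement(ET.SubElement(cond, _tag("saml2", "AudienceRestriction")),
                  _tag("saml2", "Audience")).text = audience   # only this backend may accept it
    attrs = ET.SubElement(a, _tag("saml2", "AttributeStatement"))
    for name, values in (("client_id", [claims["client_id"]]), ("scope", claims["scope"].split())):
        attr = ET.SubElement(attrs, _tag("saml2", "Attribute"), {"Name": name})
        for v in values:
            ET.SubElement(attr, _tag("saml2", "AttributeValue")).text = v
    sig = ET.Element(_tag("ds", "Signature"))    # HMAC stands in for the gateway's XML-DSig
    ET.SubElement(sig, _tag("ds", "SignatureValue")).text = \
        hmac.new(GATEWAY_KEY, _mac_input(a), hashlib.sha256).hexdigest()
    a.insert(1, sig)                              # schema order: Issuer, Signature, Subject, ...
    return sec


def mediate(api: str, inbound_headers: Dict[str, str], soap_body: str,
            now: Optional[float] = None) -> Tuple[int, str]:
    """Apply the API's policy to one call; returns (status, outbound envelope or reason)."""
    now = time.time() if now is None else now
    policy = POLICIES.get(api)
    if policy is None:
        return 404, "no policy for api %s" % api
    if (policy["inbound"], policy["outbound"]) != ("oauth", "wss-saml"):
        return 501, "no mediation rule for %s -> %s" % (policy["inbound"], policy["outbound"])
    auth = inbound_headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "bearer token required"
    claims = TOKEN_STORE.get(auth[len("Bearer "):])
    if claims is None or not claims["active"]:
        return 401, "token invalid or revoked"
    try:
        body_el = ET.fromstring(soap_body)
    except ET.ParseError:
        return 400, "malformed SOAP body"
    env = ET.Element(_tag("soap", "Envelope"))
    ET.SubElement(env, _tag("soap", "Header")).append(build_wss_security(claims, policy["backend"], now))
    ET.SubElement(env, _tag("soap", "Body")).append(body_el)
    return 200, ET.tostring(env, encoding="unicode")


def backend_verify(envelope_xml: str, expected_audience: str, now: float) -> Optional[dict]:
    """What the downstream service checks before acting on the mediated call."""
    a = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security/saml2:Assertion", NS)
    if a is None:
        return None
    given = a.findtext("ds:Signature/ds:SignatureValue", default="", namespaces=NS)
    if not hmac.compare_digest(hmac.new(GATEWAY_KEY, _mac_input(a), hashlib.sha256).hexdigest(), given):
        return None                                   # not minted by the gateway, or altered
    cond = a.find("saml2:Conditions", NS)
    if cond.findtext("saml2:AudienceRestriction/saml2:Audience", namespaces=NS) != expected_audience:
        return None                                   # assertion minted for a different backend
    if not (cond.get("NotBefore") <= _iso(now) < cond.get("NotOnOrAfter")):   # same format: lexical compare
        return None
    return {"sub": a.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
            "scopes": [v.text for v in a.findall(
                "saml2:AttributeStatement/saml2:Attribute[@Name='scope']/saml2:AttributeValue", NS)]}
```

The declarative part is the `POLICIES` entry: changing the external standard (say, from an introspected opaque token to a signed JWT) means editing the inbound half of the policy and its validation routine, while the backend keeps receiving the same WSS/SAML header it was written against. The assertion carries the OAuth scopes as SAML attributes, so the downstream service can still make authorization decisions on what the app was granted, and the AudienceRestriction plus short lifetime keep a header captured on one backend link from being replayed against another.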

Page 12

SOA Software’s API Platform

Page 13

API Platform

• Analytics: measure the impact of your programs
• Developer Engagement: build your developer and partner ecosystem
• Gateway Services: secure and protect your systems
• Service Integration: simplify and speed up development
• Lifecycle Management: build the right services & APIs the right way

Page 14

In the Cloud or On-Premise

Page 15

Thanks…

Alistair Farquharson, CTO, SOA Software
www.soa.com
@afarqu
@SOASoftwareInc