Enterprise OAuth 2.0 - Enterprise and Social Media Application Landscape
Security Basics - Providers
- User, Identity
- Where are the user credentials stored?
- Authentication
- Who does this? IDP
- How does it happen?
- Authorization
- Application does this
- Uses information from IDP
Security Basics - Homegrown
- Identify
- Stored in application database
- Authentication
- Done by application
- Authorization
- Done by application
- Not recommended
Security Basics - LDAP
- Identity
- Stored in LDAP database
- Microsoft Active Directory
- Authentication
- Done by LDAP(AD)
- Authorization
- Done by Application
- LDAP and Application in same data center
Security Basics - SAML(Security Assertion Markup Language)
- Communicating across data centers(use HTTP Redirect)
- Identity
- Stored in LDAP database
- Microsoft Active Directory
- Authentication
- SAML Identity Provider does the authentication
- ADFS
- Authorization
- Application controls it
- Can use LDAP groups
- SAML Metadata File
- Trust between
- SAML Identity Provider
- SAML Service Provider
- SAML Response
- Contains SAML Token
- Token contains claims
- Federated User
- Single Sign On
- Redirect importance
Security Basics - SSO
- Avoid entering the user credentials (use SSO)
- The network user is already a part of AD
- Single Sign On(SSO)
- Enterprise SSO
Problem Use cases
- Microservices
-
Cloud Apps
- How does REST calls across network boundaries get secured?
-
Machine to Machine
- Scheduled Tasks, Daemons sometimes need to call REST APIs. How are they secured?
- No user involved
Social Media Platform
- Social Media Sites
- GitHub
- Yahoo
- A user usually has Multiple Identities
- Many Identify Providers
- What if a third party application wants to access or publish to these sites on behalf of its user?
- User/password would be a bad idea.