Welcome!

Agile Computing Authors: Liz McMillan, Pat Romanski, Elizabeth White, Dana Gardner, Andy Thurai

Blog Feed Post

Blocking identity leakage: Why an organization should become an IdP

This week, my colleague Ed King presented a webinar with Eve Maler (@xmlgrrl) from Forrester about why organizations should become identity providers. This is an important topic. Organizations are leaking identity. The path of least resistance is for an employee to use a SalesForce.com login, another SaaS service login, or even a Google Apps or Facebook login to log into a third-party site. The third-party site could be a B2B procurement hub, or a corporate travel service. In that case, the SaaS service becomes crucial as the IdP (Identity Provider) which enables the user to log into the service. This is undoubtably good for the SaaS service, which is why so many are becoming IdP by supporting standards such as OAuth 2.0 and SAML. But what about the organization itself? Would it not be better for the organization to to stop the identity leakage and become an IdP itself?

In the webinar, Ed and Ruth talked about why organizations should become IdPs. But the next question is how. The Vordel API Server makes this easy.

OAuth 2.0 and SAML are two key standards used to become an IdP. They enable a token to be issued, based on a user's login. Let's look at OAuth 2.0 first:

OAuth 2.0

The Vordel API Server comes with a prebuilt OAuth 2.0 sample. In this sample, you can see a sample app asking the user to authorize a connection to a third-party service. In the example below, I've setup an organization to use the Vordel API server to act as an IdP by authenticating the user against a corporate Active Directory, and then to prompt the server to allow a third-party site to access their information.This results in user being issued an OAuth 2.0 Access Token, and the third-party site receiving an OAuth 2.0 bearer token.

Here is how I'm authenticating the user against a corporate Active Directory then redirecting them to the OAuth 2.0 services:



You can see an example of the bearer token below in the Vordel API Server traffic monitor:


And here's the policy on the API Server which validates the OAuth 2.0 bearer token:


SAML 

Now let's look at the SAML use case. SAML is often used, in this content, to issue a signed SAML Authentication assertion for the IdP to assert that the user has been authenticated. The policy below, in the Vordel API Server, allows an organization to act as an IdP by authenticating a user against a corporate Active Directory and then issuing (and signing) a SAML Assertion:


Here is how the Active Directory connection is configured (note the long list of other identity connectors in the Vordel API Server):


Finally, here is the signed SAML Assertion which is issued by our IdP policy.


At this point, you may be thinking "What should I use for my IdP, SAML or OAuth 2.0?". Well, it usually isn't a case of either/or. A third-party provider may dictate the answer by only supporting one or the other. But in the example above, you can clearly see that an OAuth bearer token is a lot smaller than a signed SAML Assertion, and size may be a big consideration for mobile use cases. In any case, you can support both with the Vordel API Server, getting the best of both worlds.

So, to make the first step for your organization to become an IdP, download your copy of the Vordel API Server here.

Read the original blog entry...

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

IoT & Smart Cities Stories
DXWorldEXPO LLC, the producer of the world's most influential technology conferences and trade shows has announced the 22nd International CloudEXPO | DXWorldEXPO "Early Bird Registration" is now open. Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of ...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and sh...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
What are the new priorities for the connected business? First: businesses need to think differently about the types of connections they will need to make – these span well beyond the traditional app to app into more modern forms of integration including SaaS integrations, mobile integrations, APIs, device integration and Big Data integration. It’s important these are unified together vs. doing them all piecemeal. Second, these types of connections need to be simple to design, adapt and configure...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.