Dataporten Andreas Åkre Solberg
Presentation transcript:

Dataporten: from SAML and Single Sign-On to an API Platform for data sharing. Andreas Åkre Solberg, andreas.solberg@uninett.no. TNC2017, Linz, May 30th, 2017.

Dataporten: 100% self service. No service provider fee, and no contract. Authentication and authorization: OpenID Connect + OAuth. The client gets a key (token) to access a set of APIs: the userinfo endpoint, the Groups API, and third-party APIs.

100% self service: the Dataporten Developer Dashboard. Self-service for both registering applications and APIs.

Developer dashboard: Choosing auth providers

Auth providers: Feide (Norwegian higher and lower education), Norwegian Government ID (ID-porten), eIDAS (soon), eduGAIN (piloting), social network login (Facebook, LinkedIn, Twitter), guest login (Feide OpenIdP).

OpenID Connect: an identity layer on top of OAuth 2.0. Standardises the userinfo endpoint. Sends a cryptographically signed token carrying the user identity along with the OAuth token. JWT - JSON Web Token (the format of the various signed messages in OpenID Connect).

The combo OAuth 2.0 and OpenID Connect is very convenient for building an API Platform. It allows you to build API authorization into the authentication UI.

Mobile (native apps): OpenID Connect / OAuth works better with mobile (native apps). Supports long-lived tokens. Secures the mobile app's communication with its own backend. Does not support synchronized user sessions and Single Logout.

End-user experience: choosing auth provider. Choose an institution, social login, or guest login. Choose country for international institutions. Logos, coordinates, and geo-positioning. Incremental search. Only shown the first time.

End-user experience: account chooser. Remembers your account(s). Lets you bypass choosing an organization, while keeping the option to select something else. Gives the user context (service provider and account), even in the case of SSO. Shows a visual indication of accounts where you are already logged in.

End-user experience: user consent. The OAuth authorization dialog. Not limited to attribute transfer: it also covers access to third-party resources / APIs.

Groups API

Group model. Group API – VOOT. Fetch the list of groups the currently authenticated user is a member of.

Ad-hoc groups: a dedicated frontend to create user-controlled collaboration groups. The Person API allows users to find other users by incremental search and add them to a group.

Third party APIs

A new interface towards services. More authentication sources. Group APIs. Access to third-party group APIs.

Self service for API providers: anyone can register new APIs, and connect their own clients to the backends, or expose them for others to request access.

API Library: the public third-party APIs form the API Library. Clients may search and navigate the API catalogue and request access to the ones they need.

OAuth 2.0 access token: the OAuth access token that the client receives carries a combination of global scopes and scopes namespaced for third-party APIs, e.g. userinfo, feide, email, gk_mediasite, gk_mediasite_admin.

Client API Gatekeeper

Signed/encrypted tokens For some use cases, where data is required to go directly from client to API because of security or performance requirements, we make use of a JWT Token Issuer Service.
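As an added example (not code from the slides or from Dataporten) of the two points above, the namespaced gk_* scopes in the access token and a signed JWT that travels directly from client to API: an HS256 issue/verify pair in Python using only the standard library. The issuer URL, shared key and claim names are assumptions; a real deployment would verify against the issuer's published signing keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://issuer.example"  # assumed issuer URL, not Dataporten's
SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed demo key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, sub, aud, scopes, ttl, now=None):
    """Issuer side: mint a compact HS256 JWT carrying the user's scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now,
              "exp": now + ttl, "scope": " ".join(scopes)}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key, token, expected_aud, required_scope, now=None):
    """API side: return the claims if the token is valid for this API, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # check signature before trusting any claim
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    # Audience binds the token to this API; exp and scope gate the actual call.
    if (claims.get("iss") != ISSUER or claims.get("aud") != expected_aud
            or not isinstance(claims.get("exp"), int) or claims["exp"] <= now
            or required_scope not in claims.get("scope", "").split()):
        return None
    return claims
```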

Dataporten source code: all open source, available on GitHub. All components run as Docker containers. All components run replicated (load balancer + fail-over). Uses Cassandra for storage.

Preparations for the next step: multiple data centers. Running Dataporten across multiple data centers.

OAuth / OpenID Connect libraries: docs.dataporten.no. We have collected some experience with OAuth / OpenID Connect libraries, and have demoed a large set of open source software against Dataporten. We have done some work on demo services and examples, and try to keep an up-to-date list of links to libraries and example code at docs.dataporten.no. We distinguish between extended OAuth 2.0 plugins, and docs.dataporten.no

Open source applications, Dataporten + Docker: DokuWiki, MediaWiki, WordPress, Drupal, Mattermost, GitLab, Redmine, WekanBoard, OwnCloud, Jupyter Notebook, Flarum, Etherpad, Rocket.chat.

Flarum Etherpad

Rocket.chat

Thanks. andreas.solberg@uninett.no