Identity Enabling Web Services

Identity enabling Web Services

Ashish Jain, Director of Technology, Ping Identity Peter Dapkus, Product Manager, Salesforce.com  Eric Sachs, Product Manager, Google Security

September 10, 2008

Agenda

• Introduction • WS-Trust Overview• OAuth Overview• Enterprise to Enterprise • OAuth Dance • Consumer to SaaS• Enterprise to SaaS• Summary• Q&A

Introduction

  • Server to Server Mashup• Enterprise SOA• SSO + Data• Desktop Client

WS-Trust To provide a framework for requesting and issuing security tokens, and to broker trust relationships.  • OASIS Standard• Solutions by Microsoft, IBM, Sun, Ping Identity...• Related Specs - WS-Policy, WS-SecureConversation, WS-

Addressing, WS-Mex, WS-SecurityPolicy...• Used heavily in Information Cards • Current Status

OAuthAn open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.   • Open Standard. Developed by Community. (http://OAuth.net). • Support by Google, MySpace, Yahoo, AOL, Twitter, Pownce...• Lightweight. Does one thing. Very well.• Somewhat related specs: OpenID • Current Status: V1.0 in use by Google & MySpace as well as many

other sites.  Some extensions proposed, but no significant modifications to the core protocol.

WS-Trust Continued

Enterprise Use Cases

  • Legacy Systems - API access • Proprietary (especially in mergers)• Federal /DoD - Extending PKI• XML security gateway

OAuth Continued

The OAuth "dance"

Step 1: Login to site AStep 2: Specify site BStep 3: Agree to legal doc from site A Step 4: Login to site BStep 5: Agree to legal doc from site BStep 6: Data exchanged in either direction

Establishing trust for consumer SaaSOAuth is becoming the de-facto solution when end users want to delegate access to their data to another websiteExample: Personal Health Record portabilityExample: Address Book (social data) portabilityExample: Application extensions (photo labs) End users want their OWN copy of the data enterprises & portals have about them (address books, health records, financial records, power usage records, even telephone records). If you don't give it to them, they will pass laws (HIPAA).  Even if you provide private portals on your site, Web 2.0 startups will screen scrape your site.

Personal Health Records Portability

• MS HealthVault & Google Health provide secure storage• Data providers such as hospitals, labs, pharmacies get the

user's authorization to transfer data to MS or Google• 3rd party services read the data from MS or Google to

provide tools such as clinical trial matching, diabetes management tools, personalized medical news, etc.

• In the future, hospitals might read data from MS or Google to get updates on their patients from other medical providers

Address Book Portability

• Signup for a Social Networks, and get asked for the password of your E-mail account.

• OAuth provides a more secure option• Also allows two-way data flow, such as contact sync• Provides an incentive to E-mail providers to develop

standard API format for address books

Application Extensions

• Photo touchup tools, photo labs• Calendar/Contact sync tools• Health management tools• Blog publishing tools

 Advanced OAuth tricks• http://sites.google.com/site/oauthgoog/• OAuth+Gadgets• OAuth+OpenID• OAuth+Google Apps Engine• OAuth in social apps

Enterprise SaaS @ Saleforce.com

What is Salesforce.com?

Who builds applications on Salesforce?

Three Types of Applications:• Salesforce.com Applications• ISV Applications• Custom Applications

The Salesforce.com API

• SOAP API with WSDL / Schema• Low verb count - Primarily CRUD

o Developers can get started in 15-20 minutes • 100,000s of active integrations, all major platforms• 2 Billion API Calls a Month• 3 major releases a year, no broken integrations

Multi-Tenancy Makes Cloud Computing Possible

• Faster Vendor Innovation• Economies of Scale• Maximum Scalability• Automatic Upgrades

Salesforce.com Design Principles1) Secure• Confidentiality, Integrity• Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs• Appropriate for public internet

2) Simple• designed around a few well-defined uses cases• smarts in the service, not client or the wire protocol• Minimal surface area

3) Re-usable• Built on technologies already in stack• Birds killed > stones

4) Supportable• Based on interoperable standards• available on all major platforms• Reliable

Enterprise SaaS Use Cases

Enterprise SaaS Use Cases

Enterprise SaaS Use Cases

WS-Trust

OAuth

Salesforce.com Design Principles1) Secure• Confidentiality, Integrity• Proven technologies, rigorously crypto-analyzed - e.g. SSL, client certs• Appropriate for public internet

2) Simple• designed around a few well-defined uses cases• smarts in the service, not client or the wire protocol• Minimal surface area

3) Re-usable• Built on technologies already in stack• Birds killed > stones

4) Supportable• Based on interoperable standards• available on all major platforms• Reliable

Q&A

Ashish Jain - ajain@pingidentity.comPeter Dapkus - pdapkus@salesforce.comEric Sachs    - esachs@google.com

Appendix

Summary continued

If you a service provider, support OAuth and you will make things simpler for your data consumers.Within an enterprise or government scenario, this may be harder to doFor a web service, this should be your starting pointIf you are a data consumer, and your service provider does not support OAuth, then try using WS-TrustIf your service provider does not support WS-Trust, then you will need to build your own proprietary bridge