1. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Unified Security
Mobile, Web and APIs

2. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
The Security Landscape
• Authentication, Authorization, SSO
• Licensing
• Quota Management
• Protection
• Role of Policy
Au/Az/SSO
Licensing
Quota
Management
Protection

3. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Authentication/Authorization/SSO
• Confusing array of standards:
– OAuth
– SAML
– OpenID
– SCIM
• A variety of App types
– Desktop
– Mobile
– Web
• Enterprise SSO and its set of legacy
systems

4. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Use Cases
• Enterprise support for public credentials
– Tiered service
• Providing APIs for Web applications
• Enabling a new API digital channels using
OAuth. Perhaps in conjunction with:
– SAML
– OpenID
• Extending/modernizing Enterprise SSO via:
– OpenID Connect
– SAML

5. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Combining SAML and OAuth
1. Try to get OAuth Token
2. Redirect with SAML
Authentication Request
3. Log the user in, create
the SAML assertion and
redirect again
4. Verify SAML token and
issue OAuth token
5. App makes call to API
6. Gateway validates OAuth
token and performs fine
grained authorization

6. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Licensing
• You may want to enable a business model based on
different:
– Operations or resources
– Levels of service
• The licenses control:
– OAuth Authorization
Scopes
– Document visibility
– Quota policies

7. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Licensing - Flow
Validate OAuth
Token
Authorize API
Call
Determine
License
Licenses provides
QoS policies

8. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Quota Management
• You probably want different
licenses with different levels of
service
• The levels of service are:
– Throughput
– Bandwidth consumed over time
– Concurrency
– Availability
• Apps could either be cut-off or
events generated when quotas
are exceeded. Events can be
used for overage billing

9. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Protection
• Denial of Service
• Injection Attacks
• XSS
• Viruses

10. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
The Role of Policy
Lower cost and risk:
• Separate functional and non-
functional
• Decouple changing standards from
your implementation
• Provide multiple options depending
on the channel
• Mediate

11. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
The Role of Policy
• An API is exposed externally that
has a security policy of:
– OAuth with SAML2
• Internally, the security policy is:
– WSS/SAML
• The system can use these
declarative policies to
automatically convert the OAuth
token inbound to the WSS/SAML
token that is required by
downstream services

12. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
SOA Software’s
API Platform

13. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
API Platform
• Measure the impact of
your programsAnalytics
• Build your developer
and partner ecosystem
Developer
Engagement
• Secure and protect
your systemsGateway Services
• Simplify and speed up
development
Service
Integration
• Build the right services
& APIs the right way
Lifecycle
Management

14. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
In the Cloud or On-Premise

15. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Thanks…
Alistair Farquharson, CTO, SOA Software
www.soa.com
@afarqu
@SOASoftwareInc