Onegini Token server / Web API Platform


The Onegini Token Server is a complete solution for managing your customers' authorizations. It provides a comprehensive security token server that integrates with enterprise identity and access management systems, based on the latest web and API security standards such as OAuth 2.0.

With the Token Server, companies and users can interact by securely sharing data between different applications, and users can allow applications to act on their behalf without sharing their passwords.

OAuth 2.0 and APIs

OAuth is becoming the standard for access management with RESTful APIs. Its advantages are:

• Lightweight
• Universal access for web, mobile apps or any other third-party application

Unfortunately, OAuth can also be complex to set up, given the number of actors, token formats, transports, management, logging and security mechanisms required. Handling all the user interactions in particular requires a flexible architecture, since the number of devices is growing rapidly.

Onegini bridges the security gap between companies and the Internet. For more information visit our website: www.onegini.com

Companies and users interact securely by sharing data between different applications


Key components

OAuth is mandatory in consumer IAM

OAuth allows individual resource owners to delegate resource access rights to third parties in a discretionary fashion, with a limited scope, based on a user dialogue. In that respect OAuth is unprecedented and fundamentally important. The original flavor of OAuth comprises a three-party exchange requiring the presence of the individual resource owner, which confines OAuth to the consumer IAM space. OAuth defeats the password anti-pattern, creating a consistent, flexible identity and policy architecture for web applications, web services, devices and desktop clients that communicate with cloud APIs.

It's all about tokens

OAuth cares about two things:

• How is a token used to access resources?
• How are such tokens obtained?

There is a variety of token types (self-contained vs. identifier tokens, refresh vs. access tokens), means of presenting tokens (HTTP Authorization request headers, form-encoded body parameters and, although RFC 6750 advises against it because the token then ends up in server logs and Referer headers, URL query parameters) and ways of obtaining them (various combinations of protocol exchanges, called flows). This is where the complexity of the specification and framework actually comes from. Onegini handles this for you.

Secure your APIs and meet compliance

Protecting APIs against attacks is crucial these days. The Onegini Token Server provides comprehensive API security and pre-built identity management integration. Onegini protects the APIs by managing tokens and preventing token abuse. Onegini also provides auditing and monitoring capabilities to support enterprises in being compliant.

Why is Onegini different?

The Onegini Token Server is unique because it is a complete solution with a clear focus: protecting your enterprise APIs using OAuth. It can be easily integrated within your IT infrastructure. The software is easy to install and requires no custom coding. It is a stateless, scalable engine, including administration and operational consoles.

The Onegini Token Server is a complete solution for managing authorizations of resource access, compliant with the OAuth 2.0 standard. It can easily be plugged in to your current infrastructure and can cooperate with existing authentication services. The key components are:

Component                        Description
Core (OAuth 2.0 spec compliant)  The core engine of the Onegini OAuth Server is the authorization server, responsible for token management.
Monitoring and auditing          Keeps track of all events and enables operators to analyze behavior.
Management console               A complete dashboard for administrators.
Management and end-user API      End-user and management APIs enable you to integrate Onegini functionality into your own systems.

The Onegini Authorisation Server enables enterprises to deploy applications anywhere, using the same security infrastructure


How does the Onegini Token Server work?

The core of Onegini

The core of Onegini is managing and protecting tokens. Long-lived tokens and identity information are stored encrypted in the database. The store contains access and refresh tokens together with their properties, such as one-time use, expiration date, the number of times a token may be used, scope linking, etc. The Onegini architecture is an event-based engine, and all events are stored in multiple databases. Onegini's search database enables real-time analysis of token abuse. Onegini supports the latest OAuth 2.0 specification including the accompanying threat model (RFC 6819). Both the specification and the threat model are tracked and applied throughout the lifecycle of the Onegini Token Server.
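The token properties just described, worked through as an added example (this is not Onegini's code; the class, field and method names are assumptions): an in-memory token store that issues access and refresh tokens with an expiration date, a usage limit, single-use refresh tokens and the scopes they are linked to, and keeps only a digest of each token at rest.

```python
import hashlib
import secrets
import time

# Added example, not Onegini's implementation. The store keeps a SHA-256 digest of
# each token (assumption; the page describes encrypted storage) together with the
# properties the page lists: expiration, usage limit, one-time use, scope linking.


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._tokens = {}      # digest -> record; the raw token is never stored

    def issue(self, kind, client_id, user, scopes, lifetime, uses=None, one_time=False):
        """Mint a random token and persist only its digest plus its properties."""
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = {
            "kind": kind, "client_id": client_id, "user": user,
            "scopes": frozenset(scopes),
            "expires_at": self._now() + lifetime,
            "uses_left": 1 if one_time else uses,   # None means unlimited
            "revoked": False,
        }
        return token

    def issue_pair(self, client_id, user, scopes, access_lifetime=600,
                   refresh_lifetime=86400, access_uses=None):
        """Access token with an optional usage limit plus a single-use refresh token."""
        access = self.issue("access", client_id, user, scopes, access_lifetime, uses=access_uses)
        refresh = self.issue("refresh", client_id, user, scopes, refresh_lifetime, one_time=True)
        return access, refresh

    def _check(self, token, kind, client_id):
        rec = self._tokens.get(_digest(token))
        if rec is None or rec["kind"] != kind:
            return None, "unknown token"
        if rec["revoked"]:
            return None, "revoked"
        if self._now() >= rec["expires_at"]:
            return None, "expired"
        if rec["client_id"] != client_id:
            return None, "token not bound to this client"
        if rec["uses_left"] is not None and rec["uses_left"] <= 0:
            return None, "usage limit reached"
        return rec, "ok"

    def validate(self, token, client_id, required_scope):
        """Resource-side check; a successful check consumes one use of a limited token."""
        rec, reason = self._check(token, "access", client_id)
        if rec is None:
            return False, reason
        if required_scope not in rec["scopes"]:
            return False, "insufficient scope"
        if rec["uses_left"] is not None:
            rec["uses_left"] -= 1
        return True, "ok"

    def refresh(self, refresh_token, client_id):
        """Rotate the pair. A refresh token is single-use: presenting one that was already
        consumed means it leaked, so every token of that grant is revoked."""
        rec = self._tokens.get(_digest(refresh_token))
        if rec is not None and rec["kind"] == "refresh" and rec["uses_left"] == 0 and not rec["revoked"]:
            self.revoke(rec["user"], rec["client_id"])
            return None, "refresh token replayed; grant revoked"
        rec, reason = self._check(refresh_token, "refresh", client_id)
        if rec is None:
            return None, reason
        rec["uses_left"] = 0    # consumed
        return self.issue_pair(client_id, rec["user"], rec["scopes"]), "ok"

    def revoke(self, user, client_id=None):
        """Revoke all live tokens of a user (optionally only those issued to one client)."""
        count = 0
        for rec in self._tokens.values():
            if rec["user"] == user and not rec["revoked"] and client_id in (None, rec["client_id"]):
                rec["revoked"] = True
                count += 1
        return count
```

Storing a SHA-256 digest instead of the encrypted value the page describes is a simplification so the example runs with the standard library alone; the point that the raw bearer token never rests in the database is the same. A replayed refresh token is treated as evidence of theft and the whole grant is revoked, which is the refresh token rotation behaviour RFC 6749 section 10.4 describes.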

Prevent token abuse

Preventing token abuse is a complex process that most organizations do not implement. Using Onegini, your company benefits immediately from our technology created to prevent token abuse. Onegini logs all action events into its operations data store. The logged events are analyzed in real time, allowing the risk-based engine to trigger actions such as revoking tokens.

Get the user's consent

OAuth assumes the individual resource owner to be present and attentive, unless the token endpoint can decide from its own, local context whether to issue a token for a token endpoint request. To obtain consent from the resource owner, a consent page is displayed to the end user when a client requests an access grant and the user has not yet consented to all of the requested scopes for this particular client. Because the application is stateless, this page is responsible for forwarding all request parameters used in the authorization request; this set of request parameters is available as variables in the template. Values echoed into the template must be output-encoded, and the forwarded parameters (client_id, redirect_uri, scope) must be validated again when the consent form is submitted, exactly as on the original authorization request. Customizable templates are available for the consent page and other user interactions.

Dynamic client registration

Native applications running on mobile devices often pose a security threat, since they lack a trusted computing base. The Onegini Token Server provides a mechanism to uniquely identify devices running native applications. This dynamic client registration process allows a client to register itself with the authorization server. Onegini dynamically provisions a client identifier and a client secret to be used by the client. Note that such a per-installation secret identifies one installation; it does not turn the app into a confidential client, because anything stored on the device can be extracted by whoever controls the device. Because the Onegini Token Server can uniquely identify the different devices interacting with the server, it can properly detect abuse and take appropriate action.

[Architecture diagram: OAuth end-points (authorization, token, validation); tokens and events feed the event store; token management; token abuse detection; administration & monitoring; end-user & management API; SIEM solution]

A SIEM tool correlates incidents and events from different sources and raises an alarm if unexpected behavior occurs. Onegini can easily be integrated with existing SIEM solutions in order to track and trace the complete session. The Onegini core is event based and logs events in a database; via our API these events can be extracted. To correlate the events of a particular request across the entire chain, a transaction id is used. Onegini has plug-ins for products such as WebSEAL, Apache and others.
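The two ideas above, the risk rule from the "Prevent token abuse" section and the transaction-id correlation used for SIEM integration, as one added example that is not Onegini's code or log format. SAMPLE_EVENTS is a constructed event stream, TOKEN_BINDINGS is an assumed table of which device each token was issued to, and the field names and the rule are assumptions: a token presented from a device other than the one it is bound to triggers a revoke action, and the action is shipped with the whole correlated chain of that request.

```python
import json
from collections import defaultdict

# Added example, not Onegini's code or log format. SAMPLE_EVENTS is a constructed
# stream of JSON event lines as an event-based token server might emit them; the
# field names (ts, tx_id, component, event, token_id, client_id, device_id) and the
# rule are assumptions. Every event of one request carries the same tx_id.
SAMPLE_EVENTS = """
{"ts": 1, "tx_id": "tx-100", "component": "gateway",  "event": "request",        "token_id": "t-1", "client_id": "c-1", "device_id": "dev-A"}
{"ts": 2, "tx_id": "tx-100", "component": "tokensrv", "event": "token.validate", "token_id": "t-1", "client_id": "c-1", "device_id": "dev-A", "result": "ok"}
{"ts": 3, "tx_id": "tx-100", "component": "resource", "event": "response",       "token_id": "t-1", "client_id": "c-1", "device_id": "dev-A", "status": 200}
{"ts": 4, "tx_id": "tx-101", "component": "gateway",  "event": "request",        "token_id": "t-1", "client_id": "c-1", "device_id": "dev-B"}
{"ts": 5, "tx_id": "tx-101", "component": "tokensrv", "event": "token.validate", "token_id": "t-1", "client_id": "c-1", "device_id": "dev-B", "result": "ok"}
{"ts": 6, "tx_id": "tx-102", "component": "gateway",  "event": "request",        "token_id": "t-2", "client_id": "c-2", "device_id": "dev-C"}
{"ts": 7, "tx_id": "tx-102", "component": "tokensrv", "event": "token.validate", "token_id": "t-2", "client_id": "c-2", "device_id": "dev-C", "result": "expired"}
"""

# Device each token was issued to, as recorded at dynamic client registration (assumed).
TOKEN_BINDINGS = {"t-1": "dev-A", "t-2": "dev-C"}


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events):
    """Group events by transaction id so the SIEM sees the whole chain of one request."""
    chains = defaultdict(list)
    for ev in events:
        chains[ev["tx_id"]].append(ev)
    return {tx: sorted(chain, key=lambda e: e["ts"]) for tx, chain in chains.items()}


def detect_token_abuse(events, bindings):
    """Risk rule: a token presented from a device other than the one it was issued to
    is abuse. Returns the actions the risk engine should trigger, one per token."""
    actions, flagged = [], set()
    for ev in events:
        if ev.get("event") != "token.validate":
            continue
        bound = bindings.get(ev["token_id"])
        if bound is not None and ev["device_id"] != bound and ev["token_id"] not in flagged:
            flagged.add(ev["token_id"])
            actions.append({"action": "revoke_token", "token_id": ev["token_id"],
                            "tx_id": ev["tx_id"],
                            "reason": f"presented by {ev['device_id']}, bound to {bound}"})
    return actions


def siem_alerts(events, bindings):
    """Each revoke action is shipped to the SIEM with the correlated chain attached,
    so an analyst can trace the offending request from gateway to token server."""
    chains = correlate(events)
    alerts = []
    for action in detect_token_abuse(events, bindings):
        chain = [(e["component"], e["event"]) for e in chains[action["tx_id"]]]
        alerts.append({**action, "chain": chain})
    return alerts
```

In the sample stream, token t-1 is validated successfully from dev-B in transaction tx-101 although it was issued to dev-A, so that transaction alone produces a revoke action; tx-102 fails validation on its own (expired) and needs no action. The transaction id is what lets the SIEM join the gateway, token server and resource events of one request, which is the same role the configurable correlation headers play in the feature list.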


Administration

The Onegini Token Server is easy to use for administrators. An administration dashboard guides you through all tasks: configuration, event logs, statistics and user management. A number of different roles are supported, so operators or help desk employees get limited access. The configuration dashboard is a user interface where administrators configure items such as applications, clients and scopes.

Monitoring the APIs

An advanced operational monitoring dashboard empowers IT operations to monitor behavior and gain more insight into system health. Filters can be used to quickly analyze specific clients or events in order to prevent abuse. Authorized system users can block clients immediately.

Security

Onegini is a security solution for managing authorizations of resource access, compliant with the OAuth 2.0 standard. Onegini supports the latest standards and implements many of the security considerations proposed in the OAuth 2.0 Threat Model (RFC 6819). Some of these security considerations are: credential storage protection, binding tokens to a particular resource server, binding tokens to a client, validation of the pre-registered redirect_uri, and binding of the authorisation code to a specific client.

In addition, the following security measures are supported:

• Explicitly defined scopes for audiences and tokens
• Configuration of token expiration time and usage limitation
• Security event auditing to identify patterns and potential threats
• Validation of HTTP parameters and REST query/POST parameters
• Protection against cross-site scripting (XSS) and SQL injection
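The considerations listed above, turned into an added example that is not Onegini's code: a minimal authorization-code exchange, preceded by a dynamic client registration step of the kind described earlier on this page, in which the redirect_uri is validated by exact match against the pre-registered value, the authorization code is bound to the client and the redirect_uri, expires quickly and can be redeemed only once, the client authenticates at the token endpoint, and a per-scope authentication level can require step-up before a code is issued. The class name, CODE_LIFETIME, SCOPE_AUTH_LEVEL and the in-memory tables are assumptions.

```python
import hashlib
import secrets
import time

# Added example, not Onegini's implementation. Authorization-code grant with the
# RFC 6819 mitigations the page lists: exact-match redirect_uri validation, code bound
# to client + redirect_uri, single-use short-lived code, client authentication at the
# token endpoint, scopes limited to the client's registration, per-scope step-up.
# CODE_LIFETIME, SCOPE_AUTH_LEVEL and the tables below are assumptions.

CODE_LIFETIME = 60                              # seconds; RFC 6749 allows at most 10 minutes
SCOPE_AUTH_LEVEL = {"read": 1, "payment": 2}    # assumed authentication level per scope


class AuthorizationServer:
    def __init__(self, now=time.time):
        self._now = now
        self._clients = {}   # client_id -> {secret_digest, redirect_uris, scopes}
        self._codes = {}     # code -> {client_id, redirect_uri, scopes, user, expires_at}

    # --- dynamic client registration ---------------------------------------
    def register_client(self, redirect_uris, allowed_scopes):
        """Provision client_id and client_secret; only a digest of the secret is kept."""
        client_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(32)
        self._clients[client_id] = {
            "secret_digest": hashlib.sha256(client_secret.encode()).hexdigest(),
            "redirect_uris": set(redirect_uris),
            "scopes": set(allowed_scopes),
        }
        return client_id, client_secret          # the secret is handed out once

    # --- authorization endpoint --------------------------------------------
    def authorize(self, client_id, redirect_uri, scopes, user, auth_level):
        """Returns ('code', code) or ('error', reason). Errors in client_id or
        redirect_uri are shown to the user and never redirected (RFC 6749 4.1.2.1)."""
        client = self._clients.get(client_id)
        if client is None:
            return "error", "unknown_client"
        # exact string match against the registered URIs: no prefix or wildcard matching
        if redirect_uri not in client["redirect_uris"]:
            return "error", "invalid_redirect_uri"
        if not scopes or not set(scopes) <= client["scopes"]:
            return "error", "invalid_scope"
        needed = max((SCOPE_AUTH_LEVEL.get(s, 1) for s in scopes), default=1)
        if auth_level < needed:
            return "error", f"step_up_required:{needed}"
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scopes": set(scopes), "user": user,
                             "expires_at": self._now() + CODE_LIFETIME}
        return "code", code

    # --- token endpoint ----------------------------------------------------
    def token(self, client_id, client_secret, code, redirect_uri):
        """Returns ('token', {...}) or ('error', reason)."""
        client = self._clients.get(client_id)
        digest = hashlib.sha256(client_secret.encode()).hexdigest()
        if client is None or not secrets.compare_digest(digest, client["secret_digest"]):
            return "error", "invalid_client"
        grant = self._codes.pop(code, None)      # pop: a code can be redeemed only once
        if grant is None:
            return "error", "invalid_grant"
        # code issued to another client, wrong redirect_uri or expired: refuse
        if (grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
                or self._now() > grant["expires_at"]):
            return "error", "invalid_grant"
        return "token", {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                         "scope": " ".join(sorted(grant["scopes"])), "user": grant["user"]}
```

Two details matter in practice: the client authenticates before the code is looked up, so a wrong secret does not burn the code, and a code that another client tries to redeem is popped immediately, so the legitimate client's later attempt fails too and the incident is visible in the audit trail.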

High performance

The Onegini Token Server is a highly scalable, high-performance authorization engine. All end-points are able to meet enterprise performance requirements, and performance scales linearly with every server added. To improve performance, Onegini supports caching of access grants and access tokens; it also caches configuration items where needed. Cached grants and tokens must be invalidated when a token is revoked or a client is blocked, otherwise the revocation only takes effect once the cache entry expires.

Management and end-user API

Onegini has an extensive management and end-user API which can be used by your own applications and clients. Onegini supports the following interfaces:

• End-user token management (list, revoke)
• Device management (list, revoke)
• Consent management (list, revoke, notification types)
• Client management (list, add, delete, update)
• Scope management (list, add, delete, update)

Onegini integration in your IT infrastructure

Security is all about integration. Onegini seamlessly integrates with current IT infrastructures. Onegini can be placed in the DMZ or in the local infrastructure, as long as the proper security measures related to the deployed infrastructure are implemented.

[Deployment diagram: Onegini positioned between your organisation's authentication services and the protected resources]


Feature highlights

OAuth protocol flows

Authorization code, implicit grant, client credentials, resource owner password credentials

Integration with authentication engines

A modular architecture enables plugging in authentication services such as Onegini, IBM, Oracle or any other.

Authentication level per scope

Various levels of step-up authentication can be assigned per scope. This enables granular configuration based on the specific authentication requirements of the resources you are protecting.

Databases

Oracle, MySQL and DB2

Encryption

Config files, tokens and identity information are all encrypted.

API Interface

Onegini offers interfaces for end-user, management and dynamic client registration.

Dynamic device registration

The process allows a client to register itself with the authorization server. The authorization server will dynamically provision a client identifier and a client secret to be used by the client.

Advanced scope definitions

Scopes can be configured with a usage limit. This enables limiting the number of times an access token for a particular scope can be used.

Integration with Security gateways

Layer7, SecurIT TrustBuilder, Vordel and others

Multi-language

Support for end-user interactions, all languages supported

IAM integration

The Token Server can be integrated with most popular identity and access management (IAM) and SSO solutions such as Onegini, Oracle, CA, Novell and IBM

Pluggable architecture for notifications

Enables sending notifications to end users via their preferred channel (e.g. SMS or email). Users can define their preferred method.

Token abuse detection and reporting

Prevents tokens from being used by unauthorized devices

Advanced logging

Onegini stores all events, including administration tasks and data changes.

Client authentication using JWT

JSON Web Token (JWT) bearer tokens as a means of requesting an OAuth 2.0 access token, as well as a means of client authentication.

Support for the JSON Web Token (JWT) token type

Onegini supports the JWT token type, including its required and recommended encryption and hashing algorithms.
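JWT client authentication as an added example that is not Onegini's code: the client_secret_jwt method (the HMAC-signed variant of the JWT client assertion profile), in which the client proves possession of its secret by sending a short-lived HS256-signed assertion rather than the secret itself, and the token endpoint verifies signature, issuer, audience and expiry and rejects a replayed jti. Only the standard library is used, so the JWT encoding is spelled out; TOKEN_ENDPOINT, the CLIENTS table and all claim values are assumptions.

```python
import base64
import hmac
import json
import secrets
import time

# Added example, not Onegini's code: client_secret_jwt client authentication with the
# standard library only. TOKEN_ENDPOINT, CLIENTS and the claim values are assumptions.

TOKEN_ENDPOINT = "https://as.example/oauth/token"
CLIENTS = {"client-42": "constructed-client-secret-for-the-example"}   # client_id -> secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), "sha256").digest()


def make_client_assertion(client_id, client_secret, now=None, lifetime=60):
    """Client side: build the JWT sent as client_assertion to the token endpoint."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_hex(16)}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    return signing_input + "." + b64url(sign_hs256(client_secret, signing_input))


class AssertionVerifier:
    """Token-endpoint side. Remembers seen jti values until they expire to stop replays."""

    def __init__(self, clients, now=None):
        self._clients = clients
        self._now = now or (lambda: int(time.time()))
        self._seen = {}   # jti -> exp

    def verify(self, assertion):
        """Returns (client_id, 'ok') or (None, reason)."""
        try:
            h64, c64, s64 = assertion.split(".")
            header = json.loads(b64url_decode(h64))
            claims = json.loads(b64url_decode(c64))
            signature = b64url_decode(s64)
        except ValueError:                      # bad base64, bad JSON, wrong part count
            return None, "malformed"
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            return None, "malformed"
        # The algorithm is pinned server-side; 'alg' from the token is never trusted
        # (blocks alg=none and key-confusion tricks).
        if header.get("alg") != "HS256":
            return None, "unsupported alg"
        client_id = claims.get("iss")
        if not isinstance(client_id, str) or claims.get("sub") != client_id:
            return None, "unknown client"
        secret = self._clients.get(client_id)
        if secret is None:
            return None, "unknown client"
        if not hmac.compare_digest(sign_hs256(secret, f"{h64}.{c64}"), signature):
            return None, "bad signature"
        if claims.get("aud") != TOKEN_ENDPOINT:
            return None, "wrong audience"
        now = self._now()
        exp = claims.get("exp")
        if not isinstance(exp, int) or now >= exp:
            return None, "expired"
        self._seen = {j: e for j, e in self._seen.items() if e > now}   # purge old jti
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self._seen:
            return None, "replayed"
        self._seen[jti] = exp
        return client_id, "ok"
```

The audience check is what stops an assertion captured at one token endpoint from being replayed at another, and the jti cache only needs to hold entries for as long as the assertion lifetime, which is why short lifetimes keep it small. For private_key_jwt the same structure applies with an asymmetric signature in place of the HMAC.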

SIEM integration

SIEM integration is facilitated by means of configurable HTTP headers that are carried throughout the entire session. These headers are used to correlate events and are consumed by the on-premise SIEM solution.

Configurable consent page

The consent page is a configurable HTML file that supports configuration of specific redirections, the company logo to be used, etc.

Consent Notification templates

Consent notifications can be sent using either email or SMS. Configuration files are available for both options.

Scope verification service

The Onegini Token Server provides a service to perform a scope check. This call is used to verify whether the end user is entitled to request a certain scope.

Notification service

When a user gives consent to an authorization request for a resource, a notification is sent to the user.

LDAP integration

The management console can integrate with an LDAP directory to secure access to the management console.

Standards

OAuth 2.0 Authorization Framework: http://tools.ietf.org/html/rfc6749
OAuth 2.0 Threat Model and Security Considerations: http://tools.ietf.org/html/rfc6819
OAuth 2.0 and higher
