Tuesday Jan 08, 2013

2012: No Time To REST For The Holidays

Author: Phil Hunt

This past year has been one of the biggest years of change I've seen in a while. It started off with the expected priority of delivering and using cloud-based services at the top of everyone's mind. However, it soon became apparent that the usual way of delivering services (e.g. ones based on SOAP) was not what was going to make that happen. It is now apparent that cloud-hosted services will largely be based on REST and JSON. A monumental change in service architecture being driven by the market…

Emergence of REST-based Cloud

Today's REST services are incredibly lightweight, built on the coupling of HTTP and JSON rather than on XML and SOAP. The combination of REST and JSON is seen as lightweight, and particularly easy for the expanding universe of mobile devices (iPads and smart phones) to support. Still, if you think REST is a flash in the pan, check out the growth REST has had over the past couple of years. See Craig Burton's post on the API Economy here: http://prezi.com/pys_d3ysqbmb/api-economy-update/

The impact on service architecture will be quite substantial. REST changes how service architectures are delivered in many ways. Instead of being process oriented, as often seen in SOAP-based services, REST services are all "resource" oriented (e.g. set independentid's password to 'x'). Unlike SOAP, REST uses simple object state representations (resources) accessible via URLs. So, for example, a "ChangePassword" service now becomes a simple "set password attribute on resource abc123". While this is simple for the client application, the implications are significant. What of password policy, what of workflow and validation? Somewhere behind that simple "set password attribute" command a lot still has to happen.

Fat Apps are now Phat!

Another major trend is to supplement browser based applications with fat applications running on desktops and mobile phones (remember "fat apps" in the 80s and 90s?). It is with some irony that Web 3 is not about the browser at all, but rather it is about the interconnection of applications (e.g. Facebook, Flickr) that are identity centric. 

Web applications in the cloud are also acting as a kind of super-connected REST-based application, providing aggregation and interconnection of services owned by users. Starting from social networks, new networks are forming, such as loyalty networks (credit card, airline, banking), travel networks, and even financial networks, all linking personal data to provide value-added services.

Web 3 Drives Forward A New Authorization Model: OAuth2

With the emergence of Web 3 applications, there has been a corresponding need for many applications to ask users for their user-ids and passwords so that they can access user-controlled resources from other companies. As more inter-connected social network services (e.g. Google Docs, Flickr, Facebook, Twitter) started to emerge, it became clear over the past few years that the "password anti-pattern" would have to be eliminated. As a result, a new web authorization/delegation protocol emerged called OAuth2 (now standardized as IETF RFC 6749). OAuth2 provides a way to cleanly separate user authentication from user authorization, allowing client applications to use authorization tokens to access web resources on a user's behalf.

OAuth2 has gone through quite a colorful evolution within the IETF. But I have to say that a mark of its importance has been the extremely broad collaborative development from participants that are web service providers as well as middleware vendors. As the protocol matured through extensive implementation, I had the honor of co-authoring the security considerations and producing an OAuth2 Threat Model document that will serve to give both implementers and deployers of OAuth2 an incredible amount of detail on how to secure and configure this protocol in the many different authorization scenarios it can support.
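The separation of authentication from authorization described above is easiest to see in code, so here is an added example (not from the post and not from the OAuth2 specifications) of a toy authorization server and resource server. The user authenticates to the authorization server by whatever means the deployment uses; the client application only ever receives a scoped, time-limited token, so the user's password is never shared with it. The HMAC-signed token format, the functions `issue_access_token`, `verify_access_token` and `get_photos`, and the registered client and scope names are assumptions for illustration.

```python
"""Added example (not the post's code or any library's API): a toy OAuth2-style
authorization server and resource server.  Token format, function names and
the sample client registration are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Key shared by the toy authorization server and resource server (constructed).
SIGNING_KEY = b"example-signing-key-not-for-production"

# Constructed registration data: which client may be granted which scopes.
REGISTERED_CLIENTS = {"photo-printer": {"allowed_scopes": {"photos:read"}}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(authenticated_user: str, client_id: str,
                       requested_scopes: set, now: float, lifetime: int = 600) -> str:
    """Authorization server side.  The user has already authenticated (by
    password, SAML, web SSO or any other method); the client never saw that
    credential.  The token grants only the intersection of what the client is
    registered for and what it asked for, and it expires."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise PermissionError("unknown client")
    granted = requested_scopes & client["allowed_scopes"]
    if not granted:
        raise PermissionError("no grantable scope")
    claims = {"sub": authenticated_user, "client_id": client_id,
              "scope": sorted(granted), "exp": int(now) + lifetime}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_access_token(token: str, required_scope: str, now: float) -> Optional[dict]:
    """Resource server side.  Accept only a token whose signature verifies,
    that has not expired, and that carries the scope this endpoint needs.
    Returns the claims, or None if the token must be refused."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now or required_scope not in claims["scope"]:
        return None
    return claims


def get_photos(token: str, now: float) -> dict:
    """Protected resource: the user is identified from the token, not from a
    password the client had to collect."""
    claims = verify_access_token(token, "photos:read", now)
    if claims is None:
        return {"status": 401}
    photos = {"alice": ["beach.jpg", "dog.jpg"]}  # constructed sample data
    return {"status": 200, "owner": claims["sub"], "photos": photos.get(claims["sub"], [])}
```

Two things worth noticing: the resource server makes its decision purely on the token (signature, expiry, scope) and never consults the user's credentials, and the scope the client actually receives is narrower than what it requested because the registration, not the request, bounds it.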

Is SAML Dead or Just Starting?

Craig Burton made headlines last summer with his declaration that "SAML is dead" at the Cloud Identity Summit in July (http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/ ). Was he being controversial? Sure. But his point of view comes from the fact that while SAML grows slowly along with SOAP, REST by contrast is taking off for the moon!

So, do I agree REST and OAuth eliminate the need for SAML? The answer is no. In fact the opposite. While OAuth2 issues authorization tokens, OAuth2 still depends on traditional federation, web SSO, and other classic methods of authentication to take place before OAuth2 can issue tokens. Not only is SAML needed to authenticate federated users, SAML is now also being used to authenticate the new client applications. I blogged on this very topic early on in 2011: http://www.independentid.com/2011/04/oauth-does-it-replace-federation.html

Provisioning to the Cloud

The final big development last year was the emergence of SCIM for cloud provisioning. With all these new business cloud providers emerging, it became critical to find a way to easily provision tens of thousands of users quickly. When you contract for services with a cloud service provider, SCIM's goal is to help you get your employees and customers provisioned.

Looking Forward - The Emergence of the Identity Cloud and the Interop Language

Whether Oracle, Cisco, Facebook, Google, Microsoft, SFDC, or Yahoo, one thing that all service providers seem to be developing is some notion of a cloud directory (aka Graph API). Cloud directories are somewhat different from classic enterprise LDAP directories in that they are currently custom built to support key major corporate applications first, and then evolve to support mergers of other acquired services over time. Some of these directories are based on SQL databases, some on NoSQL, some on other custom-built data stores. While all support REST APIs, at this time no two cloud directories support a standard access protocol. Two possible candidates for RESTful standardization are SCIM and OpenID Connect. The choice of SCIM seems like a natural one, as it supports create, read and update operations much like LDAP. While OpenID Connect gives access to user-authentication and session management data, its identity profile seems to duplicate the features found in SCIM. How this plays out depends on how much data applications will choose to store in cloud directories.

Yet to be sorted out in 2013 is what the key protocols and standards around cloud directories will be. Will they be built on the old LDAP model? Or will they support the more expressive SCIM schema? In the universe of inter-connected RESTful services, the role of standardized, interoperable schema is vital. Who needs to inter-operate with whom? Does a service provider adapt to each client, or do clients adapt to service providers? Or, like air traffic control systems that all standardized on English, will cloud directories adopt one standard schema that everyone maps to?
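As an added example of the "one standard schema that everyone maps to" question above (not code from the post, and not any product's connector), here is a mapping from an LDAP-style inetOrgPerson entry onto a SCIM core User representation, with the reverse mapping a provisioning connector would use when writing back to a directory. It assumes the SCIM 2.0 core User schema URN; the attribute mapping, the constructed directory entry and the function names `ldap_to_scim_user` and `scim_user_to_ldap_mods` are illustrative choices.

```python
"""Added example (not from the post): mapping between an LDAP-model entry and
a SCIM User document.  Assumes the SCIM 2.0 core User schema URN; the mapping
table, function names and the constructed entry are illustrative."""
from typing import Dict, List

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM 2.0 core schema

# Constructed LDAP entry: attribute name -> list of values, as a directory returns it.
LDAP_ENTRY = {
    "dn": ["uid=phunt,ou=people,dc=example,dc=com"],
    "uid": ["phunt"],
    "givenName": ["Phil"],
    "sn": ["Hunt"],
    "cn": ["Phil Hunt"],
    "mail": ["phunt@example.com", "phil@example.com"],
    "telephoneNumber": ["+1 555 0100"],
    "userPassword": ["{SSHA}notexported"],  # must never reach the SCIM representation
    "entryUUID": ["2819c223-7f76-453a-919d-413861904646"],
}

REQUIRED_LDAP = ("uid", "sn")  # assumed minimum for a mappable entry


def _first(entry: Dict[str, List[str]], name: str):
    values = entry.get(name) or []
    return values[0] if values else None


def ldap_to_scim_user(entry: Dict[str, List[str]]) -> dict:
    """Map one directory entry to a SCIM User document.

    Multi-valued LDAP attributes become SCIM multi-valued attributes with a
    'primary' flag on the first value; secrets such as userPassword are
    deliberately not copied."""
    missing = [a for a in REQUIRED_LDAP if not entry.get(a)]
    if missing:
        raise ValueError(f"entry lacks required attributes: {missing}")
    name = {"givenName": _first(entry, "givenName"),
            "familyName": _first(entry, "sn"),
            "formatted": _first(entry, "cn")}
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "id": _first(entry, "entryUUID") or _first(entry, "uid"),
        "externalId": _first(entry, "dn"),
        "userName": _first(entry, "uid"),
        "name": {k: v for k, v in name.items() if v is not None},
        "active": True,
    }
    emails = [{"value": v, "primary": i == 0} for i, v in enumerate(entry.get("mail", []))]
    if emails:
        user["emails"] = emails
    phones = [{"value": v, "type": "work"} for v in entry.get("telephoneNumber", [])]
    if phones:
        user["phoneNumbers"] = phones
    return user


def scim_user_to_ldap_mods(user: dict) -> Dict[str, List[str]]:
    """Reverse direction: the LDAP attribute set a provisioning connector
    would write from a SCIM User.  The primary e-mail is written first so the
    round trip preserves which address is primary."""
    mods = {"uid": [user["userName"]]}
    name = user.get("name", {})
    if name.get("familyName"):
        mods["sn"] = [name["familyName"]]
    if name.get("givenName"):
        mods["givenName"] = [name["givenName"]]
    if name.get("formatted"):
        mods["cn"] = [name["formatted"]]
    emails = sorted(user.get("emails", []), key=lambda e: not e.get("primary", False))
    if emails:
        mods["mail"] = [e["value"] for e in emails]
    return mods
```

The mapping is where the interop questions in the post actually bite: which side owns the identifier (here the directory's entryUUID becomes the SCIM `id`, the DN the `externalId`), how multi-valued attributes keep their ordering, and which attributes (the password) must never cross the boundary at all.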

About the Writer:

Phil Hunt joined Oracle as part of the November 2005 acquisition of OctetString Inc., where he headed software development for what is now Oracle Virtual Directory. Since joining Oracle, Phil has worked as CMTS in the Identity Standards group at Oracle, where he developed the Kantara Identity Governance Framework and provided significant input to JSR 351. Phil participates in several standards development organizations such as IETF and OASIS, working on federation, authorization (OAuth), and provisioning (SCIM) standards. Phil blogs at www.independentid.com and is active on Twitter (@independentid).

Sunday Aug 28, 2011

Layered Access Management Webcast - Q&A Followup

Thanks to everyone who joined us last week on our webcast with IOUG - “Layering Enterprise Security with Oracle Access Management”. Eric Leach, Director of Product Management for Oracle Access Management, did a great job explaining how Oracle Access Management products can layer on top of enterprise security and help organizations overcome the complexity of dealing with security threats in the cloud, mobile and application delivery ecosystems. Check out Eric's blog post detailing the top themes for the webcast. I have captured the responses to the questions that were asked during the webcast.


Q: What product can I use to protect VIP patient data in healthcare establishments?

A: Oracle Adaptive Access Manager (OAAM) provides real time risk analytics that can be leveraged for access monitoring purposes. In certain kinds of environments, such as in healthcare establishments or in HR systems, it may be possible to access privileged information, but it is also important to track who is accessing that information, when they accessed it and for what reason. OAAM has the ability to detect access requests, track them and determine whether they are anomalous or not. Oracle today offers a solution for healthcare providers which can help to detect and prevent that kind of access directly. So if you have VIP data then you can prevent frivolous or unauthorized access of such information.

Q: Where can I find the Aberdeen Report that Eric mentioned?

A: You can download the Aberdeen Report citing the findings on Platform vs. Point Solution Approach Study for Identity Management here.

Q: If Oracle Access Manager (OAM) authenticates me as MARIA on Active Directory and my application requires a username MHALLOM (on RACF) what's the best way to accomplish that?

A: You would use a combination of Oracle Access Manager and Oracle Enterprise Single Sign-On (ESSO) Suite. If OAM authenticates you against AD for the app and if your RACF app requires credentials, you would then generally use an ESSO client to authenticate into that system. So if you have a mixture of web apps and mainframe apps you would typically use a combination of OAM and ESSO to achieve SSO across those different environments. AD can be used as a directory repository for ESSO as well. So you can go ahead and use that as a repository for the RACF application.

Q: In which language are custom authentication modules for Oracle Access Manager (OAM) developed? It was in C in OAM 10g if I’m not mistaken.

A: Yes, that’s correct. Custom Auth modules were developed in C in OAM 10g. OAM 11g works as a Java server in WebLogic. So you will build Java modules that plug in to the server.

Q: For high availability, do you have a seamless geographical failover solution in OAM such as disaster recovery, since the OAM documentation doesn't explain much on it nor provide options?

A: There are a number of different documents that can offer some guidance. There is an Enterprise Deployment guide and there is an HA and DR guide that is being updated for the OAM 11g PS1 release. The basic guideline is to generally reuse data replication methods that are leveraged in your enterprise. If you want to create more custom DR failover scenarios, stay tuned to the Oracle Access Manager product page on OTN and we will be putting up more specific documentation on that.

Q: Shall we contextualize Oracle Security Token Service (OSTS) to the service layer (ex: business process) in a de-coupled way using OAM?

A: You could set STS up as a service that can be used with or without OAM to leverage some of those business flows. You could be trying to use STS to enable an identity propagation event that is based on an authenticated user and you may want to attach a specific set of security requirements based on a downstream web service that the user is trying to access. In that case when you are trying to access the downstream web service there are a certain set of policies that the STS can encapsulate that allows you to do that based on the requirements of the service.

Q: Can I plug in an alternate authentication mechanism besides challenge questions to secure the self service password management flows?

A: The Oracle Access Management Suite through OAAM provides the One-Time Password solution. So you can extend a password reset flow to include an out-of-band challenge sent over SMS to a user’s mobile device. So you can layer services that way so that you can get those advanced capabilities.

Q: How can I be assured that access to SaaS apps is revoked upon an employee leaving the company?

A: When you are managing access to SaaS or 3rd party apps, you can have Oracle ESSO manage random and very complex passwords that the user doesn’t know about or doesn’t see. So when the user is terminated and de-provisioned, instead of having to go out and terminate access on the SaaS side, you can instead more or less ensure they can’t access the SaaS app as they don’t know the password and they cannot reset the password. So you can secure that flow a lot more efficiently than otherwise.

Q: How do the Oracle Identity Manager (OIM) challenge questions differ from Knowledge based Challenge questions (KBA)?

A: The primary value of Knowledge based Authentication that OAAM provides is increased usability. You can account for and tolerate abbreviations, typos and misspellings. That is called Answer Logic – fuzzy logic processing of answers as they are input. And on the questions side, the number and type of questions that get generated can be controlled by both systems. But in general, the OAAM component provides sophistication and control around when to show questions, how many to show, how to pull them out of a pool of questions, etc. So it can avoid some of the common vulnerabilities with password reset associated with brute force attacks. OAAM has capabilities for mitigating that.
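The two halves of that answer, tolerance for typos and abbreviations on one side and protection against guessing on the other, pull in opposite directions, so here is an added example (not Oracle's Answer Logic, which is not published here, and not code from the webcast) showing how the two can be combined: answers are normalised (case, punctuation, accents, a small abbreviation table) and compared with a similarity ratio, while a bounded failure counter locks the challenge so the extra tolerance does not widen the guessing space indefinitely. The names `AnswerPolicy`, `KbaState` and `check_answer`, the abbreviation table and the thresholds are assumptions for illustration.

```python
"""Added example (not Oracle's code): normalised fuzzy matching of a
knowledge-based answer combined with an attempt limit.  Names, thresholds and
the abbreviation table are assumptions for illustration."""
import difflib
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Assumed abbreviation table; a real deployment would carry a larger, curated one.
ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road", "mt": "mount"}


def normalise(answer: str) -> str:
    """Fold case, strip accents and punctuation, expand known abbreviations."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    words = re.findall(r"[a-z0-9]+", text.lower())
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


@dataclass
class AnswerPolicy:
    similarity_threshold: float = 0.85  # how much typo tolerance to allow
    max_attempts: int = 3               # lock the challenge after this many failures


@dataclass
class KbaState:
    stored_answer: str  # kept in a form the server can compare; protect at rest
    failures: int = 0
    locked: bool = False


def answer_similarity(stored: str, given: str) -> float:
    """Similarity between normalised answers in [0, 1]; empty input scores 0."""
    expected, candidate = normalise(stored), normalise(given)
    if not candidate:
        return 0.0
    return difflib.SequenceMatcher(None, expected, candidate).ratio()


def check_answer(state: KbaState, given: str,
                 policy: Optional[AnswerPolicy] = None) -> bool:
    """Accept a close-enough answer, but count misses and lock after too many.

    Once locked, even the correct answer is refused until an out-of-band
    reset: the point is that fuzzy matching never becomes a guessing aid."""
    policy = policy or AnswerPolicy()
    if state.locked:
        return False
    if answer_similarity(state.stored_answer, given) >= policy.similarity_threshold:
        state.failures = 0
        return True
    state.failures += 1
    if state.failures >= policy.max_attempts:
        state.locked = True
    return False
```

The threshold and attempt limit are the two knobs a deployment has to tune together: a lower threshold makes the questions friendlier but also means each guess covers more of the answer space, which is exactly why the attempt counter has to stay small.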

