Yvonne Wilson and Abhishek Hingnikar

Solving Identity Management in Modern Applications

Demystifying OAuth 2, OpenID Connect, and SAML 2

2nd ed.
Yvonne Wilson
San Francisco, CA, USA
Abhishek Hingnikar
London, UK
ISBN 978-1-4842-8260-1
e-ISBN 978-1-4842-8261-8
© Yvonne Wilson, Abhishek Hingnikar 2019, 2023
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Apress imprint is published by the registered company APress Media, LLC, part of Springer Nature.

The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.

Introduction

Every day you play with the light of the universe.

—Pablo Neruda, Chilean poet, politician, and diplomat, from Twenty Love Poems and a Song of Despair (1925)

There is a significant and growing cybersecurity workforce gap. A Global Information Security Workforce Study [1] predicts a cybersecurity workforce gap of 1.8 million individuals by 2022. At a time when the number of online services and devices that need security is growing rapidly, this is nothing short of alarming. In order to fill this gap, it is imperative to encourage more people to learn about this field and to provide adequate resources for them to come up to speed efficiently. Identity management is an important component of security, and it is critical to protecting the rapidly expanding array of innovative online services, smart devices, bots, automated agents, and the like that are being created.

The authors of this book are fortunate to have been a part of this field for some time. Between the two of us, we have created and deployed a variety of different types of applications, single sign-on, identity federation, provisioning systems for various access control models, directory services, and various forms of strong authentication. We have had the pleasure of working closely with many customers to understand their unique requirements and help them design and deploy identity and access management systems in both cloud and enterprise environments. We’ve learned many lessons from these projects, some of them the hard way through the school of hard knocks!

We wrote this book to share what we’ve learned from our experiences. We hope to provide others a head start based on the lessons we’ve learned. Our intent is to provide an introduction for those who are new to identity management and inspire them to continue learning more about this topic. We provide an overview of three identity management protocols, namely, OIDC, OAuth 2, and SAML 2, that will be useful for application developers who need to add authentication and authorization to their applications and APIs. We’ve covered the problem each protocol is designed to solve, how to initiate basic requests, and how to troubleshoot issues. A sample program accompanies the book and illustrates some of the concepts. We’ve also provided information on typical identity management requirements to help you identify what to include in your project plan, things that can go wrong that should be planned for, common mistakes, and how to approach compliance. These chapters will be valuable for developers as well as architects, technical project managers, and members of security teams involved with application development projects.

In terms of scope, the book is designed to provide an introduction to identity management. We cover how the three identity protocols can be used to solve common use cases for authentication and authorization that you will encounter in creating an application. We don’t have space to cover every protocol, corner case, or nuance of the protocols, nor can we cover every detail in the protocol specifications. Our intent is to give you an overview that will help you get started and provide sufficient background to help you understand more in-depth material.

We are extremely grateful to numerous colleagues who’ve generously contributed to this book through reviewing original drafts and providing corrections and feedback on what we missed, what might be misunderstood, and what is most valuable for people to know. This project would not have been possible without their assistance and expertise, as noted in the acknowledgments. That said, any errors are completely our own. Any errata we discover after the book is published will be noted in the Apress GitHub repo for the book, accessible via https://github.com/Apress/Solving-Identity-Management-in-Modern-Applications.

We hope this book and the sample code are useful to you and wish you luck and security for your application projects!

Acknowledgments

The best way to find yourself is to lose yourself in the service of others.

—Mahatma Gandhi

This book would not have been possible without the generous help of many friends and coworkers who have graciously shared their expertise and knowledge to review and improve the original draft. It has been a pleasure working with each of them over the years, and we are fortunate and much indebted for the knowledge, wisdom, and insights they have shared with us as well as, on occasion, the laughs.

We owe a huge debt of gratitude to Artiom Ciumac for his review of, and many helpful comments and suggestions on, the entire second edition of this book. His comments, based on a depth of experience from helping many customers with identity and access management challenges over the years, led to the addition of many clarifications, use cases, and explanations that will be beneficial to readers.

We are also very grateful for Sumana Malkapuram’s review and suggestions for improving portions of the second edition of this book. Sumana’s insightful feedback contributed to many clarifications and additions drawing on her significant experience working with customers to solve identity and access management scenarios.

Our massive appreciation and heartfelt thanks to Carlos Mostek for careful reviews of the first and second editions of this book and contributing many corrections, insightful additions, and helpful advice from his trove of development and IAM wisdom as well as his experience helping many customers solve their IAM challenges over the years.

Immense, heartfelt thanks also to Peter Stromquist for thoroughly reviewing the original draft version of this book and adding many corrections, suggesting additional ideas we’d left out, and adding wisdom from his valuable store of development and IAM expertise developed while designing solutions for many, many customers.

Huge, sincere gratitude to Amaan Cheval for careful reviews of the original draft for this book and contributing many corrections, clarifications, and suggestions for additional content from his keen knowledge of IAM topics, customer challenges, and broad development experience.

Enormous and ardent thank you to Nicolas Philippe for thorough reviews of the original draft of this book from his extensive identity, security, and development experience; suggesting clarifications and additional topics requiring explanation; and adding wisdom from his years of experience with IAM as well as application development.

Titanic, sincere thanks also to Nicolás Sabena for excellent, careful reviews and contributing much valuable guidance to the original draft of this book on troubleshooting from his extensive expertise in IAM and development, as well as his keen ability to solve even the most puzzling customer issues.

Huge, grateful thanks to Jared Hanson for generously answering many questions and for reviewing and contributing corrections to many chapters of the original edition of this book from his deep knowledge of identity protocols.

Massive gratitude and thanks as well to Vittorio Bertocci for graciously sharing his extensive IAM knowledge in many forums, from which we and others have learned a great deal, and for reviewing portions of the original edition of this book with an eagle eye, providing valuable critique on errors in content, logic, and flow as well as suggestions for improvements and kind advice about writing.

Immense gratitude is due to Erin Richards for careful reviews, corrections, and additions to the original edition of this book on compliance matters, adding wisdom and practical advice from her long experience in this field as well as content on privacy and security frameworks.

Huge appreciation also to Adam Nunn for thorough reviews, corrections, and suggestions for the compliance chapter of the original edition based on his wisdom and experience in technical audits and compliance.

Sincere gratitude to Bill Soley for commiseration during the project as well as review and contributing suggestions and advice to the original draft from his immense knowledge of security matters.

Much appreciation also to Subra Kumaraswamy for reviewing a portion of the original draft of this book and contributing suggestions from his experience in both IAM and security.

Immeasurable and heartfelt gratitude to Laura Hill for insightful editorial reviews, finding the logic disconnects in early drafts, and making numerous suggestions for how to cut out extraneous fluff and clarify explanations in the original draft. Many thanks as well for patiently listening and providing encouragement as this project took shape!

Colossal thanks to Terence Rabuzzi for his razor-sharp editorial reviews of the original draft and advice on everything from graphics to structure and approaches for evaluating the logic of many sections.

Tremendous thanks to the creative eye, graphic talents, and technical knowledge of Liliya Pustovoyt for creating diagrams to illustrate several of the concepts discussed in the book.

We are also extremely grateful for the work of Vittorio Bertocci and the graphic design team at Auth0 for creating a library of identicons, a visual library for use in illustrating identity management concepts, which we have incorporated into many diagrams in this book.

We also owe a huge debt of gratitude to Rita Fernando, Susan McDermott, Laura Berendson, Liz Arcury, Jessica Vakili, and the rest of the Apress team for their patient advice, answering numerous questions, clear guidance, help with promotion, as well as editing on the text and graphics for this project.

A final massive and heartfelt thank you is due to our dear friends and family for their patience and support during this very long project. The kind words and voices of encouragement throughout meant a lot during the long hours of research, writing, development, and editing.

We are incredibly grateful to all who helped make this project possible by reviewing early drafts and contributing suggestions, advice, corrections, and additions. The text has been immeasurably improved by our reviewers’ careful attention and many insightful comments. We could not have done this without them. That said, a line by Albert Camus is appropriate here: “The only real progress lies in learning to be wrong all alone.” Any errors in the final text are solely ours. Any errata we discover after the book is published will be noted in the Apress GitHub repo for the book, accessible via https://github.com/Apress/Solving-Identity-Management-in-Modern-Applications.

About the Authors
Yvonne Wilson has had many roles in the software industry related to security and identity management as a security and identity architect; enterprise architect; director of developer success working with identity customers; senior director of security governance, risk, and compliance (GRC); chief strategy officer; and founder of cloud identity services. Yvonne was responsible for IT security strategy and architecture at Sun Microsystems, founded and designed the identity management services offered through Oracle Managed Cloud Services, and founded a developer success team for Auth0, working with customers and overseeing the creation of an identity management training program for customer-facing support and professional services engineers. Yvonne currently serves as an advisor on cybersecurity and identity management to startups in the lending, healthtech, financial, and cybersecurity consulting sectors.

In working with business teams at Sun, designing and deploying identity systems for customers at Oracle, and while founding a developer success team at Auth0, Yvonne had the opportunity of working with many customers, from small startups to large enterprises. Her experience spans the implementation of SSO, identity federation, directory services, adaptive knowledge-based authentication, and identity provisioning as well as multilevel authentication systems with certificate-based authentication and enterprise security architectures. She founded training programs for professional services and support staff on identity and access management (IDAM), including OIDC, SAML 2, WS-Fed, and OAuth 2. From this depth of experience, Yvonne realized the growing need for a basic overview of identity management concepts that is understandable to business application owners as well as architects and developers.

Abhishek Hingnikar is a staff engineer at Okta, in the Auth0 Product Unit. He has seven years of experience designing and demonstrating identity management with open standards like OAuth 2, OpenID Connect, and SAML 2. His current focus areas involve identity for SaaS applications, consumer IoT, device identity, and designing solutions that apply web-based identity in peripheral domains.

About the Technical Reviewers

Artiom Ciumac is a Senior Solutions Architect at Okta, in the Auth0 Product Unit. He has 12 years of software engineering experience, including over 5 years of IAM with open standards like OAuth 2, OpenID Connect, and SAML 2. During his career he has held various roles, including developer, team lead, software architect, and solutions architect. His current focus is consulting with customers on integrating with a SaaS identity provider in the most secure and effective way possible, so that they get the maximum benefit from the services they use.

Sumana Malkapuram is a Staff Solutions Architect at Auth0 (Okta’s Product Unit). Sumana is CISSP certified and has 15 years of experience building innovative services in cloud security and IAM.

Carlos Mostek is a Principal Solution Architect for Okta. Carlos has more than 20 years of experience working in software development and security. He loves challenging problems and enjoys dealing with the complexities of identity management. Prior to his time at Okta, he held engineering and leadership roles at Auth0, Thomson Reuters, and BAE Systems. He has a Master’s in Software Engineering and an undergraduate degree in Aerospace Engineering. Identity isn’t rocket science, but it could be! For fun Carlos likes to juggle fire and play soccer, generally not at the same time.

Jared Hanson is a software engineer with experience across the full stack of desktop, mobile, and server-side application development. Jared is the developer of Passport.js, the popular Node.js authentication framework, and a contributor to the OpenID and OAuth family of specifications. He has worked as an architect at both Auth0 and Okta, leading companies in the identity and access management industry.