APIs are a key component in any digital transformation journey. They enable organizations to create new business models and connect with partners and customers, while providing seamless digital experiences by linking systems and services together. In today’s API economy, all modern architecture concepts deeply rely on APIs. In a typical API management platform, the key manager component or authorization server mainly focuses on access delegation or securely managing access tokens. However, comprehensive API security goes beyond simple authorization capabilities. Open Web Application Security Project’s (OWASP) recent API Security Top 10 explains how vast the API security threat landscape is. This is why we need IAM solutions in API platforms to fill this security gap. An IAM solution strengthens security and provides additional capabilities to enhance digital transformation efforts. DURING THE WEBINAR, WE WILL COVER: The importance of the API management strategy and API security Add value to your APIM platform with IAM capabilities such as: Cross protocol SSO and social login (identity federation) | Strong and adaptive authentication | Privacy and regulatory compliance}} Watch the on-demand webinar: https://wso2.com/library/webinars/adding-value-to-apim-with-iam/

1. What More Can IAM Do For Your API
Management Platform?
Thursday, November 19, 2020

2. Hello!
Thanuja Jayasinghe
Ishara Karunarathna Ishara Naotunna
Technical Lead - IAM
isharak@wso2.com
thanuja@wso2.com
Director of Engineering - IAM Product Marketing Manager - IAM
isharan@wso2.com

3. About ‘API Security and Beyond’ Webinar Series
3

4. 4
Addresses full API lifecycle
management operations. Open,
extensible, customizable.
200K+ APIs for 20K+ Orgs
Hybrid integration platform for
quick, iterative integration of any
application, data, or system.
6 Trillion Transactions/yr
Federates and manages identities
across both cloud service and
enterprise environments.
250M+ identities managed
WSO2 API MANAGER WSO2 IDENTITY SERVERWSO2 ENTERPRISE INTEGRATOR
WSO2 Integration Platform

5. 5
WSO2 Identity Server is a strong performer
among the 13 CIAM providers that matter
most according to Forrester Research, Inc..
● Highest scores possible in customer
authentication, self service, business
integration, reporting and dashboarding, and
privacy & consent management in the
Product Offering category
● Highest scores for commercial model in
strategy and authentication plans
WSO2 Identity Server has been recognized as a strong performer

6. API Security in 2020

7. 7
Over
8.4B
records exposed during the
first quarter of 2020
Whopping
273%
increase compared to Q1
2019
Approximately
70%
due to unauthorized access to
systems or services
Due to COVID-19 pandemic, millions of employees around the world
switched to remote working and many business were forced to move
digital in short period of time. So attackers thrives during this, as
companies skipped some of the long held security practices, in the rush to
adopt the new normal.
2020

8. Typical APIM Platform
8
Shipping Service
Inventory Service
Monitoring & Logging
Order Service
Authentication & Authorization
Key manager
Client apps
API Gateway

9. Essential IAM Capabilities Required for APIM Platform
9

10. Extended Access Delegation
Grant types from OAuth 2.0 core(RFC 6749) specification:
● Authorization Code
● Implicit (Legacy)
● Resource Owner Password Credentials (Legacy)
● Client Credentials
● Refresh Token
10

11. Many extension are available to support interoperability between systems,
● OAuth Assertions Framework - RFC 7521
⦿ SAML2 Bearer Assertion - RFC 7522
⦿ JWT Bearer Assertion - RFC 7523
● Token Exchange Grant Type - RFC 8693
● Device Code Grant Type - RFC 8628
● Kerberos Grant Type
Extended Access Delegation
11

12. End-User Identity Management
Digital identities can be everywhere, managing them is a primary concern,
● Different User Stores
⦿ Different Vendors
⦿ Different User Types
● Identity Management,
⦿ User provision
⦿ Self service portals
⦿ Account/Password Recovery
12

13. Strong and Adaptive Authentication
Authentication must be a focal point when protecting your APIs,
● Multi-factor authentication (MFA)
⦿ Knowledge factors
⦿ Possession factors
⦿ Inherence factors
● Adaptive authentication
13
* * *
Authenticated

14. Cross Protocol Single Sign On / Sign Out
Single sign-on (SSO) is the mechanism that ensures customers have a consistent
login experience with common credentials across different digital entities.
14
Application User IAM
SAML
OIDC
Application 1
Application 2
Sign-In

15. Identity Federation and Social Login
15
Attract developer community Acquisitions and mergers Hassle free logins

16. Enforce Authorization
OAuth 2.0 uses scopes to limit the application or client access to the user’s
resource. And it is best for defining resource level authorization. But when we need
more fine-grained authorization, we can use,
● XACML
● Open Policy Agent (OPA)
Upcoming,
● Rich Authorization Requests (draft)
● Incremental Authorization (draft)
16

17. Privacy Management
When developing a public-facing API management platform, privacy and
compliance capabilities are foundational and the platform should focus on
protecting the individual.
17
Regulations
Customer Expectation
Data Breach Risk
GDPR
CCPA
Consent
Privacy Concerns
87M Facebook
users affected
1B Yahoo users
affected

18. ● Extended Access Delegation
● End-User Identity Management
● Strong and Adaptive Authentication
● Cross Protocol Single Sign-On / Sign Out
● Identity Federation and Social Login
● Enforce Authorization
● Privacy Management
Let’s Recap
18

19. Question Time!
19

20. wso2.com
Thanks!