2. Organizers
Jitendra Bafna
Senior Solution Architect
Capgemini
About the organizer:
➢ Working as Senior Solution Architect at Capgemini.
➢ Surat and Nashik MuleSoft Meetup Leader and MuleSoft Ambassador.
➢ 12.5+ Years of Experience in Integrations and API Technologies.
➢ Certified MuleSoft Integration Architect and Platform Architect.
3. Organizers
Nitish Jain
Consultant
IBM
About the organizer:
➢ Working as Consultant at IBM.
➢ Surat MuleSoft Meetup Leader.
➢ 2.5+ Years of Experience in Integrations and API Technologies.
➢ Certified MuleSoft Developer and Platform Architect.
4. Speakers
Jitendra Bafna
Senior Solution Architect
Capgemini
About the speaker:
➢ Working as Senior Solution Architect at Capgemini.
➢ MuleSoft Ambassador.
➢ Surat and Nashik MuleSoft Meetup Leader.
➢ 12.5+ Years of Experience in Integrations and API Technologies.
➢ Certified MuleSoft Integration Architect and Platform Architect.
7. What is API Security?
API security is an essential element of any application, especially for APIs that receive hundreds or thousands of calls on a daily basis.
New threats and vulnerabilities appear every day, so it is very important to secure the APIs.
MuleSoft provides API Manager, which can minimize the risk from attacks like DDoS and DoS and from other security vulnerabilities.
API Manager provides the option of creating an API proxy for the backend API running on Anypoint Platform, and thereby secures the requests coming into the platform against the API.
8. Different Types of API Attacks
API Threats:
⮚ Denial of Service
⮚ Distributed Denial of Service
⮚ Parameter Tampering
⮚ CORS/XSS
⮚ Injection Attacks
⮚ Sensitive Data Exposure
9. Ways to achieve API Security
⮚ Digital Signatures.
⮚ Cryptography like PGP, JCE and XML.
⮚ JWT, OAuth or token-based authentication.
⮚ API Manager policies like Rate Limiting, XML Threat Protection, JWT Validation etc.
⮚ Anypoint Security and Web Application Firewall in case of Runtime Fabric.
⮚ Identity Management and Client Management.
Diagram (API Security at the centre): OAuth; Rate Limiting; Digital Signatures; Cryptography; Policies like XML Threat Protection, Rate Limiting, CORS etc.; Anypoint Security.
Anypoint API Policies (Security): JWT Validation Policies; Basic Authentication – Simple and LDAP; XML/JSON Threat Protection Policies; IP Whitelisting/Blacklisting; Tokenization/Detokenization.
10. OAuth Providers & Grant Types
OAuth Providers: OKTA, PING, OpenAM, Keycloak, AWS Cognito, Azure IdP, Auth0, Google, Box, GitHub.
Grant Types: Authorization Code, Client Credentials, Refresh Token, Password, Implicit, Code.
14. SAML 2.0 Identity Management
SAML stands for Security Assertion Markup Language. It is mainly designed to authenticate users, provide identity data for access control, and act as a communication method for user identity. SAML is an XML-based open standard for transferring data between two parties, the Identity Provider (IdP) and the Service Provider (SP).
● The Identity Provider performs the authentication and transfers the user identity to the Service Provider.
● The Service Provider is the party that trusts the Identity Provider and authorizes the user to access the requested resources.
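An added example (not from the slides, and not MuleSoft's own SAML implementation) of the trust checks a Service Provider applies to an assertion it receives from the Identity Provider: trusted issuer, validity window, and audience restriction, before reading the subject and attributes used for access control. The IdP entityID, SP entityID and assertion are constructed sample values; XML signature verification, which a real SP does first, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUSTED_IDP = "https://idp.example.com/saml"   # assumption: entityID of the IdP the SP trusts
SP_ENTITY_ID = "https://sp.example.com/meta"   # assumption: our own SP entityID

# Constructed sample assertion (the ds:Signature element a real IdP adds is omitted here).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>api-admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC in xs:dateTime form, e.g. 2024-01-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, now):
    """SP-side checks on an assertion; a real SP must verify the IdP's XML signature
    before any of this. Returns (name_id, attributes) or raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    if root.findtext(f"{{{SAML}}}Issuer") != TRUSTED_IDP:
        raise ValueError("assertion from untrusted IdP")
    cond = root.find(f"{{{SAML}}}Conditions")
    # SAML semantics: valid when NotBefore <= now < NotOnOrAfter
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
    if SP_ENTITY_ID not in audiences:   # an assertion meant for another SP must not be accepted
        raise ValueError("assertion not addressed to this SP")
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    attrs = {a.get("Name"): a.findtext(f"{{{SAML}}}AttributeValue")
             for a in root.iter(f"{{{SAML}}}Attribute")}
    return name_id, attrs
```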
16. OpenID Connect Identity Management
OpenID Connect extends OAuth 2.0. The OAuth 2.0 protocol provides API security via scoped access tokens, and OpenID Connect provides user authentication and single sign-on (SSO) functionality.
As the Anypoint Platform organization administrator, you can configure identity management in Anypoint Platform to set up users for single sign-on (SSO). Configure identity management using one of the following single sign-on standards:
● OpenID Connect: End user identity verification by an authorization server, including SSO.
● SAML 2.0: Web-based authorization, including cross-domain SSO.
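An added example, not code from the slides or from MuleSoft's JWT Validation policy, of the checks that both that policy (slide 9) and an OpenID Connect relying party receiving an ID token perform: pinned algorithm, signature, issuer, audience, expiry, not-before and nonce. The shared HS256 secret, issuer URL and client_id are constructed values; a production setup would verify an RS256 signature against the provider's JWKS instead.

```python
import base64, hashlib, hmac, json

# Constructed HS256 secret shared between the (hypothetical) OpenID provider and the API.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TRUSTED_ISSUER = "https://idp.example.com"   # assumption: issuer URL of our provider
EXPECTED_AUDIENCE = "mule-api-client"        # assumption: our client_id / API audience

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims):
    """Stand-in for the provider issuing an ID token or access token as an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token, now, nonce=None):
    """The checks a JWT validation policy or OIDC relying party performs.
    Returns the claims on success; raises ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # claims are trusted only after the signature check
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    if nonce is not None and claims.get("nonce") != nonce:   # ID tokens: binds token to the login request
        raise ValueError("nonce mismatch")
    return claims
```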
17. SAML vs OpenID Connect
SAML (SAML 1.0 and 2.0) and OpenID Connect (OIDC) are identity protocols designed to authenticate users and provide identity data for access control, and to act as a communication method for a user's identity.
Mainly used for enterprise and government applications, SAML 2.0 is a mature technology dating from 2005 that supports a wide range of identity functionality. SAML uses XML for its identity data format and simple HTTP or SOAP as its data transport mechanisms.
A relatively new protocol that is continuously evolving, OIDC was designed with web and mobile applications in mind. Designed to be easy to adopt and use, OIDC is an extension of OAuth2, with data structures in JSON format (JWT) and simple HTTPS flows for transport.
18. Client Management – Dynamic Client Registration
Dynamic Client Registration allows you to register third-party applications dynamically. This feature is based on the OpenID Connect Dynamic Client Registration specification. The Okta Dynamic Client Registration API provides operations to register and manage client applications for use with Okta's OAuth 2.0 and OpenID Connect endpoints.
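An added example of the Dynamic Client Registration exchange in its RFC 7591 / OpenID Connect DCR form: the metadata a third-party app sends, the checks a provider's registration endpoint should apply before issuing credentials (HTTPS-only redirect URIs without fragments, only supported grant types and auth methods), and the registration response. This is illustrative code, not Okta's API or any MuleSoft code; the supported-grant-type and auth-method sets are constructed policy values.

```python
import secrets
from urllib.parse import urlsplit

# Constructed registration policy of the (hypothetical) OpenID provider.
SUPPORTED_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}
SUPPORTED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "private_key_jwt"}

def build_registration_request(app_name, redirect_uris, grant_types):
    """Body the third-party application POSTs to the provider's registration endpoint."""
    return {
        "client_name": app_name,
        "redirect_uris": list(redirect_uris),
        "grant_types": sorted(grant_types),
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
        "application_type": "web",
    }

def validate_registration_request(req):
    """Server-side checks; returns an RFC 7591 error body, or None when acceptable."""
    uris = req.get("redirect_uris") or []
    if not uris:
        return {"error": "invalid_redirect_uri", "error_description": "at least one redirect_uri is required"}
    for uri in uris:
        parts = urlsplit(uri)
        # Plain-HTTP callbacks leak the authorization code; fragments are forbidden by OAuth 2.0.
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            return {"error": "invalid_redirect_uri", "error_description": f"rejected redirect_uri {uri}"}
    unsupported = set(req.get("grant_types", [])) - SUPPORTED_GRANT_TYPES
    if unsupported:
        return {"error": "invalid_client_metadata", "error_description": f"unsupported grant_types {sorted(unsupported)}"}
    if req.get("token_endpoint_auth_method") not in SUPPORTED_AUTH_METHODS:
        return {"error": "invalid_client_metadata", "error_description": "unsupported token_endpoint_auth_method"}
    return None

def register_client(req, now):
    """Simulates the provider: validate, then issue credentials alongside the accepted metadata.
    Returns (http_status, body); 201 with client_id/client_secret on success, 400 with an error otherwise."""
    err = validate_registration_request(req)
    if err:
        return 400, err
    resp = dict(req)
    resp.update({
        "client_id": secrets.token_urlsafe(16),
        "client_secret": secrets.token_urlsafe(32),
        "client_id_issued_at": now,
        "client_secret_expires_at": 0,   # 0 means the secret does not expire
        "registration_access_token": secrets.token_urlsafe(32),   # for later reads/updates of this registration
    })
    return 201, resp
```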
19. Demonstration
1. Identity Management With OpenID Connect
2. Client Management With OpenID Connect – Dynamic Client Registration
3. Identity Management With SAML
20. Quiz Time
Get ready to WIN a Special Gift from MuleSoft Community
21. Question 1: Which is not a correct OAuth2 grant type?
A. Client Credentials
B. Refresh Token
C. Basic Auth
D. Authorization Code
22. Question 2: What is the full form of DDoS?
A. Dynamic Denial of Service
B. Distributed Denial of Service
C. Double Denial of Service
D. Disk Denial of Service
23. Question 3: What is the full form of SAML?
A. Security Application Markup Language
B. Security Assertion Markup Language
C. Service Assertion Markup Language
D. Service Application Markup Language