Modern authentication and authorization for your applications

Disclaimer: The opinions expressed in this article are solely those of the author and do not reflect the views or opinions of any organization or entity. The content provided is for informational purposes only and should not be construed as professional advice. The author maintains a technologically agnostic point of view and strives to present balanced and objective information. Readers are encouraged to conduct their own research and analysis before making any decisions based on the information provided.


Part of my job involves assisting customers with the modernization of their applications' authentication and/or authorization processes. I handle various types of applications, including web, native, custom developments, SaaS applications, APIs, and more. These concepts can be confusing, so it's crucial to have a basic understanding of them before making any decisions.

To move forward, it's essential to be familiar with terms like SAML, WS-Fed, OAuth2, OIDC, identity providers, claims providers, token enrichment, signing, encryption, identifiers, subject, audience, RegEx, transformations, flows, and more. You don't need to be an expert, but you should grasp the fundamentals. Rest assured, you will learn a lot during the process.

The most common scenarios I work on are:

  1. Legacy apps accessed by internal and/or external users.
  2. SaaS applications (typically SAML-based).
  3. OAuth/OIDC apps.
  4. Workforce and/or consumer-oriented apps (B2C).
  5. All of the above but federated.

Some of the main concerns include:

  1. Ensuring the security of identities and the sign-in process (2FA, compromised identities, etc.).
  2. Decommissioning old infrastructure (typically federation services).
  3. Modernizing authentication or authorization schemes to leverage extra features and capabilities.
  4. Modernizing due to lack of vendor support.
  5. Enhancing security when accessing sensitive information or resources.
  6. Strengthening security during specific actions.
  7. Complying with industry regulations.

Contrary to what you might think, the process can be repetitive regardless of the scenario. Whether dealing with thousands or hundreds of apps or identities, planning, testing, and commitment from all parties involved remain crucial.

Here are some lessons learned:

  1. If an application is already federated, it's highly probable that it can be easily modernized.
  2. Very old apps will require more time and potentially coding.
  3. Prioritize implementing 2FA.
  4. Educating end-users is a must.
  5. Sponsors are essential.
  6. Incorporate identity and access governance from the beginning. Think big. It will save you time and headaches.
  7. Document all potential use cases.
  8. Test extensively.
  9. Avoid developing your own identity provider. Many companies with theoretically unlimited resources have failed in this area. Don't do it.
  10. Most problems when working with apps are caused by certificates, claims, and syntax errors.

Consider the following questions:

  1. Do you have an inventory of users, devices (when applicable), and apps?
  2. Are you aware of the information accessed by users and apps?
  3. Do you collaborate with other organizations? Do you have guest users? How do you manage these identities and access? Are there inactive guest users?
  4. Would you know if you were a victim of data exfiltration?
  5. Can you easily generate a report on unused human/non-human identities, apps, etc.?
  6. Do you know the permissions used by the mentioned objects?
  7. Do you have processes in place for the lifecycle of certificates/keys?


I could continue writing this article indefinitely, but I will conclude here. Perhaps in the future, I will write a second part.

As always, feel free to reach out to me if you have any questions. Better yet, post them here so everyone can benefit.

Thank you for reading.

Gaston Valdes

Chief Information Security Officer (CISO) | Founding partner at Schub | Building secure, compliant, cloud-native solutions.

1 year

Marcelo D. I totally relate to this article. I have shared some of these pains and even discussed some of these recommendations with clients. Kudos to you for writing this. I'm eager to read the second part.
