Identity as Code

Users now have more complex identities than ever before: federated accounts, second-factor authentication and multiple devices. All of these conditions need to be tested, but how? This talk examines the minefield of identity and authentication in your pipeline and how your team can traverse it to ensure you are testing all the conditions without resorting to manual steps.

Andy March

June 18, 2019

Transcript

  Slide 2

    Hi! Andy March (@andymarch). Senior Platform Specialist at Okta. Software Developer (.NET / Java / JS). 10 years working in secure systems.
  Slide 16

    (Diagram, two architectures side by side.)
    Monolith: Business Logic, AuthN, AuthZ and User Identity in one application over a Database (User/Role).
    Service Oriented: User Identity, Business Logic and Database as separate components, with AuthN and AuthZ alongside them (Request/Permission).
  Slide 22

    Stage         Tests               Where
    Dev           Mostly unit tests   Individual environment
    Integration   Integration tests   Shared environment
    QA            Complex tests       Single environment
    Prod          Real users          Production config
  Slide 30

    provider "okta" {
      org_name  = "babbage"
      base_url  = "okta.com"
      # Demo value. Supply the real token through the OKTA_API_TOKEN environment
      # variable, which the Okta provider reads, rather than committing it here.
      api_token = "isthisarealtoken"
    }

    data "okta_group" "devs" {
      name = "Devs"
    }

    # Extends the user profile schema with a custom, profile-mastered attribute.
    resource "okta_user_schema" "role_extension" {
      index  = "analytical_engine_role"
      title  = "Analytical Engine Role"
      type   = "string"
      master = "PROFILE_MASTER"
    }

    (Diagram: Engine Client, Identity Provider, Engine API)
  Slide 31

    # Sign-on policy scoped to the Devs group looked up on slide 30.
    resource "okta_policy_signon" "devSignOn" {
      name            = "Developer policy"
      status          = "ACTIVE"
      description     = "Meet our compliance for developers."
      groups_included = ["${data.okta_group.devs.id}"]
    }

    resource "okta_policy_rule_signon" "test" {
      policyid     = "${okta_policy_signon.devSignOn.id}"
      name         = "MFA every hour"
      status       = "ACTIVE"
      mfa_required = true
      mfa_prompt   = "SESSION"
      mfa_lifetime = 60   # minutes: re-prompt for MFA once an hour within a session
    }

    (Diagram: Engine Client, Identity Provider, Engine API)
  Slide 32

    # Custom authorization server for the Engine API, with its own audience.
    resource "okta_auth_server" "analytical_engine" {
      audiences   = ["babbage.local"]
      description = "General purpose computing."
      name        = "Analytical Engine API"
    }

    resource "okta_auth_server_scope" "tabulate" {
      description    = "tabulate logarithm"
      name           = "tabulate:perform"
      auth_server_id = "${okta_auth_server.analytical_engine.id}"
    }

    (Diagram: Engine Client, Identity Provider, AuthZ Server, Engine API)
  Slide 33

    # Browser-facing client: authorization code flow only.
    resource "okta_app_oauth" "engine_client" {
      label          = "Engine Client"
      type           = "web"
      grant_types    = ["authorization_code"]
      redirect_uris  = ["${var.client_callback}"]
      response_types = ["code"]
    }

    # Machine-to-machine API: client credentials, no user involved.
    resource "okta_app_oauth" "engine_api" {
      label       = "Engine API"
      type        = "service"
      grant_types = ["client_credentials"]
    }

    (Diagram: Engine Client, Identity Provider, AuthZ Server, Engine API)
  Slide 36

    resource "okta_user" "Ada" {
      login      = "Ada"
      email      = "ada.lovelace@babbage.local"
      first_name = "Ada"
      last_name  = "Lovelace"

      # Custom attribute defined by the okta_user_schema extension on slide 30.
      custom_profile_attributes = {
        analytical_engine_role = "Lead Programmer"
      }

      depends_on = ["okta_user_schema.role_extension"]
    }
  Slide 37

    (Diagram: Engine.tf, Identity.tf, TestAccounts.tf and QA.auto.tfvars feed terraform plan, then terraform apply, producing the Engine Client, Identity Provider, AuthZ Server and Engine API.)
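The flow on slide 37 has a natural gate between terraform plan and terraform apply. The following is an added example, not code from the talk or from Okta: a Python check that reads the JSON that `terraform show -json` produces for a saved plan and fails the pipeline when the planned Okta resources weaken the conditions defined on slides 31 to 33 (MFA on the developer sign-on rule, a code-flow-only web client, a client-credentials-only service app). The plan document embedded in it is a hand-constructed sample in the shape of Terraform's plan JSON, carrying one deliberate weakening (an implicit grant added to the Engine Client) so the gate has something to catch. The lifetime threshold, the allowed grant sets and the reading of mfa_lifetime as minutes are this example's assumptions, not something the slides state.

```python
"""Plan-time gate for identity defined in Terraform (added example).

Reads the JSON emitted by `terraform show -json tfplan` and refuses to let
the pipeline continue to `terraform apply` when planned Okta resources drift
from the conditions the sign-on policy and OAuth apps are meant to enforce.
"""
import json
import sys

# Assumption: Okta's mfa_lifetime is expressed in minutes; the slide's
# "MFA every hour" rule sets it to 60, so anything longer is a weakening.
MAX_MFA_LIFETIME_MINUTES = 60
ALLOWED_WEB_GRANTS = {"authorization_code", "refresh_token"}
ALLOWED_WEB_RESPONSES = {"code"}

# Constructed sample in the shape of Terraform's plan JSON (planned_values /
# root_module / resources), mirroring the slide-deck resources, with one
# deliberate weakening: the implicit grant has crept into the Engine Client.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "planned_values": {"root_module": {"resources": [
        {"address": "okta_policy_signon.devSignOn", "type": "okta_policy_signon",
         "values": {"name": "Developer policy", "status": "ACTIVE"}},
        {"address": "okta_policy_rule_signon.test", "type": "okta_policy_rule_signon",
         "values": {"name": "MFA every hour", "status": "ACTIVE",
                    "mfa_required": True, "mfa_prompt": "SESSION", "mfa_lifetime": 60}},
        {"address": "okta_app_oauth.engine_client", "type": "okta_app_oauth",
         "values": {"label": "Engine Client", "type": "web",
                    "grant_types": ["authorization_code", "implicit"],
                    "response_types": ["code", "token"]}},
        {"address": "okta_app_oauth.engine_api", "type": "okta_app_oauth",
         "values": {"label": "Engine API", "type": "service",
                    "grant_types": ["client_credentials"]}},
    ]}},
})


def planned_resources(plan):
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def check_plan(plan_json):
    """Return a list of findings; an empty list means the plan may be applied."""
    findings = []
    for res in planned_resources(json.loads(plan_json)):
        addr, typ, v = res["address"], res["type"], res.get("values", {})
        if typ in ("okta_policy_signon", "okta_policy_rule_signon") and v.get("status") != "ACTIVE":
            findings.append(f"{addr}: status is {v.get('status')!r}, an inactive policy enforces nothing")
        if typ == "okta_policy_rule_signon":
            if v.get("mfa_required") is not True:
                findings.append(f"{addr}: mfa_required must be true")
            elif v.get("mfa_prompt") != "ALWAYS" and v.get("mfa_lifetime", 0) > MAX_MFA_LIFETIME_MINUTES:
                findings.append(f"{addr}: mfa_lifetime {v['mfa_lifetime']} exceeds {MAX_MFA_LIFETIME_MINUTES} minutes")
        if typ == "okta_app_oauth":
            grants = set(v.get("grant_types", []))
            responses = set(v.get("response_types", []))
            if v.get("type") == "web":
                # Browser clients get the code flow only: no implicit grant, no tokens in the fragment.
                for bad in sorted(grants - ALLOWED_WEB_GRANTS):
                    findings.append(f"{addr}: grant type {bad!r} not allowed for a web client")
                for bad in sorted(responses - ALLOWED_WEB_RESPONSES):
                    findings.append(f"{addr}: response type {bad!r} not allowed for a web client")
            elif v.get("type") == "service" and grants != {"client_credentials"}:
                findings.append(f"{addr}: service app must use only client_credentials, got {sorted(grants)}")
    return findings


def with_values(plan_json, address, **overrides):
    """Return a copy of the plan with one resource's planned values changed (for tests)."""
    plan = json.loads(plan_json)
    for res in planned_resources(plan):
        if res["address"] == address:
            res.setdefault("values", {}).update(overrides)
    return json.dumps(plan)


def main(argv):
    plan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    findings = check_plan(plan_json)
    for finding in findings:
        print("FAIL", finding)
    print("plan ok" if not findings else f"{len(findings)} finding(s); refusing to apply")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this sits between the two Terraform steps: `terraform plan -out=tfplan`, `terraform show -json tfplan > plan.json`, then run the script on plan.json and apply only when it exits zero. Without an argument it checks the embedded sample and exits non-zero on the implicit grant. Note that references to resources created in the same plan (such as the rule's policyid) are unknown until apply and therefore absent from planned values, so checks of that kind belong in a post-apply test rather than here.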
  Slide 39

    Recap
    - Don't roll your own.
    - Architect for identity.
    - Test within a boundary, reach beyond when you must.
    - Define as much environment as you can in code.