Curity and the Neo-Security Architecture
To protect their growing API ecosystems, enterprises need a secure IT infrastructure that protects APIs. The Neo-Security Architecture is a security architecture framework designed to manage identities and grant users the right access.
The three pillars of the Neo-Security Architecture are:
- Identity Management System
- API Management System
- Entitlement Management System
They result from the main principles of the Neo-Security Architecture: Separation of Concerns and Standardization.
The Curity Identity Server is classified as an Identity Management System and follows the principles of the Neo-Security Architecture. The product offers three modular services: Authentication Service, Token Service, and User Management Service.
The Curity Identity Server implements a long list of standards. These include a variety of OAuth 2.0 standards, several OpenID Connect specifications, standardized protocols and de facto standards for authentication, and the System for Cross-domain Identity Management (SCIM) for managing users and devices.
By choosing to implement de facto standards over proprietary solutions, the Curity Identity Server can be integrated with numerous applications and systems that comply with those standards. For example, an API Management System may use access tokens issued by the Curity Identity Server as part of an OAuth2.0 or OpenID Connect flow for restricting access to an API. The claims in such an access token can be forwarded to the Entitlement System for fine-grained authorization. Admin users can view and revoke tokens for a user via the User Management Service, and users can use the same service for managing their accounts.
Although the Curity Identity Server emphasizes standard processes, it offers a high degree of flexibility. The Authentication Service can authenticate different types of users: employees, customers, partners, or any other kind you may have. Through scripting capabilities and plugins, authentication methods and processes can be extended and adapted. For example, the authentication may differ based on the user's location or the selected authentication method. The Curity Identity Server ships with powerful tools that allow you to adapt authentication and related processes to fit your needs and comply with business policies and legal requirements.
Any resulting identity assertion is provided as a Security Token. The entity issuing the token is called a Security Token Service (STS) or Token Service. The Token Service of the Curity Identity Server can issue Access Tokens, Refresh Tokens, and ID Tokens. The resulting Security Tokens should contain enough claims so that the recipient can determine the scope of access for the particular request.
The Curity Identity Server allows you to configure which scopes and claims are known to the system. It also enables you to configure what claims should be inserted into a token of a certain type, or which scopes or claims a certain client is allowed to request. There are various ways to retrieve or calculate claims and modify the values before issuing the tokens. As a result, the Curity Identity Server has a high degree of interoperability, ensuring that the token it issues is compatible with various applications.
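The token flow described above, as an added illustration that is not code from Curity or this page: a stand-in Token Service mints an access token with scope and subject claims, the API Management role validates it (algorithm, signature, issuer, audience, expiry), and the Entitlement role makes a fine-grained decision from the claims. The HS256 key, issuer URL, audience and scope names are constructed assumptions; a real API verifies with the issuer's published keys.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-signing-key"  # constructed; never a real deployment's key
ISSUER = "https://idsvr.example.com"      # assumed Token Service URL
AUDIENCE = "orders-api"                   # assumed API identifier

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the Token Service: an HS256-signed JWT carrying the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_token(token: str, now: int) -> dict:
    """API Management role: accept only a correctly signed, unexpired token meant for this API."""
    header, payload, sig = token.split(".")  # ValueError if not three parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none and key-type confusion
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def entitlement_decision(claims: dict, action: str, owner: str) -> bool:
    """Entitlement role: scope grants the action; sub/roles claims narrow it to the caller's own data."""
    scopes = claims.get("scope", "").split()
    if action == "read" and "orders:read" in scopes:
        return claims.get("sub") == owner or "admin" in claims.get("roles", [])
    if action == "write" and "orders:write" in scopes:
        return claims.get("sub") == owner
    return False

def authorize(token: str, now: int, action: str, owner: str) -> bool:
    # Gateway entry point: token validation first, then the claims-based entitlement check.
    try:
        claims = validate_token(token, now)
    except ValueError:
        return False
    return entitlement_decision(claims, action, owner)
```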
The User Management Service is required to complete the life cycle of user accounts beyond authentication and authorization. A User Management Service is an abstraction of one or more Identity Repositories. The Curity Identity Server supports several data sources for identity data, such as a JDBC database or LDAP directory. It implements System for Cross-domain Identity Management (SCIM) to Create, Retrieve, Update, and Delete (CRUD) user data. In this way, the Curity Identity Server also provides a normative set of user and group attributes — necessary for widespread interoperability.
With the help of the User Management Service, applications and systems can retrieve user information before or after authentication, perform on- or off-boarding activities, or update the user data. The data provided by the User Management Service may, for example, serve as input for authorization decisions performed by the Entitlement System. Or, a cloud service may require user data for new users so that an administrator can furnish a user with a license or permissions. Another example is a self-service portal for users to manage their accounts and devices.
In addition to user account data, the User Management Service provides information about a user's tokens (not the tokens themselves) via the delegations endpoint. This means that an administrator can manage and revoke tokens issued for a specific user.
The Neo-Security Architecture is a modular security architecture. Different parts of it can be implemented to fit the maturity level of your organization and system. The Curity Identity Server fits in even at a low security maturity level. You may make use of all the complexity at once, or you may use just the basic features, integrate it with your existing infrastructure, and adapt as the requirements change. The Curity Identity Server offers flexibility at various levels and comes with great interoperability that allows you to add and integrate the Identity Management System with other parts of the Neo-Security Architecture as it develops.