User Authentication Guidelines
Applications that require user authentication (SSO) must conform to the following policies. Any deviation must be approved by the Identity Team before proceeding.
New Application Requirements
Basic User Authentication
New applications that do not need to call existing Tyk/Hydra APIs should use OIDC. OIDC is the preferred protocol. Applications may use SAML on Okta if there is a compelling reason.
Accessing Existing APIs
New applications that need to call existing Tyk/Hydra APIs should use Tyk/Hydra authentication. [User authentication will be migrated from Tyk/Hydra, but that migration has not been scheduled.]
Migrating Existing Applications from the CAS IDP to Okta
Applications Using the CAS Protocol
Existing applications using the CAS protocol on the CAS IDP must switch to either OIDC or SAML on Okta (the CAS protocol is not available on Okta). OIDC is the preferred protocol.
Applications Using the SAML Protocol
Existing applications using SAML on the CAS IDP may migrate to SAML or OIDC on Okta.
Applications Using Tyk/Hydra Only to Authenticate Users
Existing applications using Tyk/Hydra only to authenticate users may continue to use Tyk/Hydra until user authentication migrates from Tyk/Hydra to Okta. [That migration has not been scheduled.]
Applications Using Tyk/Hydra to Authenticate Users and Call APIs
Existing applications using Tyk/Hydra to authenticate users and call APIs may continue to use Tyk/Hydra until all the APIs they use that require Tyk/Hydra tokens are either replaced, deprecated, or retired. [The work to deprecate those APIs has not been scheduled.]
Applications Using Tyk/Hydra Only to Call APIs
Existing applications using Tyk/Hydra only to call APIs may continue to use Tyk/Hydra until all the APIs they use that require Tyk/Hydra tokens are either replaced, deprecated, or retired. [The effort to deprecate those APIs has not been scheduled.]
Tyk/Hydra Changes
- Tyk will be federated to Okta rather than CAS in the next few months. [The date has not been scheduled.]
- Later, Okta will replace Hydra as the provider for OAuth 2 services in Tyk.
- When the changes are complete, Tyk will not mediate all calls to Okta. Applications may call Okta authentication APIs directly.
There is no need to migrate user authentication and API authentication at the same time.