CIS14: Using IDaaS to Enable IAM for Multiple Web-based and Mobile B2B and B2C Applications
Using IDaaS to Enable IAM for Applications JULY 22, 2014
Introduction – Ken Riggio
• VP, Software Development - Ticketing
  • B2B Identity and Access Management
  • B2C Identity and Access Management
  • Consolidated System of Inventory and Catalog Management
  • Integration
• Music Enthusiast \m/
• Dungeon Master!
• Computer Nerd
• NOT an Identity Management Expert
Introduction – Live Nation Entertainment
• Business Segments
  • Concerts
    • Venue Owner (House of Blues, Verizon Amphitheater, …)
    • Venue Operator
    • Promoters
    • Festival Operator
  • Artist Nation
    • Artist Management
  • Sponsorships & Advertising
  • Ticketing ($1.4 Billion in Revenue, 21.7% of total)
Introduction – Ticketing
• Clients (thousands of clients, tens of thousands of users)
  • Arenas, Stadiums, Amphitheaters, Music Clubs, Concert Promoters, Professional Sport Franchises and Leagues, College Sports Teams, Performing Arts Venues, Museums, Theaters
• Sales Channels (hundreds of millions of users)
  • Web Sites – Ticketmaster, Livenation, TicketWeb, TicketsNow, Get Me In!, TicketExchange, … (71%)
  • Mobile Apps (14%)
  • Ticket Outlets – Venue Box Offices, Walmart, Retail Kiosks, … (10%)
  • Telephone (5%)
Business Objectives – Re-Architecture
• The Old
  • 17+ different systems that do the same thing…
  • Old technology (e.g. Assembly programs running on a VAX emulator)
  • Monolithic Applications
  • Long Delivery Cycles
• The New
  • Consolidated and Unified Experience
  • Primarily Java & JavaScript (Node.js)
  • SOA 2.0 and EDA
  • Continuous Integration and Continuous Delivery
Business Objectives – Core Principles
• Increase Business Agility
  • More features, faster.
  • React quickly to new business opportunities.
  • Adopt new technologies as they become available.
  • Technology should enable, not constrain.
• Reduce Operational Expenses
  • Focus head count on building the future, not supporting the past.
Requirements – Identity and Access Management
• B2B
  • Multiple Tenants (Clients)
  • Authentication
  • Authorization
  • Access to various applications
    • Web Applications
    • Mobile Applications
    • Scanners (Devices)
  • Roles
  • Entitlements
  • User Management (Delegated Administration)
Requirements – Identity and Access Management
• B2C
  • Multiple Tenants (Channels with Different User Bases)
  • Authentication
  • Authorization
  • Access to Premium Services
  • Fraud Flags and Restrictions
  • Bot Mitigation
  • User Self Service
Challenges – Identity and Access Management
• B2B
  • Data Firewall
    • Clients
    • Internal Live Nation Segments (Ticketing v. Concerts)
  • Cross Tenant Entitlements
    • Tenant A wants to enable Tenant B to be a Promoter for Tenant A’s events.
• B2C
  • Performance (Burst Traffic!!!)
• Both
  • Legacy… Integration, Migration…. Dealing with the past in general!
Solution – Identity Bridge Service
• Don’t Try To Read the Diagram! ;)
• API that abstracts and integrates with multiple identity providers.
• A common API
• Really wish I knew about SCIM when we started this project.
Solution – Identity Bridge Service
• Ignore the Fine Print, I will walk you through it.
• Multiple Consuming Applications
• Common Interface (IBS)
• Routed to 1 or more Identity Providers based on phase of integration and migration
• Bridge provider facilitates lazy migration.
• Strangler Pattern
Solution – Bring it to the Cloud
• Identity Bridge Service API (IBS)
  • Authentication
  • Authorization
  • User Management
  • Tenant Provisioning
  • Session Management
• IBS Eats Its Own Dog Food
  • Access to the API is controlled using its own authentication and authorization services.
  • Web-based User Interface (also protected using IBS)
Solution – Bring it to the Cloud
[Diagram: IBS serving the VERIZON AMP, HOB and FILLMORE tenants]
Integration – Varying Client Capabilities
• Small Clients
  • Few Employees
  • Little or No Technical Abilities
  • Limited Resources
• Big Clients
  • Thousands of Employees
  • Strong Technical Team, Potentially Have Their Own Development Teams
  • Have Their Own Internal Identity Solutions
Integration – Client Needs
• However, They Both Have the Same Core Needs
  • User Provisioning
  • User Management
  • Authentication
  • Authorization
• Why?
  • Create and Manage Events, Products, Merchandising, Pricing
  • Reporting
  • Marketing
  • Sales
  • Access Control (umm.. Ticket Scanning)
Integration – Client Implementation Options
• Small Clients
  • Use Our Web-Based “Permissioning” UI
  • Use Our Applications and Scanners
• Big Clients
  • Multiple Options
    • They Can Use Ours and do the “swivel chair”
    • They Can Use Our “Services”, integrating with their own UI
    • Their Local Identity Solution can Provision Users through IBS to leverage the Ticketing application platform.
Integration – Our Web-Based “Permissioning” UI
Integration – A Quick Digression into Mobile
• Issues Exist on Desktop but Mobile has Made it Worse
  • Lots of reverse engineering, de-compiling, and data extraction
  • Certificates, API Keys, Long Running Access Tokens, etc. have been farmed and used by bots.
  • Audits and Logs show the “same device application” calling us thousands of times per minute trying to get access to tickets
  • Privacy Laws have pushed us to use device application ids instead of actual device information as part of authentication (smaller fingerprint :( ).
• Most companies would love the fact that people are creating automated ways of buying their stuff… For us, it’s a nightmare.
Integration – A Quick Digression into Mobile
• Mitigation Strategies
  • Session-based
    • No more than one concurrent session
    • A given token cannot be used more than once. Each response returns a new session token.
  • Alerts
  • Speed bumps
  • Off switch :P
Deployment – B2B vs B2C
• Ultimately, There is No Functional Difference
  • We have different scaling issues though
    • B2B has Constant Moderate Usage
    • B2C has Periodic Burst Usage
• Options
  • Scale solution to handle both concurrently
  • Provide two physical deployments, one serving B2B, the other B2C.
  • We chose the latter.