
Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7

Date post: 01-Jun-2015
Upload: ca-api-management
Description:
In an API Economy, everyone and everything has an API. That means 26 billion APIs by the year 2015. What is your organization doing to prepare for this fundamental shift in IT infrastructure? In this webinar, KuppingerCole's Distinguished Analyst Craig Burton and Layer 7 Technologies CTO Scott Morrison explain the API Economy and the role of Identity for your organization.
Transcript
Page 1: Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7

Craig Burton Distinguished Analyst, KuppingerCole

[email protected]

Page 2

Identity in an API Economy

The API Economy and SAML

• Introduction to the API Economy Ecosystem
• The Cambrian Explosion of Everything
• An API for Everyone and Everything
• Admin-based mapping is broken
• E2S (Entity to Service) automation—beyond SAML
• Summary

Page 3

Identity in an API Economy

The API Economy

• The Five KuppingerCole API tenets
  1. Everything and everyone will be API-enabled
  2. The API Ecosystem is core to any cloud strategy
  3. Baking core competency in an API-set is an economic imperative
  4. Enterprise inside-out
  5. Enterprise outside-in

Page 4

The API Ecosystem

Understanding the API Ecosystem

• The API Ecosystem is divided into two types of API design
  – The API Provider—the enterprise inside-out
  – The API Consumer—the enterprise outside-in

Page 5

The API Ecosystem

Understanding the API Ecosystem

• The API Provider—the enterprise inside-out
  – API types
    • Open APIs—published APIs for public consumption
    • Dark APIs—unpublished APIs for closed consumption
• The API Consumer—the enterprise outside-in
  – API types
    • Open APIs—published APIs for public consumption
    • Dark APIs—unpublished APIs for closed consumption
    • Internal APIs—legacy applications with traditional information and resources

Page 6

The API Ecosystem

Understanding the API Economy—the billionaire club

(Chart slide; no text beyond the title.)

Page 7

The API Ecosystem

Understanding the API Economy—Twitter unpacked

• 13 billion API calls a day
• 54 million+ calls an hour
• 900,000+ calls per minute
• 15,000+ calls per second

Twitter traffic drove 2012 Olympic coverage—all API-driven

Page 8

The API Ecosystem

Understanding the API Ecosystem

(Chart slide; no text beyond the title.)

Page 9

The API Ecosystem

Open API Growth Rate

(Chart slide; no text beyond the title.)

Page 10

The API Ecosystem

API Growth Rate

• Open APIs
  – We just hit the 7,000 API mark
  – 8,000 by year end
  – 16,000 by 2015
• Dark APIs
  – Dark APIs grow at roughly 5x the Open API growth rate
  – 80,000 by 2015

Page 11

The Cambrian Explosion of Everything

Growth in the Cambrian Era—unprecedented growth of life

(Image slide; no text beyond the title.)

Page 12

The Cambrian Explosion of Everything

Apple's numbers

• 400 million iOS devices
• 700,000 apps
• Average person uses 100+ apps per device
• 84 million iPads
• 68% market share in 2012
• 17 million iPads sold in April-June 2012
• More iPads than any PC vendor's entire product line
• 94% of Fortune 500 are investing in or deploying iPads at work

Page 13

The Cambrian Explosion of Everything

Cisco's predictions and KC API tenet #1

• 2.8 devices per person on the planet by 2015
• 19.6 billion devices
• 7 billion people
• Tenet #1: Everyone and Everything is API-enabled
  – 26.6 billion APIs

Page 14

Broken Model

The Admin-based mapping model is broken

• The identity model for ALL current SAML-based systems does not scale
• The identity model is Admin-based
• All entities are mapped to services by people (Admins)
• The math
  – Mapping 26.6 billion entities to just one service
  – 640,000 admins, 24 hours a day, for 5 years
  – Apple numbers: 100+/10 apps per device
• Broken

Page 15

Federation is evolving

Approach                                           IdPs  SPs  Type of IdP
1:1 – e.g. with a specific supplier                1     1    Owned by federation partner
1:n – e.g. authN to many cloud services            1     n    Owned by company
n:1 – e.g. a service for many suppliers or
      cloud service customers                      n     1    Owned by many federation partners
n:1 – e.g. supporting different logins             n     1    Owned by whomever – Facebook, enterprise, government (eID), …
n:n – reality, if you look at the big picture      n     n    Look at all the federations of your company and you have a mix

Page 16

The traditional federation approach: Direct connections

(Diagram: Users connected directly to Apps.)

Page 17

The future federation approach: Meshed/service-focused

(Diagram: Users and Apps connected through a mesh.)

Page 18

E2S Automation

e2s (Entity to Service) Automation—Beyond Admin-based SAML

• Scalable SAML will require automation
• Automation is enabled via APIs
• The future of e2s identity mapping must be API-based to meet today's demand
  – 400 million+ iOS devices
  – 26.6 billion APIs
  – These numbers are conservative

Page 19

E2S Automation

e2s (Entity to Service) Automation—Beyond Admin-based SAML

• OpenID Connect is SAML's API future
  – Tractability unknown
  – No vendor is using it for automation yet
  – No vendor is doing e2s automation yet
• SCIM (System for Cross-domain Identity Management) is a potential e2s automation protocol
• Note: Salesforce Identity gives both of these standards a boost of reality.

Page 20

Identity in the API Economy

Summary

• SAML will not support all use cases (but some)
• Other standards are not as mature
• That means:
  – Don't rely on an approach that is focused on traditional approaches
  – Understand these approaches as a subset of the big picture
  – Design your architecture for that big picture
  – Start with the subset you need
  – Look for technology which is built for (or whose suppliers are devoted to) the big picture

Page 21

Identity, Access and Privacy Using SecureSpan

Simple, Scalable Solutions for OAuth, OpenID Connect, and SCIM

K. Scott Morrison, CTO

Oct 2012

Page 22

The Old Enterprise

Formal and structured security & connectivity

• VPNs & proprietary protocols for thick clients
• HTTP(S) for browsers
• SOAP+WS-* for B2B

(Diagram labels: Enterprise Network; Line of business servers; Firewall; Road Warriors with VPN; Browser Clients; Formal Trading Partners; connection types VPN, SSL, WS-S.)

Page 23

The New Hybrid Enterprise

Highly agile security & connectivity

• REST, OAuth, OpenID Connect, SCIM

Recall: Change Drivers are Social, Mobile & Cloud (From: CB)

(Diagram labels: Enterprise Network; Line of business servers; Internal Directories; Firewall; Mobile Devices; Clouds; Client Directories; Informal, API-driven integrations.)

Page 24

The Hybrid Enterprise Is Made Possible By APIs

(Diagram labels: Web App; API Server; Web Client; Mobile App.)

An API is a RESTful service

Page 25

A Fundamental Shift is Occurring

The Old Enterprise → The New Hybrid Enterprise

This is the secret to achieving scale and agile federation

Page 26

The Problem:

How do we bridge the gap between the need and a concrete implementation?

Issues
• Agility
• Scalability
• Distribution

Page 27

First Consider The Foundation Technologies

• OAuth — to get access to an API.
• OpenID Connect — to share information about users.
• SCIM — APIs for Identity Provisioning and Management Across Domains.

Now prioritize these considering maturity and available infrastructure

Page 28

Priority #1: OAuth

• Make it easy
• Make it scale

Page 29

How to Make OAuth Easy

• Simple, drop-in virtual or hardware gateway
• Acts as both Authorization Server (AS) and Resource Server (RS)
• Advanced security on all APIs
• Threat detection, audit, QoS mgmt, etc.

(Diagram labels: Enterprise Network; Firewall; SecureSpan Gateway protecting RS; SecureSpan Gateway as AS; Protected Resource; Directory; Mobile Devices; Clouds, Webapps, etc.; Informal, API-driven integrations.)

All Authorization Grants
➠ Authorization code
➠ Implicit
➠ Resource owner password credentials
➠ Client credentials

Pages 30–32

How Easy?

(Three slides carrying only this title.)

Page 33

How to Make OAuth Web Scale

(Diagram labels: DMZ; Firewall 1; Secure Zone; Firewall 2; SecureSpan Gateway cluster as AS; SecureSpan Gateway cluster RS; SecureSpan Gateway as Secure Token Store; Protected Resource; Directory.)

Page 34

How to Make OAuth Scale – Architecture

(Diagram zones: Internet – DMZ – Internal (secure) network. Components: client; API Proxy Server; Authorization Server; Token Server; Token Store; Client Store; OVP; Resource Server (resource provider); IDMS (accessible through an LDAP query).)

Diagram annotations:
• Accessed when client requests resources — endpoints accessible through an API
• Accessed when client requests user authorization and tokens — endpoints accessible through the OAuth protocol API

Resource request checks:
• Who is asking?
• Which API?
• What scope?
• Is token valid?
• etc.

Authorization:
• Prove who you are
• Authorize entitlement
• etc.

Token lifecycle:
• Create
• Check
• Expire
• Revoke
• etc.
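The roles on this slide and the grant list on the "How to Make OAuth Easy" slide, as an added example that is not Layer 7's code: an in-memory Token Store with the slide's four operations, an Authorization Server issuing a client-credentials grant, and an API Proxy answering the four resource-request questions. The class and function names, the client and API entries, and the scope names are constructed for the illustration.

```python
# Added example, not Layer 7 code: an in-memory model of the OAuth roles on the slide.
import secrets
# Client Store (constructed sample data): registered clients and the scopes they may hold.
CLIENT_STORE = {
    "mobile-app": {"secret": "s3cret-mobile", "scopes": {"orders:read"}},
    "partner-batch": {"secret": "s3cret-partner", "scopes": {"orders:read", "orders:write"}},
}
API_SCOPES = {"GET /orders": "orders:read", "POST /orders": "orders:write"}  # "Which API?"
TOKEN_TTL = 3600  # seconds

class TokenServer:  # Token Store with the slide's four operations
    def __init__(self):
        self.tokens = {}  # opaque token -> record

    def create(self, client_id, scope, now):
        token = secrets.token_urlsafe(32)  # opaque, unguessable handle
        self.tokens[token] = {"client_id": client_id, "scope": set(scope),
                              "expires_at": now + TOKEN_TTL, "revoked": False}
        return token

    def check(self, token, now):
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["expires_at"]:
            return None  # unknown, revoked or expired: all refused alike
        return rec

    def expire(self, now):  # housekeeping: drop records past their lifetime
        self.tokens = {t: r for t, r in self.tokens.items() if now < r["expires_at"]}

    def revoke(self, token):
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

def client_credentials_grant(ts, client_id, client_secret, scope, now):
    # Authorization Server: "prove who you are", then "authorize entitlement".
    client = CLIENT_STORE.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return None  # authentication failed
    if not set(scope) <= client["scopes"]:
        return None  # client asked for more than it is entitled to
    return ts.create(client_id, scope, now)

def api_proxy_check(ts, token, api, now):
    # API Proxy: who is asking, which API, what scope, is the token valid?
    rec = ts.check(token, now)
    if rec is None:
        return (False, "invalid, revoked or expired token")
    if API_SCOPES.get(api) not in rec["scope"]:
        return (False, f"{rec['client_id']} not authorized for {api}")
    return (True, rec["client_id"])
```

The proxy never sees the client secret: it only holds the opaque token, which the Token Store can expire or revoke centrally, which is what lets the RS and AS clusters on the next slides scale independently.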

Page 35

Priority #2: Introduce OpenID Connect

(Diagram zones: Internet – DMZ – Internal (secure) network. Components: client; OVP; Client Store; Token Store; Resource Server (resource provider); IDMS (accessible through an LDAP query); endpoints UserInfo, CheckID, SessionMgmt, DynamicReg, Discovery. Annotations: endpoints accessible through an API; endpoints accessible to outside clients.)

Endpoints:
• UserInfo: provide access token; get attributes (e.g. family_name, picture, gender, birthdate, etc.)
• CheckID: provide ID token; validate and return claims
• SessionMgmt: 1. Refresh endpoint, 2. End session endpoint
• DynamicReg
• Discovery

The diagram marks parts of this set as Core and others as Optional.
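The two endpoints the slide describes in detail, as an added example that is not Layer 7's or the OpenID Foundation's code: check_id takes an ID token and either returns its validated claims or refuses it, and userinfo exchanges an access token for the attributes the slide names, gated by scope. The token format (HMAC-signed JSON rather than a real JWT), the issuer URL, the signing key and the directory entries are constructed stand-ins.

```python
# Added example, not Layer 7 code: a minimal model of the CheckID and UserInfo
# endpoints. The ID token here is a constructed HMAC-signed stand-in, not a real JWT.
import base64, hashlib, hmac, json

ISSUER = "https://op.example.test"      # assumed OpenID Provider identity
SIGNING_KEY = b"constructed-demo-key"   # demo-only shared key
# Attributes the UserInfo endpoint can return (constructed sample directory).
USER_ATTRIBUTES = {
    "alice": {"family_name": "Smith", "picture": "https://example.test/a.png",
              "gender": "female", "birthdate": "1980-01-02"},
}
ACCESS_TOKENS = {"at-alice-123": {"sub": "alice", "scope": {"openid", "profile"}}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_id_token(sub, aud, iat, exp):
    # OP side: sign the claims so a relying party can later have them validated.
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": iat, "exp": exp}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def check_id(id_token, expected_aud, now):
    # CheckID endpoint: "provide ID token" -> "validate and return claims" (or None).
    try:
        payload, sig = id_token.split(".")
    except ValueError:
        return None                      # malformed token
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                      # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        return None                      # wrong issuer, or token meant for another client
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None                      # not yet valid, or expired
    return claims

def userinfo(access_token, requested):
    # UserInfo endpoint: "provide access token" -> attributes, gated by scope.
    grant = ACCESS_TOKENS.get(access_token)
    if grant is None or "openid" not in grant["scope"]:
        return None                      # no valid OpenID access token: nothing released
    attrs = USER_ATTRIBUTES.get(grant["sub"], {}) if "profile" in grant["scope"] else {}
    return {"sub": grant["sub"], **{k: attrs[k] for k in requested if k in attrs}}
```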

Page 36

Priority #3: Introduce SCIM

"…make it fast, cheap, and easy to move users in to, out of, and around the cloud." http://www.simplecloud.info/

• RESTful API for user/group CRUD
• User/group schema

Page 37

Summary

Implement OAuth now!
- Don't roll your own
- Plan for failure
- Plan for scale

Plan for OpenID Connect
- Understand what you need to share
- Look to integration with existing identity providers

Plan for SCIM
- Came about because of obvious need
- Maturing very fast

Page 38

Oct 2012

For further information:

K. Scott Morrison
Chief Technology Officer
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
[email protected]
http://www.layer7tech.com
