Using IDaaS to Enable IAM for Applications JULY 22, 2014
Dec 05, 2014
2
Introduction – Ken Riggio
• VP, Software Development - Ticketing
  • B2B Identity and Access Management
  • B2C Identity and Access Management
  • Consolidated System of Inventory and Catalog Management
  • Integration
• Music Enthusiast \m/
• Dungeon Master!
• Computer Nerd
• NOT an Identity Management Expert
3
Introduction – Live Nation Entertainment
• Business Segments
  • Concerts
    • Venue Owner (House of Blues, Verizon Amphitheater, …)
    • Venue Operator
    • Promoters
    • Festival Operator
  • Artist Nation
    • Artist Management
  • Sponsorships & Advertising
  • Ticketing ($1.4 Billion in Revenue, 21.7% of total)
4
Introduction – Ticketing
• Clients (thousands of clients, tens of thousands of users)
  • Arenas, Stadiums, Amphitheaters, Music Clubs, Concert Promoters, Professional Sport Franchises and Leagues, College Sports Teams, Performing Arts Venues, Museums, Theaters
• Sales Channels (hundreds of millions of users)
  • Web Sites – Ticketmaster, Livenation, TicketWeb, TicketsNow, Get Me In!, TicketExchange, … (71%)
  • Mobile Apps (14%)
  • Ticket Outlets – Venue Box Offices, Walmart, Retail Kiosks, … (10%)
  • Telephone (5%)
5
Business Objectives – Re-Architecture
• The Old
  • 17+ different systems that do the same thing…
  • Old technology (i.e. Assembly Programs running on VAX emulator)
  • Monolithic Applications
  • Long Delivery Cycles
• The New
  • Consolidated and Unified Experience
  • Primarily Java & JavaScript (Node.js)
  • SOA 2.0 and EDA
  • Continuous Integration and Continuous Delivery
6
Business Objectives – Core Principles
• Increase Business Agility
  • More features, faster.
  • React quickly to new business opportunities.
  • Adopt new technologies as they become available.
  • Technology should enable, not constrain.
• Reduce Operational Expenses
  • Focus head count on building the future, not supporting the past.
7
Requirements – Identity and Access Management
• B2B
  • Multiple Tenants (Clients)
  • Authentication
  • Authorization
  • Access to various applications
    • Web Applications
    • Mobile Applications
    • Scanners (Devices)
  • Roles
  • Entitlements
  • User Management (Delegated Administration)
8
Requirements – Identity and Access Management
• B2C
  • Multiple Tenants (Channels with Different User Bases)
  • Authentication
  • Authorization
  • Access to Premium Services
  • Fraud Flags and Restrictions
  • Bot Mitigation
  • User Self Service
9
Challenges – Identity and Access Management
• B2B
  • Data Firewall
    • Clients
    • Internal Live Nation Segments (Ticketing v. Concerts)
  • Cross Tenant Entitlements
    • Tenant A wants to enable Tenant B to be a Promoter for Tenant A’s events.
• B2C
  • Performance (Burst Traffic!!!)
• Both
  • Legacy… Integration, Migration… Dealing with the past in general!
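The "data firewall" and the cross-tenant entitlement case above can be handled by one authorization rule: access to a tenant's resources is decided only by grants that tenant itself recorded, so another tenant's user gets in only when the owning tenant explicitly entitled them. The code below is an added example and not Live Nation's IBS code; the tenants, users, roles and permission names are constructed for illustration.

```javascript
// Added example (not IBS code): tenant data firewall with explicit cross-tenant grants.
// Roles and the permissions they carry are constructed for the example.
const ROLE_PERMS = {
  promoter: new Set(['event:read', 'event:create', 'event:update']),
  boxoffice: new Set(['event:read', 'ticket:sell']),
  viewer: new Set(['event:read']),
};

// Grants are keyed by the OWNING tenant. Each entry records which principal
// (identified by its home tenant plus user id) holds which role on that
// tenant's resources. Only the owner's administrators write this list.
class EntitlementStore {
  constructor() { this.grants = new Map(); } // ownerTenant -> [{ tenant, user, role }]
  grant(ownerTenant, principal, role) {
    if (!ROLE_PERMS[role]) throw new Error(`unknown role ${role}`);
    if (!this.grants.has(ownerTenant)) this.grants.set(ownerTenant, []);
    this.grants.get(ownerTenant).push({ tenant: principal.tenant, user: principal.user, role });
  }
  rolesFor(ownerTenant, principal) {
    return (this.grants.get(ownerTenant) || [])
      .filter(g => g.tenant === principal.tenant && g.user === principal.user)
      .map(g => g.role);
  }
}

// Decision: `principal` may perform `perm` on a resource owned by `resourceTenant`
// only if a grant recorded BY that owning tenant gives it a role carrying the
// permission. Same-tenant access goes through exactly the same path, so there is
// no implicit "home tenant sees everything" rule and nothing leaks across tenants.
function authorize(store, principal, perm, resourceTenant) {
  const roles = store.rolesFor(resourceTenant, principal);
  const allowed = roles.some(r => ROLE_PERMS[r].has(perm));
  return { allowed, crossTenant: principal.tenant !== resourceTenant, roles };
}

// Constructed scenario: Tenant A ("hob") entitles Tenant B's ("fillmore") user
// bob to act as promoter for hob's events; nothing flows the other way.
function demo() {
  const store = new EntitlementStore();
  store.grant('hob', { tenant: 'hob', user: 'alice' }, 'promoter');
  store.grant('hob', { tenant: 'fillmore', user: 'bob' }, 'promoter');
  store.grant('fillmore', { tenant: 'fillmore', user: 'bob' }, 'boxoffice');
  const bob = { tenant: 'fillmore', user: 'bob' };
  const alice = { tenant: 'hob', user: 'alice' };
  return {
    bobCreatesHobEvent: authorize(store, bob, 'event:create', 'hob'),     // allowed, cross-tenant
    bobSellsHobTicket: authorize(store, bob, 'ticket:sell', 'hob'),       // denied: not in the grant
    aliceReadsFillmore: authorize(store, alice, 'event:read', 'fillmore'), // denied: data firewall
    bobSellsOwnTicket: authorize(store, bob, 'ticket:sell', 'fillmore'),  // allowed, own tenant
  };
}
```

The point of keying grants by the owning tenant is that a cross-tenant entitlement is always a decision of the tenant whose data is exposed, never of the tenant whose user wants access; auditing "who can touch tenant X" is then a single lookup.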
10
Solution – Identity Bridge Service
• Don’t Try To Read the Diagram! ;)
• API that abstracts and integrates with multiple identity providers.
• A common API
• Really wish I knew about SCIM when we started this project.
11
Solution – Identity Bridge Service
• Ignore the Fine Print, I will walk you through it.
• Multiple Consuming Applications
• Common Interface (IBS)
• Routed to 1 or more Identity Providers based on phase of integration and migration
• Bridge provider facilitates lazy migration.
• Strangler Pattern
12
Solution – Bring it to the Cloud
• Identity Bridge Service API (IBS)
  • Authentication
  • Authorization
  • User Management
  • Tenant Provisioning
  • Session Management
• IBS Eats Its Own Dog Food
  • Access to the API is controlled using its own authentication and authorization services.
  • Web-based User Interface (also protected using IBS)
13
Solution – Bring it to the Cloud
[Diagram: IBS in the cloud, connected to tenants Verizon Amp, HOB and Fillmore]
14
Integration – Varying Client Capabilities
• Small Clients
  • Few Employees
  • Little or No Technical Abilities
  • Limited Resources
• Big Clients
  • Thousands of Employees
  • Strong Technical Team, Potentially Have Their Own Development Teams
  • Have Their Own Internal Identity Solutions
15
Integration – Client Needs
• However, They Both Have Same Core Needs
  • User Provisioning
  • User Management
  • Authentication
  • Authorization
• Why?
  • Create and Manage Events, Products, Merchandising, Pricing
  • Reporting
  • Marketing
  • Sales
  • Access Control (umm..Ticket Scanning)
16
Integration – Client Implementation Options
• Small Clients
  • Use Our Web-Based “Permissioning” UI
  • Use Our Applications and Scanners
• Big Clients
  • Multiple Options
    • They Can Use Ours and do the “swivel chair”
    • They Can Use Our “Services” integrating with their own UI
    • Their Local Identity Solution can Provision Users through IBS to leverage the Ticketing application platform.
17
Integration – Our Web-Based “Permissioning” UI
18
Integration – Our Web-Based “Permissioning” UI
19
Integration – A Quick Digression into Mobile
• Issues Exist on Desktop but Mobile has Made it Worse
  • Lots of reverse engineering, de-compiling, and data extraction
  • Certificates, API Keys, Long Running Access Tokens, etc. have been farmed and used by bots.
  • Audits and Logs show the “same device application” calling us thousands of times per minute trying to get access to tickets
  • Privacy Laws have pushed us to use device application ids instead of actual device information as part of authentication (smaller fingerprint :( ).
• Most companies would love the fact that people are creating automated ways of buying their stuff… For us, it’s a nightmare.
20
Integration – A Quick Digression into Mobile
• Mitigation Strategies
  • Session-based
    • No more than one concurrent session
    • A given token cannot be used more than once. Each response returns a new session token.
  • Alerts
  • Speed bumps
  • Off switch :P
21
Deployment – B2B vs B2C
• Ultimately, There is No Functional Difference
• We have different scaling issues though
  • B2B has Constant Moderate Usage
  • B2C has Periodic Burst Usage
• Options
  • Scale solution to handle both concurrently
  • Provide two physical deployments, one serving B2B, the other B2C.
• We chose the latter.