CSG 2012

My presentation from CSG 2012 (@ uiowa.edu) about cloud provisioning, SCIM, APIs and OAuth 2.0.


Speaker notes

  • NIST defines 3 service models
    How you actually use the cloud

  • No IdM: just a recommendation for a service, or a discount
    Manual IdM: someone creates each user
    Self-sign-up: usually using email verification (old Google Team Edition)
    Bulk load: CSV file of users
    API: “unique” API to create users
    Create on first login: use SAML assertion or OpenID + AX to create the user
    No API or attribute standards... yet

  • Does the app support groups?
    Does it have a group API?
    Can you disable the app's group management?
    Can you sync groups back?

  • Disable, or delete, or disable then delete
    Did the user own data?
    How is that data handled?
    How is the audit trail affected if the user is deleted?
    How is licensing affected if the user is deleted?

  • What if...
    you had a “primary” provider?
    and that provider could provision accounts with other providers?

  • Enterprise IT...
    We already have IdM
    Simpler integration with new providers

  • Tool vendors saw SOAP & SOA & WS as a huge opportunity
    Developers saw SOAP as a way to get RPC through the firewall
    “the two port internet”

  • Remember, URL means “Uniform Resource Locator”

  • If our APIs are not easy to use, people will work around them
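As an added example (not code from the talk or from any SCIM implementation), the provisioning, group-sync and deprovisioning questions in the notes above can be tried against a small in-memory stand-in for a campus SCIM 1.0 endpoint: it accepts the POST /Users document shown on the slides, checks the schema URN and userName uniqueness, validates a group pushed back by a provider against known users, and refuses to delete an account that has not first been disabled, so the audit trail keeps its entries. The `urn:scim:schemas:core:1.0` URN and the Barbara Jensen document come from the slides; the `ScimService` name, the disable-before-delete policy and the status codes are assumptions.

```python
import json
import uuid

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"  # schema URN from the slides' POST /Users example


class ScimError(Exception):
    """Carries the HTTP status a SCIM endpoint would return for the failure."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


class ScimService:
    """In-memory stand-in for a campus SCIM endpoint (hypothetical, not a real library)."""

    def __init__(self):
        self.users = {}   # id -> user resource
        self.groups = {}  # id -> group resource
        self.audit = []   # append-only; must outlive the accounts it describes

    def create_user(self, body):
        """POST /Users: require the core schema, a userName, and a unique userName."""
        doc = json.loads(body)
        if SCIM_CORE_SCHEMA not in doc.get("schemas", []):
            raise ScimError(400, "unsupported schema")
        if not doc.get("userName"):
            raise ScimError(400, "userName is required")
        if any(u["userName"] == doc["userName"] for u in self.users.values()):
            raise ScimError(409, "userName already exists")
        user = dict(doc, id=uuid.uuid4().hex, active=True)
        self.users[user["id"]] = user
        self.audit.append(("create", user["id"], user["userName"]))
        return 201, user

    def push_group(self, body):
        """POST /Groups: a provider pushes a group back; every member must be a known user."""
        doc = json.loads(body)
        unknown = [m["value"] for m in doc.get("members", []) if m["value"] not in self.users]
        if unknown:
            raise ScimError(400, "unknown members: " + ", ".join(unknown))
        group = dict(doc, id=uuid.uuid4().hex)
        self.groups[group["id"]] = group
        self.audit.append(("group", group["id"], group.get("displayName", "")))
        return 201, group

    def deactivate_user(self, user_id):
        """Disable first: owned data, licences and log entries stay attributable to the user."""
        user = self.users.get(user_id)
        if user is None:
            raise ScimError(404, "no such user")
        user["active"] = False
        self.audit.append(("deactivate", user_id, user["userName"]))
        return 200, user

    def delete_user(self, user_id):
        """DELETE /Users/{id}: refused while the account is still active (constructed policy)."""
        user = self.users.get(user_id)
        if user is None:
            raise ScimError(404, "no such user")
        if user["active"]:
            raise ScimError(409, "disable the user before deleting it")
        for group in self.groups.values():  # keep pushed groups consistent
            group["members"] = [m for m in group["members"] if m["value"] != user_id]
        del self.users[user_id]
        self.audit.append(("delete", user_id, user["userName"]))
        return 204, None


# The request body from the slides, used here as constructed input.
SLIDE_USER = json.dumps({
    "schemas": [SCIM_CORE_SCHEMA],
    "userName": "bjensen",
    "externalId": "bjensen",
    "name": {"formatted": "Ms. Barbara J Jensen III",
             "familyName": "Jensen", "givenName": "Barbara"},
})


def lifecycle():
    """Provision, accept a pushed group, then deprovision in the safe order; return status codes."""
    svc = ScimService()
    statuses = [svc.create_user(SLIDE_USER)[0]]
    user_id = next(iter(svc.users))
    try:
        svc.create_user(SLIDE_USER)            # duplicate userName is refused
    except ScimError as err:
        statuses.append(err.status)
    group = json.dumps({"schemas": [SCIM_CORE_SCHEMA], "displayName": "Tour Guides",
                        "members": [{"value": user_id}]})
    statuses.append(svc.push_group(group)[0])
    try:
        svc.delete_user(user_id)               # delete before disable is refused
    except ScimError as err:
        statuses.append(err.status)
    statuses.append(svc.deactivate_user(user_id)[0])
    statuses.append(svc.delete_user(user_id)[0])
    members_left = sum(len(g["members"]) for g in svc.groups.values())
    return statuses, [entry[0] for entry in svc.audit], members_left


if __name__ == "__main__":
    print(lifecycle())
```

`lifecycle()` returns the status codes of the calls in order, `[201, 409, 201, 409, 200, 204]`, followed by the audit actions and the number of group memberships left after the delete. The ordering answers the notes' questions about owned data and the audit trail: deactivation keeps the resource (and everything keyed to its id) in place, and deletion only happens once nothing still needs to be attributed to a live account.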
Slide transcript: CSG 2012

    1. RESTRICTED. R: UNDER 17 REQUIRES ACCOMPANYING PARENT OR ADULT GUARDIAN. MAY CONTAIN METAPHORS THAT HAVE BEEN STRETCHED BEYOND THEIR BREAKING POINT. MAY CONTAIN CODE SAMPLES THAT CAUSE DISTRESS TO PROGRAMMERS AND NON-PROGRAMMERS. MAY CONTAIN STATEMENTS THAT UPSET FANS OF WS-*, XML, JAVA, PHYSICAL SERVERS OR THE ENGLISH
    2. IdM in the Cloud
    3. Provisioning (http://www.flickr.com/photos/soldiersmediacenter/4128493336)
    4. Groups (http://www.flickr.com/photos/pineapples101/4557395008)
    5. Deprovisioning (http://www.flickr.com/photos/cpstorm/140115572)
    6. Makes my head hurt!
    7. Provisioning API? Provisioning is essentially the same for each service, so why aren’t the APIs the same?
    8. Internet Identity Workshop. Spring & Fall, Mountain View, CA
    9. It’s Bob’s fault
    10. Common Problem. Small businesses, startups: no problem in the old Windows world, but now manual provisioning to all cloud providers
    11. Improvement. Small businesses, startups: manual provisioning to one provider; the “primary” provider provisions the others; provision users and groups
    12. Simple Cloud Identity Management (http://simplecloud.info/)
    13. IESG hated the name. Participants wanted to work with IETF. Renamed, but retained the acronym. Trying to avoid the Jabber / XMPP mess
    14. System for Cross-Domain Identity Management (http://simplecloud.info/)
    15. Groups: what if cloud providers implement SCIM? “Consume” users; push groups to a campus SCIM endpoint
    16. What is SCIM? SAML binding. RESTful API: create, update, delete users and groups. JSON (& optionally XML). OAuth 2 preferred for authentication
    17. SCIM request:

        POST /Users HTTP/1.1
        Host: example.com
        Content-type: application/json
        Authorization: Bearer h480djs93hd8

        {
          "schemas": ["urn:scim:schemas:core:1.0"],
          "userName": "bjensen",
          "externalId": "bjensen",
          "name": {
            "formatted": "Ms. Barbara J Jensen III",
            "familyName": "Jensen",
            "givenName": "Barbara"
          }
        }

    18. WTF?
    19. Cloud, APIs & Mashups (http://www.flickr.com/photos/cizauskas/1422943356)
    20. APIs. One of the advantages of cloud services. Programmatic data access. Enables mashups and integration across apps. APIs usually unique to the service
    21. API Ecosystem. Major changes over the last few years. REST, JSON, OAuth are the de facto standard. SOAP, WS-* dying out for public APIs
    22. API Growth (http://blog.programmableweb.com/2012/02/06/5000-apis-facebook-google-and-twitter-are-changing-the-web/)
    23. API Value Chain (diagram labels): User, App Store, App, App Developer, World of APIs, API Team, Internal Systems
    24. Application Developers are Kingmakers (same value-chain diagram as slide 23)
    25. #1 Rule for Success: make it easy for developers. Build APIs they can poke at with simple tools. Exploration and documentation
    26. SOAP: Simple Object Access Protocol, but really it’s RPC (CORBA, COM, etc). Tunnels RPC through firewalls w/ HTTP. WS-*, WSDL and expensive tool kits. Uses XML: good for document markup, no native support for data structures
    27. SOAP request (slide annotations: the POST “means update”, the GetStockPrice body “means read”):

        POST /InStock HTTP/1.1
        Host: www.example.org
        Content-Type: application/soap+xml; charset=utf-8
        Content-Length: 299
        SOAPAction: "http://www.w3.org/2003/05/soap-envelope"

        <?xml version="1.0"?>
        <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
          <soap:Header>
          </soap:Header>
          <soap:Body>
            <m:GetStockPrice xmlns:m="http://www.example.org/stock">
              <m:StockName>IBM</m:StockName>
            </m:GetStockPrice>
          </soap:Body>
        </soap:Envelope>

    28. Makes my head hurt!
    29. KISS. REST: using HTTP as it was designed; create, read, update, delete resources. JSON: JavaScript Object Notation; maps directly to programming constructs; easier to process than XML
    30. REST request and response:

        GET /stocks/IBM?currency=USD HTTP/1.1
        Host: www.example.org
        Accept: text/plain

        HTTP/1.1 200 OK
        Content-type: text/plain

        194.29

    31. REST request and response:

        GET /historicalPrices/1.0/?stock=AAPL&api_key=... HTTP/1.1
        Host: api.stocklytics.com

        HTTP/1.1 200 OK
        Content-Type: text/csv

        date,open,close,high,low,volume
        2012-06-12,574.4600,576.1600,576.6200,566.7000,15549300
        2012-06-11,587.7200,571.1700,588.5000,570.6300,21094900
        2012-06-08,571.6000,580.3200,580.5800,569.0000,12395100
        2012-06-07,577.2900,571.7200,577.3200,570.5000,13563100

    32. Why do APIs matter? We have large volumes of data on campus. Cloud is not a one-way street. Sometimes cloud apps will need to pull from campus APIs. We need easy-to-use APIs
    33. Authentorization. How do those cloud apps authenticate and get authorized to access our users’ data?
    34. Not like this
    35. OAuth 2.0: “the valet key for the web”. Simplified version of OAuth 1.0: cryptography is no longer mandatory, relies more on HTTPS. Easier for developers
    36. You’re probably using it already. Do you use 3rd party apps with Facebook, Twitter or Google Apps?
    37. OAuth Revocation
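Slides 33 to 37 ask how a cloud app authenticates and gets authorized against a campus API, and end on revocation. The following is an added example, not code from the talk or from any OAuth library: a resource-server check for an OAuth 2.0 bearer token that enforces the properties the slides point at. Because OAuth 2.0 drops the mandatory request signing of 1.0, the token string is the whole credential, so the check refuses it over plain HTTP; and because the string itself cannot express revocation, the API has to consult the issuer's record (here an in-memory `TokenRegistry`, a constructed stand-in for the authorization server) on every request. The request shape, the scope names and the status codes are assumptions.

```python
import secrets
import time


class TokenRegistry:
    """Constructed stand-in for what an authorization server knows about issued tokens."""

    def __init__(self):
        self._tokens = {}  # opaque value -> {"client", "scopes", "expires_at", "revoked"}

    def issue(self, client, scopes, ttl=3600, now=None):
        now = time.time() if now is None else now
        value = secrets.token_urlsafe(24)  # opaque: nothing for the API to decode or verify locally
        self._tokens[value] = {"client": client, "scopes": frozenset(scopes),
                               "expires_at": now + ttl, "revoked": False}
        return value

    def revoke(self, value):
        """Revocation is a server-side fact; the token string itself does not change."""
        if value in self._tokens:
            self._tokens[value]["revoked"] = True
            return True
        return False

    def lookup(self, value):
        return self._tokens.get(value)


def authorize_request(registry, request, required_scope, now=None):
    """Decide whether a campus API should serve `request`.

    `request` is a dict of constructed shape with "scheme", "path" and "headers".
    Returns (status, reason); 200 means the request may proceed.
    """
    now = time.time() if now is None else now
    # A bearer token is usable by anyone who sees it, so it must never travel in the clear.
    if request.get("scheme") != "https":
        return 400, "bearer tokens are only accepted over HTTPS"
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return 401, "missing bearer token"
    token = registry.lookup(value.strip())
    if token is None:
        return 401, "unknown token"
    if token["revoked"]:
        return 401, "token revoked"
    if token["expires_at"] <= now:
        return 401, "token expired"
    if required_scope not in token["scopes"]:
        return 403, "insufficient scope"
    return 200, "ok as " + token["client"]


def walkthrough():
    """Issue a token to a cloud app, then show each way the campus API refuses it."""
    registry = TokenRegistry()
    t0 = 1_000_000.0                                   # fixed clock for a repeatable run
    token = registry.issue("cloud-app-42", ["users:read"], ttl=600, now=t0)
    ok = {"scheme": "https", "path": "/Users", "headers": {"Authorization": "Bearer " + token}}
    results = [
        authorize_request(registry, ok, "users:read", now=t0)[0],                   # served
        authorize_request(registry, dict(ok, scheme="http"), "users:read", now=t0)[0],  # plaintext
        authorize_request(registry, ok, "users:write", now=t0)[0],                  # wrong scope
        authorize_request(registry, dict(ok, headers={}), "users:read", now=t0)[0], # no token
        authorize_request(registry, ok, "users:read", now=t0 + 601)[0],             # expired
    ]
    registry.revoke(token)                             # slide 37: revocation
    results.append(authorize_request(registry, ok, "users:read", now=t0)[0])
    return results


if __name__ == "__main__":
    print(walkthrough())  # [200, 400, 403, 401, 401, 401]
```

The order of the checks matters for what the API leaks: transport is checked before the token is even read, and an unknown, revoked and expired token all get the same 401, so a caller cannot use the API to learn which tokens were once valid. The scope check is last and is the only 403, because it is the one case where the caller is authenticated but not authorized.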
