RESTRICTED
R  UNDER 17 REQUIRES ACCOMPANYING PARENT OR ADULT GUARDIAN
MAY CONTAIN METAPHORS THAT HAVE BEEN STRETCHED BEYOND THEIR BREAKING POINT
MAY CONTAIN CODE SAMPLES THAT CAUSE DISTRESS TO PROGRAMMERS AND NON-PROGRAMMERS
MAY CONTAIN STATEMENTS THAT UPSET FANS OF WS-*, XML, JAVA, PHYSICAL SERVERS OR THE ENGLISH
IdM in the Cloud
Provisioning




http://www.flickr.com/photos/soldiersmediacenter/4128493336
Groups




http://www.flickr.com/photos/pineapples101/4557395008
Deprovisioning
http://www.flickr.com/photos/cpstorm/140115572
Makes my head hurt!
Provisioning API?

Provisioning is essentially the same for each service
so why aren’t the APIs the same?
Internet Identity Workshop
Spring & Fall
Mountain View, CA
It’s Bob’s fault
Common Problem
Small businesses
Startups
 No problem in old Windows world
 But now manual provisioning to all
 cloud providers
Improvement
Small businesses
Startups
 Manual provisioning to one provider
 “Primary” provider provisions others
   Provision users and groups
Simple Cloud Identity Management
http://simplecloud.info/
IESG hated the name
 Participants wanted to work with IETF
 Renamed, but retained acronym


 Trying to avoid Jabber / XMPP mess
System for Cross-Domain Identity Management
http://simplecloud.info/
Groups

what if cloud providers implement SCIM?
 “consume” users
 push groups to campus SCIM endpoint
What is SCIM?
SAML binding
RESTful API
 Create, Update, Delete Users, Groups
 JSON (& optionally XML)
 OAuth 2 preferred for authentication
POST /Users HTTP/1.1
Host: example.com
Content-type: application/json
Authorization: Bearer h480djs93hd8

{
    "schemas":["urn:scim:schemas:core:1.0"],
    "userName":"bjensen",
    "externalId":"bjensen",
    "name":{
      "formatted":"Ms. Barbara J Jensen III",
      "familyName":"Jensen",
      "givenName":"Barbara"
    }
}
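A worked SCIM exchange, as an added example that is not from the deck or the SCIM project: a mock provider endpoint that insists on an OAuth 2 bearer token and on the core schema before it creates a User (the "OAuth 2 preferred for authentication" and "Authentorization" points), plus the client side that provisions bjensen the way the POST /Users slide does. The token value, the in-memory user store and the error shape are assumptions.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed values (assumptions, not from the deck): the one token this endpoint accepts.
VALID_TOKEN = "constructed-bearer-token"
SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.0 core schema URN, as in the deck's example
USERS = {}  # id -> User resource; stands in for the provider's user store
def scim_error(code, text):
    return {"Errors": [{"description": text, "code": str(code)}]}
class ScimHandler(BaseHTTPRequestHandler):
    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def do_POST(self):
        # OAuth 2 bearer check comes first: an unauthenticated caller gets nothing else
        if self.headers.get("Authorization") != "Bearer " + VALID_TOKEN:
            return self._reply(401, scim_error(401, "missing or invalid bearer token"))
        if self.path != "/Users":
            return self._reply(404, scim_error(404, "unknown resource"))
        user = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        if SCIM_CORE not in user.get("schemas", []) or not user.get("userName"):
            return self._reply(400, scim_error(400, "schemas and userName are required"))
        user["id"] = str(len(USERS) + 1)  # the provider assigns the SCIM id
        USERS[user["id"]] = user
        self._reply(201, user)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ScimHandler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://%s:%d" % srv.server_address

def provision_user(base_url, token, user_name):
    # POST a SCIM 1.0 core User; returns (HTTP status, parsed JSON body)
    body = {"schemas": [SCIM_CORE], "userName": user_name, "externalId": user_name}
    req = Request(base_url + "/Users", data=json.dumps(body).encode(), method="POST",
                  headers={"Content-Type": "application/json", "Authorization": "Bearer " + token})
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())
```

Run `start_server()` and then `provision_user(base, VALID_TOKEN, "bjensen")` to see the 201 with the assigned id; a wrong token gets a 401 and no user is created.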
WTF?
Cloud, APIs & Mashups

http://www.flickr.com/photos/cizauskas/1422943356
APIs
One of the advantages of cloud services
Programmatic data access
Enables mashups and integration across apps
APIs usually unique to service
API Ecosystem

Major changes over last few years
REST, JSON, OAuth de facto standard
SOAP, WS-* dying out for public APIs
API Growth




http://blog.programmableweb.com/2012/02/06/5000-apis-facebook-google-and-twitter-are-changing-the-web/
API Value Chain




App User → App Store → App → App Developer → World of APIs → API → API Team → Internal Systems
Application Developers are Kingmakers




App User → App Store → App → App Developer → World of APIs → API → API Team → Internal Systems
#1 Rule for Success

Make it easy for developers
Build APIs they can poke at with simple tools
Exploration and documentation
SOAP
Simple Object Access Protocol
but really it’s RPC (CORBA, COM, etc)
tunnels RPC through firewalls w/HTTP
WS-*, WSDL and expensive tool kits
uses XML
 good for document markup
 no native support for data structures
POST /InStock HTTP/1.1                                   <-- this means "update"
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 299
SOAPAction: "http://www.w3.org/2003/05/soap-envelope"

<?xml version="1.0"?>
<soap:Envelope
    xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
  </soap:Header>
  <soap:Body>
    <m:GetStockPrice xmlns:m="http://www.example.org/stock">   <-- this means "read"
      <m:StockName>IBM</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>
Makes my head hurt!
KISS
REST: using HTTP as it was designed
 Create, Read, Update, Delete resources
JSON: JavaScript Object Notation
 maps directly to programming constructs
 easier to process than XML
GET /stocks/IBM?currency=USD HTTP/1.1
Host: www.example.org
Accept: text/plain


HTTP/1.1 200 OK
Content-type: text/plain

194.29
GET /historicalPrices/1.0/?stock=AAPL&api_key=... HTTP/1.1
Host: api.stocklytics.com



HTTP/1.1 200 OK
Content-Type: text/csv

date,open,close,high,low,volume
2012-06-12,574.4600,576.1600,576.6200,566.7000,15549300
2012-06-11,587.7200,571.1700,588.5000,570.6300,21094900
2012-06-08,571.6000,580.3200,580.5800,569.0000,12395100
2012-06-07,577.2900,571.7200,577.3200,570.5000,13563100
Why do APIs matter?
We have large volumes of data on campus
Cloud is not a one-way street
Sometimes cloud apps will need to pull from campus APIs
We need easy-to-use APIs
Authentorization

How do those cloud apps authenticate and get authorized to access our users’ data?
Not like this
OAuth 2.0
“the valet key for the web”
simplified version of OAuth 1.0
 cryptography is no longer mandatory
 relies more on HTTPS
easier for developers
You’re probably using it already

Do you use 3rd party apps with Facebook, Twitter or Google Apps?
OAuth Revocation

CSG 2012


Editor's Notes

  • #4
    NIST defines 3 service models
    How you actually use the cloud
  • #5
    No IdM: just a recommendation for a service, or a discount
    Manual IdM: someone creates each user
    Self-sign-up: usually using email verification (old Google Team Edition)
    Bulk load: CSV file of users
    API: “unique” API to create users
    Create on first login: use SAML assertion or OpenID + AX to create user
    No API or Attribute standards... yet
  • #6
    Does the app support groups?
    Does it have a group API?
    Can you disable the app's group management?
    Can you sync groups back?
  • #7
    disable or delete or disable then delete
    did the user own data?
    how is that data handled?
    how is audit trail affected if user is deleted?
    how is licensing affected if user is deleted?
  • #12
    What if...
    you had a “primary” provider?
    and that provider could provision accounts with other providers?
  • #13
    Enterprise IT...
    We already have IdM
    Simpler integration with new providers
  • #28
    Tool vendors saw SOAP & SOA & WS as a huge opportunity
    Developers saw SOAP as a way to get RPC through the firewall
    “the two port internet”
  • #31
    remember, URL means “Uniform Resource Locator”
  • #34
    If our APIs are not easy to use, people will work around them