CIS14: Using IDaaS to Enable IAM for Multiple Web-based and Mobile B2B and B2C Applications
0 likes740 views
The document discusses the implementation of Identity as a Service (IDaaS) for Identity and Access Management (IAM) in Live Nation's ticketing system. It highlights the shift from a fragmented legacy system to a unified approach that enhances business agility and reduces operational costs while addressing the unique needs of both B2B and B2C clients. Key solutions include the Identity Bridge Service, which integrates multiple identity providers and supports various client capabilities and deployment strategies.
CIS14: Using IDaaS to Enable IAM for Multiple Web-based and Mobile B2B and B2C Applications
- 1. Using IDaaS to Enable IAM for Applications JULY 22, 2014
- 2. 2 Introduction – Ken Riggio • VP, Software Development - Ticketing • B2B Identity and Access Management • B2C Identity and Access Management • Consolidated System of Inventory and Catalog Management • Integration • Music Enthusiast m/ • Dungeon Master! • Computer Nerd • NOT an Identity Management Expert
- 3. 3 Introduction – Live Nation Entertainment • Business Segments • Concerts • Venue Owner (House of Blues, Verizon Amphitheater, …) • Venue Operator • Promoters • Festival Operator • Artist Nation • Artist Management • Sponsorships & Advertising • Ticketing ($1.4 Billion in Revenue, 21.7% of total)
- 4. 4 Introduction – Ticketing • Clients (thousands of clients, tens of thousands of users) • Arenas, Stadiums, Amphitheaters, Music Clubs, Concert Promoters, Professional Sport Franchises and Leagues, College Sports Teams, Performing Arts Venues, Museums, Theaters • Sales Channels (hundreds of millions of users) • Web Sites – Ticketmaster, Livenation, TicketWeb, TicketsNow, Get Me In!, TicketExchange, … (71%) • Mobile Apps (14%) • Ticket Outlets – Venue Box Offices, Walmart, Retail Kiosks, … (10%) • Telephone (5%)
- 5. 5 Business Objectives – Re-Architecture • The Old • 17+ different systems that do the same thing… • Old technology (i.e. Assembly Programs running on VAX emulator) • Monolithic Applications • Long Delivery Cycles • The New • Consolidated and Unified Experience • Primarily Java & JavaScript (Node.js) • SOA 2.0 and EDA • Continuous Integration and Continuous Delivery
- 6. 6 Business Objectives – Core Principles • Increase Business Agility • More features, faster. • React quickly to new business opportunities. • Adopt new technologies as the become available. • Technology should enable, not constrain. • Reduce Operational Expenses • Focus head count on building the future, not supporting the past.
- 7. 7 Requirements – Identity and Access Management • B2B • Multiple Tenants (Clients) • Authentication • Authorization • Access to various applications • Web Applications • Mobile Applications • Scanners (Devices) • Roles • Entitlements • User Management (Delegated Administration)
- 8. 8 Requirements – Identity and Access Management • B2C • Multiple Tenants (Channels with Different User Bases) • Authentication • Authorization • Access to Premium Services • Fraud Flags and Restrictions • Bot Mitigation • User Self Service
- 9. 9 Challenges – Identity and Access Management • B2B • Data Firewall • Clients • Internal Live Nation Segments (Ticketing v. Concerts) • Cross Tenant Entitlements • Tenant A wants to enable Tenant B to be a Promoter for Tenant A’s events. • B2C • Performance (Burst Traffic!!!) • Both • Legacy… Integration, Migration…. Dealing with the past in general!
- 10. 10 Solution – Identity Bridge Service • Don’t Try To Read the Diagram! ;) • API that abstracts and integrates with multiple identity providers. • A common API • Really wish I knew about SCIM when we started this project.
- 11. 11 Solution – Identity Bridge Service • Ignore the Fine Print, I will walk you through it. • Multiple Consuming Applications • Common Interface (IBS) • Routed to 1 or more Identity Providers based on phase of integration and migration • Bridge provider facilitates lazy migration. • Strangler Pattern
- 12. 12 Solution – Bring it to the Cloud • Identity Bridge Service API (IBS) • Authentication • Authorization • User Management • Tenant Provisioning • Session Management • IBS Eats Its Own Dog Food • Access to the API is controlled using its own authentication and authorization services. • Web-based User Interface (also protected using IBS)
- 13. 13 Solution – Bring it to the Cloud IBS VERIZON AMP HOB FILLMORE
- 14. 14 Integration – Varying Client Capabilities • Small Clients • Few Employees • Little or No Technical Abilities • Limited Resources • Big Clients • Thousands of Employees • Strong Technical Team, Potentially Have Their Own Development Teams • Have Their Own Internal Identity Solutions
- 15. 15 Integration – Client Needs • However, They Both Have Same Core Needs • User Provisioning • User Management • Authentication • Authorization • Why? • Create and Manage Events, Products, Merchandising, Pricing • Reporting • Marketing • Sales • Access Control (umm..Ticket Scanning)
- 16. 16 Integration – Client Implementation Options • Small Clients • Use Our Web-Based “Permissioning” UI • Use Our Applications and Scanners • Big Clients • Multiple Options • They Can Use Ours and do the “swivel chair” • They Can Use Our “Services” integrating with their own UI • Their Local Identity Solution can Provision Users through IBS to leverage the Ticketing application platform.
- 17. 17 Integration – Our Web-Based “Permissioning” UI
- 18. 18 Integration – Our Web-Based “Permissioning” UI
- 19. 19 Integration – A Quick Digression into Mobile • Issues Exist on Desktop but Mobile has Made it Worse • Lots of reverse engineering, de-compiling, and data extraction • Certificates, API Keys, Long Running Access Tokens, etc. have been farmed and used by bots. • Audits and Logs show “same device application” calling us thousands of times per minute trying to get access to tickets • Privacy Laws have pushed us to use device application ids, instead of actually device information as part of authentication (smaller fingerprint L). • Most companies would love the fact that people are creating automated ways of buying their stuff… For us, it’s a nightmare.
- 20. 20 Integration – A Quick Digression into Mobile • Mitigation Strategies • Session-based • No more than one concurrent session • A given token cannot be used more than once. Each response returns a new session token. • Alerts • Speed bumps • Off switch :P
- 21. 21 Deployment– B2B vs B2C • Ultimately, There is No Functional Difference • We have different scaling issues though • B2B has Constant Moderate Usage • B2C has Period Burst Usage • Options • Scale solution to handle both concurrently • Provide two physical deployments, one service B2B, the other B2C. • We chose the later.