CIS14: Using IDaaS to Enable IAM for Multiple Web-based and Mobile B2B and B2C Applications

Using IDaaS to Enable IAM for Applications JULY 22, 2014

Ken Riggio, Live Nation Entertainment Discussion of Live Nation Entertainment’s approach to IDaaS, governance, delegated administration, migration strategies, and the multiple authentication strategies required for its web-based and mobile B2B and B2C applications

Transcript of CIS14: Using IDaaS to Enable IAM for Multiple Web-based and Mobile B2B and B2C Applications

Page 1

Using IDaaS to Enable IAM for Applications JULY 22, 2014

Page 2

Introduction – Ken Riggio

•  VP, Software Development - Ticketing
  •  B2B Identity and Access Management
  •  B2C Identity and Access Management
  •  Consolidated System of Inventory and Catalog Management
  •  Integration
•  Music Enthusiast \m/
•  Dungeon Master!
•  Computer Nerd
•  NOT an Identity Management Expert

Page 3

Introduction – Live Nation Entertainment

•  Business Segments
  •  Concerts
    •  Venue Owner (House of Blues, Verizon Amphitheater, …)
    •  Venue Operator
    •  Promoters
    •  Festival Operator
  •  Artist Nation
    •  Artist Management
  •  Sponsorships & Advertising
  •  Ticketing ($1.4 Billion in Revenue, 21.7% of total)

Page 4

Introduction – Ticketing

•  Clients (thousands of clients, tens of thousands of users)
  •  Arenas, Stadiums, Amphitheaters, Music Clubs, Concert Promoters, Professional Sport Franchises and Leagues, College Sports Teams, Performing Arts Venues, Museums, Theaters
•  Sales Channels (hundreds of millions of users)
  •  Web Sites – Ticketmaster, Livenation, TicketWeb, TicketsNow, Get Me In!, TicketExchange, … (71%)
  •  Mobile Apps (14%)
  •  Ticket Outlets – Venue Box Offices, Walmart, Retail Kiosks, … (10%)
  •  Telephone (5%)

Page 5

Business Objectives – Re-Architecture

•  The Old
  •  17+ different systems that do the same thing…
  •  Old technology (e.g. Assembly Programs running on a VAX emulator)
  •  Monolithic Applications
  •  Long Delivery Cycles
•  The New
  •  Consolidated and Unified Experience
  •  Primarily Java & JavaScript (Node.js)
  •  SOA 2.0 and EDA
  •  Continuous Integration and Continuous Delivery

Page 6

Business Objectives – Core Principles

•  Increase Business Agility
  •  More features, faster.
  •  React quickly to new business opportunities.
  •  Adopt new technologies as they become available.
  •  Technology should enable, not constrain.
•  Reduce Operational Expenses
  •  Focus head count on building the future, not supporting the past.

Page 7

Requirements – Identity and Access Management

•  B2B
  •  Multiple Tenants (Clients)
  •  Authentication
  •  Authorization
    •  Access to various applications
      •  Web Applications
      •  Mobile Applications
      •  Scanners (Devices)
    •  Roles
    •  Entitlements
  •  User Management (Delegated Administration)

Page 8

Requirements – Identity and Access Management

•  B2C
  •  Multiple Tenants (Channels with Different User Bases)
  •  Authentication
  •  Authorization
    •  Access to Premium Services
    •  Fraud Flags and Restrictions
    •  Bot Mitigation
  •  User Self Service

Page 9

Challenges – Identity and Access Management

•  B2B
  •  Data Firewall
    •  Clients
    •  Internal Live Nation Segments (Ticketing v. Concerts)
  •  Cross Tenant Entitlements
    •  Tenant A wants to enable Tenant B to be a Promoter for Tenant A’s events.
•  B2C
  •  Performance (Burst Traffic!!!)
•  Both
  •  Legacy… Integration, Migration…. Dealing with the past in general!
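The "data firewall" and the cross-tenant promoter case above are two sides of one authorization rule: tenants (clients, and internal segments such as Ticketing and Concerts) are isolated by default, and the only way across the boundary is an explicit, event-scoped grant issued by the owning tenant. The following is an added example written for this transcript, not Live Nation's IBS code; the `EntitlementStore`, `CrossTenantGrant`, tenant names and event ids are constructed. It also shows how delegated administration fits: Tenant A grants the promoter role to Tenant B as an organisation, and B's own admins decide which of B's users actually hold that role.

```python
from dataclasses import dataclass, field

# Hypothetical entitlement model (added example, not Live Nation's IBS code).
# Tenants are isolated by default (the "data firewall"); access across the
# boundary exists only through an explicit, event-scoped grant from the owning
# tenant, and the grantee tenant's delegated admins decide which of their
# users carry the granted role.


@dataclass(frozen=True)
class CrossTenantGrant:
    grantor: str            # tenant that owns the events
    grantee: str            # tenant whose users may act on them
    role: str               # e.g. "promoter"
    event_ids: frozenset    # explicit scope: only these events, never "all"


@dataclass
class EntitlementStore:
    # (tenant, user) -> set of roles assigned within the user's home tenant
    user_roles: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)

    def assign_role(self, tenant: str, user: str, role: str) -> None:
        # Done by the tenant's own delegated administrator.
        self.user_roles.setdefault((tenant, user), set()).add(role)

    def add_grant(self, grant: CrossTenantGrant) -> None:
        # Done by the owning (grantor) tenant.
        self.grants.append(grant)

    def revoke_grant(self, grantor: str, grantee: str, role: str) -> int:
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.grantor == grantor and g.grantee == grantee and g.role == role)]
        return before - len(self.grants)

    def authorize(self, tenant: str, user: str, role: str,
                  owner_tenant: str, event_id: str) -> tuple:
        """Return (allowed, reason); the reason is what you write to the audit log."""
        if role not in self.user_roles.get((tenant, user), set()):
            return False, "user does not hold role in home tenant"
        if tenant == owner_tenant:
            return True, "same-tenant access"
        for g in self.grants:
            if (g.grantor == owner_tenant and g.grantee == tenant
                    and g.role == role and event_id in g.event_ids):
                return True, "cross-tenant grant"
        return False, "data firewall: no grant from owner tenant"


def build_sample_store() -> EntitlementStore:
    # Constructed sample data: tenant A (a venue) lets tenant B (a promoter
    # company) promote two of A's events. Tenant C holds no grant at all.
    store = EntitlementStore()
    store.assign_role("tenant-a", "alice", "promoter")
    store.assign_role("tenant-b", "bob", "promoter")
    store.assign_role("tenant-b", "carol", "reporting")
    store.assign_role("tenant-c", "dave", "promoter")
    store.add_grant(CrossTenantGrant("tenant-a", "tenant-b", "promoter",
                                     frozenset({"evt-1", "evt-2"})))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for args in [("tenant-a", "alice", "promoter", "tenant-a", "evt-1"),
                 ("tenant-b", "bob", "promoter", "tenant-a", "evt-1"),
                 ("tenant-b", "bob", "promoter", "tenant-a", "evt-9"),
                 ("tenant-b", "carol", "promoter", "tenant-a", "evt-1"),
                 ("tenant-c", "dave", "promoter", "tenant-a", "evt-1")]:
        print(args, "->", s.authorize(*args))
```

The two checks are deliberately independent: a user with no promoter role in their own tenant is refused before any grant is consulted, and a grant never names individual users, so Tenant A cannot reach into Tenant B's user base and Tenant B cannot widen the event scope. Returning a reason string with every decision gives the audit trail something better than a bare allow/deny.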

Page 10

Solution – Identity Bridge Service

•  Don’t Try To Read the Diagram! ;)
•  API that abstracts and integrates with multiple identity providers.
  •  A common API
•  Really wish I knew about SCIM when we started this project.

Page 11

Solution – Identity Bridge Service

•  Ignore the Fine Print, I will walk you through it.
•  Multiple Consuming Applications
•  Common Interface (IBS)
•  Routed to 1 or more Identity Providers based on phase of integration and migration
  •  Bridge provider facilitates lazy migration.
  •  Strangler Pattern
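The routing and lazy-migration idea on this slide is easiest to see in code. What follows is an added example written for this transcript, not the IBS implementation: `IdentityBridge`, `InMemoryProvider`, the three phase names and the tenant "venue-1" are all constructed. Each tenant is in one of three phases. In `legacy` the bridge only talks to the old store; in `migrating` it asks the new provider first and falls back to the legacy store only for users the new provider has never seen, copying a user across on the first successful legacy login (the only moment the plaintext credential is available to re-hash it under the new provider); in `migrated` the legacy store is never consulted again, which is the strangler pattern completing for that tenant.

```python
import hashlib
import hmac
import os

# Hypothetical Identity Bridge (added example, not Live Nation's IBS). Two
# providers sit behind one authenticate() call; a per-tenant migration phase
# decides where a login is routed, and a successful legacy login during the
# "migrating" phase copies the user into the new provider (lazy migration).

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class InMemoryProvider:
    """Stand-in for one identity provider (constructed for the example)."""

    def __init__(self, name: str):
        self.name = name
        self._users = {}  # (tenant, username) -> (salt, digest)

    def create_user(self, tenant: str, username: str, password: str) -> None:
        self._users[(tenant, username)] = _hash_password(password)

    def has_user(self, tenant: str, username: str) -> bool:
        return (tenant, username) in self._users

    def authenticate(self, tenant: str, username: str, password: str) -> bool:
        record = self._users.get((tenant, username))
        if record is None:
            # Do the same work for unknown users so timing does not reveal them.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, digest = record
        _, candidate = _hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)


class IdentityBridge:
    PHASES = ("legacy", "migrating", "migrated")

    def __init__(self, legacy: InMemoryProvider, modern: InMemoryProvider):
        self.legacy = legacy
        self.modern = modern
        self.tenant_phase = {}   # tenant -> phase; unknown tenants default to "legacy"
        self.audit = []          # one routing decision per login, for logging/alerting

    def set_phase(self, tenant: str, phase: str) -> None:
        if phase not in self.PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        self.tenant_phase[tenant] = phase

    def authenticate(self, tenant: str, username: str, password: str) -> bool:
        phase = self.tenant_phase.get(tenant, "legacy")
        if phase == "legacy":
            return self._route(self.legacy, tenant, username, password)
        if phase == "migrated":
            # Legacy is fully strangled for this tenant: never consulted again.
            return self._route(self.modern, tenant, username, password)
        # migrating: prefer the new provider; fall back to legacy only for users
        # it does not know yet, and copy them over on a successful login.
        if self.modern.has_user(tenant, username):
            return self._route(self.modern, tenant, username, password)
        ok = self.legacy.authenticate(tenant, username, password)
        if ok:
            self.modern.create_user(tenant, username, password)
        self.audit.append({"tenant": tenant, "user": username,
                           "provider": self.legacy.name, "ok": ok, "migrated": ok})
        return ok

    def _route(self, provider, tenant, username, password) -> bool:
        ok = provider.authenticate(tenant, username, password)
        self.audit.append({"tenant": tenant, "user": username,
                           "provider": provider.name, "ok": ok, "migrated": False})
        return ok


def demo():
    """Build a constructed tenant mid-migration with one user still only in legacy."""
    legacy = InMemoryProvider("legacy-store")
    modern = InMemoryProvider("idaas")
    legacy.create_user("venue-1", "alice", "correct horse battery staple")  # constructed sample user
    bridge = IdentityBridge(legacy, modern)
    bridge.set_phase("venue-1", "migrating")
    return bridge, legacy, modern


if __name__ == "__main__":
    bridge, _, modern = demo()
    print(bridge.authenticate("venue-1", "alice", "correct horse battery staple"))
    print("copied to new provider:", modern.has_user("venue-1", "alice"))
    for entry in bridge.audit:
        print(entry)
```

A failed legacy login never migrates anything, so an attacker guessing passwords against the bridge gains no way to plant accounts in the new provider, and the `migrated` flag in the audit record lets you measure how far a tenant's migration has progressed before flipping its phase.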

Page 12

Solution – Bring it to the Cloud

•  Identity Bridge Service API (IBS)
  •  Authentication
  •  Authorization
  •  User Management
  •  Tenant Provisioning
  •  Session Management
•  IBS Eats Its Own Dog Food
  •  Access to the API is controlled using its own authentication and authorization services.
  •  Web-based User Interface (also protected using IBS)

Page 13

Solution – Bring it to the Cloud

(Diagram: IBS in the cloud serving the venue tenants labelled VERIZON AMP, HOB and FILLMORE.)

Page 14

Integration – Varying Client Capabilities

•  Small Clients
  •  Few Employees
  •  Little or No Technical Abilities
  •  Limited Resources
•  Big Clients
  •  Thousands of Employees
  •  Strong Technical Team, Potentially Have Their Own Development Teams
  •  Have Their Own Internal Identity Solutions

Page 15

Integration – Client Needs

•  However, They Both Have the Same Core Needs
  •  User Provisioning
  •  User Management
  •  Authentication
  •  Authorization
•  Why?
  •  Create and Manage Events, Products, Merchandising, Pricing
  •  Reporting
  •  Marketing
  •  Sales
  •  Access Control (umm..Ticket Scanning)

Page 16

Integration – Client Implementation Options

•  Small Clients
  •  Use Our Web-Based “Permissioning” UI
  •  Use Our Applications and Scanners
•  Big Clients
  •  Multiple Options
    •  They Can Use Ours and do the “swivel chair”
    •  They Can Use Our “Services”, integrating with their own UI
    •  Their Local Identity Solution can Provision Users through IBS to leverage the Ticketing application platform.

Page 17

Integration – Our Web-Based “Permissioning” UI

Page 18

Integration – Our Web-Based “Permissioning” UI

Page 19

Integration – A Quick Digression into Mobile

•  Issues Exist on Desktop but Mobile has Made it Worse
  •  Lots of reverse engineering, de-compiling, and data extraction
  •  Certificates, API Keys, Long Running Access Tokens, etc. have been farmed and used by bots.
  •  Audits and Logs show the “same device application” calling us thousands of times per minute trying to get access to tickets
  •  Privacy Laws have pushed us to use device application ids, instead of actual device information, as part of authentication (smaller fingerprint :( ).
•  Most companies would love the fact that people are creating automated ways of buying their stuff… For us, it’s a nightmare.

Page 20

Integration – A Quick Digression into Mobile

•  Mitigation Strategies
  •  Session-based
    •  No more than one concurrent session
    •  A given token cannot be used more than once. Each response returns a new session token.
  •  Alerts
  •  Speed bumps
  •  Off switch :P
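The mitigations on this slide fit in one small session layer, so here is an added example written for this transcript (not IBS code; `SessionManager`, its thresholds and the device id "app-dev-1" are constructed). Every response hands back a fresh single-use token; presenting a token a second time, which is what a farmed or replayed credential looks like, revokes the whole session and raises an alert rather than just failing the call. A new session for the same device application id evicts the previous one, a per-session request budget turns into a growing delay (the speed bump) instead of a hard refusal, and a single flag is the off switch.

```python
import hmac
import secrets
import time

# Hypothetical session layer for a mobile client (added example, not Live
# Nation's IBS code). It implements the slide's mitigations: one concurrent
# session per device application id, single-use tokens rotated on every
# response, revocation plus an alert when a token is replayed, a rate-based
# "speed bump", and a global off switch.


class SessionError(Exception):
    pass


class SessionManager:
    def __init__(self, max_requests_per_window=60, window_seconds=60, clock=time.time):
        self.max_requests = max_requests_per_window
        self.window = window_seconds
        self.clock = clock           # injectable so the behaviour can be tested without sleeping
        self.enabled = True          # the off switch
        self.sessions = {}           # session_id -> state dict
        self.by_device = {}          # device_app_id -> session_id
        self.alerts = []             # what you would ship to monitoring

    def start_session(self, device_app_id: str):
        if not self.enabled:
            raise SessionError("service disabled")
        # No more than one concurrent session: a new login evicts the old one.
        old = self.by_device.pop(device_app_id, None)
        if old is not None:
            self.sessions.pop(old, None)
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = {"device": device_app_id, "token": token,
                              "count": 0, "window_start": self.clock()}
        self.by_device[device_app_id] = sid
        return sid, token

    def handle_request(self, session_id: str, token: str):
        """Validate one API call; return (next_token, delay_seconds)."""
        if not self.enabled:
            raise SessionError("service disabled")
        state = self.sessions.get(session_id)
        if state is None:
            raise SessionError("unknown or revoked session")
        if not hmac.compare_digest(token, state["token"]):
            # A token presented twice is a replay or a farmed copy: revoke the
            # whole session and alert, instead of silently rejecting one call.
            self._revoke(session_id, "token reuse")
            raise SessionError("token rejected; session revoked")
        now = self.clock()
        if now - state["window_start"] >= self.window:
            state["count"], state["window_start"] = 0, now
        state["count"] += 1
        delay = 0
        if state["count"] > self.max_requests:
            # Speed bump: keep serving, but make each extra call wait longer.
            delay = state["count"] - self.max_requests
            self.alerts.append({"session": session_id, "device": state["device"],
                                "reason": "rate exceeded", "count": state["count"]})
        state["token"] = secrets.token_urlsafe(32)   # each response carries a fresh token
        return state["token"], delay

    def _revoke(self, session_id: str, reason: str) -> None:
        state = self.sessions.pop(session_id)
        self.by_device.pop(state["device"], None)
        self.alerts.append({"session": session_id, "device": state["device"], "reason": reason})


if __name__ == "__main__":
    sm = SessionManager(max_requests_per_window=3)
    sid, tok = sm.start_session("app-dev-1")          # constructed device application id
    tok, _ = sm.handle_request(sid, tok)
    try:
        sm.handle_request(sid, tok)                   # legitimate: current token
        sm.handle_request(sid, tok)                   # replay of the now-consumed token
    except SessionError as exc:
        print("rejected:", exc)
    print("alerts:", sm.alerts)
```

The important design point is that the server never compares tokens with `==`; `hmac.compare_digest` keeps the comparison constant-time. The speed bump returns a delay for the caller to honour (or for a gateway to enforce) rather than sleeping inside the request handler, which would tie up a worker for exactly the traffic you are trying to shed.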

Page 21

Deployment – B2B vs B2C

•  Ultimately, There is No Functional Difference
  •  We have different scaling issues though
    •  B2B has Constant Moderate Usage
    •  B2C has Periodic Burst Usage
•  Options
  •  Scale one solution to handle both concurrently
  •  Provide two physical deployments, one serving B2B, the other B2C.
•  We chose the latter.