Tuesday, May 22, 2018

What API is not about and about?

My team has been covering a potential customer for a while with regard to an API Gateway deployment. POC done. Presentation done. Then a competitor came in to disrupt ... it's common. Singapore is a saturated market. There is a finite number of customers to chase after. If customers don't come to you and you hear that they are looking at a product from your competitor, you quickly go in to disrupt the market.

If you are the product principal and you have the time and energy and you have a willing partner, then you will do this sort of thing. I'm someone that is not too keen to do this. The pie is always big enough for everyone, that's my view. If you go in to disrupt the market, you're usually going into a price war. It's not about product superiority anymore. More importantly, the quality of the consultants is not considered.

This is a vicious cycle. Nothing good will come out of it. Customers think they are getting a good deal. I say they are mostly blind. Partners/Vendors are not stupid either. If a partner bids with a superbly low price, you think the partner will give you his best consultants? You pay peanuts, you get monkeys. As simple as that. 


Anyway, I went in to make my last presentation. I only showed 2 slides. 



API is really not about Secure File Transfer, Security, Throttling and Message Queues. These are a given. If a gateway has no such features, it will never get a chance to enter the customer's boardroom.

Honestly, 80-90% of the API products out there in the market have similar features. All are equally good. Why? For most customers (80%), they only use a subset of features (20%). I can confidently say most API products meet the requirements of most customers. 




API is really about People - Customer & Vendor. 

I know that the competitor is partnering with an SI that does mostly systems-related work - PAM, Secured File Transfer.

In our experience, these types of people are only used for 20% of the total time spent in a typical API project. They are utilized during the Build phase and the Maintenance/Patching phase. In the Build phase especially, my own experience tells me that my API Consultants are of no use here. They simply do not understand networking, firewall, zoning, routing, high-availability, scaling, hardening, vulnerability assessment, security scanning. This is where a trained Systems Consultant is useful. They will be able to work with the Network Security team from the Customer's side effectively.

But as soon as the Build phase is over, the Systems Consultants become totally "useless". This is where API Consultants come in. They are there to help Customers with "Discover, Simplify, Transform, Add Values". In short, to provide API Design services. This usually takes up 80% of the total time spent in typical API projects.

API is all about proper thought process. It's not a simple "Oh, let's create a new API and map it 1-to-1 with your backend service". An intern will do! Why spend so much money?


Thursday, May 17, 2018

SAML-message with NotBefore

I was integrating our corporate JIRA with One Identity Cloud Access Manager via SAML2. I chose the plugin from Resolution GmbH.


Integration was a breeze. Their wizard is brilliant! I got the whole integration completed successfully within 15 minutes.


One issue I encountered was - "SAML-message with NotBefore xxx is not valid yet."



This was quite easily resolved. Do make sure the IdP (One Identity Cloud Access Manager) and SP (JIRA) are synced with the same NTP server.

The error disappeared as soon as I had NTPd configured on my JIRA server.
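As an added illustration (not the Resolution plugin's or One Identity's code), this is the validity-window check an SP performs on the assertion's Conditions element, run against a constructed assertion with the SP clock drifted and then NTP-synced. The skew tolerance parameter is an assumption of the example, not a setting taken from the plugin.

```python
"""SP-side check of a SAML 2.0 assertion's validity window (NotBefore / NotOnOrAfter).

Added example; the assertion, issuer and clock values are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the IdP stamps a 5-minute window starting at its own clock time.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2018-05-17T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2018-05-17T10:00:00Z" NotOnOrAfter="2018-05-17T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML uses UTC xsd:dateTime; fractional seconds are allowed, so accept both forms."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return (ok, reason) for the SP clock `now`; `skew` is the tolerance the SP allows."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "assertion has no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # Both attributes are optional in the schema; only enforce the ones present.
    if not_before and now + skew < parse_saml_time(not_before):
        return False, f"SAML-message with NotBefore {not_before} is not valid yet"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, f"SAML-message with NotOnOrAfter {not_on_or_after} has expired"
    return True, "assertion is within its validity window"


if __name__ == "__main__":
    idp_now = parse_saml_time("2018-05-17T10:00:01Z")   # IdP has just issued it
    # SP (JIRA) clock two minutes behind the IdP: the error from the post.
    print(check_conditions(ASSERTION, idp_now - timedelta(minutes=2)))
    # Same assertion once both hosts follow the same NTP server.
    print(check_conditions(ASSERTION, idp_now))
    # Widening the skew tolerance hides the drift instead of fixing it.
    print(check_conditions(ASSERTION, idp_now - timedelta(minutes=2), skew=timedelta(minutes=3)))
```

The third call shows why a large skew tolerance is the wrong fix: it also lengthens the window in which a replayed assertion is accepted, so syncing both clocks to NTP is the right remedy.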


Tuesday, May 15, 2018

One Identity Cloud Access Manager - Backend SSO Method


Out of the box, One Identity Cloud Access Manager provides the traditional credential SSO methods like IWA (Integrated Windows Authentication) and HTTP Header. I like that it provides Form Fill, though I would keep this as a "hidden secret weapon" in the event customers have some legacy applications for which I have no choice but to perform password replay.




In the same box (yes, the same box; some other vendors require an add-on :>), the trendier Federated SSO Methods like SAML2 and OpenID Connect/OAuth 2.0 are provided. No additional add-on. No additional cost. SAML2 IdP is enabled out of the box. OpenID Connect Provider is enabled out of the box. Very easy to integrate with any third-party federated clients.

I was trying to integrate our in-house JIRA via SAML2 and it took me less than 15 mins on the first try.



Thursday, May 3, 2018

One Identity Cloud Access Manager - Not Authorized

I was playing with One Identity Cloud Access Manager this afternoon and ran into "Not Authorized - Sorry, but it seems as if you're not authorized to access the selected application".



This is what I have observed. If the administrator configured a new protected application after you have logged in to the Application Portal (a one-stop landing portal for you to single sign-on to multiple protected backend applications), the new application link (e.g. Web SVN (Management)) will immediately appear on the portal.



However, as soon as you click on the new link, you'll hit a "Not Authorized" error.


To work around this, log out and log in again. The new link is now accessible.


Simple!

Wednesday, May 2, 2018

CA SSO Access Gateway

I met with a potential customer today and he was interested to deploy CA SSO Access Gateway in the DMZ, while keeping CA SSO Policy Server in the Intranet.

He was not sure what integrations CA SSO Access Gateway provides with his backend applications.

I showed him the diagram below. Self-explanatory.

  • SAML (Federation)
  • REST/JSON 
  • OpenID Connect
  • HTTP Header (Web Agent)


Tuesday, April 17, 2018

Password Meter

We have been in the Security & Identity business for a long time. Recently, we have been engaged in a number of Identity Management projects in the Asia region.

In some projects, we build our own Access Request Portal on top of Identity Management products out there in the market.



The reason is simple - to improve user experience!

From our observation, some IDM products are just too complex, too heavy; some IDM products lack features required by customers.

And since more and more IDM products are exposed via REST, it becomes compelling to build our own Access Request Portal.

We built an Access Request Portal that is lean and fast. No unnecessary features just to make Gartner happy. (You don't agree? Ha! )


In one of our projects, the CIO took a look at the User Profile tab and explored how we built the Password module. He didn't like what we had built. He has a strong view on what is a Strong Password. He even sent my team this to read up - Science Can Help You Choose a Better Password. Complexity isn't as important as you think.

So we stripped the original Password module and incorporated Password Meter.



Password Meter is pretty cool. It will "score" your password quality as you type and give you advice immediately.

My team did it better! As Password Meter is open-source and published on GitHub, we enhanced it to support multiple languages.

What's next is for the team to tidy up the sources and offer them back to the community.

That's the beauty of open-source! Some just don't get it. Money is never enough. 

Friday, April 13, 2018

One Identity Manager - Access Request History

Having implemented numerous IDM projects and seen multiple IDM products, I have found that all of them provide an Access Request History view in a table format.


Besides providing the default table format, One Identity Manager provides a timeline view. 



Important feature? No. Wow feature? Yes, indeed. I like it a lot personally.