Session at the European Identity & Cloud Conference 2013
May 16, 2013 16:30
Sorry, I'll start again. My name's James Baker from the Azure Active Directory team at Microsoft. We're working on the notion of pushing beyond the directory through the Graph API and graph stores, the work that we are doing, and specifically looking at scenarios like this one, where we can attach to APIs and have them populate and reflect out the information about things. You know, we don't want to be prescriptive of what those things are. It's just things.
And so Will's got the demo that we sort of hacked together, and I'll let him take you through it. Thanks, James. My name's Will Lovegrove and I'm the owner of the company behind Daytona. And firstly, thank you very much, Craig, and thank you very much, Kim, for giving me this opportunity to come up on stage, build the app and talk about some of the ideas that we're working on in my company. I put this diagram up because it gives me an opportunity to talk at an abstract level about what we're doing.
And it also gives me a chance to convey the message that I want to without delving into a demo, because I've been at this conference now for three days and I haven't seen anyone do a demo, and I kind of just figured out why as I plugged my machine in and got really, really appalling connectivity. So let me talk to you a little bit about what we're gonna do, and then we're gonna try and actually provision some user data into Active Directory using nothing more than a spreadsheet, which is the frictionless way of managing employee identities.
So if I walk and talk through this diagram, you're gonna see me open up an Excel document and enter a new user, I guess. And the objective is that I want that user to get access to this app over here, which we've called the EIC conference app. It's just a web app, but the context would be that, you know, maybe my company has paid for that web app. It could be a cloud-based app, it could be software as a service, and me as the owner of my organization, I want to administer the users who have access to that. It could be any service. Could be any service.
Is that better? That's better. Okay. So this looks like a relatively complex diagram, but I'm gonna talk through it quite quickly. In Excel...
Wait, what's going on here? Take this, hold this in your hand and put this to your... Okay. I'll clip it on. Okay. All right. A little bit better. Okay. So we're editing an Excel document containing employee information, and it happens to be stored in Dropbox. And we chose that because that is the public cloud tool that my product Daytona interfaces into, through the Dropbox API. And by doing that, we can monitor changes in that document.
As Craig already said, we did the demo checks; I have no chance pulling this demo off. This tool, Daytona, creates a copy of the data stored in that Excel sheet on the backend platform of Windows Azure, and it positions it as a data API inside a developer portal, with the standard tools you need in order to exchange data through an API. Then what we did was, inside a Windows Azure environment, we created what we're calling a data pump app.
And through that app we manage the synchronization of the data, firstly into Active Directory and secondly into the Windows Azure graph store. And inside the spreadsheet we have two tabs; you know, actually we've got two spreadsheets, one containing employee data and the other containing application data. And simply by connecting them in this way, we are able to populate the graph store and Azure Active Directory with that information.
And then inside the web app we've got an authentication mechanism that integrates into Gmail, Yahoo or Facebook, meaning that if we put an employee identity into the Excel sheet, as long as that identity can be related through to the identity providers that I previously mentioned, we can effect single sign-on to this app, which, as Craig said, could be any app. Just rethink that again. They build the app.
If there's a credential, a token for them, that they already have in any social network or a network that a company has, they can sign on automatically to that application. I don't have to go build a new name and password for the app.
Again, that's what I want. No more names and passwords every time an app gets built. That's exactly right.
In fact, the whole idea of putting names and passwords in Excel in Dropbox is kind of scary. So, you know, it really works on that level. As it turns out, my company uses Gmail as its company account. So the demo that I'm gonna show you uses my company's domain name, which is release consulting.co.uk. And we effectively have an enterprise and extended-enterprise management system that is perfectly in tune with my enterprise. Okay. That's the diagram of the schematic.
We're now gonna plunge into the... Enterprise-grade secure, without you having to build the infrastructure to make that. Exactly. Exactly. I can hear. Okay.
So, all right. I might come back to that spreadsheet, but first of all, let's take a look at the spreadsheets, if you like the raw material for users. It's nothing more than this, you know, the display name and then the email address. And to prep for this demo, I've created a fictional member of my company and I've named him Aaron Arva, and I've named him that because I know exactly where he is gonna appear in the list of users.
You know, that's right at the top. Release Consulting is the domain name that my company uses, so let me just copy that. And I'm also gonna put him into a group, and because we mocked this up with the EIC conference, I'm gonna make him an attendee of this conference, and I'm gonna hit save. And by saving it, what I've done is I've saved it, if you like, into Dropbox. And then Dropbox is synchronizing that through its own internal processes out into the public cloud, and my platform is able to gain access to that through the Dropbox API.
Now this is my platform, and we automatically poll the Dropbox API every five minutes, but that's not good enough for this demo, so I'm just going to force that. And all I'm doing right now is forcing my platform to take a data refresh from that Excel document that's captured inside Dropbox. Now, to move over for demonstration purposes, this is Azure Active Directory.
If things have gone well, then Aaron Arva is gonna appear inside this directory listing, because what will have happened is that the user that I've just typed in there will have propagated right into Azure Active Directory. So let's see how we go here. I was getting a little bit worried about the connectivity, so we'll see how we do. Now's the time for jokes, or no? Let's fill a bit of space.
Yeah, actually let's grab the mic... Thanks. So while that's populating, and that does take a little bit of time, but it's not a time-critical thing, so a little bit of time there is fine, I want to talk about the graph store, because whilst populating users and groups into AAD is an important thing, applications typically need more than that.
And as applications are migrating up into the cloud, they need some fairly easy storage that they can use to extend out of the users and groups that exist in the structured AD. And so we've got this graph store mechanism, which is, you know, I don't like using the word tuple store, but it's a tuple store that more or less is able to hold nodes and edges of a graph of any description, and any arbitrary payload that we can attach to them.
So you can have an edge between a user in AAD and another entity in another system that's addressable by URL, and you just construct the edge through those two URLs. You can put additional payload on the edge itself. And so this is a way forward of how you connect out, what we may have called a virtual directory in previous terms, but it's just a way of extending out the directory, as well as doing things like custom attributes on directory entries.
You know, as we know, the AD on premise has a great ability to hold custom attributes; the cloud version doesn't, because of the multi-tenanted store, and arbitrary schema doesn't work in a multi-tenanted store. And so the graph store becomes that arbitrary schema. It's not without type, but type gets applied after the fact, if you like. And so you get a very flexible storage mechanism in there. How are we doing on the... We're good. Refresh, and Aaron Arva is there right at the top of the list. Exactly. Let's keep going on, Aaron. Okay. All right.
So to come back to the working demo, Aaron is now inside Azure Active Directory, and to bring it back to this diagram, we've now populated Active Directory. And so the EIC conference app is aware of that employee and will give him access upon successful credential identification from, in this case, Gmail. So let's pull that down. This is the app that we rigged up, and we dressed it in the livery of the conference.
There's the identification, you know, login screen that we put together, and it would work for Yahoo, Facebook. I'm gonna go with Google. There, we've gone out to Google. Google's remembered that upstairs I was running through this successfully and typed in Aaron's email address and password, meaning that all I have to do is hit okay. Authenticate, come back into the app that we've written, which is called wad manager, cloud app.net.
And there we are. We've got access for Aaron, and we've actually got him in at a certain privilege level, which is just as an attendee. And if I wanted to really push the boat out on this demonstration, I could go back into Excel, I could change his group membership, I could make him a speaker. He'd see a slightly different interface with access to some privileged information that only speakers get access to.
But I don't think I will. Just think for a second what he's done. Just working, you know: create the data, synchronize it with the cloud, generate an API, and create a service with real data in it that's accessible from an account that was created that didn't require you to have a new name and password, in 10 minutes. That's the kind of non-friction I want to see. That's the kind of non-friction we have to see for the life management platform to work. Effortless, no friction. I don't have to write code if I don't want to.
And I can if I want to, and I can get any set of data available as an API, as a service, for any purpose that I want. Correct. Yeah.
Well, if you think about what's going on behind those scenes, it's mind-boggling. You guys have done an incredible job. Thank you.
Oh, thank you. Thank you. Thank you for that. So, is there more? I think we're okay. Let's go ahead and let myself sing. Dance.
Greg, can you do a little mind? I mean, one point that is worth making: it's a dinky little app, as you can see here, but everyone knows the Facebook "like" premise. And so we've got a similar sort of thing down here. Now you could write a custom cloud-based store to go and hold all of the likes and hold all of the conference schedule and all that sort of stuff. The graph store, as an extension of Aaron's information, goes and stores all these likes, and it's just stored as a bunch of tuples.
And in this case, it's a relationship between Aaron's UPN in AD or AAD and a session, which is also stored in the graph store. So it's a very easy way, and we believe that there's a bunch of contemporary applications for which this sort of graph-like structure is a more optimal way than some of the more relational approaches that we've taken in the on-premise apps.
So we're putting graph store out there; it's in preview mode at the moment. I'd encourage you to go and hit it. It's all at graph store, windows.net. The cool thing is that it's an API.
I mean, it's a service, but this data gets represented as an API. It's authenticated, it's authorized, but it's not onerous in its authorization model. And so you are in control of that. Who owns the data, is this Microsoft? Well, at the moment Daytona does, or the EIC conference app does. And so it's sticking with the multi-tenant tenet of Microsoft owns the service, because the data is tenanted. The tenant owns the data. So you're merely the custodian.
We are the custodian of that data. But you don't claim ownership? We're not claiming, and we're not actually gonna do anything with it either. You know, we are not trying to make money off that data. We are not making money off that.
Oh, my word. Yeah.
To be fully transparent, we see this as a platform enhancement piece. This is not ever something that we are going to monetize or make a sort of commercial partnership by selling the data or anything like that. We are not in that business. We're about trying to enrich the platform.
And we're trying to encourage everyone to bring things that literally enrich the cloud base. You know, it doesn't have to be Microsoft's platform. It has to be the cloud platform and the API economy. And I think the rising tide lifts all boats, and it'll make this transition for a lot of people from on-premise to cloud a lot easier if these sorts of services and APIs are available and easily available. Thanks. Great work, Marcel.
Oh, any questions? Sure. Okay, I've got a question. Yes. Unfortunately I'm a bit paranoid. So I've seen there is some Dropbox in between, so there's some public cloud service where I have to upload my Excel file to. So I assume that you can just exchange this Dropbox service with other ones which just provide the proper API that you can use. But my question is, I would like to upload an encrypted Excel file. So how do you have to extend your framework to handle this?
Well, we'd have to unencrypt it to get access to the data and peel that back. So at some point you'd have to share the credentials to help us unencrypt it. You could run it over HTTPS. Yeah. Yeah. To speak to your point about Dropbox, just briefly: we originally designed Daytona to solve a problem that we encountered in very, very small businesses when we built mobile applications for them,
which is our background. So they wanted a way to update content in mobile apps, but every single company we spoke to simply didn't have an API, neither did they want to extend the mobile app project to the job of creating an API specifically for something that they were unsure about. So the whole purpose of Daytona was lightweight, drag-and-drop, rapid deployment of an API. And in fact, we have a number of clients now that update content simultaneously across iPad, iPhone and Android simply by editing Excel inside Dropbox.
So in that sense, it's very low-value data. It's not precious data. It wasn't designed to be in identity management. Subsequently we've worked with Box and we now integrate with Box as well. On our roadmap we've got Google Docs, Google Drive, SkyDrive.
And in fact, our philosophy is turning out to be: we don't want to impose a public cloud service onto the potential customers of this. We just wanna integrate into what they've already got, which is their choice about what they feel is the right level of security for their organization. So by integrating through APIs, as long as SharePoint, SkyDrive, Google Docs expose the relevant APIs, we can reach in there. All we then need to do is take a secure copy of that document.
And then if it's encrypted, then yes, we do have to work with the owner of that encryption and unencrypt it. And that's not a use case we've encountered so far, because we're working with relatively low-value data at the moment. Certainly doable. Right. And the other requirement that I have is that you don't have to be locked into Dropbox. I can use whatever distributed system I want to use. Yeah.
I think, from my point of view, what's interesting about this is these guys are making the API economy a lot more accessible at the low end of the security spectrum. In fact, in terms of what was originally offered by the company, the application was authenticated, but not the end user in the general use case. What they did by integrating with Azure Active Directory is they were now able to authenticate not only the application, in this case the EIC conference application, but also the individual end users.
So they added that level, but then you can imagine them now having higher-security transports and this, that and the other thing in order to move further and further up the stack. But I think it's a huge step to go from, well, you have the application, which is secure, but nothing beyond that, to we now have security in the sense of knowing the identity of the individual user of the application, as well as the application. So I can now do an AND between those two things and control what data they get to.
So that was kind of what I thought was quite an interesting step forward for that.