APIEvangelist.com covers Vordel

Kin Lane, over at APIEvangelist.com covers Vordel as an example of an API Service Provider. He mentions that:

Vordel has an impressive client list including the FBI, Coast Guard and Dunn & Bradstreet, and delivers some progressive integrations, like a deployment of their API gateway for Blackhawk Network, which extends REST services to their business partners like iTunes and Facebook.

Kin mentions the Blackhawk Network API: For more info on this API deployment, check out the video of the API gateway deployment here (skip on to 14 minutes and 30 seconds in, to get to the core info about the API).

IdP (Identity Provider) to SP (Service Provider) SAML with the Vordel Gateway

Signed SAML tokens are often used to propagate identity information in an API request. Although we're increasingly people using OAuth with the Vordel Gateway, SAML remains the established technology and is not going away anytime soon. Here is an overview of how you can create a signed SAML Assertion at the IdP (Identity Provider) then send this in an API request to a SP (Service Provider). As an extra architectural detail, I am issuing the SAML Assertion using a REST STS interface.

You'll notice below that I'm using the snazzy new Vordel 6.2 release, because of the new re-arranged search interface on the right, and the new "libraries" (blacklists, whitelists, etc) and "resources" (scripts, schemas, stylesheets, etc) groups on the left.

Here is the IdP policy. It's very simple. I am firstly authenticating the browser client, then calling out to a REST STS to request a signed SAML Assertion for the user. I'm the validating the signature on the SAML assertion.


That request to the REST STS? If I hit it directly with a browser, it looks like this:

Notice the response is signed and the digital signature is inside the SAML assertion. This means that the XPath used to validate the signature must not take the signature itself into account. The XPath for this is: (//saml:Assertion)/descendant-or-self::node()[not(ancestor-or-self::dsig:Signature)] . This is one of the example XPaths provided with the Vordel Gateway.

Now, I am placing the signed SAML Assertion into a form variable called SAMLResponse, as shown below. This is what I am sending to the Service Provider (SP):

<form method="post" action="http://sp.example.org:8080/SAML2/POST" ...>
<input type="hidden" name="SAMLResponse" value="PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDph
(truncated)
Pg==" />
<input type="submit" value="Connect to Service Provider"/>
</form>

At the Service Provider, I Base64-decode the SAML Assertion in the Vordel Gateway, check its signature and the trust of its issuer, and then return the response from my service. I can see all this happening in the Traffic Monitor of the Vordel Gateway. I see the IdP service, the REST STS, and the Service Provider.


I double-click on any of the services, I see the tracking of what happened step-by-step inside the policy. You'll notice that the steps here map to the steps in the first screenshot above. The Traffic Monitor shows the time for each step also, as it runs on my laptop.

So that shows how you can setup an IdP, SP, and REST STS all on the Vordel Gateway. Now, normally you would not be running all these components on the same machine. But it's certainly a useful exercise to learn about how it all works.-->

Tablet-tastic new site

If I can prise my Android tablet out of my kids hands for a moment, I can show the new tablet-optimized Vordel site. Neat new layout, and everything fits nicely on the tablet's screen.


And here's a tip for Vordel Gateway customers who use tablet computers. If you log into the Gateway's web interface with a tablet, all of the functionality is available to you:

For example, here is the Real-Time Monitoring:

Definitely an excuse to buy a tablet computer, if you don't have one already...

Video: Three Cloud Computing Case Studies

When an organization says they are "using the cloud", it can mean a number of very different things. Using an IaaS service such as Amazon EC2 or Terremark is different from using Google Apps for outsourced email, which is different again from exposing an API into Facebook.

So here is a video of three Cloud Computing case studies from Vordel's customers. They cover one each of SaaS, IaaS, and PaaS. In first two examples, customers are connecting up to the Cloud; firstly to Google Apps (for single-sign-on to Google Apps email) and secondly to Terremark to manage virtual servers. In the third example, the connection is from the Cloud (a Facebook app) to a company's APIs. Here's the video, and see if you can spot the Animal House references :-)



I made the presentation using Prezi, so you can click through the presentation (minus the audio) up on Prezi.com.

Today at Oracle Open World - Cloud SaaS, PaaS, and IaaS Case Studies

Today I'm presenting three Cloud case studies at 5pm in Room 3022 in Moscone West, here at Oracle Open World. The case studies are one each of:

- SaaS (Software as a Service) for single sign-on to Google Apps
- PaaS (Platform as a Service) exposing business services as an API
- IaaS (Infrastructure as a Service) applying governance to the Cloud-based virtual machines

I had originally called my presentation "How to cover your *aaS" but that title didn't make it past the Oracle Open World selection judges :-)

Hope to see you there!