Thursday, May 24, 2018

Magic Quadrant for Full Life Cycle API Management (2018)

The latest Magic Quadrant for Full Life Cycle API Management was released a month ago. I just received a mailer from CA. 

Well done: CA Technologies remains in the Leaders quadrant. Not sure why Google (Apigee) is so high up, as we don't see much competition from them in this region. As long as you are totally cloud-based in this region, especially Singapore, you're basically out of the game. That is, if you are looking for large customers. The game is still very much on-premise.

Interestingly, Tyk has made it to the Niche Players quadrant. That's real hard work for a new player who has been in this market for less than 5 years. Really impressive! Kudos to the Tyk team!


Tuesday, May 22, 2018

What API is not about, and what it is about

My team has been covering a potential customer for a while with regard to an API Gateway deployment. POC done. Presentation done. Then a competitor came in to disrupt ... it's common. Singapore is a saturated market. There is a finite number of customers to chase after. If customers don't come to you and you hear that they are looking at a product from your competitor, you quickly go in to disrupt the market. 

If you are the product principal and you have the time and energy and you have a willing partner, then you will do this sort of thing. I'm someone who is not too keen to do this. The pie is always big enough for everyone, that's my view. If you go in to disrupt the market, you're usually going into a price war. It's not about product superiority anymore. More importantly, the quality of the consultants is not considered.  

This is a vicious cycle. Nothing good will come out of it. Customers think they are getting a good deal. I say they are mostly blind. Partners/Vendors are not stupid either. If a partner bids with a superbly low price, you think the partner will give you his best consultants? You pay peanuts, you get monkeys. As simple as that. 

Anyway, I went in to make my last presentation. I only showed 2 slides. 

API is really not about Secure File Transfer, Security, Throttling and Message Queues. These are a given. If a gateway has no such features, it will never get a chance in the customer's boardroom. 

Honestly, 80-90% of the API products out there in the market have similar features. All are equally good. Why? For most customers (80%), they only use a subset of features (20%). I can confidently say most API products meet the requirements of most customers. 

API is really about People - Customer & Vendor. 

I know that the competitor is partnering with an SI that does mostly systems-related work - PAM, Secure File Transfer. 

In our experience, this type of consultant is only used for about 20% of the total time spent in a typical API project. They are utilized during the Build phase and the Maintenance/Patching phase. In the Build phase especially, my own experience has taught me that my API Consultants are of no use. They simply do not understand networking, firewall, zoning, routing, high availability, scaling, hardening, vulnerability assessment, security scanning. This is where a trained Systems Consultant is useful. They will be able to work effectively with the Network Security team on the customer's side. 

But as soon as the Build phase is over, the Systems Consultants become totally "useless". This is where API Consultants come in. They are there to help Customers with "Discover, Simplify, Transform, Add Value". In short, to provide API Design services. This usually takes up 80% of the total time spent in a typical API project.

API is all about proper thought process. It's not a simple "Oh, let's create a new API and map it 1-to-1 with your backend service". An intern will do! Why spend so much money?


Thursday, May 17, 2018

SAML-message with NotBefore

I was integrating our corporate JIRA with One Identity Cloud Access Manager via SAML2. I chose the plugin from Resolution GmbH.

Integration was a breeze. Their wizard is brilliant! I got the whole integration completed successfully within 15 minutes.

One issue I encountered was - "SAML-message with NotBefore xxx is not valid yet."

This was quite easily resolved. Do make sure the IdP (One Identity Cloud Access Manager) and SP (JIRA) are synced with the same NTP server.

The error disappeared as soon as I had ntpd configured on my JIRA server.
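To show what the SP is actually checking when it raises that error, here is an added example of a SAML 2.0 Conditions validity-window check with a bounded clock-skew allowance. It is not code from the Resolution plugin, JIRA or One Identity; the assertion XML, timestamps and the 60-second skew default are constructed for illustration. The point it makes: when the SP clock lags the IdP by more than the allowance, the IdP's NotBefore is still in the SP's "future" and the assertion is rejected, which is exactly the symptom above; NTP removes the lag, and a small skew allowance absorbs the residual drift without widening the replay window.

```python
"""Validity-window check for a SAML 2.0 assertion's <Conditions> element.

Added example (not the Resolution plugin's, JIRA's or One Identity's code).
It reproduces the "NotBefore ... is not valid yet" failure when the SP clock
lags the IdP, and shows a small, bounded clock-skew allowance that tolerates
ordinary drift without accepting stale or replayed assertions.
The assertion below is constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the time-related parts of an assertion as an IdP
# would emit it (issued at 02:00:00Z, valid for five minutes).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-id" Version="2.0"
    IssueInstant="2018-05-17T02:00:00Z">
  <saml:Issuer>https://idp.example.test/CloudAccessManager</saml:Issuer>
  <saml:Conditions NotBefore="2018-05-17T02:00:00Z"
                   NotOnOrAfter="2018-05-17T02:05:00Z"/>
</saml:Assertion>
"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime in UTC (trailing 'Z', optional fraction)."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be expressed in UTC ('Z')")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, allowed_skew=timedelta(seconds=60)):
    """Return (ok, reason) for the assertion's time window at instant `now`.

    Per SAML Core 2.5.1.2, NotBefore is inclusive and NotOnOrAfter is
    exclusive. `allowed_skew` is applied on both edges: the SP accepts a
    NotBefore that lies at most `allowed_skew` in its future, and a
    NotOnOrAfter that passed at most `allowed_skew` ago. Keep it small
    (tens of seconds): every extra second of skew allowance is an extra
    second in which a captured assertion can be replayed.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return False, "assertion has no Conditions element"

    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")

    if not_before is not None:
        nb = parse_saml_instant(not_before)
        if now + allowed_skew < nb:
            return False, f"SAML-message with NotBefore {not_before} is not valid yet"
    if not_on_or_after is not None:
        noa = parse_saml_instant(not_on_or_after)
        if now - allowed_skew >= noa:
            return False, f"SAML-message with NotOnOrAfter {not_on_or_after} has expired"
    return True, "within validity window"


def demo():
    """Evaluate the same assertion under several SP clock situations."""
    idp_time = datetime(2018, 5, 17, 2, 0, 0, tzinfo=timezone.utc)
    return {
        # SP clock in sync with the IdP: accepted.
        "in_sync": check_conditions(SAMPLE_ASSERTION, idp_time + timedelta(seconds=1)),
        # SP clock 3 minutes slow (no NTP): NotBefore is still in the SP's
        # future beyond the 60 s allowance, so it is rejected.
        "sp_3min_slow": check_conditions(SAMPLE_ASSERTION, idp_time - timedelta(minutes=3)),
        # SP clock 30 s slow: inside the allowance, accepted.
        "sp_30s_slow": check_conditions(SAMPLE_ASSERTION, idp_time - timedelta(seconds=30)),
        # Same assertion presented 10 minutes later (replay): rejected.
        "replayed_later": check_conditions(SAMPLE_ASSERTION, idp_time + timedelta(minutes=10)),
        # Exactly at NotOnOrAfter with zero skew allowance: exclusive bound, rejected.
        "at_not_on_or_after": check_conditions(
            SAMPLE_ASSERTION, idp_time + timedelta(minutes=5), timedelta(0)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'OK    ' if ok else 'REJECT'} {reason}")
```

Real SP implementations also verify the XML signature, Issuer, Audience and InResponseTo before looking at the time window; this block isolates the time check only. If you do have to loosen the skew allowance to make a deployment work, treat that as a symptom of clock drift to fix with NTP rather than a setting to leave wide.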


Tuesday, May 15, 2018

One Identity Cloud Access Manager - Backend SSO Method

Out of the box, One Identity Cloud Access Manager provides the traditional credential SSO methods like IWA (Integrated Windows Authentication) and HTTP Header. I like that it provides Form Fill, though I would keep this as a "hidden secret weapon" in the event customers have some legacy applications for which I have no choice but to perform password replay.

In the same box (yes, same box. some other vendors require you to add on :>), the trendier Federated SSO Methods like SAML2 and OpenID Connect/OAuth 2.0 are provided. No additional add-on. No additional cost. SAML2 IdP is enabled out of the box. OpenID Connect Provider is enabled out of the box. Very easy to integrate with any 3rd party federated clients. 

I was trying to integrate our in-house JIRA via SAML2 and it took me less than 15 mins on the first try. 

Thursday, May 3, 2018

One Identity Cloud Access Manager - Not Authorized

I was playing with One Identity Cloud Access Manager this afternoon and hit "Not Authorized - Sorry, but it seems as if you're not authorized to access the selected application".

This is what I observed. If the administrator configures a new protected application after you have logged in to the Application Portal (a one-stop landing portal for you to single sign-on to multiple protected backend applications), the new application link (e.g. Web SVN (Management)) will immediately appear on the portal.

However, as soon as you click on the new link, you'll hit the "Not Authorized" error.

To work around this, log out and log in again. The new link is now accessible.



Wednesday, May 2, 2018

CA SSO Access Gateway

I met with a potential customer today and he was interested in deploying CA SSO Access Gateway in the DMZ, while keeping CA SSO Policy Server in the Intranet.

He was not sure which integrations CA SSO Access Gateway provides with his backend applications.

I showed him the diagram below. Self-explanatory.

  • SAML (Federation)
  • OpenID Connect
  • HTTP Header (Web Agent)