Enterprise Identity

In collaboration with a product manager and engineers, I helped release an application security service to customers in less than 6 months.

Conversations with stakeholders

I talked with the Product Manager (PM) and the Team Anchor (engineering lead) about their progress thus far. They mentioned that after two kick-off meetings they weren't much closer to a shared understanding about what the first version of this product would look like, and what capabilities it should initially offer.

Solve the security admin's pain points first so that application developers can just focus on code (vs. configuration).

The team needed a clearer vision around a front-end experience for security administrators, and a clearer understanding of how application developers could serve themselves for their own application security needs.

An open source authentication and authorization service already underpinned the core security model for users and services, and we'd have to work within its constraints (at least for now).

Some questions still begged for answers:

• What were the minimum configuration choices we should offer without sacrificing security and user experience?
  
• What could we push down to the system layer—away from users—to make options simpler and more obvious?
• What could we reasonably use from the existing authentication system for application security? 
  

Feature goals for the first release

• Integrate applications with SAML 2.0 based enterprise identity providers
  
• Secure all types of applications (web, mobile, and native), as well as the API’s both on and off the platform
  
• Single sign-on between applications on the platform
  
• Secure Java applications with a single click via the SSO Service Connector
  
• Multi-tenant single sign-on service that allows for segregation of applications and identities based on the unique needs of the organization
  
• Easy-to-use self service administration, user interface for tenant management, and on-boarding Identity Providers for SSO
  
• Role based access control for Service Administrators & Application Developers
  
• Self service interface for registering applications and associating identity providers for SSO
  
• OAuth 2.0 Authorization Server with support for all four OAuth 2.0 Grant Types
  
• Zero downtime upgrades with blue green deployment model
  
• Certified with industry-leading federated identity providers including CA SiteMinder, Ping Identity, OpenAM, VMware Identity Management, Okta, and more
  

Skills gap combined with a mad rush.

The team was self-described as mostly backend engineers. Fortunately, we were in the process of developing a design system and I had enough web application development experience to help fill the skills gap.

The team felt a sense of urgency. I was told I had a month to prototype, and then development would have to start.

I made a few working agreements with the team:

• Every prototype I shared was subject to frequent changes
  
• This would prevent the team from running with a half-baked idea
• Every prototype used real code in order to be nearly production-ready
  
• This would enable the team to copy/paste some of the prototype code
• Every usability test participant worked at Pivotal (IT Admins & Developers)
• This would speed up usability testing, and yet defer validation with actual customers.

In order to cycle through as many iterations as possible, while using real code, I resolved to use my Ruby on Rails and JavaScript skills to make the prototypes.

Sketching happened at ad hoc whiteboard sessions with stakeholders. Then, I would bring the ideas to life with "real" code in the form of working-yet-janky prototypes.

I was nervous about the approach, but I used strict time boxes and minimalistic version control to keep the exploration on track.