This blog is a brief introduction to 10Duke's Licensing Solution. We will go through its main concepts and how to integrate with 10Duke, including delegation of authentication, product configuration and delegation of authorization.
10Duke is a cloud-based licensing solution that allows you to configure, issue and manage the licenses you sell to your customers. It can be used by any person or company that is writing, publishing and providing access to software applications on specific licensed terms.
10Duke can be used to control access to web-based applications, mobile applications, desktop applications, plug-ins, embedded software as well as devices.
We use the term ‘control access’ rather than ‘sell’ deliberately. When software is licensed it doesn’t mean that it has necessarily been sold. Software can be provided free of charge, but access to it still may need to be controlled in some way. 10Duke allows you to license your software, regardless of whether or not you are selling it or providing it at no cost.
The information provided below outlines the standard way in which 10Duke is normally implemented and is designed to give you an overview of the key concepts underpinning the 10Duke licensing solution.
If your requirements are not identical to the scenarios outlined below, don’t worry. The 10Duke solution is very flexible and can most likely support your requirements. Please get in touch and we’d be happy to discuss your requirements in more detail.
There are 4 main components to the 10Duke solution:
As the name suggests, these are web-based applications that allow different types of roles to administer all or specific aspects of the 10Duke solution. There are two main admin applications:
SysAdmin - a tool used by you, the application vendor, to configure licenses, products, and manage users. Access to SysAdmin provides administrative control of a 10Duke solution.
OrgAdmin - this tool is similar to SysAdmin but more narrowly scoped. It is used by an end customer administrator to manage the licenses they have purchased from you and to manage the users who are able to access these licenses.
User Profile - this is a tool used by the end user of an application in order to manage and control their personal profile information, configure and reset their password and enable MFA if that option is provided to them.
10Duke is an API-based solution. The three main API products that 10Duke provides are available via a Graph-based API or a REST-based API. It is up to you which API format you choose to use and there are pros and cons to each. REST is more widely used and so, if you’re not sure, it is likely the best option.
10Duke is deployed from AWS and the backend applications are provided to you on an as-a-Service basis. There is no need for you to worry about management of the 10Duke applications. In order to integrate with 10Duke, you simply need to modify your software applications to call the 10Duke APIs in order to execute certain operations, request data or post data.
10Duke does support on-premise licensing where your application is used in an air-gapped network or similar scenario where there is no connection to the Internet available. Please contact us for more information.
In order to integrate with 10Duke, you will first need access to an Evaluation environment. This environment will be deployed for you by a 10Duke Delivery Team (please contact us if you wish to have an Evaluation environment deployed for you). 10Duke is a single tenant solution so it will be configured to suit any specific requirements you may have.
The initial integration steps you will need to follow are:
The 10Duke solution introduces an initial sign-in step when a user tries to use the application you are licensing to them. The sign-in process authenticates the end user by checking that they have provided the correct username (usually email) and a strong password. MFA may also be required at this step, but that is an optional feature you can enable.
You will need to add this log-in form to your application. Depending on the UI technology being used by your app, 10Duke provides some libraries that you can use to make this process quicker. When the user signs into your application, it will delegate the responsibility for making the authentication decision (i.e. checking that the username and password are correct) to 10Duke using the 10Duke Identity Provider API. If the login details are correct, 10Duke will return an access token to your application, which it will then use to make a second call to 10Duke, this time to the 10Duke Entitlement API, to check if the user has a license to the specific application or feature of an application that they are trying to access.
Depending on the type of application you are trying to license, the authentication process will follow a particular ‘flow’ specified by either the OAuth 2 or SAML 2 standard. Both of these are protocols used for the purposes of authentication. Your 10Duke Delivery Team will recommend the best flow for you to use, based on your specific requirements.
To configure the products you want to license using 10Duke, you will need access to the 10Duke SysAdmin web application. Your 10Duke Delivery Team will provide this. There is a detailed SysAdmin User Guide available separately, so the following section will just provide a summary overview.
There are five steps in configuring your products:
- Grant licenses to all of the licensed items within a product package within a specific Entitlement.
- Grant access for a specific group of users to that Entitlement.
Please keep in mind that SysAdmin provides a visual and interactive means of accomplishing the above listed tasks. The same tasks can be carried out directly via the API as well.
Once your application is able to successfully authenticate an end-user signing in and it can receive the access token, and you’ve got your products configured, the next step is to make a license consumption call. As the name suggests, this is when your application is checking that the specific user has been authenticated and has access to a license for the particular application or application feature that they are trying to access.
With the 10Duke Entitlements API, it is important to note that there are two different APIs that your application calls, depending on the operation:
1. For CRUD operations, in order to configure, edit and manage licenses, license models, product packages and licensed items, the Entitlement REST API is used.
2. To check that licenses exist and to make license consumption calls, your application will use the 10Duke Entitlements Authz API.
If your application makes a license consumption call that is successful, it will receive a signed and encrypted JSON Web Token (JWT). This token contains information about the license the user has access to, including the licensed items and the validity period of the token. This token is then stored locally by the client machine.
The next time your application makes a license check (the frequency of which is set by you), it will first look for the JWT stored locally. As long as the token is valid, the client application will operate as it should without any need to make a further call to our backend. However, when the JWT expires, your application will need to make another license consumption call to the 10Duke backend to refresh the token.
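The local check described above is only safe if "valid" means more than "not yet expired". The following is an added example, not 10Duke's code or SDK, of validating a cached license token before honouring it. It assumes an HS256-signed token as a stand-in, a hypothetical `items` claim and constructed keys, and it leaves out the decryption layer; `exp` and `nbf` are the standard JWT claims.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. HS256 stands in so the example runs on the standard
# library; a shipped client should verify an asymmetric signature with the
# issuer's public key, so the client never holds a signing secret.
DEMO_KEY = b"constructed-demo-key"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_demo_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Stand-in for the backend: builds a constructed token for the demo."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = b64url_encode(sign(f"{head}.{body}", key))
    return f"{head}.{body}.{sig}"

def check_cached_license(token, item, key=DEMO_KEY, now=None):
    """Return (usable, reason); any reason but 'ok' means call the backend again."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm instead of trusting the header (rejects alg "none").
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return False, "unexpected-alg"
        if not hmac.compare_digest(sign(f"{head}.{body}", key), b64url_decode(sig)):
            return False, "bad-signature"
        claims = json.loads(b64url_decode(body))  # read claims only after verifying
        exp, nbf = claims.get("exp"), claims.get("nbf", 0)
        items = claims.get("items", [])  # "items" is a hypothetical claim name
    except (ValueError, AttributeError, TypeError):
        return False, "malformed"
    numeric = isinstance(exp, (int, float)) and isinstance(nbf, (int, float))
    if not numeric or not isinstance(items, list):
        return False, "malformed"
    if now >= exp:
        return False, "expired"
    if now < nbf:
        return False, "not-yet-valid"
    if item not in items:
        return False, "item-not-licensed"
    return True, "ok"
```

Expiry is judged against the client's own clock, so the token lifetime you choose bounds how long a cached license is honoured without contacting the backend.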
If you have implemented the three main steps above, you will now have a basic implementation of a 10Duke licensing solution up and running. A new user should be able to log in to your application; they will be seamlessly authenticated and granted access to your application based on the product as configured in 10Duke. Their access will be governed in turn by any license they have been granted, via their Organisation, as configured in 10Duke.