Entitlement Service API

Does your Entitlement API support the use of digital signatures? If not, what would need to be done to include these?
A: Digital signatures are a cryptographic mechanism used primarily to ensure that data has not been altered between the provider and the consuming end. The Entitlement Service uses certificates, encryption and digital signatures for many purposes, including:

  • encrypting and signing authorization tokens (licenses) delivered to clients. Clients have a separate public key by which they can decrypt and validate authorization tokens.
  • hosting a set of trusted certificates, which allows client applications to validate that the service endpoint they are interacting with is in fact the Entitlement Service. This prevents setting up a “fake” entitlement service to provide positive answers to authorization checks. Client applications are built to include a public key that they use to validate the “trusted certificates” response from the Entitlement Service. This mechanism can be used in the system generally to establish trust on the client side for any web service in addition to the Entitlement Service.
  • HTTPS as the protocol scheme.
Does your Entitlement API govern concurrent usage?
A: Yes, our Entitlement API can be configured to reflect certain constraints, and one of these can be concurrency. For example, it can be set to allow a user to access an application via a web browser and also access the same application via a mobile client application, but prevent that same user from accessing the application using a second web browser or a second mobile application. Other constraints can include geography, time, device, counting of content access and user state (i.e. logged in, not logged in).
If we are trying to reward different user types or users who access our content from a particular device, such as a mobile phone, can your Entitlement API be configured to allow 10 pieces of content to be delivered to a mobile device and only 1 to a web browser client?
A: Yes, for our Entitlement API, this is a particular entitlement that would simply need to be configured to reflect those particular constraints – a user from a mobile device can access 10 pieces of content and a user from a web browser can access 1 piece of content.

The recommended way to implement this is to define separate product packages for each client / device type, which also allows a different license model to be used for each.

It could also be extended to different types of content – for example, a user from a web-browser client can access 10 articles and 1 video clip while a user from a mobile device can access 10 articles and 10 video clips.

Many of our users are just browsing our content and have not registered with us. Can your Entitlement API limit their content access even if we don’t know who they are?
A: Yes, this is possible by means of our Identity Provider and Entitlement API working together. A ‘browsing user’ is simply a type of user as defined by the Identity Provider.

We define “pseudo roles” for users including categories:

  • author
  • owner
  • authenticated user
  • last editor
  • viewer

In this scenario the “viewer” role (meaning unauthenticated user) would be allowed certain things, which may be more limited than an authenticated user. One such “viewer” Entitlement configuration may define the ability to access e.g. 3 pieces of content before the client application directs the user to a paywall.

Your Identity Provider and Entitlement API are APIs to which we would connect our client applications. The underlying applications for your APIs are proprietary software and are not open source. What happens in the event that we choose to deploy one or both of your APIs, but then 18 months later for whatever reason, we decide to move to another provider? To what degree are we locked in?

A: If you deployed any of our APIs and then subsequently chose to move to another provider for whatever reason, you are not locked in, either commercially or technically.
You own the data.
Commercially, our APIs are provided on a monthly subscription basis with a one-month notice period, so you have flexibility in terminating our commercial relationship. Technically, all of our APIs are standards-based and therefore it is straightforward to transition to a new provider. For example, if you wanted to move to a different Entitlement Provider, the product package definitions can all be exported from our Entitlement API and ingested into a new provider, provided that it supports all the requirements that you have. Similarly, user IDs within the Identity Provider can be moved to another Identity Provider. Each migration would involve a migration project, but this is something we would help you with as much as you would like us to.

An additional benefit of our APIs that is not easily found with open-source products in the Identity and Access Management sector is expert support. Our company provides multiple support channels and packages should you need further assistance after the initial deployment. With open-source IAM projects the integration cost often far exceeds the cost of a commercial solution because disparate point solutions are being made to work together. By contrast, our APIs are composable services, designed from day 1 to work well with each other, integrate simply into other standards-based systems, and all stem from the same Java-based development framework, which is itself a mature product with a development guide, roadmap and support packages.

We use AWS as our default infrastructure provider. Can you deploy your APIs on AWS?
A: Yes, this can work in two ways. Either you deploy our APIs yourselves onto your AWS instances and then your operations team can manage them. Alternatively, if you prefer, we can deploy our APIs onto your AWS instances and manage them on your behalf each month according to an agreed SLA. This would incur an additional monthly fee on top of the monthly API subscription fee and depends on the size of the deployment. You would pay Amazon directly for your infrastructure usage.
How scalable is your Entitlement API?
A: Our default deployment model is designed to support 20-30 million user profiles, and the entitlement traffic generated by them. The largest customer implementation that has been tested involved 300 million end users, so our Entitlement API can likely handle any significant load you may choose to throw at it.
Where does the ‘configuration’ take place and where are the defined product packages and policies (constraints) stored?
A: Configuration can be done using the REST API or alternatively using the Entitlement Service’s configuration UI. Product packages, license models, licensed items and other entities are stored in the Entitlement Service’s database.
How would your Entitlement API work with the Hybris Entitlement engine?
A: You wouldn’t deploy the two together. Our Entitlement API is an alternative to Hybris entitlements.
The Hybris Entitlement Engine charges per API call. Do you do that?
A: No, we offer a per user per month fee, or a flat monthly fee for larger customers. Client applications can optimize the number of API calls needed, and the value of an API is not related to the number of calls that may be made to it. Particularly in the case of a digital product that is licensed monthly, the client application can be configured to make a license check only a few times each month in order to verify that a valid license exists. With a well-designed Entitlement API, this license validity information can be stored locally and therefore requires minimal license checks (via API calls) at the end of each calendar month (or defined subscription period). This allows you to create a better user experience for your customers.
If I become a customer using the 10Duke Entitlement API and a year from now a new device is released, for example the Apple iWatch, and I want to deliver a variant of my newspaper’s app for that device, what would I need to do?
A: Once you have your new ‘Newspaper’ App for iWatch, you would need to define a new licensable product package (e.g. ‘Newspaper App for iWatch’) and then configure the Entitlement Service (using its API) to include that new package. (As an iOS app, this may be exactly the same as your existing ‘Newspaper App’ product package for iPhones and iPads, in which case nothing would need to change, but if the ‘Newspaper App for iWatch’ product package was unique then it would need to be added as a product package.) Once the entitlement rules for this new product package have been defined and configured, it is ready to be included in the overall product set. This configuration process will take 5 to 10 minutes to do.
What are some use case examples for the 10Duke Entitlement Service to help me understand it better?
A: Here are three example use cases:

  1. You sell digital content online via a monthly subscription model.

  • users can subscribe to a free account
  • once subscribed they are able to access 10 pieces of content
  • once they hit the 10 piece limit, they are pushed to a paywall where they are required to subscribe to a paid account in order to maintain access to content.

In this scenario, our Entitlement service provides the metering on the subscribed user and tracks their usage before pushing them to the paywall. What is particularly neat is that it supports a ‘constraints-based’ model which then supports metering against a number of factors including:

  • access device type: you may want to provide more content to users on iOS devices than Android devices for some business reason. Our ENT service could allow iOS users to access 20 pieces of content whereas Android users could only access 5.
  • content type: you may want to provide un-subscribed users with access to 10 pieces of video content and 3 text articles. Our ENT service will support this.
  • user origin: similarly, you may want to provide unsubscribed users, accessing content from the UK, with 10 pieces of video content and 10 pieces of text content before pushing them to a paywall. By contrast, users from other parts of the world can only access 3 pieces of video content and 3 pieces of text content.
  • concurrency: if you need to allow a user to access the same content, but from more than one device, our ENT service supports this.

If you think of Spotify, they have a piece of software built in-house which governs which users can access Spotify’s catalogue (with or without ads) and on how many devices for each user. Our ENT service can provide exactly the same functionality out of the box.

  2. Selling digital content to ‘anonymous’ users

Similar to the example above, it may be the case that you have a lot of users visiting a website but you don’t know who they are. Our ENT service can still be used to apply a meter to them. The ENT service is an ‘identity-based’ Entitlement service, so it has the ability to gradually build up a user profile even if we don’t initially have access to their email address. The ENT service can do this initially from an IP address and then build the user profile from there. So this means:

  • you can use the ENT service to provide a certain number of pieces of content to an anonymous user before pushing them to a registration wall, after which they can then be given certain access rights to other pieces of content before being pushed to a paywall (as per example 1).
  3. Selling software applications on a subscription basis to one user with multiple devices.

  • You sell anti-virus software.
  • Each license you sell allows your customer to use the software on one PC and 2 mobile devices.
  • Our ENT service would govern the access of the customer to the application from each device over the defined subscription period. When that period ends, the applications on each device would no longer function without renewal.

What are your services for authorisation?
Our Entitlement API is a service that allows you to define and control user access to any protected resource (like an application, item of data, or piece of content). It takes care of authorisation decisions.
In the case of a 2nd product, does the licence to that product sit within the same Entitlement or a new/different one?
It depends on the vendor’s preference.
Can you offer the same services or something similar to Gemalto?
Yes, 10Duke entitlements can offer the same capability as Gemalto, except that our solution is cloud-based and much more flexible, and we don’t rely on license keys or dongles.
Can you see how frequently the users use the software or what functions they use in the software?
Yes, this insight is provided by our Event Data API which is a collection of all data relating to when users access your application, what licenses they use and what features or modules of your applications they use.
Can the customer define the names when internally controlling the licence?
Yes, there are a couple of different features our solution has to enable this. For example, we can whitelist a domain so that any user from a particular company will be able to access a license to a product. Also, we have a company administration tool with which a company admin can administer their own users and control licenses internally.
Can your product make a connection to our CRM database?
Yes, our solution can be integrated with most CRM products.  Data is passed between the systems using either XML or JSON.
Does your solution support offline license usage?
Yes, the solution can be configured to support offline usage for a defined period of time. When the defined period expires, the client application would need to connect to the licensing service to check that the license is still valid.
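The mechanics behind the signed license tokens and pinned trust described in the digital-signature answer above, and the offline period described here, as an added illustration that is not 10Duke's code or token format: the service signs a token with its private key, the client verifies it with the public key it was built with, then checks expiry and how long it has run since its last successful online check. The Ed25519 key pair, the claim names and the signed host list are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LicenseClaims is a constructed token layout for illustration, not 10Duke's wire format.
type LicenseClaims struct {
	Subject        string `json:"sub"`     // user id
	ProductPackage string `json:"pkg"`     // licensable product package
	DeviceType     string `json:"dev"`     // e.g. "mobile" or "web"
	MaxItems       int    `json:"max"`     // content items allowed under this license
	ExpiresAt      int64  `json:"exp"`     // unix seconds; end of the subscription period
	OfflineSeconds int64  `json:"offline"` // how long the client may run without an online check
}

// Signed is a detached-signature envelope: base64(JSON payload) plus an Ed25519 signature.
type Signed struct {
	Payload   string `json:"payload"`
	Signature string `json:"sig"`
}

// sign is the service side: wrap any JSON-encodable value in a Signed envelope.
func sign(priv ed25519.PrivateKey, v interface{}) (Signed, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: base64.StdEncoding.EncodeToString(raw), Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, raw))}, nil
}

// openSigned is the client side: verify with the pinned public key, then decode the payload into v.
func openSigned(pub ed25519.PublicKey, s Signed, v interface{}) error {
	raw, err1 := base64.StdEncoding.DecodeString(s.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(s.Signature)
	if err1 != nil || err2 != nil {
		return errors.New("malformed token encoding")
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, raw, sig) { // tampered payload or foreign key
		return errors.New("signature check failed: not issued by the entitlement service")
	}
	return json.Unmarshal(raw, v)
}

var ErrNeedOnlineCheck = errors.New("offline period exceeded: license must be re-checked online") // client must go online

// ValidateLicense checks signature, then expiry, then the offline window; on ErrNeedOnlineCheck the claims are still returned.
func ValidateLicense(pub ed25519.PublicKey, tok Signed, now, lastOnlineCheck time.Time) (LicenseClaims, error) {
	var c LicenseClaims
	if err := openSigned(pub, tok, &c); err != nil {
		return LicenseClaims{}, err
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return LicenseClaims{}, errors.New("license expired: subscription period has ended")
	}
	if now.Sub(lastOnlineCheck) > time.Duration(c.OfflineSeconds)*time.Second {
		return c, ErrNeedOnlineCheck
	}
	return c, nil
}

// EndpointTrusted applies the same pinned-key check to a signed list of trusted service hosts, so a "fake" endpoint is refused.
func EndpointTrusted(pub ed25519.PublicKey, list Signed, host string) (bool, error) {
	var hosts []string
	if err := openSigned(pub, list, &hosts); err != nil {
		return false, err
	}
	for _, h := range hosts {
		if h == host {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // service key pair; pub is compiled into the client
	now := time.Now()
	tok, _ := sign(priv, LicenseClaims{Subject: "user-42", ProductPackage: "Newspaper App", DeviceType: "mobile",
		MaxItems: 10, ExpiresAt: now.Add(30 * 24 * time.Hour).Unix(), OfflineSeconds: 7 * 24 * 3600})
	c, err := ValidateLicense(pub, tok, now, now.Add(-2*24*time.Hour))
	fmt.Println("valid token:", c.MaxItems, err)
	tok.Payload = base64.StdEncoding.EncodeToString([]byte(`{"sub":"user-42","max":1000}`)) // edited claims
	_, err = ValidateLicense(pub, tok, now, now)
	fmt.Println("tampered token:", err)
}
```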
Does your solution provide an overview of what licenses have been issued?
Yes, in our SysAdmin tool you can see what licenses have been issued, which have expired, which are due for renewal and several more information points.
Is it possible to give a partner the responsibility to issue licenses?
Yes, via the Org Admin tool the responsibility of issuing licenses can be given to your customer so that they are able to administer their own users and their own licenses. For larger organisations, this is typically something they prefer to do, and it reduces your internal admin workload as well.
Do you do the integration process?
Integrating our APIs into your applications is something that you can do yourself if you wish, and we are there in a support role as needed. Our APIs are well documented (developer.10duke.com) and we also provide a number of open-source SDKs that can help your technical team connect your applications to our APIs. We are also on hand to help guide you through how 10Duke Entitlement is configured.
In SysAdmin, can you see the organisation they are from in the user tab?
In SysAdmin you can see user emails and thereby what organisation they belong to. Equally, if you filter by organisation, you can see what users belong to that organisation.
If I have a new group that I want to give access to the same Entitlement, do I just add them to the Entitlement?
Yes
After an Entitlement is created, can we delete the specific product package (and the licensing will still work?) If yes, is it retained in SysAdmin primarily for reference/future use?
Yes, provided none of the underlying licensed items are deleted from the system. Yes, the product package information is retained primarily so it can be used again. There is no cost to hold it in system.
If our customer buys a 40-person licence of 'Product A' and one user has activated 'Product A' on 3 devices (old laptop, new laptop and office desktop), would this account for 3 of the 40 licences or just one?
It is entirely up to the vendor’s preference and the Entitlement engine can be configured either way to support either the consumption of one licence or three. It can be constrained per individual or per device.
How is organisation membership established and by who?
The user is set with an entitlement by the licence administrator (a team leader within the organisation).
One of our licence models is using a MaxAggregateUse constraint. Can we remove the constraint from the licences that have been already granted based on this licence model?
Yes, the constraint can be removed.
When it comes to talking to the customer about renewal, can we see how often they have used the software in the last year?
Yes, our Event Data API provides you with a lot of detail, from when a user last accessed your application, to which feature or features he used, to what license he is using. This information can also be provided at an organisational level, so you can view usage across a company.
What makes the difference between you and Flexera? Why can you be competitive?
The 10Duke approach to software licensing is fundamentally different to that of Flexera’s, and our product was designed to overcome many of the limitations found in Flexera’s, Gemalto’s or Reprise’s products. This blog post goes into more detail about the differences between 10Duke and Flexera, but the main points to be aware of are:

  • Our solution does not require a license server to be installed on the customer site.
  • The 10Duke Entitlement Service does not rely on license keys and therefore there is no need to issue, revoke, replace, or reconcile licenses. This means your internal cost of license admin will be a fraction of what it is if you use FlexNet.
  • The 10Duke solution is ‘always on’, which means that it dramatically reduces unauthorized usage of your software. Unless a user is logged in and has a valid license, they can’t use your software. Period.
  • If you provide a suite of applications to your customers, including web, desktop and mobile apps, licenses to all of them can be configured and managed through the 10Duke system. That is something Flexera just can’t do.


Identity Provider API


If I am using the 10Duke Identity Provider, how does one of my customers reset their password?
The default password reset process requires the customer to click on a ‘Forgot Password?’ link and then enter their registered email address. The IdP then sends a link via email to the customer which takes them through a password reset process. The default security level (which can be made either more strict or more lenient) uses an expiration time-based token and a user secret in the process. More strict security can include e.g. SMS-delivered tokens to ensure that the genuine user has requested the password reset.
If we are running 3 separate web applications, does your Identity Provider support Single Sign-on between them so the user only has to sign in once?
Yes, the user would log in to the first web application, but in practice they would actually be logging into the Identity Provider. This would then authenticate them and grant access to the first web application. When the user tries to access the second web application, a similar process would occur and the IdP would authenticate them to the second application. The process is the same for the third (or Nth) web application. For the user, they only log in once, and each subsequent authentication happens so quickly it is not normally noticeable by them. Similarly, once they log out of one application, they are logged out of the IdP itself and therefore are logged out of all applications.
Does your Identity Provider support fingerprint scanners as a method of authentication?
Yes, the IdP can be configured to include a number of alternative ways to authenticate users. The challenge is harder on the client application side, as the protocol and best practices require that clients connecting to the IdP do not know how the user is authenticated. This means that the IdP is responsible for presenting the challenge, and the client application(s) must have the capability to present the relevant UI and methods for the user to interact with. Common technologies and methods usually use “smart card” based approaches.
Does your Identity Provider allow us to work with companies where the company is a customer and may have a number of people within it who receive a subscription but are managed as a ‘group’ subscription?
Yes, our Identity Provider has a particularly extensive model for supporting organisational structures. In this case, the IdP could recognize ‘the company, customer’, for which there are designated representatives who can log in and manage the subscription and the people to whom the subscription is provided. The number and type of subscriptions within that group is governed by the Entitlement Service, which, working in the SSO environment, is able to connect users to their organizations and thus make the connection between a user and her right to consume the customer organization’s entitlement.
How are clients updated when a new version of the Identity Provider solution is released?
Changes to OAuth, SAML and other SSO protocols are rare and therefore in most cases there is not a need to update client applications for this reason. Also, the HTTP / endpoint contract that the IdP provides supports versioning, which means that old client versions may be maintained for a time period deemed feasible by our customers without adversely impacting their current SSO service in production.
What Social Login providers does the 10Duke Identity Provider support?
The 10Duke IdP supports any social login provider that functions as an OAuth 1.0a, OAuth 2 or SAML 2 provider, including services such as Google+, Facebook, LinkedIn, Twitter, Instagram and more.
Does your Identity Provider allow users to alter, correct or delete their profile data?
Yes, the profile management/edit screens are fully customizable and allow end users to edit fields such as name, organization, profile picture, password, mobile number, email address, etc.
Can you apply data validation (address/email address/ profanity etc.?)
Yes, e.g. email and password validation is a built-in feature (by means of configuration).
Are users able to reset their own password?
Yes, an easy but very secure process is provided out of the box.
Can you restrict access to some of the user's data fields from different apps / sites using the sign-in system (e.g. one app could collect info not seen generally)?
Yes, this is possible using consumer scope privilege configuration (consumer = connecting application + user).
Can you delete users e.g. if needed for legal reasons. Can you also retrieve their records and history?
Yes, complete delete and full audit trail features are available.
Is there any integration with email service provider / notifications provider?
Yes, e.g. AWS-based messaging is available out of the box.
Does your platform offer diagnostic capability and if so, how granular is this (e.g. can we see down to an interaction)?
Yes, detailed event-based logging and reporting is supported.
Can you have multiple identities linked to a single user profile?
Yes, for example, you can allow the same user to access your apps from a social profile, such as Facebook, but also directly using an email/password combination. These IDs can be reconciled as one profile in the IdP database.
Do you provide a customisable database schema for a single user profile store?
Yes, 10Duke’s Dynamic Schema implementation enables a flexible data access service.
Can all information relating to an individual be easily extracted to ensure that Subject Access requests can be met within statutory time limits?
Yes, the 10Duke IdP uses a normalized data model, which makes such actions straightforward.
Can the service/solution easily record where information comes from and where it may be disclosed to?
Yes, activating an audit trail and logging to track such information routing covers this and related requirements.


File+ API

What are some typical use cases for File+?
File+ can be used for:

  • video transcoding tasks such as accepting user-uploaded videos or generating output video files to support playout on multiple devices.
  • audio transcoding to allow uploaded audio files to be played back on a variety of device types, regardless of format.
  • mashing or producing composite media from several input media assets.
  • creating thumbnail images for videos and images automatically on upload.
  • inserting and updating metadata in media files.
  • image manipulation including common tasks such as cropping, resizing, rotating, etc.
  • doing CAD file format conversions.

What industry sectors is it typically used in?
File+ can be used in any market where there are large datasets, a need for file storage or management across a wide geographic coverage, and a need to transfer large amounts of data from A to B. These include:

  • media companies, particularly with large video assets.
  • gaming companies, needing to push executables as well as updates to executables.
  • anti-virus companies, needing to push executables as well as updates to executables.
  • law firms storing and managing large amounts of documentation in the cloud.
  • architects storing and managing large design files in the cloud.
  • healthcare companies storing and managing large image files in the cloud.
  • the building and construction industry storing and managing large CAD models or BIM files in the cloud.

How does it compare to using web upload form for placing files into the cloud?
A web upload form normally receives one file at a time, or occasionally a multi-file upload. The scalability of such a solution is limited. As File+ is available via a RESTful endpoint, it can be incorporated into a client application with much more flexibility and cover a much wider range of use cases.
Is File+ an alternative to FTP?
FTP enables file transfer/copying and is much more limited in scope than File+. There are a number of known issues with FTP, including security and poor scalability in terms of limits on the size of files that can be transferred and how many files can be transferred. By contrast, you can use File+ as a more flexible, scalable solution that gives you as a developer a dedicated file management application rather than just a limited transport mechanism.
Is File+ an alternative to Rsync?
Yes. Rsync has well-known scalability issues. It has limited efficiency (for example, just building an index of what needs to be synced is slow), whereas File+ has much broader scope and can be applied to a wider variety of use cases, in addition to being able to keep files in sync.
Is File+ an alternative to AWS S3?
Yes, File+ offers very similar functionality to S3 but can be used on-premise or in private cloud deployments. AWS is secure, as it uses client-side encryption, but if you encrypt data before transfer then they are equally secure. The AWS S3 API doesn’t offer conversion features alongside file management features, so with File+ you arguably get more out of the box. If you wanted to run a hybrid cloud, using AWS S3 but also another set of storage servers, you could use File+ to manage both.
What deployment models are supported by File+?
File+ can be deployed in a variety of ways including on-premise, in a private cloud or in a hybrid cloud.


Smart Feeds API

How does Smart Feeds differ from just polling the data over a network, dropping it into Hadoop and then analysing it in Splunk? What’s the secret sauce?
You’re right that some Hadoop+Splunk combo could start to produce results in a similar fashion but the two solutions are significantly different due to 5 main factors:

  • The core (secret sauce) is that Smart Feeds has a 4-tier architecture that takes raw event data generated by the sensors, buffers and persists it, and then renders it into a concept of ‘feeds’, which are specific categorizations of the sensor data (for example, by type of sensor, by location, etc.), so that a feed specific to all fridge sensors in shops with a floor area of 1000 m² can simply be pushed through to a client application and made available to the end user to view. The key here is scale (‘000s of sensors, producing raw events every second or half second) and the ease of defining/configuring feeds to be consumed by the client app.
  • Setup/integration time. With Smart Feeds, if your sensor data is already available via wifi, it will take just a couple of hours to set up and get a purpose-built end-to-end solution running. This is in comparison to a toolchain that would require integrating two general tools and applying them to a specific business case. Hadoop is powerful, but you need to get a guy (or two) to get it up and running, integrate it with Splunk, configure Splunk to find and spit out the correct data, and then once it’s all set up, you’ve also got the cost of assigning resource to manage the whole toolchain. Slow, slow, slow….
  • Cost. Running some combo of Hadoop and Splunk won’t be cheap in terms of licensing, personnel and server costs. Also, is that what you want your guys working on? Smart Feeds is less expensive and completely SaaS, and our guys can do the integration bit quickly and for free.
  • End to end. Part of the simplicity of Smart Feeds is that it supports a variety of roles and permissions in the app itself, so you can let people from all different parts of the business in to see the data if you want to. The operational analytics guy may be the main one, but you could also send your CEO, or a store manager, a URL and get him/her to log in to view temperature data from a specific store, across a set of stores, or across the whole estate. Smart Feeds helps to bring the data alive, make it accessible, and helps people understand what is going on with elements of the business that are not normally focused on (but are nevertheless critical).
  • Hunger. Where I think that Smart Feeds will get really interesting is in predictive analytics.


General FAQ’s

Will you participate in a proof of concept project?
Yes, please. Deploying and configuring our APIs is straightforward. We would provide the APIs under an evaluation license at no cost. Any work done during the PoC could be used in any subsequent production deployment and therefore can be viewed as an initial investment. We can start tomorrow.
Yes, please. Deploying and configuring our Identity Provider and Entitlement API is straightforward. As the initial product package definitions that would be created as part of the PoC would then be directly applicable in any production deployment, we would charge our flat £125 plus VAT during the PoC and would provide the APIs under an evaluation license at no cost. Any work done during the PoC would then be used in any subsequent production deployment and therefore can be viewed as an initial investment. We can start tomorrow.
Can you tell me a little more about your business model?
We provide our APIs on a SaaS basis, with a minimum monthly (baseline) fee and then a charge per active user per month. An active user is typically defined as any user that makes at least one license check per month.
How much do your APIs cost per month?
It depends on which APIs we are talking about and the scale of activity your business generates. We provide our APIs on a SaaS basis, typically with a flat baseline fee which includes some level of authentication/authorisation activity, and then with a per active user fee on top of this. More advanced features such as MFA or use of our OrgAdmin application incur additional charges. Our typical contract term is 6 months, with one month notice thereafter, but we also offer 12, 24, 36 and 48 month contracts.

