
Integrating the Hitachi ID Identity and Access Management Suite with WebSSO Systems

Abstract
Web single sign-on (WebSSO) systems are a widely deployed technology for managing user authentication and access control across multiple web applications. These systems help companies to effectively manage users on both Intranets and Extranets.

WebSSO and password management systems are sometimes perceived as redundant. In reality, they are complementary tools, with almost no overlapping functionality. Integrating WebSSO systems with password management and provisioning tools provides increased value to organizations with heterogeneous systems.

WebSSO systems are effective tools for managing authentication and access control, but they are limited to web applications. Password management and access provisioning systems extend these capabilities to legacy systems, network operating systems, e-mail systems and more.

Integrating WebSSO systems, password management and account provisioning products yields maximum value for identity management.

This document discusses how Hitachi ID Identity and Access Management Suite can be deployed in conjunction with WebSSO products, how the technologies interact, and how they complement one another.

Introduction

Integrating WebSSO systems, password management and account provisioning products yields maximum value for identity management.

This document is organized as follows:

WebSSO systems defined

WebSSO systems, also known as Web Access Management (WAM) systems, are used to manage users across multiple web applications. They separate user authentication and access control from other application infrastructure, in order to share the same security data and enforcement mechanism between multiple web servers and applications.

User directory

WebSSO systems typically maintain a database of users, their authentication (e.g., passwords, tokens and/or personal questions and answers), and their privileges. This database may exist in an LDAP directory or a relational DBMS.

Central and delegated administration

WebSSO systems normally include facilities for centralized, delegated and self-service administration of the directory and of user privileges. Centralized administration is used to configure the system, delegated administration allows designated people to manage subsets of the user population, and self-service management lets users perform routine tasks on their own profiles, such as updating personal information or resetting a forgotten password.

Shared authentication infrastructure

WebSSO systems include components that plug into most web servers, intercept attempts by users to access pages, and:

This process provides for single sign-on across multiple web applications.

Access control

WebSSO systems typically also provide an API, where web applications can make function calls to determine whether a given user is allowed to perform a given task. Authorization decisions may incorporate policies, roles, user attributes, organization rules, etc.
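The two mechanisms just described, a web-server agent that validates a shared session before serving a page and an authorization API that applications query for individual decisions, can be illustrated together. The example below is added here for illustration and is not code from any WebSSO product or from Hitachi ID; the shared HMAC key, the `sso.example.invalid` login URL, the policy table and the user attributes are all constructed assumptions. The agent accepts a signed, expiring session token so that one login is honoured by every application behind the WebSSO; the authorization function defaults to deny and combines roles with a user attribute, which is also how delegated administration (a designated person managing only a subset of users) can be expressed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret: the WebSSO server and every web-server agent hold
# this key out of band (assumption for this example, not a real deployment value).
SHARED_KEY = b"example-shared-key-not-for-production"
SESSION_TTL = 900  # seconds a session token remains valid

LOGIN_URL = "https://sso.example.invalid/login?return="  # hypothetical login service


def issue_token(user, roles, dept, now=None):
    """WebSSO server side: mint a signed session token once the user has authenticated."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "roles": sorted(roles), "dept": dept, "exp": now + SESSION_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now=None):
    """Agent side: check signature and expiry; return the claims or None."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def intercept(request, now=None):
    """Web-server agent: called for every page request before the application sees it.

    Returns a redirect to the shared login service when there is no valid session,
    otherwise passes the request on with the authenticated claims attached.
    """
    token = request.get("cookies", {}).get("sso_session")
    claims = verify_token(token, now) if token else None
    if claims is None:
        return {"status": 302, "location": LOGIN_URL + request["url"]}
    return {"status": 200, "user": claims}


# Access-control API: each entry decides one task from roles, attributes and context.
# Constructed policy for illustration only.
POLICY = {
    "view_report": lambda u, ctx: "employee" in u["roles"],
    "approve_expense": lambda u, ctx: "manager" in u["roles"] and ctx.get("amount", 0) <= 5000,
    # Delegated administration: a delegated admin may only act on users in their own department.
    "reset_password": lambda u, ctx: ("helpdesk" in u["roles"]
                                      or ("delegated_admin" in u["roles"]
                                          and ctx.get("target_dept") == u["dept"])),
}


def is_authorized(claims, action, context=None):
    """Application-facing call: may this authenticated user perform this action? Default deny."""
    rule = POLICY.get(action)
    if rule is None:
        return False
    return bool(rule(claims, context or {}))


if __name__ == "__main__":
    tok = issue_token("alice", ["employee", "delegated_admin"], "finance")
    resp = intercept({"url": "https://app1.example.invalid/report",
                      "cookies": {"sso_session": tok}})
    print(resp["status"], is_authorized(resp["user"], "reset_password", {"target_dept": "finance"}))
```

Because the token carries its own signature and expiry, a second application server with the same key can accept it without a round trip to the WebSSO server; the trade-off is that revoking a session before `exp` requires a server-side check the example does not include.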

WebSSO as an HTTP proxy

Some WebSSO systems (e.g., Evidian) are able to act as web proxies, intercept HTTP requests, authenticate users, and insert credentials into the HTTP stream sent to web applications.

This approach has two benefits: deployment is simple because the configuration of existing web application servers is not touched, and it supports externally hosted applications and consumer-oriented web sites where it would be impossible to install an authentication agent.
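The credential-injecting proxy described above can be reduced to one function that turns the headers of an authenticated client request into the headers sent upstream. The following is an added example, not the Evidian product or any Hitachi ID code; the credential vault contents, the application name and the exception types are constructed for illustration. The point a practitioner would check first is shown explicitly: because the upstream application now trusts identity headers that arrive from the proxy, the proxy must discard any such headers supplied by the client, otherwise a user could set `X-Remote-User` or `Authorization` themselves and bypass the WebSSO.

```python
import base64

# Constructed credential vault mapping (WebSSO user, application) to the
# application-specific login the proxy injects. A real proxy would read these
# from a protected store; the values here are assumptions for the example.
VAULT = {
    ("alice", "hr-app"): ("alice.hr", "s3cret-hr"),
}

# Headers that carry identity and therefore must never be accepted from the client.
IDENTITY_HEADERS = {"authorization", "x-remote-user", "x-forwarded-user"}


class AuthRequired(Exception):
    """Raised when the proxy has no authenticated WebSSO session for the request."""


def basic_auth_header(login, password):
    """Build an HTTP Basic Authorization value for the upstream application."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def proxy_request(app, session_user, client_headers):
    """Return the header set the proxy forwards to `app` for one client request.

    `session_user` is the user authenticated by the proxy (None if not logged in);
    `client_headers` are the headers exactly as the browser sent them.
    """
    if session_user is None:
        raise AuthRequired("redirect to WebSSO login")

    # Strip client-supplied identity headers so nobody can impersonate another
    # user simply by adding them to the request.
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in IDENTITY_HEADERS}

    cred = VAULT.get((session_user, app))
    if cred is None:
        raise PermissionError(f"{session_user} has no credential for {app}")

    login, password = cred
    # Insert the application credential into the HTTP stream on the user's behalf.
    upstream["Authorization"] = basic_auth_header(login, password)
    upstream["X-Remote-User"] = session_user
    return upstream


if __name__ == "__main__":
    print(proxy_request("hr-app", "alice",
                        {"Host": "hr.example.invalid", "X-Remote-User": "admin"}))
```

The same header-stripping rule applies to any reverse-proxy SSO arrangement: the application must also be reachable only through the proxy, since an identity header is only trustworthy when nothing but the proxy can set it.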

Common WebSSO systems

Some of the most common WebSSO systems are Netegrity SiteMinder, Oblix NetPoint and IBM/Tivoli Access Manager for e-business.

Please refer to [link] for a full list and links to each vendor's web site.

Password and access management systems defined

Another class of tools, targeted at medium to large organizations, streamlines heterogeneous management of passwords, provisioning of login access, and termination of that access:

Password management systems defined

Password management systems are designed to reduce the cost of ownership of password-based authentication, and to improve the security of password authentication.

Password Manager is a password management system that supports:

Password Manager yields cost savings by:

Password Manager improves authentication security by:

Access management systems defined

Access management systems are designed to streamline changes to user access to systems. They reduce the delay between organizational change and matching changes in user access to I.T. infrastructure, and ensure that user access is terminated once it is no longer required.

Identity Manager is an access management system that supports:

Identity Manager yields cost savings by:

Identity Manager improves access security by:

Common components and processes

WebSSO products and Password Manager / Identity Manager share some common components:

Beyond some superficial similarities, WebSSO products and Password Manager / Identity Manager use different features and technology to solve similar problems in different circumstances:

What WebSSO systems do well

As described above, WebSSO systems are an effective infrastructure for:

WebSSO systems are a mature technology, and useful in most Intranet and Extranet environments.

What WebSSO systems cannot do

WebSSO systems do not address all the authentication and access management requirements of an enterprise, however. They cannot manage sign-on to or access control in systems such as network operating systems, midrange servers, mainframes, e-mail systems or client/server applications.

In effect, WebSSO systems are limited to managing authentication in a single enterprise directory (typically LDAP), and interacting with users over a single channel (a web browser).

Filling the WebSSO capability gap

Enterprise password and authentication management, as implemented by Password Manager, allows organizations to simplify sign-on and administration of authentication data on every system, rather than just web applications.

Password Manager password synchronization, in conjunction with WebSSO, reduces the number of credentials that a user must manage across every system, web-based or not.

Password Manager self-service password reset means that users can maintain a single, secure Q&A profile, and use it to securely reset forgotten or disabled passwords on both web and legacy systems.

It is important to note that while most WebSSO systems provide a self-service password reset capability, that capability does not address the systems that typically generate the bulk of password problems in an Intranet: the network operating system and the mainframe. In most environments, LDAP passwords are subject to relatively weak constraints (simple passwords, infrequent changes), and consequently are not a major contributor to password problem call volume at the help desk.
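The "single, secure Q&A profile" that a self-service reset relies on is only secure if the stored answers are protected in the same way as passwords and guessing is bounded. The example below is added here and is not Hitachi ID Password Manager's implementation; the question set, the answer normalization rule, the PBKDF2 parameters, the required number of correct answers and the three-attempt lockout are all assumptions chosen for illustration. It shows answers normalized (case and punctuation dropped, so "St. Mary's" and "st marys" match), hashed with a per-answer salt, compared in constant time, and the profile locked after repeated failures so that the reset channel cannot be used to guess its way in.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000   # assumption; tune to the deployment's hardware
MAX_FAILURES = 3          # assumption: lock the profile after this many failed verifications


def normalize(answer):
    """Casefold and drop whitespace and punctuation so trivial variations still match."""
    return re.sub(r"[\W_]+", "", answer.casefold())


def hash_answer(answer, salt=None):
    """Salted PBKDF2 of the normalized answer; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class QAProfile:
    """One user's enrolled security questions, usable from both web and legacy reset channels."""

    def __init__(self, required_correct):
        self.answers = {}          # question -> (salt, digest); plaintext is never stored
        self.required = required_correct
        self.failures = 0
        self.locked = False

    def enroll(self, question, answer):
        self.answers[question] = hash_answer(answer)

    def verify(self, responses):
        """responses: {question: answer}. True only if enough answers match and not locked."""
        if self.locked:
            return False
        correct = 0
        for question, (salt, digest) in self.answers.items():
            given = responses.get(question)
            if given is None:
                continue
            _, candidate = hash_answer(given, salt)
            # Constant-time comparison of the derived digests.
            if hmac.compare_digest(candidate, digest):
                correct += 1
        if correct >= self.required:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True   # help desk or an administrator must unlock
        return False


if __name__ == "__main__":
    profile = QAProfile(required_correct=2)
    profile.enroll("first school", "St. Mary's")
    profile.enroll("first pet", "Rex")
    profile.enroll("birth city", "Calgary")
    print(profile.verify({"first school": "st marys", "first pet": "REX"}))
```

Requiring two of three answers rather than all three keeps the reset usable for people who forget one answer, while the lockout and salted hashing keep the Q&A store from becoming a weaker substitute for the password it is meant to recover.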

Better self-service password reset for web applications

The Password Manager web user interface can be readily integrated with a WebSSO system, replacing the built-in self-service password reset feature with one that is more secure and applies to every system, not just web applications.

Change authorization workflow for the enterprise

Password Manager access change authorization workflow means that users can simultaneously request updated privileges to both web-based and legacy IT infrastructure. Those requests are routed to appropriate authorizers, and when they are approved are automatically fulfilled globally.

Summary

WebSSO systems simplify authentication to multiple web applications, and enable unified user administration that spans a single directory and supports multiple web applications.

Password Manager manages all forms of user authentication across every system in the enterprise, including directories, network operating systems, client/server and ERP applications, midrange and mainframe systems, etc.

Identity Manager manages user access to every system in the enterprise, and can create, update and delete accounts based on a change request authorization workflow, central and automated user administration and more.

Enterprises derive maximum value by deploying all three systems: central and delegated administration plus unified authentication for web applications, together with streamlined administration of users, passwords and non-password authentication that spans every system, not just web applications.

References

(1)

WebSSO vendors today include:

Vendor        Product
CA            SiteMinder
Entrust       GetAccess
IBM/Tivoli    Access Manager for e-business
Novell        iChain
Oracle        Access Manager
RSA           ClearTrust


To find out more about Password Manager, visit http://Hitachi-ID.com/password-manager/.
To find out more about Identity Manager, visit http://Hitachi-ID.com/identity-manager/.
To find out more about Hitachi ID Systems, visit http://Hitachi-ID.com/.