Federation & SSO

Web Access Management (WAM)

The Access Gateway works well for providing coarse-grained authorization when protecting web applications. Requests go through a proxy, which applies authorization rules and forwards the request to the underlying servers that provide the application. This model is simple to deploy and easy to maintain. User identity is checked at the proxy and propagated to the applications behind it through injected HTTP headers, query strings or authentication headers. The real URLs of these applications are hidden from public view.
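The proxy model above, reduced to its policy step, as an added illustration that is not OpenIAM's code: the gateway strips any identity headers the client sent (so a caller cannot impersonate another user), applies prefix-based authorization rules, and only then injects the identity of the authenticated SSO session for the hidden backend. The header names, rule table and backend addresses are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Identity headers the gateway injects for the backend. Any copy arriving
# from the client is dropped first, otherwise it could spoof a subject.
IDENTITY_HEADERS = {"x-remote-user", "x-remote-roles"}

# Coarse-grained rules (constructed): URL prefix -> roles allowed.
RULES = [("/admin/", {"admin"}), ("/app/", {"admin", "employee"})]

# "Real" backend URLs hidden behind the gateway (constructed).
BACKENDS = {"/admin/": "http://admin.internal:8080",
            "/app/": "http://app.internal:8080"}


@dataclass
class Decision:
    status: int                      # 200 = forward, 401, 403 or 404
    target: Optional[str] = None     # backend URL the request goes to
    headers: dict = field(default_factory=dict)


def gateway(path: str, client_headers: dict, session: Optional[dict]) -> Decision:
    """session is the authenticated SSO subject ({'user', 'roles'}) or None."""
    # 1. Drop client-supplied identity headers, case-insensitively.
    fwd = {k: v for k, v in client_headers.items()
           if k.lower() not in IDENTITY_HEADERS}
    # 2. Longest matching prefix decides which rule applies.
    for prefix, allowed in sorted(RULES, key=lambda r: -len(r[0])):
        if not path.startswith(prefix):
            continue
        if session is None:
            return Decision(401)                 # authenticate first
        if not allowed & set(session["roles"]):
            return Decision(403)                 # authenticated, not entitled
        # 3. Inject the identity the proxy itself verified.
        fwd["X-Remote-User"] = session["user"]
        fwd["X-Remote-Roles"] = ",".join(sorted(session["roles"]))
        return Decision(200, BACKENDS[prefix] + path, fwd)
    return Decision(404)                         # no rule covers this path
```

The backend must in turn accept these headers only from the gateway's network path, since the stripping step protects nothing if the backend is reachable directly.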

Single Sign On

Each partner system, as well as your own application, may have its own set of user IDs and passwords. Such applications move in and out of security domains, and the user experience suffers when many login credentials have to be remembered.

The SSO feature lets your users log in once and roam unchallenged through the security realm. For end users, it removes the burden of remembering an array of passwords and the need to log in to each application individually. Participating domains are not required to give up their own logins and credentials. The ability to hold multiple identities, each with its own roles, permissions, access levels and entitlements across multiple domains, allows a wide network of co-operating domains to communicate seamlessly: an authenticated subject can access restricted resources that would otherwise require separate logins and credentials without being challenged again at each domain.

Unlike SSO solutions from many industry leaders, Open Access Manager's solution is not based on a proprietary cookie. Instead it is based on SAML 2, a well-accepted industry standard. Using SAML allows OpenIAM Access Manager to provide SSO not only at the web application tier but also across other layers such as Web Services. It also allows Open Access Manager to integrate easily with the technologies a company already has.

Federation

Your business has partners, suppliers and other organizations. For them to collaborate effectively, identity information needs to be propagated: you need to know when a user at a partner site comes on board or leaves. This requires the Federation capabilities provided by the OpenIAM Access Manager. New revenue streams may be generated by enabling trusted partnerships in which authentication and authorization are carried out over federated business networks.

  • Federation refers to interoperation between entities in different security domains, either in different organizations, or in different tiers in the same organization.
  • A trust relationship must exist between the involved entities to federate identity and enable authentication across realms.
  • Each domain may rely on different technologies and mechanisms to authenticate and authorize.
  • Federation enables loose coupling at the IDM level: each organization keeps its own security implementation while all adopt a common mechanism to propagate identity.

It is expensive for your partners to track user credentials and user attributes in your domain, as they do not have the same proximity to your users as you do. The OpenIAM Identity Manager integrates seamlessly with the OpenIAM Access Manager. OpenIAM can act as an identity provider and use Federation protocols to facilitate user provisioning and manage credentials and user attributes.

Security Token Service

A Security Token Service (STS) is a system role defined by the WS-Trust specification. A Web Service Client interacts with the STS to request a security token for use in SOAP messages. In addition, a Web Service Provider interacts with an STS to validate security tokens that arrive in a SOAP message. An STS arbitrates between different security token formats. The token transformation capability defined in WS-Trust provides a standards-based solution to bridge incompatible federation deployments or web services applications.

Web service providers should not be required to support multiple authentication mechanisms just because they have to work with different web service clients. The SAML standard is well recognized, and the OpenIAM Security Token Service can validate SAML tokens to bridge different web services.