
Single Sign-On beyond the firewall

Posted by Gavin Terrill on Nov 05, 2007

Sections: Architecture & Design, Development, Enterprise Architecture
Topics: Architecture, Security, WS Standards
Tags: SAML

It seems like only yesterday that developers were coming to grips with implementing Single Sign-On (SSO) across the enterprise. Now, organizations are concerned with how they can extend that thinking beyond the corporate firewall. John Dunn wrote about the basic tenets of Federated Identity Management (FIM) in a recent Techworld article:

The first thing to say about FIM is that it is not really a technology as such – despite what some vendors will appear to claim – more a concept for understanding how technologies such as web services can be used to make possible a goal that has started to obsess forward-thinking IT die-hards: how can users at different organisations share or ‘federate’ data and conduct transactions using each other’s networks?

SAML (Security Assertion Markup Language) 2.0 is the standard endorsed by OASIS to facilitate SSO in FIM. John discusses three important SAML features that make it appropriate for FIM projects:

First, it requires no ongoing synchronisation, and sets up connections on the basis of a particular request at a particular moment in time. This makes it simple and auditable. Second, it allows the communication of privacy settings and manages sessions better once the person has logged out of a federated resource. Perhaps most critically, it is an abstraction layer that can unite otherwise different authentication systems from different vendors, something that has thus far tended to cause a mountain of problems for FIM projects.
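The "particular request at a particular moment in time" property described above is what a service provider actually checks when an assertion arrives. As an added example, not code from the InfoQ post or the Techworld article, the Python below validates the validity window, audience restriction and request binding of a constructed SAML 2.0 assertion; the issuer, audience, endpoint and request ID values are placeholders, and XML Signature verification is assumed to have been performed before these checks.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience and request ID are placeholders.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2007-11-05T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
        Recipient="https://sp.example.com/acs" NotOnOrAfter="2007-11-05T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-11-05T09:59:00Z" NotOnOrAfter="2007-11-05T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_utc(stamp):
    """SAML timestamps are UTC 'Z' times; return a timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate(xml, now, audience, request_id, recipient):
    """Return the reasons to reject the assertion; an empty list means accept."""
    root = ET.fromstring(xml)
    problems = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    # Validity window: the assertion answers one request at one moment in time.
    if now < parse_utc(cond.get("NotBefore")):
        problems.append("not yet valid")
    if now >= parse_utc(cond.get("NotOnOrAfter")):
        problems.append("expired")
    # Audience restriction: an assertion minted for another SP is not ours.
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append("audience mismatch")
    # Bearer confirmation must tie back to our own AuthnRequest and ACS endpoint.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:
        problems.append("not a reply to our request")
    elif scd.get("Recipient") != recipient:
        problems.append("wrong recipient")
    elif now >= parse_utc(scd.get("NotOnOrAfter")):
        problems.append("confirmation expired")
    return problems
```

Every rejected assertion yields a concrete reason, which is what makes the per-request model auditable: the reason list is what a service provider would write to its audit log alongside the assertion ID.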

John then discusses a checklist of issues for companies starting to investigate FIM. These include:

  • Ensuring your company has robust authentication in place. Your users will be accessing partner sites, and vice versa.
  • Evaluating the security implications of employees accessing multiple systems.
  • Compliance concerns.
  • Determining who is responsible in the event of a failure.

The vision of Federated Identity evokes exciting possibilities; however, John concludes the article with some sobering advice:

Longer term, it has the potential to transform even the humblest IT operation into something quite new. But as a concept, federation surely represents the future of networks, so that they become not islands of digital power, but overlapping ‘networks of networks’. It is happening already. But it will force companies to re-examine their own security processes before they jump into its whirlpool of potential difficulties.

More InfoQ coverage of SAML is available here.
