Agent: Agents are installed on Web servers and other resources, and are responsible for enforcing authentication and authorization. Some Web applications may have their own internal authorization that cannot be externalized, and in this case, the agent enforces only authentication. Agents can also be proxy-based, to provide authentication and authorization services to resources without a locally installed agent.
Policy Server: The agent takes its cues from the policy server, which dictates how the user should authenticate, and what resources he or she has access to. The policy server usually has a Web-based administrative interface.
Repository: The repository stores information about users and WAM policy. Typically, the repository is an LDAP directory.
Best of Both Worlds
[integrating eSSO and WAM]
It is possible to integrate WAM and eSSO systems. The benefit is SSO to both environments, with a single authentication and robust authorization capabilities for Web applications. In addition, since some WAM systems support federation, an organization can provide SSO to enterprise, Web and federated applications. Organizations can integrate eSSO and WAM via the following methods:
- Use identity management vendors' capabilities to integrate WAM and eSSO. In this case, the eSSO client will typically push its own authentication token into the Web browser as a cookie. When the user visits a Web application protected by the WAM system, the WAM system validates the eSSO authentication cookie, and then issues a WAM authentication cookie. The benefit of this approach is tighter integration of eSSO and WAM policy, and potentially easier management of the user identity.
- Extend the organization's Windows infrastructure to bind the eSSO and WAM systems together. Once the user has authenticated to Windows, he can get SSO to Microsoft Web applications. But, there are some domain trust issues, minimum Web browser requirements and non-Windows Web application issues.
- Leverage the eSSO system's Web authentication capabilities. In this scenario, the eSSO application completes the Web authentication form for the WAM system and transparently logs the user on to the WAM system. This method is generally the least secure because the password is replayed into the Web application. Other methods typically utilize some cryptography to transition the session.
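The session transition that the first method relies on, modelled as an added example (not code from the article or from any eSSO/WAM vendor): the WAM side validates an HMAC-signed eSSO cookie and mints its own short-lived session cookie, so the user's password is never replayed into the Web application. The token format, cookie names and keys are assumptions made for illustration.

```python
# Added example: cookie-based eSSO -> WAM session transition (assumed token format).
import base64
import hashlib
import hmac
import json
import time

ESSO_KEY = b"esso-shared-secret"  # constructed: shared by eSSO client and WAM policy server
WAM_KEY = b"wam-session-secret"   # constructed: WAM's own session-signing key


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def mint_token(key, claims):
    """Encode claims as base64url JSON and append an HMAC-SHA256 tag (assumed format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(key, body.encode())}"


def verify_token(key, token, now):
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    # Constant-time comparison: a tampered or forged tag is rejected before decoding.
    if not hmac.compare_digest(_sign(key, body.encode()), tag):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def wam_transition(cookies, now):
    """WAM agent/policy-server side: accept a valid eSSO cookie, issue a WAM cookie."""
    claims = verify_token(ESSO_KEY, cookies.get("ESSO_TOKEN", ""), now)
    if claims is None:
        return None  # no valid eSSO token: fall back to normal WAM authentication
    # The WAM session is bound to the same subject, signed with WAM's own key and
    # given its own short lifetime; the eSSO token itself is never accepted as a WAM session.
    wam_claims = {"sub": claims["sub"], "iat": now, "exp": now + 900, "iss": "wam"}
    return {"WAM_SESSION": mint_token(WAM_KEY, wam_claims)}


if __name__ == "__main__":
    t = time.time()
    esso_cookie = {"ESSO_TOKEN": mint_token(ESSO_KEY, {"sub": "alice", "exp": t + 300})}
    print(wam_transition(esso_cookie, t))
```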
This was first published in August 2006