Best of Both Worlds
[integrating eSSO and WAM]
It is possible to integrate WAM and eSSO systems. The benefit is SSO to both environments, with a single authentication and robust authorization capabilities for Web applications. In addition, since some WAM systems support federation, an organization can provide SSO to enterprise, Web and federated applications. Organizations can integrate eSSO and WAM via the following methods:
- Use identity management vendors' capabilities to integrate WAM and eSSO. In this case, the eSSO client will typically push its own authentication token into the Web browser as a cookie. When the user visits a Web application protected by the WAM system, the WAM system validates the eSSO authentication cookie, and then issues a WAM authentication cookie. The benefit of this approach is tighter integration of eSSO and WAM policy, and potentially easier management of the user identity.
- Extend the organization's Windows infrastructure to bind the eSSO and WAM systems together. Once the user has authenticated to Windows, he can get SSO to Microsoft Web applications. But, there are some domain trust issues, minimum Web browser requirements and non-Windows Web application issues.
- Leverage the eSSO system's Web authentication capabilities. In this scenario, the eSSO application completes the Web authentication form for the WAM system and transparently logs the user on to the WAM system. This method is generally the least secure because the password is replayed into the Web application. Other methods typically utilize some cryptography to transition the session.
