
SOA Single Sign-on

Streamline and persist authentication across heterogeneous Web services

 

The Problem: Heterogeneous Nature of Web Services

Web services are a practical technology for connecting heterogeneous applications spanning departments and partners. However, the distributed and sometimes heterogeneous nature of Web service integration complicates access control in a SOA. The same client application may have to present distinct credentials to each service in a composite SOA application. Moreover, every time the client requests information from one or more of the services in the composite application, it has to re-authenticate against each, slowing performance and adding latency to the transaction. Avoiding these problems requires a facility to streamline authentication across heterogeneous services and persist sessions across multiple authentications.

Solution: Extend SSO to SOA

A related problem has already been solved for humans interacting with applications in the Web world. For users accessing multiple back-end applications through a browser connected to a portal, products exist that provide one-time login, or Single Sign-on, to back-end systems. Using Single Sign-on, a user can avoid having to remember multiple passwords to re-authenticate to each application they access. Moreover, Single Sign-on insulates the user from browser-based redirection across back-end Web sites.

Single sign-on (SSO) works well in the Web sphere because Web browsers support both cookie caching and Web address redirects. Session tokens generated by an SSO product like Tivoli Access Manager with WebSEAL or CA SiteMinder can be cached by a browser and presented to each back-end application exposed through the portal without the end user having to re-enter authentication credentials. The end user only needs to log in once to bootstrap the process. The same requirement exists for Web services and SOA, where client applications need to access multiple back-end Web services without re-authenticating and without redirection of the client request. Ideally this would be accomplished using the same SSO infrastructure organizations have in place for their Web needs.

Layer 7 Value: Support for Popular SSO Systems

Using the SecureSpan Gateway and SecureSpan XML VPN Client, Layer 7 offers enterprises a first-of-its-kind ability to reuse existing SSO infrastructure for Web services. The SecureSpan Gateway has built-in capabilities to integrate with Web SSO products from IBM, RSA, Oracle, Novell, Sun, CA and Microsoft. This serves two purposes. First, it allows the SecureSpan Gateway to delegate identity and access policy decisions to the SSO products. Second, it allows SSO authentication and session tokens (cookies or SAML assertions) to be passed using Web services protocols to a Web services client application.

However, that alone is insufficient to provide a client application with SSO capabilities since, unlike the Web, Web services have no browsers to cache session tokens and provide address redirects. The SecureSpan XML VPN Client provides a solution. It is designed to perform a similar function to a Web browser in a Web services transaction:

- it can automatically negotiate cryptographic and security session parameters;
- it can package and transmit client credentials in a WS* compliant format;
- it can sign messages and message parts using a digital certificate it provisions;
- and, most critically for SSO, it can cache cookies or session tokens passed to it by the SecureSpan Gateway, embed these tokens in SOAP messages, and perform URI-based redirects to the appropriate service.

It can perform all these tasks automatically without custom programming on either the client or Web service.

The combination of the SecureSpan Gateway and XML VPN Client therefore offers a unique ability to deliver SSO for Web services and SOA to enterprises. Moreover, SecureSpan delivers this value using existing Web SSO infrastructure, saving enterprises both implementation time and expense.

 
