SOA Single Sign On

Streamline and persist authentication across heterogeneous Web services

The Problem: Heterogeneous Nature of Web Services

Web services are a practical technology for connecting heterogeneous applications spanning departments and partners. However, the distributed and sometimes heterogeneous nature of Web service integration complicates access control in a SOA. The same client application may have to present distinct credentials to each service in a composite SOA application. Moreover, every time the client requests information from one or more of the services in the composite application, it has to re-authenticate against each of them, slowing performance and adding latency to the transaction. Avoiding these problems requires a facility that streamlines authentication across heterogeneous services and persists sessions across multiple authentications.

Solution: Extend SSO to SOA Through SAML

A related problem has already been solved for humans interacting with applications in the Web world. For users accessing multiple back-end applications through a browser connected to a portal, products exist that provide one-time login, or Single Sign-on, to back-end systems. Using Single Sign-on (SSO) products and technologies like SAML, a user can avoid having to remember multiple passwords and re-authenticate to each application they access. Moreover, Single Sign-on insulates the user from browser-based redirection across back-end Web sites. SSO works well in the Web sphere because Web browsers support both cookie caching and Web address redirects. Session tokens generated by an SSO product like Tivoli Access Manager with WebSEAL or CA SiteMinder can be cached by a browser and presented to each back-end application exposed through the portal without the end user having to re-enter authentication credentials. The end user only needs to log in once to bootstrap the process. The same requirement exists for Web services and SOA, where client applications need to access multiple back-end Web services without re-authenticating or redirecting the client request. Ideally, this would be accomplished using the same SSO infrastructure organizations already have in place for their Web needs.

Layer 7 Value: Support for Popular SSO Systems

Using the SecureSpan SOA Gateway and SecureSpan XML VPN Client, Layer 7 offers enterprises a first-of-its-kind ability to reuse existing SSO infrastructure for Web services, or to leverage Layer 7's built-in SAML STS to enable SSO for SOA. The SecureSpan Gateway has built-in capabilities to integrate with Web SSO products from IBM, RSA, Oracle, Novell, Sun, CA and Microsoft. It can also generate custom SAML tokens from input credentials or from content in the message, which can then be used for downstream SSO. The ability to integrate with existing SSO products lets organizations reuse their Web SSO investment for Web services. The onboard SAML STS inside the Gateway, conversely, makes it easy for administrators to customize SSO and fine-grained entitlement policies for their Web services without resorting to any third-party product.

The optional SecureSpan XML VPN Client makes implementing SSO for SOA even easier. The SecureSpan XML VPN Client is designed to perform a function similar to a Web browser's in a Web services transaction: it can automatically negotiate cryptographic and security session parameters; it can package and transmit client credentials in a WS-* compliant format; it can sign messages and message parts using a digital certificate it provisions; and, most critically for SSO, it can cache cookies or session tokens passed to it by the SecureSpan SOA Gateway, embed these tokens in SOAP messages, and perform URI-based redirects to the appropriate service. It performs all these tasks automatically, without custom programming on either the client or the Web service. Without the XML VPN Client, developers have to custom-code client-side credential management and caching. The combination of the SecureSpan SOA Gateway or XML Firewall and the XML VPN Client therefore offers enterprises a unique ability to deliver SSO for Web services and SOA using existing Web SSO technology or SAML.
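The one-time-login flow described above (a client authenticates once against a token service, caches the session token it receives, and presents that token to every back-end service until it expires) is easy to see in code. The following Python sketch is an added example and is not Layer 7 code or the SecureSpan implementation: a simple HMAC-signed, expiring token stands in for a SAML assertion, and the SecurityTokenService, BackendService and SsoClient classes, the constructed user store, the demo signing key and the fake clock are all assumptions of the example. What it shows is the property the page is after: three calls to two different services cost one password check, and each service validates the token's signature, audience and expiry itself without ever seeing the password.

```python
import base64
import hashlib
import hmac
import json

# Constructed user store: username -> PBKDF2 hash. A real STS would instead
# delegate this check to the enterprise directory or the Web SSO product.
DEMO_SALT = b"constructed-demo-salt"

def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()

USER_STORE = {"alice": hash_password("correct horse battery staple")}

def encode_b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_b64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SecurityTokenService:
    """Stand-in for the gateway STS: checks the password once, issues a signed, expiring token."""

    def __init__(self, signing_key: bytes, ttl_seconds: int, clock):
        self._key, self._ttl, self._clock = signing_key, ttl_seconds, clock
        self.issue_count = 0  # how often a client had to present its primary credentials

    def issue(self, username: str, password: str, audience: str) -> str:
        stored = USER_STORE.get(username)
        # Constant-time comparison so a mismatch does not leak how much of the hash matched.
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            raise PermissionError("authentication failed")
        claims = {"sub": username, "aud": audience, "exp": int(self._clock()) + self._ttl}
        body = encode_b64(json.dumps(claims, sort_keys=True).encode())
        sig = encode_b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        self.issue_count += 1
        return f"{body}.{sig}"

def verify_token(token: str, signing_key: bytes, expected_audience: str, now: float) -> dict:
    """Check the signature first, then audience and expiry; return claims or raise PermissionError."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(decode_b64(sig), expected):
            raise PermissionError("bad signature")
        claims = json.loads(decode_b64(body))
    except (ValueError, TypeError):
        raise PermissionError("malformed token") from None
    if not isinstance(claims, dict) or claims.get("aud") != expected_audience:
        raise PermissionError("token not issued for this service group")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims

class BackendService:
    """One Web service in the composite application: trusts the STS key, never sees a password."""

    def __init__(self, name: str, signing_key: bytes, audience: str, clock):
        self.name, self._key, self._audience, self._clock = name, signing_key, audience, clock

    def handle(self, token: str, operation: str) -> str:
        claims = verify_token(token, self._key, self._audience, self._clock())
        return f"{self.name}:{operation} for {claims['sub']}"

class SsoClient:
    """Stand-in for the XML VPN Client: caches the token and presents it to every service."""

    def __init__(self, sts: SecurityTokenService, audience: str, clock):
        self._sts, self._audience, self._clock = sts, audience, clock
        self._token, self._exp = None, 0

    def call(self, service: BackendService, operation: str, username: str, password: str) -> str:
        # Send the password to the STS only when no token is cached or it is about to expire.
        if self._token is None or self._clock() >= self._exp - 30:
            self._token = self._sts.issue(username, password, self._audience)
            self._exp = json.loads(decode_b64(self._token.split(".")[0]))["exp"]
        return service.handle(self._token, operation)

def run_demo() -> dict:
    """One login bootstraps calls to two services; advancing the clock forces one re-login."""
    key, audience, clock = b"constructed-demo-signing-key", "soa-partners", [1_700_000_000]

    def now():  # fake clock in epoch seconds, advanced by hand below
        return clock[0]

    sts = SecurityTokenService(key, ttl_seconds=300, clock=now)
    orders, billing = (BackendService(n, key, audience, now) for n in ("orders", "billing"))
    client, creds = SsoClient(sts, audience, now), ("alice", "correct horse battery staple")
    responses = [client.call(orders, "list", *creds), client.call(billing, "invoice", *creds),
                 client.call(orders, "status", *creds)]
    logins_before_expiry = sts.issue_count  # one password check served all three calls
    clock[0] += 400  # past the 300 s lifetime, so the next call needs a fresh token
    responses.append(client.call(billing, "invoice", *creds))
    return {"responses": responses, "logins_before_expiry": logins_before_expiry,
            "logins_after_expiry": sts.issue_count}
```

run_demo() returns the four service responses together with the STS issue count before and after the clock is advanced (1, then 2). The services share only the verification key with the STS, so a token whose claims have been altered, whose signature came from a different token, whose audience names another service group, or whose lifetime has passed is refused by verify_token before any operation runs; in a SAML deployment the same checks are the assertion signature, the audience restriction and the validity window.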