Multi-domain Web SSO
Multi-domain Web Single Sign-On (Web SSO) simplifies service registration: a user registers once and gains access to all the services he or she needs, even though those services are provided by separate applications. Multi-domain Web Single Sign-On is sometimes called Cross-Domain Web Single Sign-On; for simplicity we refer to it as Web SSO. Web SSO is generally agentless, which makes it suitable for customer-facing use, since no agent or plugin has to be installed on the customer's endpoint.
Unlike a Service Oriented Architecture (SOA), which tends towards thorough service integration through an Enterprise Service Bus, Web SSO focuses only on authentication and authorization. Both SOA and SSO nevertheless make the entire set of services from all applications available to the customer, as long as he or she is authorized to consume them. Because of this narrower scope, a Web SSO implementation is usually much faster to deliver than an SOA when the goal is to integrate many applications. Web SSO is particularly useful for a large company that already has many web applications, or for a fast-growing company running multiple e-Service initiatives in parallel.
There are two common Web SSO technologies on the market: HTTP Header Gateway Single Sign-On and Federated Identity.
HTTP Header Gateway Single Sign-On
An HTTP Header Gateway provides solid security and acts as a fence (a gate) that every request must pass before it reaches the actual website, which is why software vendors usually sell it as an access management solution. The HTTP Header Gateway was originally built as a Policy Enforcement Point (PEP) that simplifies access permissions and their administration for multiple websites from a centralized Policy Administration Point (PAP), following the model described in XACML (eXtensible Access Control Markup Language). Once the gateway has authenticated the user, it forwards the request to the application with the user's identity carried in HTTP headers, which is where the name comes from.
An HTTP Header Gateway is most suitable for many applications hosted in the same DMZ (demilitarized zone of the data center). If the applications are spread across several DMZs, the gateways need a secured transport layer to communicate with each other, and this overhead can affect authentication response time. HTTP Header Gateways are common on the market, including in Indonesia, since they require few changes in the application and are offered by almost all major security software brands, such as IBM, Oracle and NetIQ.
An HTTP Header Gateway suits an enterprise whose web applications were developed by different vendors and use different user ID naming conventions from one application to another: for example, a credit card application requires a numeric identity, e-mail requires an "@" in its identity, a complete phone number requires a "+" (plus sign), and so on. Since a single person then has multiple identities, another application is required to integrate all the others and map between those identities; this integrating application is what we call Web SSO, and it provides very strong centralized authorization enforcement.
An HTTP Header Gateway is best suited to an Enterprise Business Portal: it allows multiple identities across applications and performs well, but the applications must trust the identity headers the gateway sets, so the communication between the gateway and the applications must be secured. In practice that means an application must be reachable only through the gateway (a network ACL or mutual TLS on the gateway-to-application link), and the gateway must strip any identity headers a client sends before injecting its own; otherwise an attacker who can reach the application directly can forge the header and impersonate any user. This is why it is most suitable for many applications in the same DMZ.
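The following is an added example (not code from the original page or from any vendor product it names) that models the HTTP Header Gateway flow described above and the failure mode of bypassing the gate. The header names, the session store, the shared secret and the request dictionaries are all constructed assumptions. The gateway authenticates the session cookie, strips any identity header the client tried to smuggle in, then injects the trusted identity; a "naive" application trusts the header as-is, while a "hardened" application additionally checks an HMAC the gateway computes over the identity, so a request that reaches the application directly cannot forge it.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Everything below is constructed for this example; header names, the session
# store and the secret are assumptions, not any vendor's product behaviour.
IDENTITY_HEADER = "X-Remote-User"
SIGNATURE_HEADER = "X-Remote-User-Sig"
GATEWAY_SECRET = b"constructed-gateway-app-secret"   # shared out of band with each app
SESSIONS: Dict[str, str] = {"sess-4f2a9c": "alice"}  # gateway cookie -> authenticated user


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; compare them that way."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def sign_identity(user: str) -> str:
    return hmac.new(GATEWAY_SECRET, user.encode(), hashlib.sha256).hexdigest()


def gateway_forward(request: dict) -> Optional[dict]:
    """The gate (PEP): authenticate the session cookie, drop any identity
    headers the client sent, then inject the trusted identity plus its HMAC.
    Returns the upstream request, or None when the user must log in first."""
    user = SESSIONS.get(request.get("cookie", ""))
    if user is None:
        return None
    reserved = {IDENTITY_HEADER.lower(), SIGNATURE_HEADER.lower()}
    headers = {k: v for k, v in request["headers"].items() if k.lower() not in reserved}
    headers[IDENTITY_HEADER] = user
    headers[SIGNATURE_HEADER] = sign_identity(user)
    return {"path": request["path"], "headers": headers}


def naive_app_user(upstream: dict) -> Optional[str]:
    """Typical header-SSO integration: the app believes the header as-is.
    Safe only if no request can reach the app without passing the gateway."""
    return _get_header(upstream["headers"], IDENTITY_HEADER)


def hardened_app_user(upstream: dict) -> Optional[str]:
    """Defence in depth: accept the identity only when the gateway's HMAC
    over it verifies, so a forged header from a direct request is rejected."""
    user = _get_header(upstream["headers"], IDENTITY_HEADER)
    sig = _get_header(upstream["headers"], SIGNATURE_HEADER) or ""
    if user is None or not hmac.compare_digest(sig, sign_identity(user)):
        return None
    return user


def demo() -> dict:
    """Legitimate traffic through the gateway, then a request that bypasses it."""
    via_gateway = gateway_forward({
        "path": "/account",
        "cookie": "sess-4f2a9c",
        "headers": {"x-remote-user": "admin"},   # client tries to smuggle an identity
    })
    bypass = {"path": "/account", "headers": {"X-Remote-User": "admin"}}  # hits the app directly
    return {
        "gateway_user_naive": naive_app_user(via_gateway),
        "gateway_user_hardened": hardened_app_user(via_gateway),
        "bypass_user_naive": naive_app_user(bypass),
        "bypass_user_hardened": hardened_app_user(bypass),
        "unauthenticated": gateway_forward({"path": "/", "cookie": "", "headers": {}}),
    }
```

The stripping step in `gateway_forward` is the one that matters most: without it, the smuggled lowercase `x-remote-user` would reach the application alongside the injected one. The HMAC is a second line of defence for the case the text warns about, an application reachable without passing the gate; in a real deployment the tag should also cover a timestamp or nonce, and the gateway-to-application link should still be restricted by network ACL or mutual TLS.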
Federated Identity
Federated Identity is basically a circle of trust between Service Providers (SP) and an Identity Provider (IdP). The SP is the application itself: it handles authorization for every user action and must be able to consume the authentication token (usually a SAML assertion) issued by its IdP. The IdP is the authentication service; it presents the login form to the user and, after a successful login, issues the token that the SP consumes.
The positive side of Federated Identity is that it is an open standard, already supported by many IdPs such as Google, Yahoo, Twitter, LinkedIn, Amazon and others (consumer IdPs generally do this through OAuth or OpenID Connect rather than SAML). A web application can therefore leverage those existing IdPs, so a new customer does not have to fill in a registration form and does not have to remember yet another user ID and password.
For an enterprise that has many applications, migrating all of them to be SP compliant can be very costly. This painful obstacle can be relieved by implementing an SP Gateway, which is already available on the market and supported by all major security software brands such as IBM, Oracle and NetIQ; the SP Gateway consumes the IdP's token on behalf of the applications behind it and passes the identity on to them, typically in HTTP headers, much as an HTTP Header Gateway does.
Federated Identity is best suited to a subscriber or retail portal: it can reuse an identity the customer already has and it supports distributed DMZs, but authentication response time is slower, since each login involves a redirect to the IdP and back.
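The exchange between IdP and SP described above, as an added example that is not part of the original page: the IdP issues a minimal SAML 2.0 bearer assertion for a subject, and the SP performs the checks it must pass before trusting the NameID (issuer, signature, validity window with clock skew, audience restriction, InResponseTo and Recipient, and a replay cache on the assertion ID). The entity IDs, URLs, key and clock are constructed assumptions, and an HMAC stands in for the XML digital signature a real IdP produces with its private key; the validation logic around it is what the example is meant to show.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# All identifiers below are constructed for this example, not a real deployment.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"
IDP_SIGNING_KEY = b"constructed-idp-key"   # stand-in for the IdP's X.509 signing key
CLOCK_SKEW = timedelta(minutes=2)
SEEN_ASSERTION_IDS: set = set()            # replay cache; entries can expire with NotOnOrAfter
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def _parse(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def _sign(xml: str) -> str:
    # Stand-in for XML-DSig: a real IdP signs with its private key and the SP
    # verifies with the certificate it imported from the IdP's metadata.
    return hmac.new(IDP_SIGNING_KEY, xml.encode(), hashlib.sha256).hexdigest()


def idp_issue_assertion(subject, in_response_to, now, assertion_id,
                        audience=SP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """IdP side: a minimal SAML 2.0 bearer assertion and its signature tag."""
    expiry = _fmt(now + lifetime)
    xml = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" '
        f'ID="{assertion_id}" IssueInstant="{_fmt(now)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" '
        f'Recipient="{SP_ACS_URL}" NotOnOrAfter="{expiry}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{_fmt(now)}" NotOnOrAfter="{expiry}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    )
    return xml, _sign(xml)


def sp_validate_assertion(xml, signature, expected_request_id, now) -> str:
    """SP side: the checks an SP must pass before trusting the NameID.
    Raises ValueError naming the failed check; returns the subject otherwise."""
    if not hmac.compare_digest(signature, _sign(xml)):
        raise ValueError("signature does not verify against the trusted IdP key")
    root = ET.fromstring(xml)
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("issuer is not the IdP in our circle of trust")
    cond = root.find("saml:Conditions", NS)
    if (now < _parse(cond.get("NotBefore")) - CLOCK_SKEW
            or now >= _parse(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different SP")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd.get("InResponseTo") != expected_request_id:
        raise ValueError("assertion does not answer the request we sent")
    if scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("assertion addressed to a different consumer URL")
    if root.get("ID") in SEEN_ASSERTION_IDS:
        raise ValueError("assertion replayed")
    SEEN_ASSERTION_IDS.add(root.get("ID"))
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo() -> dict:
    """One legitimate exchange, then the same SP rejecting common abuses."""
    SEEN_ASSERTION_IDS.clear()
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    later = now + timedelta(seconds=30)
    xml, sig = idp_issue_assertion("alice", "req-1", now, "_id-1")
    results = {"valid": sp_validate_assertion(xml, sig, "req-1", later)}
    attacks = {
        "replay": (xml, sig, "req-1", later),
        "tampered": (xml.replace("alice", "admin"), sig, "req-1", later),
        "expired": idp_issue_assertion("alice", "req-2", now, "_id-2")
                   + ("req-2", now + timedelta(minutes=10)),
        "wrong_audience": idp_issue_assertion("alice", "req-3", now, "_id-3",
                                              audience="https://other-sp.example.test")
                          + ("req-3", later),
        "wrong_request": idp_issue_assertion("alice", "req-4", now, "_id-4") + ("req-9", later),
    }
    for name, args in attacks.items():
        try:
            sp_validate_assertion(*args)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

The audience and InResponseTo checks are what keep the circle of trust closed: an assertion the IdP legitimately issued for another SP, or one captured from an earlier login, must not be accepted here even though its signature is valid. An SP Gateway does exactly this validation once, in front of the applications, which is why it spares each of them a SAML implementation of its own.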
PT Global Innovation Technology is a Web SSO vendor in Indonesia that implemented Multi-Domain Web Single Sign-On and Identity Federation for the National Spatial Data Infrastructure (NSDI) together with NTT Data Japan.