Security solutions
Executive brief
Understand the varieties and business value of single sign-on
August 2005
Contents
Executive overview
SSO delivers multiple business benefits
IBM helps companies implement SSO in a variety of computing models
Complete Web SSO encompasses a variety of capabilities
  Desktop SSO
  Back-end and portal SSO
  Three-tier SSO
  SSO to host application emulators
  Cross-domain SSO
Deploy federated SSO to facilitate cross-enterprise interactions
Derive additional value from legacy applications with client/server SSO
Enjoy security management benefits beyond SSO
For more information
About Tivoli software from IBM

Executive overview
Although many businesses are interested in single sign-on (SSO) because it promises to simplify administration and improve the user experience, there is more than one kind of SSO. By surveying the different types of SSO and the benefits of each, you will be in a good position to articulate your company's SSO requirements clearly and to identify a solution that delivers the full range of SSO capabilities.

SSO delivers multiple business benefits
To be an on demand business, a company frequently requires SSO capabilities. By letting users log in once across the applications and operating systems they need to access, a business gains both quantifiable and qualitative benefits, including:

Reduced administration costs. When users must log in multiple times, they are more likely to forget passwords, which in turn raises help-desk costs. Gartner estimates that 15 to 35 percent of help-desk calls are for password resets, and that each call generates, on average, $20 in IT costs.* SSO can significantly reduce these calls and their resulting costs.

Greater user productivity and experience. SSO lets users reach business systems faster, so they get more done. Users who sign in once also feel better about their transaction experience than users who must log in repeatedly with many different IDs and passwords.

One consequence to plan for: once a single logon opens every connected application, the strength of that initial authentication, and the ability to demand step-up authentication or forced reauthentication before sensitive resources are reached (described under the security management benefits later in this brief), matter correspondingly more.
Faster application deployment. When a company deploys an SSO and security system that lets application developers call out to external security services, security no longer has to be coded into each application. As a result, the company can bring new applications to market quickly, and can later update application business logic and strengthen security much more efficiently, because authentication and authorization are maintained in one place rather than in every application.
3 Highlights IBM helps companies implement SSO in a variety of computing models The benefits of SSO grow as it is applied against an expanded pool of IT environments. As computing models have evolved from distributed client/server systems to Web-based applications and now even to federated SSO configurations often involving emerging standards such as Security Assertion Markup Language (SAML), Liberty Alliance and Web Services Federation Language (WS-Federation) businesses are able to realize increasingly significant value from SSO solutions particular to each model. IBM software combined with offerings from IBM Business Partners supports Web SSO, federated SSO and client/server SSO By leveraging IBM Tivoli Access Manager for e-business in conjunction with IBM Tivoli Federated Identity Manager and offerings from IBM Business Partners, companies are implementing SSO under each of these models: The predominant computing model today is the Web model, involving HTTP/HTTPS transactions, with applications on Web servers, application servers or both. More than 1,400 customers worldwide deploy Tivoli Access Manager for e-business to provide SSO to Web-based applications. The software integrates with more than 70 software vendor applications. Many businesses are moving toward federated, cross-domain configurations to cost-effectively introduce partner-hosted capabilities into their customers Web experiences. These environments typically involve a business that has partner relationships, where the partner isn t necessarily using the same software as the business itself. Consequently, it is essential that federated, cross-domain software supports the latest interoperability standards used in SOA-based environments: SAML, Liberty Alliance and WS-Federation. IBM addresses these requirements with Tivoli Federated Identity Manager, which tightly integrates with Tivoli Access Manager for e-business.
4 IBM software along with IBM Business Partner solutions address SSO requirements for three coexisting computing models. Although few, if any, of the more modern computing solutions being developed today use the client/server model, many legacy client/server applications can still benefit from SSO. The flexible integration of Tivoli Access Manager for e-business with offerings from IBM Business Partners facilitates the extension of SSO to distributed client/server environments. On the following pages, you can learn more about IBM solutions for Web SSO, federated SSO and client/server SSO. Later, this document explores additional key benefits that the core solution, Tivoli Access Manager for e-business and Tivoli Federated Identity Manager, can provide.
Complete Web SSO encompasses a variety of capabilities
Tivoli Access Manager for e-business offers robust Web application SSO support, with thorough coverage of the initial point of focus, the exchange between browsers and Web and application servers, and much more. To facilitate browser/Web server interactions, Tivoli Access Manager for e-business supports:

- Web trust configurations using IBM WebSphere Application Server SSO capabilities and others.
- Basic authentication SSO.
- Forms-based SSO.
- Lightweight third-party authentication (LTPA) SSO.
- Passing user information to the back-end in an HTTP header. Because any HTTP client can send a header of the same name, the back-end must accept the identity header only on connections that come from the Tivoli Access Manager reverse proxy (for example, by network restriction or a proxy-to-server trust mechanism) and never directly from a browser; otherwise the header becomes an impersonation channel.
- A global sign-on (GSO) mechanism for retrieving user names and passwords for back-end application resources.

Because IBM customers have used Tivoli Access Manager for e-business and its precursors to solve Web SSO problems since the 1990s, many additions have been made to its Web SSO capabilities to address a wide variety of business needs. Consequently, and unlike products with a more limited scope, Tivoli Access Manager for e-business can be used to address desktop SSO, back-end and portal SSO, three-tier SSO, SSO to host application emulators and cross-domain SSO. Only a robust Web SSO solution addresses all of these areas.
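The header-passing capability above has a trust boundary that a practitioner must get right: the back-end may take the identity header only from the reverse proxy. The following is an added example (not IBM code, and not Tivoli Access Manager's actual header names or trust mechanism) of how a proxy can scrub client-supplied identity headers before setting its own, and how a back-end can verify what it receives. The header names, the 10.0.0.0/24 proxy network and the shared secret are assumptions constructed for this example; the HMAC stands in for whatever proxy-to-server trust mechanism a deployment actually uses.

```python
"""Identity propagation in an HTTP header between a reverse proxy and a back-end.

Added example; not IBM or Tivoli Access Manager code. Header names, the proxy
network and the shared secret are constructed assumptions for this example.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional

USER_HEADER = "X-Authenticated-User"   # assumed name for the identity header
SIG_HEADER = "X-Proxy-Signature"       # assumed name for the proxy's HMAC over it

# Constructed shared secret known only to the proxy and the back-end.
PROXY_SECRET = b"example-shared-secret-rotate-in-production"

# Only connections arriving from these addresses may carry a trusted identity.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _sign(user: str, secret: bytes = PROXY_SECRET) -> str:
    """HMAC-SHA256 over the user name, hex encoded."""
    return hmac.new(secret, user.encode("utf-8"), hashlib.sha256).hexdigest()


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def proxy_forward_headers(client_headers: Dict[str, str], authenticated_user: str) -> Dict[str, str]:
    """Build the headers the proxy sends upstream for an authenticated session.

    Any identity-bearing header the client itself supplied is dropped first, so a
    browser cannot smuggle a user name past the proxy; the proxy then sets the
    header from its own session state and signs it.
    """
    reserved = {USER_HEADER.lower(), SIG_HEADER.lower()}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    forwarded[USER_HEADER] = authenticated_user
    forwarded[SIG_HEADER] = _sign(authenticated_user)
    return forwarded


def backend_identity(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Return the user name the back-end may act on, or None if untrusted.

    Two independent checks are applied: the TCP peer must be a known proxy
    address, and the header must carry a valid HMAC over the user name. A
    request that reaches the back-end directly, or whose header was altered in
    transit, fails at least one of them.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    user = _get(headers, USER_HEADER)
    signature = _get(headers, SIG_HEADER)
    if user is None or signature is None:
        return None
    if not hmac.compare_digest(signature, _sign(user)):
        return None
    return user


if __name__ == "__main__":
    # Constructed request: the client tries to claim to be "admin".
    client = {"Accept": "text/html", "X-Authenticated-User": "admin"}
    upstream = proxy_forward_headers(client, "alice")
    print(backend_identity(upstream, "10.0.0.5"))       # alice
    print(backend_identity(client, "10.0.0.5"))         # None: no proxy signature
    print(backend_identity(upstream, "198.51.100.7"))   # None: not from the proxy
```

The two checks in backend_identity are deliberately independent: a network restriction alone fails when the proxy shares a host or address range with other software, and a signature alone fails if the secret leaks, so a deployment should keep both and rotate the secret.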
Figure: Tivoli Access Manager for e-business extends Windows desktop SSO to a wide variety of Web application platforms.

Desktop SSO
Many IBM clients appreciate desktop SSO: the ability to log on once to the Microsoft Windows operating system and avoid subsequent sign-in prompts from all their Windows applications. A number of years ago, IBM made it possible to extend that Windows desktop logon to Web applications protected by Tivoli Access Manager for e-business and running on UNIX, Novell and mainframe systems. This is sometimes called "Kerberizing" Tivoli Access Manager for e-business, because the Windows domain logon is based on the Kerberos protocol, and the browser presents the user's Kerberos service ticket to the Web entry point through Microsoft's Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). (SPNEGO can also negotiate Microsoft Windows NT LAN Manager [NTLM] authentication, but NTLM is a separate challenge-response protocol, not a Kerberos implementation.) In practice this requires the Web entry point to be registered as a service principal in the Windows domain and the browser to be configured to send Negotiate tokens to that host. Companies that have used the last few releases of Tivoli Access Manager for e-business have appreciated the convenience and time savings that this extension of desktop SSO provides.
Back-end and portal SSO
It is not uncommon for companies to implement a so-called SSO solution for a portal, only to find that users still see many password prompts. This is because weaker SSO solutions handle the link between the Web browser and the portal, but not the links between the portal and its portlets, which connect to other applications that need their own ID and password combinations. With Tivoli Access Manager for e-business, user information can be passed to an application server or portal server and used to build a credential appropriate to the back-end application environment. To extend SSO to back-end applications and portals, Tivoli Access Manager for e-business includes:

- Java Authentication and Authorization Service (JAAS) standardized support for programmatic security.
- J2EE standardized support for declarative security.
- A technology preview that enables programmatic and declarative security for .NET applications.
- Special GSO support integrated with the WebSphere Portal credential vault to extend SSO to the portal's back-end applications.
Figure: Tivoli Access Manager for e-business coordinates with WebSphere, RACF and J2EE technologies to enable SSO to mainframe applications.

Three-tier SSO
Mainframe applications protected by IBM RACF are widely appreciated for their high degree of security. Many businesses have Web-enabled these applications to extend their value, but not every SSO solution can manage authentication to mainframe applications. Tivoli Access Manager for e-business works in concert with WebSphere software, RACF and J2EE Connector Architecture (JCA) capabilities to map user information for use in each environment involved in a user's request for enterprise server (mainframe) data. Because such transactions involve browsers, middle-tier servers and enterprise servers, they are typically called three-tier transactions.

SSO to host application emulators
Another set of applications whose value has been extended by Web enablement are terminal emulation applications for IBM zSeries, IBM iSeries and DEC/UNIX hosts. The integration of Tivoli Access Manager for e-business with IBM WebSphere Host Access Transformation Services and IBM WebSphere Host On-Demand enables clients to provide SSO to these emulation applications.
Cross-domain SSO
Cross-domain SSO is an area of growing significance, spurred largely by the popularity of federated configurations and the rise of Web services. Companies that need broad coverage of protocols and token types, in support of a variety of cross-domain and cross-enterprise relationships, should read the following section. For customers who want more limited cross-domain SSO, with fewer management capabilities and a community of partners all running Tivoli Access Manager for e-business, IBM includes toolkits with a number of design alternatives in Tivoli Access Manager for e-business.

Deploy federated SSO to facilitate cross-enterprise interactions
As more customers implement complex solutions involving federation with third parties, demand is growing to extend the value of SSO to transactions that cross enterprise or domain boundaries. This is sometimes called federated SSO, and it may or may not involve a Web services architecture. The IBM solution for federated SSO is Tivoli Federated Identity Manager, which includes Tivoli Access Manager for e-business. Together, these technologies provide robust management of the identities involved in business-to-business SSO transactions. A key aspect of Tivoli Federated Identity Manager is its support for three key federated SSO interoperability standards: SAML, Liberty Alliance and WS-Federation. This matters because in business-to-business exchanges you cannot always be sure which protocol your partner will be able to support.
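Whatever the protocol, the receiving side of a federated SSO exchange performs the same steps: confirm the assertion comes from a trusted partner and is intact, confirm it was issued for this service and is still valid, map the partner's subject to a local identity, carry over only the attributes the partner is allowed to assert, and then authorize the local identity. The following is an added example (not IBM or Tivoli Federated Identity Manager code) of that relying-party logic; it also illustrates the identity-mapping, attribute-mapping and Web services authorization steps listed among the security management benefits later in this brief. A real assertion is signed SAML, Liberty or WS-Federation XML; here the assertion is a plain dictionary and an HMAC over its canonical form stands in for the XML signature so the example runs offline. The partner names, keys, attribute names, service paths and policy are all constructed assumptions.

```python
"""Relying-party processing of a federated SSO assertion: trust check, identity
mapping, attribute mapping and authorization.

Added example; not IBM or Tivoli Federated Identity Manager code. The
assertion format, partner registry, keys and policy are constructed for this
example; an HMAC stands in for the XML signature of a real SAML/Liberty/
WS-Federation token.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

LOCAL_ENTITY_ID = "https://sp.example.com"   # assumed identifier of the local service provider

# Constructed partner registry: verification key, a rule mapping the partner's
# subject to a local identity, and an allow-list mapping partner attribute names
# to local names (attributes not listed are discarded, never trusted by default).
PARTNERS: Dict[str, Dict[str, Any]] = {
    "https://idp.partner-a.example": {
        "key": b"partner-a-verification-key",
        "subject_to_local": lambda s: "partner-a/" + s,   # prefix avoids collisions with local accounts
        "attribute_map": {"role": "group"},
    },
}

# Constructed local policy: which local groups may call which Web service.
POLICY = {"/services/orders": {"buyer", "admin"}, "/services/admin": {"admin"}}


def _signature(body: Dict[str, Any], key: bytes) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, key: bytes, subject: str, attributes: Dict[str, str],
                    now: datetime, ttl_seconds: int = 300) -> Dict[str, Any]:
    """Identity-provider side, included so the exchange can run end to end."""
    body = {"issuer": issuer, "subject": subject, "audience": LOCAL_ENTITY_ID,
            "not_on_or_after": (now + timedelta(seconds=ttl_seconds)).isoformat(),
            "attributes": attributes}
    return {"body": body, "signature": _signature(body, key)}


def consume_assertion(token: Dict[str, Any], now: datetime) -> Dict[str, Any]:
    """Validate a partner assertion and map it to a local identity.

    The issuer is looked up first so the signature is checked with that issuer's
    key; then audience and validity window; only then is the subject mapped.
    Raises ValueError on any failed check.
    """
    body = token["body"]
    partner = PARTNERS.get(body.get("issuer"))
    if partner is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(token.get("signature", ""), _signature(body, partner["key"])):
        raise ValueError("bad signature")
    if body.get("audience") != LOCAL_ENTITY_ID:
        raise ValueError("wrong audience")
    if datetime.fromisoformat(body["not_on_or_after"]) <= now:
        raise ValueError("assertion expired")
    local_user = partner["subject_to_local"](body["subject"])
    attrs = {local: body["attributes"][remote]
             for remote, local in partner["attribute_map"].items() if remote in body["attributes"]}
    attrs["issuer"] = body["issuer"]   # added attribute: records where the identity came from
    return {"user": local_user, "attributes": attrs}


def authorize(identity: Dict[str, Any], service: str) -> bool:
    """Default-deny check of the mapped local identity against the service policy."""
    allowed = POLICY.get(service)
    return allowed is not None and identity["attributes"].get("group") in allowed


def demo() -> Dict[str, Any]:
    """One accepted exchange and three rejected ones, on constructed data."""
    now = datetime(2005, 8, 1, 12, 0, tzinfo=timezone.utc)
    issuer, key = "https://idp.partner-a.example", PARTNERS["https://idp.partner-a.example"]["key"]
    good = issue_assertion(issuer, key, "jdoe", {"role": "buyer", "shoeSize": "11"}, now)
    who = consume_assertion(good, now)
    results = {"user": who["user"], "attributes": who["attributes"],
               "orders": authorize(who, "/services/orders"), "admin": authorize(who, "/services/admin")}
    tampered = issue_assertion(issuer, key, "jdoe", {"role": "admin"}, now)
    tampered["signature"] = good["signature"]          # body changed after signing
    rogue = issue_assertion("https://idp.evil.example", b"any-key", "jdoe", {"role": "admin"}, now)
    for name, token, when in (("tampered", tampered, now), ("expired", good, now + timedelta(seconds=600)),
                              ("untrusted", rogue, now)):
        try:
            consume_assertion(token, when)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In SAML terms the same checks are the Issuer element, the XML Signature, the AudienceRestriction condition and NotOnOrAfter; the point the example makes is that the unlisted shoeSize attribute and the partner's original subject name never reach local authorization, and that authorization runs on the mapped local identity rather than on anything the partner asserted directly.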
Customers looking to use federated configurations to expand their business with relatively minor investment can now do so securely, thanks to the combination of Tivoli Federated Identity Manager and Tivoli Access Manager for e-business.

Derive additional value from legacy applications with client/server SSO
To extend SSO to client/server transactions, Tivoli Access Manager for e-business can be integrated with leading client-centric SSO solutions from IBM Business Partners, including:

- ActivCard ActivClient.
- Encentuate TCI.
- Passlogix v-GO Single Sign-On.

Note that IBM Tivoli Identity Manager can provision users for each of these solutions.

Enjoy security management benefits beyond SSO
Tivoli Access Manager for e-business not only delivers substantial SSO value, it also provides a number of additional security management benefits, including:

- Authorization for Web applications, enabling uniform application of policies that specify who can and cannot access sets of resources.
- Reverse proxy, protecting intranet, Web and application servers from direct Internet access (and, optionally, from direct intranet access).
- Front-end authentication for applications: out-of-the-box support for multiple authentication mechanisms (including user IDs and passwords, certificates and tokens), without requiring modification of back-end applications to support these technologies.
- Switch-user capability (where an administrator can take over a user's session), and authentication step-up and forced reauthentication (for access to highly sensitive data and applications), which are essential authentication options for some businesses. Because switch-user lets an administrator act as another user, it should be tightly restricted and every action taken under it recorded in the audit trail together with the administrator's own identity.
- Audit capabilities that, combined with a clear, unified access-control policy, can be a key enabler of audit readiness and compliance with regulations such as Sarbanes-Oxley. Tivoli Access Manager for e-business is designed to help companies maintain and certify the validity of their records and disclosures of pertinent information.

In addition to its federated SSO capabilities, Tivoli Federated Identity Manager extends the Web services security function of WebSphere and WebSphere Web Services Gateway by:

- Expanding support for security token types, allowing out-of-the-box use of SAML and Liberty Alliance tokens.
- Mapping user identities received from another domain to identities understood locally, and then mapping and adding attributes as necessary.
- Authorizing local identities for access to the requested Web services, ensuring only legitimate use of the Web services.
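Authorization, authentication step-up and forced reauthentication are three separate questions a reverse proxy answers for every request, and the order it asks them in matters. The following is an added example (not IBM or Tivoli Access Manager code) of a policy decision that evaluates all three, records each decision for audit, and shows what switch-user does and does not change. The authentication levels, URL-prefix rules, time limits, user names and sessions are constructed assumptions; a real product expresses the same ideas in its own policy language.

```python
"""Reverse-proxy policy decision combining authorization, authentication
step-up and forced reauthentication, with an audit record of each decision.

Added example; not IBM or Tivoli Access Manager code. Levels, rules, time
limits and sessions are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumed authentication levels: a higher number is a stronger mechanism.
PASSWORD, CERTIFICATE_OR_TOKEN = 1, 2


@dataclass
class Session:
    user: str
    groups: Set[str]
    auth_level: int
    auth_time: datetime
    acting_admin: Optional[str] = None   # set when an administrator has switched into this session


@dataclass
class Rule:
    groups: Set[str]                           # who may access the resource at all
    min_level: int = PASSWORD                  # below this, demand step-up
    max_auth_age: Optional[timedelta] = None   # older than this, force reauthentication


# Constructed policy keyed by URL prefix; the longest matching prefix wins.
POLICY: Dict[str, Rule] = {
    "/intranet/": Rule(groups={"staff"}),
    "/intranet/hr/payroll/": Rule(groups={"hr"}, min_level=CERTIFICATE_OR_TOKEN,
                                   max_auth_age=timedelta(minutes=5)),
    "/admin/": Rule(groups={"admin"}, min_level=CERTIFICATE_OR_TOKEN),
}

AUDIT: List[Dict[str, str]] = []


def _rule_for(path: str) -> Optional[Rule]:
    matches = [prefix for prefix in POLICY if path.startswith(prefix)]
    return POLICY[max(matches, key=len)] if matches else None


def decide(session: Session, path: str, now: datetime) -> str:
    """Return "allow", "deny", "step-up" or "reauthenticate" for one request.

    Authorization is evaluated before authentication strength: a user who may
    never reach the resource is refused outright rather than being prompted for
    a stronger credential. Paths with no matching rule are denied (default deny).
    """
    rule = _rule_for(path)
    if rule is None or not (session.groups & rule.groups):
        outcome = "deny"
    elif session.auth_level < rule.min_level:
        outcome = "step-up"
    elif rule.max_auth_age is not None and now - session.auth_time > rule.max_auth_age:
        outcome = "reauthenticate"
    else:
        outcome = "allow"
    # Every decision is recorded; under switch-user the administrator's own
    # identity is kept alongside the user whose session is being used.
    AUDIT.append({"time": now.isoformat(), "user": session.user,
                  "acting_admin": session.acting_admin or "", "path": path, "outcome": outcome})
    return outcome


def demo() -> Dict[str, str]:
    """Run a constructed set of requests and return the decisions by name."""
    now = datetime(2005, 8, 1, 9, 0, tzinfo=timezone.utc)
    staff = Session("bob", {"staff"}, PASSWORD, now - timedelta(minutes=30))
    hr_pw = Session("carol", {"staff", "hr"}, PASSWORD, now - timedelta(minutes=1))
    hr_tok_old = Session("carol", {"staff", "hr"}, CERTIFICATE_OR_TOKEN, now - timedelta(minutes=20))
    hr_tok_new = Session("carol", {"staff", "hr"}, CERTIFICATE_OR_TOKEN, now - timedelta(minutes=1))
    switched = Session("bob", {"staff"}, CERTIFICATE_OR_TOKEN, now, acting_admin="root-admin")
    return {
        "staff_intranet": decide(staff, "/intranet/news", now),
        "staff_payroll": decide(staff, "/intranet/hr/payroll/run", now),
        "hr_password_payroll": decide(hr_pw, "/intranet/hr/payroll/run", now),
        "hr_old_token_payroll": decide(hr_tok_old, "/intranet/hr/payroll/run", now),
        "hr_fresh_token_payroll": decide(hr_tok_new, "/intranet/hr/payroll/run", now),
        "switched_admin_area": decide(switched, "/admin/users", now),
        "unmatched_path": decide(staff, "/public/x", now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
    print(AUDIT[-2])   # the switch-user decision, carrying both identities
```

Two details are worth noting. The "hr_old_token_payroll" case shows that a strong credential does not exempt a session from forced reauthentication once it is older than the rule allows; and the "switched_admin_area" case shows that an administrator who has switched into bob's session holds bob's authorizations, not the administrator's own, while the audit record still names the administrator.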
For more information
Many vendors talk about their SSO solutions, yet they address only a small piece of the puzzle. Today, Tivoli Access Manager for e-business delivers SSO in the area where the need is most prevalent: the Web. The software also works with Tivoli Federated Identity Manager to address federated and Web services SSO, and with IBM Business Partners to address legacy client/server configurations. To learn more about how Tivoli software can help you achieve your SSO goals and address a broad range of security challenges throughout your enterprise, contact your IBM sales representative or IBM Business Partner, or visit ibm.com/tivoli

About Tivoli software from IBM
Tivoli software from IBM helps organizations efficiently and effectively manage information technology (IT) resources, tasks and processes in order to meet ever-shifting business requirements and deliver flexible and responsive IT service management, while reducing costs. The Tivoli portfolio spans software for security, compliance, storage, performance, availability, configuration, operations and IT lifecycle management, and is backed by world-class IBM services, support and research.

Copyright IBM Corporation 2005. IBM Corporation, Software Group, Route 100, Somers, NY 10589 U.S.A. Produced in the United States of America, 08-05. All Rights Reserved.

IBM, the IBM logo, iSeries, RACF, Tivoli, WebSphere, z/OS and zSeries are trademarks of International Business Machines Corporation in the United States, other countries or both. Linux is a trademark of Linus Torvalds in the United States, other countries or both. Microsoft, Windows and Windows NT are trademarks of Microsoft Corporation in the United States, other countries or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries or both.
Other company, product and service names may be trademarks or service marks of others.

* R. Witty, K. Brittain, A. Allan. "Justify Identity Management With Metrics." Gartner Research, February 23, 2004.

G507-1145-00