The benefits of using a Single Sign-On system are endless. User rights are tightly integrated with user and company policies, and these policies are all centralized (in a data center, for example) within a given organization. Users have only one identity (user ID and password) to maintain. Companies have the assurance that all the entry points to a number of applications and data are secured by the LDAP directory, which controls the company's user and password policy. Now that Single Sign-On has been defined and its positive aspects have been discussed, what are your options when it comes to Single Sign-On for web applications? I will discuss two, which are:
- CA SiteMinder
- Custom Solution
What is CA SiteMinder? It is a centralized Web access management system that enables user authentication and single sign-on, authentication management, policy-based authorization, identity federation and auditing of access to Web applications and portals.
What security challenges does it meet? It enables you to mitigate IT security-related risks and reduce application development and operational costs, while enhancing the user’s experience and easing regulatory compliance.
Why should you care? In my humble opinion, SiteMinder provides a single authentication module for any portal or single web application. It addresses the key authentication, authorization and personalization requirements of building secure web sites in a cost-effective and efficient way, without creating an in-house solution that is neither scalable nor cost-effective once you factor in the entire project life cycle. When it comes to in-house solutions, why spend the time and effort on development, testing, documentation, and so on when SiteMinder will do the job for you?
Of course there is nothing wrong with developing your very own custom solution, and there are times when this will be much more effective than purchasing a commercial off-the-shelf (COTS) product. Only you can make that decision, and Visual Studio 2008 or Visual Studio 2005, along with the Microsoft .NET Framework, provide a number of options, which are:
There is a very good article on MSDN titled Single Sign-On Enterprise Security for Web Applications that I suggest you take the time to read.
One may ask: how does it work? Software resides on your web server; it knows which pages are part of your intranet site(s) and intercepts URL requests for them. Each request is held while a transaction is sent to a policy server that handles the authentication through LDAP. The user is given a login page and asked for an ID and password. Once authenticated, the user's request for the protected page is sent back to the web server.
- User hits a given URL for an ASP.NET application.
- The SiteMinder Web Agent intercepts the request and checks its resource cache. If there is no information in cache about this resource (URL), the Web Agent then sends the request to the Policy Server, asking if the resource is protected.
- The Policy Server responds indicating that the resource is protected.
- The Web Agent forwards the request to a login page for challenging the user for their credentials.
- The Web Agent forwards the credentials back to the Policy Server for authentication and authorization.
- The Policy Server authenticates the user. After verifying the user's identity, the Policy Server checks the rules in the Policy Store, where user entitlements are stored, and grants the user access to the resource.
- The Policy Server notifies the Web Agent that the user is authenticated and authorized for this resource.
- The Web Agent constructs several SiteMinder HTTP headers with information about the authenticated user (userid), generates an encrypted session cookie and redirects the request to the original target URL.
- The request reaches the ASP.NET application where the userid can be extracted from the SiteMinder headers for further processing.
The SiteMinder IIS agent is an ISAPI filter/extension. It resides on the web server, handles all the redirects for authentication and preserves the original request, so that after authentication is performed the user is sent on to the correct location. SiteMinder supports a concept called responses. With a response you can set any HTTP header you want. As described above, the agent sets headers describing the authenticated user; SM_USER is set by default, but you can also set REMOTE_USER or any other header you would like. Since SiteMinder supports a significant number of authentication schemes, you could continue to use Windows Integrated Authentication with the IIS server. You could possibly use an HttpModule in conjunction with SiteMinder; see SiteMinder and ASP.NET.
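The last step of the flow above (the ASP.NET application extracting the userid from the SiteMinder headers) and the HttpModule idea just mentioned can be combined into one small module. The following is an added example written for this post; it is not SiteMinder's or Microsoft's code. It assumes the SiteMinder Web Agent sits in front of the IIS site and that every request reaching the application has already passed through the agent, which populates the SM_USER header (the default header named above). The class name, the event wiring and the character whitelist are my own choices.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical HttpModule (added example) that turns the SM_USER header written by
// the SiteMinder Web Agent into an ASP.NET principal, so the rest of the application
// can use HttpContext.Current.User and the usual <authorization> rules.
public class SiteMinderIdentityModule : IHttpModule
{
    // Default header set by the agent's response, as described in the post.
    private const string UserHeader = "SM_USER";

    public void Init(HttpApplication app)
    {
        // AuthenticateRequest runs before authorization, which is where the
        // principal must already be in place.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        string userId = ctx.Request.Headers[UserHeader];
        if (string.IsNullOrWhiteSpace(userId))
        {
            // No agent header: leave the request unauthenticated so that a
            // <deny users="?"/> rule in web.config rejects it, rather than
            // inventing a default identity.
            return;
        }

        // The header is plain text produced by an upstream component; validate
        // it before it becomes the identity name used in logs and authorization.
        if (!IsPlausibleUserId(userId))
        {
            ctx.Response.StatusCode = 400;
            app.CompleteRequest();
            return;
        }

        // Assumption: this site is reachable only through the agent-protected
        // IIS server, so the header is trusted here. If the application could be
        // reached directly, a client-supplied SM_USER header would be accepted,
        // which is why deployment must enforce that path.
        var identity = new GenericIdentity(userId, "SiteMinder");
        ctx.User = new GenericPrincipal(identity, new string[0]);
    }

    // Accepts the characters one would expect in a directory user id
    // (letters, digits, '.', '-', '_', '@' and '\' for DOMAIN\user); anything
    // else, or an unreasonably long value, is rejected.
    internal static bool IsPlausibleUserId(string value)
    {
        if (value.Length > 256) return false;
        foreach (char c in value)
        {
            if (char.IsLetterOrDigit(c)) continue;
            if (c == '.' || c == '-' || c == '_' || c == '@' || c == '\\') continue;
            return false;
        }
        return true;
    }

    public void Dispose() { }
}
```

Register the module in web.config under `<system.webServer><modules>` with an `<add name="SiteMinderIdentity" type="SiteMinderIdentityModule"/>` entry, and pair it with `<authorization><deny users="?"/></authorization>` so that any request that arrives without a resolved identity is refused. Downstream code then reads `HttpContext.Current.User.Identity.Name` instead of touching the raw header again.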
Check out CA SiteMinder for yourself to determine if this is a potential solution for your project.