Above the Fray

By Anne Chen  |  Posted 2002-06-24

In the meantime, a few companies such as Centerpost are working to support multiple authentication systems. Centerpost recently signed a deal with Microsoft that will allow its Passport users to opt in if they want to receive airline itinerary and other information in the form of .Net alerts over standard e-mail. The authentication is secured using the HTTP Secure, or HTTPS, standard, Goren said.

When the Liberty Alliance releases its specifications, Goren said, his company will write APIs to integrate with them as well. The idea is to give all users single-sign-on ease of use, whether they have Passport or Liberty IDs.

"We need to support 100 percent of our users, whether they're aligned with AOL or Microsoft," Goren said. "Giving them a choice of authentication is what our customers are looking for. I'm not going to alienate an entire customer base because I want to take sides in a vendor political battle."

But corporations such as Centerpost that are willing to support all major single-sign-on systems are in the minority. At automobile industry e-marketplace Covisint LLC, in Southfield, Mich., Dave Miller, chief information security officer, doesn't have time to wait the year and a half he thinks it will take for interoperability among identity management systems. Nor does he want to manage multiple authentication systems.

Instead, Miller has chosen to deploy a federated single-sign-on system himself that allows employees from automobile manufacturers and suppliers to access Covisint's B2B portals. By building his system on emerging Web security standards, Miller said he hopes it will one day tie in to large single-sign-on services such as Passport.

To reduce the number of user names and passwords members must use to access disparate applications such as catalogs and auction sites housed by member suppliers and manufacturing heavyweights such as DaimlerChrysler AG, Ford Motor Co. and General Motors Corp., Miller has deployed RSA's ClearTrust 4.7 software. Covisint manages digital identities and provides single sign-on for users. Miller is also using the software as the basis of the federated single-sign-on system he is building.

"There are a lot of applications that OEMs and suppliers were not willing to give access to because they felt it was part of their competitive advantage," Miller said. "However, they still want the concept of the user being able to go to one spot and use only one ID and password to gain access to applications based on policies in a secure fashion. Our own federated model allows us to pass credentials from our site to participating sites—for example, between Ford and DaimlerChrysler."

Using ClearTrust and Oracle Corp.'s Oracle8i relational database on the back end, Miller built his single-sign-on system around the emerging Security Assertion Markup Language, or SAML, standard. Using an open, XML-based standard such as SAML lets Miller prepare for future interoperability with other Web sites or services such as Passport or Liberty that might one day support single sign-on using the same open standards.

"The industry is in the infancy of creating a standard that will do cross-domain authorization, but companies that have a need for this right now will develop their own solutions in the short term," Miller said. "Because I don't know which service will win yet, our plan is to move toward a standard implementation with a simple, straightforward way of passing credentials."
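The cross-domain credential passing Miller describes, as an added example that is not Covisint's or RSA ClearTrust's code: an identity provider issues a signed, audience-restricted, short-lived SAML-style assertion, and a participating portal validates it before trusting the subject. Everything here is assumed for illustration, not taken from the article: a shared federation key with HMAC-SHA256 stands in for the XML Signature a real deployment would verify with the issuer's public key, the element names follow the SAML 1.x assertion namespace, and the issuer, portal and user names are constructed for the demo. The point the example makes is the order and content of the relying party's checks: signature first, then issuer trust, audience, validity window and a replay cache keyed on the assertion ID.

```python
"""Illustrative federated SSO exchange (added example, not the page's code).
Assumptions: HMAC-SHA256 with a shared federation key stands in for XML
Signature; all issuer, portal and user names below are made up."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", NS)


def _tag(name):
    return f"{{{NS}}}{name}"


def _iso(ts):
    return ts.replace(microsecond=0).isoformat().replace("+00:00", "Z")


def _parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _sign(key, xml):
    # Sign the canonical (C14N) form, as a real XML Signature would, so that
    # serialisation differences do not matter but any content change does.
    canon = ET.canonicalize(xml, strip_text=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue_assertion(issuer, subject, audience, key, now=None, ttl=300):
    """Identity-provider side: build and sign a short-lived assertion."""
    now = now or datetime.now(timezone.utc)
    a = ET.Element(_tag("Assertion"), {
        "AssertionID": secrets.token_hex(16),   # unique; used for replay detection
        "Issuer": issuer,
        "IssueInstant": _iso(now),
    })
    cond = ET.SubElement(a, _tag("Conditions"), {
        "NotBefore": _iso(now),
        "NotOnOrAfter": _iso(now + timedelta(seconds=ttl)),
    })
    aud = ET.SubElement(ET.SubElement(cond, _tag("AudienceRestrictionCondition")),
                        _tag("Audience"))
    aud.text = audience                         # only this portal may accept it
    stmt = ET.SubElement(a, _tag("AuthenticationStatement"),
                         {"AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password"})
    ET.SubElement(ET.SubElement(stmt, _tag("Subject")), _tag("NameIdentifier")).text = subject
    xml = ET.tostring(a, encoding="unicode")
    return xml, _sign(key, xml)


class ServiceProvider:
    """Relying-party side (a participating portal)."""

    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted = trusted_issuers   # issuer -> shared federation key
        self.seen_ids = set()            # replay cache; bounded by ttl in practice

    def verify(self, xml, sig, now=None):
        """Return (subject, None) on success or (None, reason) on rejection."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(xml)
        key = self.trusted.get(root.get("Issuer"))
        if key is None:
            return None, "untrusted issuer"
        # Check the signature before relying on any other field.
        if not hmac.compare_digest(_sign(key, xml), sig):
            return None, "bad signature"
        cond = root.find(_tag("Conditions"))
        audiences = [e.text for e in cond.iter(_tag("Audience"))]
        if self.audience not in audiences:
            return None, "audience mismatch"
        if not (_parse_iso(cond.get("NotBefore")) <= now < _parse_iso(cond.get("NotOnOrAfter"))):
            return None, "outside validity window"
        aid = root.get("AssertionID")
        if aid in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(aid)
        return root.find(f".//{_tag('NameIdentifier')}").text, None


def demo():
    """Constructed scenario: one hub IdP, two portals, one user. All names are made up."""
    key = b"example-federation-key-not-real"
    idp = "urn:example:hub-idp"
    portal_a = ServiceProvider("urn:example:portal-a", {idp: key})
    portal_b = ServiceProvider("urn:example:portal-b", {idp: key})
    xml, sig = issue_assertion(idp, "jdoe@supplier.example", "urn:example:portal-a", key)
    old_xml, old_sig = issue_assertion(idp, "jdoe@supplier.example", "urn:example:portal-a", key,
                                       now=datetime.now(timezone.utc) - timedelta(hours=1))
    return {
        "ok": portal_a.verify(xml, sig),
        "replay": portal_a.verify(xml, sig),
        "wrong_audience": portal_b.verify(xml, sig),
        "tampered": portal_a.verify(xml.replace("jdoe", "admin"), sig),
        "expired": portal_a.verify(old_xml, old_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The audience restriction is what keeps an assertion minted for one partner's portal from being accepted at another's, and the replay cache is why the assertion ID must be unique and the validity window short. Real deployments replace the shared-key HMAC with an XML Signature verified against the issuer's certificate, which is the piece that lets partners who do not share a secret still trust each other's assertions.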

So far, Miller has deployed this federated single-sign-on system for Ford and is deploying it for DaimlerChrysler. Miller said this system enables administrators at the automobile manufacturers to easily close out user accounts that give access to Fords applications, for example, as well as any Covisint applications when an employee leaves.

Miller said the system has also proved successful in encouraging users to adopt stronger passwords. Miller requires that passwords be changed every 30 days and that each contain numerals and two uppercase letters. He is now exploring the use of user certificates in combination with passwords to further secure his authentication system.

While companies such as Covisint have a pressing need to deploy single sign-on, others such as CUNA Mutual Group, a subsidiary of Credit Union National Association Inc., in Madison, Wis., can afford to take a wait-and-see approach, holding off on building their own federated single-sign-on platform or signing on with Passport or another service until standards and interoperability develop.

But even at CUNA, Steve Devoti, manager of directory services, is planning a strategy for Web-based single sign-on by beginning to reduce the number of log-ins required of users. Devoti is doing that by reducing the number of directories he supports. While he currently manages 12 directories, he hopes to whittle that number down to three: one for employees, one for B2B partners and one for consumers. The reason? Devoti said the fewer applications users need to sign in to, the easier it will be to move to single sign-on and reduce management hassles.

Devoti has deployed Oblix's NetPoint access management software along with Microsoft's Active Directory to handle identity management and authentication. CUNA Mutual, which sells financial services products through credit unions, provides 50 Web-based applications to credit unions, allowing members to pay claims, check on the bond worthiness of an employee and access fraud protection programs. All the applications are protected by a home-grown system that uses Active Directory as the repository for identity information and the NetPoint product for single sign-on.

The Burton Group's Blum said companies such as CUNA Mutual that can afford to wait are smart to do so. He added that companies would also be wise to gradually replace legacy systems with new applications that use general-purpose sign-on mechanisms such as public-key infrastructure, SAML, Kerberos and Active Directory, rather than pursuing a rip-and-replace strategy.

Devoti said he knows that in the future, credit unions may want to support authentications from Passport or from members of Liberty Alliance. That means they will ask him to accept the same user ID and password combinations to provide seamless access to brokerage systems that CUNA hosts. This is the key reason he is developing his Web single-sign-on strategy with open standards such as SAML and XML in mind. Devoti also said he purchased the NetPoint access management product because of its ability to accept Passport authentications. The product provides CUNA with authentication modules for HTTP basic authentication over Secure Sockets Layer channel encryption, passwords submitted through Web forms, and database authentication.

"As an IT manager who needs to be forward-looking and try to predict what we'll need to do in the future, I know we will probably need to work with facilities from Liberty Alliance and Passport," Devoti said. "My hope is that open standards will be adopted for the communication of security assertions. As the world becomes more seamless, we can't afford to lose more control over what our customers are seeing or doing."


As a senior writer for eWEEK Labs, Anne writes articles pertaining to IT professionals and the best practices for technology implementation. Anne covers the deployment issues and the business drivers related to technologies including databases, wireless, security and network operating systems. Anne joined eWeek in 1999 as a writer for eWeek's eBiz Strategies section before moving over to Labs in 2001. Prior to eWeek, she covered business and technology at the San Jose Mercury News and at the Contra Costa Times.
