Navy Deploying Its Battle Plan: SAML

By Anne Chen  |  Posted 2003-10-20


At the U.S. Navy's Space and Naval Warfare Systems Command, the battle plans to gain control of an IT environment with an estimated 200,000 applications center on single-sign-on capabilities and the use of SAML.

By deploying a single-sign-on solution based on Security Assertion Markup Language, the Navy will not only enhance employee productivity but also simplify domain administration as well as reduce security administration, help desk support and application development costs, said Terry Howell, Navy Enterprise Portal program manager for SPAWAR, in San Diego.

Once fully deployed, the identity management solution—which will reach 720,000 users—is expected to deliver a return on investment of 300 percent over three years, Howell said. The Navy spends an estimated $1 billion per year on its intranet alone.

"The potential savings associated with this project are huge," Howell said. "Once we are able to deploy functionality like user provisioning, we'll really start seeing a lot of savings. Eventually, those savings could be in the millions, if not billions, because we'll be able to manage users and applications more efficiently."

SAML has become a central player in securing Web services at many large, geographically dispersed organizations such as the Navy. For enterprises struggling to authenticate users for an increasing number of online applications, the standard's ability to enable single sign-on makes it an attractive and potentially cost-effective solution.

In fact, Gartner Inc., a research company in Stamford, Conn., predicts that an ROI of nearly 300 percent and savings of $3.5 million can be achieved over three years by a business of 10,000 employees that has implemented an effective automated identity management system.


In 2001, Adm. William Fallon, vice chief of naval operations, created Task Force Web, an initiative to winnow the Navy's thousands of legacy applications. The program called for all Navy applications to be Web-enabled by next year and available to some 720,000 Navy users via the Navy Enterprise Portal.

The task proved to be much larger than anyone thought. At the time, the Navy had about 200,000 applications in use, many of which were deployed at the department level and overlapped with those in other Navy units. To control that environment, the Navy decided to deploy a portal based on a Web services architecture. It was decided the portal would be based on open standards, so the Navy chose to build its Web services architecture using the J2EE (Java 2 Platform, Enterprise Edition) environment.

The Navy spent about $1 million to develop internally a middleware layer that enables the agency to substitute standards or data definitions without forcing changes to user services or underlying databases. This portal connector links the Navy's disparate legacy applications and Web services.

"We have applications [such as warfare simulation programs] that provide the intentions of the good guys and others that supply the intention of the bad guys," Howell said. "You want to bring those together to see the whole picture, and a single Web service could show a common operational picture."

SPAWAR—which acquires and deploys the technology used in ships and airplanes, as well as in network operating centers in the continental United States and overseas—decided single sign-on would be the most effective way to handle identity management for users to access the Navy Enterprise Portal.

"Users could have 100,000 identities, all with their own way of granting authorizations, and our primary thought was how to make this work as we're migrating these applications into a Web services environment," Howell said. "The Web services architecture will enable us to implement a unique, globally available identity to every user, and with that in place, we'll be able to enable single sign-on."

Because of the Navy's need to support personnel and contractors stationed around the globe, SPAWAR chose to support single-sign-on capabilities that are managed as a reusable Web service.

For identity management authorization, SPAWAR decided to use open standards, including SAML; XML; Simple Object Access Protocol; and Universal Description, Discovery and Integration. This led to the Navy's decision earlier this year to pilot Oblix Inc.'s NetPoint Identity Management and Access Control Solution 6.1 because Oblix supports SAML.


In the initial phase of the program, SPAWAR deployed NetPoint to handle SAML-enabled, single-sign-on authentication of 5,500 users aboard the battleship USS Teddy Roosevelt, enabling them to access applications that do everything from tracking parts to pinpointing the location of enemy vessels.

NetPoint handles the exchange of SAML security assertions between users on the ship and servers onshore, and it automatically logs users in to the Navy Enterprise Portal and its available applications.
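Automatically logging a user in on the strength of an assertion received from a remote issuer puts the weight on the relying party's checks. The following is an added Python example, not Navy or Oblix code: it validates a constructed SAML 1.x assertion (the SAML version in use in 2003) for issuer, validity window, audience and single use; the hostnames are placeholders, and XML signature verification is assumed to have been done by the SAML library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed SAML 1.x assertion for this example; hostnames are placeholders, not Navy systems.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" AssertionID="_c0ffee01"
  Issuer="https://idp.ship.example" IssueInstant="2003-10-20T12:00:00Z">
  <saml:Conditions NotBefore="2003-10-20T12:00:00Z" NotOnOrAfter="2003-10-20T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://portal.shore.example</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2003-10-20T11:59:55Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>sailor123</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_ts(s):
    """SAML timestamps are UTC; parse the 'Z' form used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, my_audience, now, seen_ids):
    """Return the authenticated NameIdentifier, or raise ValueError naming the failed check.
    Assumes the XML signature was already verified against the issuer's key; these are
    the checks a valid signature alone does not cover."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") != trusted_issuer:          # only accept our own identity provider
        raise ValueError("untrusted issuer")
    assertion_id = root.get("AssertionID")
    if not assertion_id or assertion_id in seen_ids:  # single use: block replay of a captured assertion
        raise ValueError("replayed or unidentified assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no conditions")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_audience not in audiences:                   # issued for a different relying party
        raise ValueError("assertion not addressed to this portal")
    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        raise ValueError("no authenticated subject")
    seen_ids.add(assertion_id)                         # remember the ID for the rest of its lifetime
    return name.text
```

The `seen_ids` set only needs to retain IDs until their `NotOnOrAfter` has passed, since the validity-window check rejects them afterwards anyway.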

The deployment of the project was successful enough that the Navy is planning to use NetPoint to provide single-sign-on capabilities to all 720,000 naval users and civilian contractors who access the Navy Marine Corps Intranet. Eventually, that number could reach as high as 3 million because all users associated with the Navy will be able to have their identity managed this way, Howell said.

To expand the use of single sign-on to a wider scale, SPAWAR is deploying Microsoft Corp.'s Active Directory throughout the naval organization, and it will populate the directory so that all Navy users can be issued a global ID. Howell will also face technical problems for users who are afloat and have limited bandwidth and connectivity.

Approximately 10,000 users currently have single-sign-on capabilities. Howell said he would like to deploy single sign-on for the Navy's entire continental U.S. user base during the next year. How quickly he might be able to do so will depend on funding.

"Right now, we're providing this infrastructure that no one has had available prior to this," Howell said. "It's taken users time to migrate their legacy applications. But the migration speed has gone from a trickle to a faucet. Eventually, it'll be a fire hose."

Case file

  • Company: U.S. Navy's Space and Naval Warfare Systems Command

  • Location: San Diego

  • Challenge: Web-enable all Navy applications by next year via the Navy Enterprise Portal; provide single-sign-on capabilities for the portal

  • Solution: Use only open industry standards such as SAML to deploy a Web services environment; deploy Oblix's NetPoint for identity management and access control

  • Tools: Oblix's NetPoint; Microsoft Corp.'s Windows 2000, Windows Server 2003, Active Directory and SQL Server

  • What's next: Deploy the Navy Enterprise Portal to ships and onshore; provide user provisioning

    Source: eWEEK reporting
