Small and midsize organizations that are required by a larger partner to automate authentication of users when accessing Web applications should consider Trustgenix Inc.s IdentityBridge Standard Edition.
Click here to read the full review of IdentityBridge Standard Edition.
2
Small and midsize organizations that are required by a larger partner to automate authentication of users when accessing Web applications should consider Trustgenix Inc.s IdentityBridge Standard Edition.
IdentityBridge Standard Edition—a stripped-down version of IdentityBridge Enterprise Edition—will satisfy any federated identity mandate that requires using either of the two main federation protocols: SAML (Security Assertion Markup Language) or Liberty Alliance.
IdentityBridge Standard Edition costs $5,000 per connection, significantly less than the installation price of most full-fledged access management systems. For example, IdentityBridge Enterprise Edition, which can be used to streamline authenticated sign-on with multiple partners, costs $30,000 per connection.
Support for IdentityBridge Standard Edition is provided at no additional cost for the first year; the cost for basic support after that is $900 per year.
IdentityBridge Standard Edition, which started shipping in February, must be installed on a Microsoft Corp. Windows 2000 Server or Windows Server 2003 system.
More onerous for most organizations, though, will be IdentityBridges requirement for Microsofts Internet Information Services. We would like to see Trustgenix broaden the products Web server support to include the widely used Apache Web server, as well as other open-source and commercial Web servers. (Broader Web server platform support is available in IdentityBridge Enterprise Edition.)
However, IdentityBridge Standard Edition can draw on identity data stored in any LDAP Version 3.0-compliant directory store. (We used Windows Active Directory and Novell Inc.s eDirectory.) IdentityBridge also supports Sun Microsystems Inc.s Java System Directory Server.
Despite its Windows-centric requirements on the user side, IdentityBridge enables communication between sites running any SAML- or Liberty Alliance-compliant authentication system, regardless of what platform the partner site is using.
During tests, we used IdentityBridge Standard Edition to access an application, embedded in a Web portal, from a trusted site. Using test accounts, we logged on to our Windows Active Directory-enabled domain and then clicked on the application URL. In the background, IdentityBridge Standard Edition authenticated the test user account against Active Directory (a split-second operation that was unnoticeable during tests); the user was then authenticated to the trusted test site.
We accessed a variety of test Web resources at the trusted site, including a product inventory list and pricing sheets, without any need to provide a user name or password. In this sense, IdentityBridge Standard Edition acts as a single-sign-on package. IdentityBridge Standard Edition also integrates with several third-party single-sign-on tools.
IdentityBridge Standard Edition will likely lower overall password management costs, which should be figured into the cost of acquiring the product. For example, when we added or changed users in our directory, the users access rights were automatically applied to our partner site. And when one of our test users “left” our company, the change we made to the directory to cut off the users access was reflected at our trusted partner.
The Trustgenix system also enables universal log-out. When we ended a Windows session during tests, IdentityBridge Standard Edition successfully shut down all connections.
Once the product is up and running, end users and IT staff will need almost no training to use the product effectively. The product includes useful wizards, as well as well-written documentation that clearly and accurately describes each implementation step.
During tests, even initial setup—when metadata about the location and trust method of the partner site (SAML or Liberty Alliance) is imported into the system—was a simple process that took us only a few moments. IdentityBridge also handled the entire process of preparing similar information about our site for import into the identity management system at the trusted partner.
It should be noted that a partners use of SAML 1.0 will increase implementation time. With SAML 1.0, IdentityBridge must be directly accessible from the Internet, so significant care should be used to secure all aspects of the IdentityBridge server.
Page Three
Sample RFP: Federated ID products
- Describe federated identity from the point of view of product implementation. (Look for a coherent description of application access.)
- What are the major implementation milestones?
- Can the product be upgraded to a higher-end platform? If so, what are the upgrade milestones?
- What federated identity protocols are supported by the product?
- Is the product a hardware appliance or software-only? Is there a choice?
- What portals does the product work with?
- What directories does the product work with?
- How is directory metadata exchanged with the partner identity system?
- How much does each connection license cost?
- Describe how the product updates user information to maintain current and correct knowledge of: a) allowed users b) disallowed users c) expired users
- Can the system maintain log files that comply with currently mandated state and/or federal regulations regarding user access to application data?
Source: eWEEK Labs
Next page: Evaluation Shortlist: Related Products.
Page Four
Evaluation Shortlist
Computer Associates International Inc.s eTrust SiteMinder This high-end system is the result of CAs acquisition of Netegrity Inc. CA has a number of acquisitions to digest, so keep a close eye on product development (www.ca.com )
IBMs Tivoli Access Manager for e-business Covers mainframe to Web-based identity management (www.ibm.com)
Novells iChain with SAML extensions Requires Novells eDirectory but integrates with a wide range of identity tools from Novell (www.novell.com)
Oracle Corp.s Oblix ShareID This product is the result of Oracles acquisition of Oblix Inc.; Oracle is still bringing PeopleSoft Inc. and J.D. Edwards & Co. products into the fold, so the same advice we gave for SiteMinder applies here (www.oracle.com)
RSA Security Inc.s ClearTrust Offers broad integration with RSAs other identity and access management tools (www.rsasecurity.com)
Labs Technical Director Cameron Sturdevant is at cameron_sturdevant@ziffdavis.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.