SiteMinder Consulting

MacMaven Consulting offers SiteMinder architecture, installation, integration, development, and support services in the New York City area.

Introduction to SSO

Many large corporations have turned to off-the-shelf software for handling their SSO (single sign-on) needs. You have experienced SSO on web sites, even if you haven’t noticed it. SSO is used to jump from one web site to another, without having to repeatedly enter your username and password. There are two general flavors of SSO. The newfangled method is called federation. This allows SSO between sites on different domains. For example, Citibank provides SSO between citicards.com and thankyou.com. Most corporate federation uses a technology called SAML. The other type of federation is used on social sites, like Facebook. When you use Facebook credentials to log into partner apps, it’s using OAuth behind the scenes.

The “old school” flavor of SSO uses a cookie. This cookie allows users to use any participating site within a domain. Cookie SSO technology is especially popular for corporate intranets, where there might be hundreds of distinct applications under a single domain. It would be intractable for employees to use separate credentials for each corporate application.

Why SiteMinder?

SiteMinder is a popular web access management package and has been around since the late 1990s. It was developed by a company named Netegrity, which was acquired by CA. [Update: CA was acquired by Broadcom.] It is commonly used in corporate intranets and can also be found protecting major public-facing web sites, such as chase.com. SiteMinder provides SSO, a policy engine for user authorization, auditing, hooks into a wide array of authentication mechanisms, plus SAML and OAuth functionality.

You might be wondering why a company would buy an expensive product like SiteMinder when there are plenty of free or low-cost SSO solutions. Here are a few reasons:

1. Developing security software that is itself secure is difficult. Unless a developer is well-versed in application security, it’s a safe bet that a home-grown solution will be riddled with vulnerabilities. SiteMinder is practically a legacy tool in the corporate web security arsenal. It’s been used on major sites for years. While no product is impervious to attacks, odds are that CA has done a better job hardening SiteMinder than your developers could ever hope to do with a home-grown system. As we’ve learned in the news, even a security expert can make serious mistakes. See Heartbleed.

2. SiteMinder is cross-platform. If your company uses a single development language or OS, it’s perfectly reasonable to stick with SSO tools built into the platform. But if you’re in a heterogeneous environment, SiteMinder greatly eases implementation. Integrating your web application into SiteMinder generally involves reading parameters in the HTTP request header. These headers are injected by web agents, which are plugins for most of the popular web servers.
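The header-based integration just described has one caveat worth showing in code: an application should honour an identity header only when the request actually arrived through the agent-fronted web server, otherwise any client that can reach the application directly could assert a user name. The example below is added here and is not code from the page or from SiteMinder; the header name SM_USER (SiteMinder’s conventional user header) and the trusted host range are assumptions.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Header the web agent injects with the authenticated user name.
# SM_USER is SiteMinder's conventional name; it is assumed here, not taken from the page.
USER_HEADER = "SM_USER"

# Constructed for this example: the only peers allowed to present identity
# headers are the agent-fronted web servers sitting in front of the application.
TRUSTED_AGENT_HOSTS = ("10.0.0.0/24",)


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup that also accepts the CGI/WSGI spelling
    (SM_USER arrives as HTTP_SM_USER in a WSGI environ)."""
    base = name.lower().replace("-", "_")
    wanted = {base, "http_" + base}
    for key, value in headers.items():
        if key.lower().replace("-", "_") in wanted:
            return value.strip() or None
    return None


def resolve_user(
    headers: Mapping[str, str],
    remote_addr: str,
    trusted: Iterable[str] = TRUSTED_AGENT_HOSTS,
) -> Optional[str]:
    """Return the user name asserted by the web agent, or None if the request
    is unauthenticated. The header is trusted only when the immediate peer is
    one of the agent-fronted hosts; anything else is treated as anonymous."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None  # malformed peer address: never fall through to the header
    if not any(peer in ipaddress.ip_network(net) for net in trusted):
        return None  # bypassed the agent, so the header cannot be trusted
    return _header(headers, USER_HEADER)


if __name__ == "__main__":
    # Constructed requests: one via the agent host, one that bypassed it.
    print(resolve_user({"SM_USER": "jdoe"}, "10.0.0.5"))      # jdoe
    print(resolve_user({"SM_USER": "jdoe"}, "203.0.113.9"))   # None
```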

3. Some SSO solutions, such as Kerberos, are intended only for corporate networks. While Kerberos is a well-proven solution, it isn’t practical to use over the Internet. SiteMinder can be used with Internet-facing applications. As a cookie is used to maintain the user session, compatibility with all web browsers is assured. Also, SiteMinder scales to web sites with millions of users. (For those who want to leverage corporate SSO technologies, SiteMinder is compatible with Kerberos and Integrated Windows Authentication.)

4. SiteMinder gives you SSO, federation, session management, and a policy engine out of the box. Even if you purchased each of these products separately from various vendors, integrating all of this functionality would be a considerable challenge. Using SiteMinder can be a major time saver.

MacMaven’s founder, Dan Kessler (that’s me), has 10 years of experience providing SiteMinder enterprise solutions. Contact us for more information.