How to Move Away From CA SiteMinder to Open Source Authn / Authz


Description: Gluu provides an open source authentication and authorization platform for organizations that want to leverage open standards such as OpenID Connect, SAML 2.0, and UMA to enable strong authentication, single sign-on (SSO), and access management.

Slides: 5
Provided by: gluu

Transcript and Presenter's Notes

How to Move Away From CA SiteMinder to Open Source Authn / Authz

So you have seen the light: open standards and open source IAM. But what if your organization already has websites that use SiteMinder, OAM, TAM, or ClearTrust? To liberate your organization, here is Gluu's secret recipe.

Skate to where the puck is going: the winner is OAuth2

B2C identity providers like Facebook, Google, Microsoft, and Yahoo are moving to OAuth2-based authentication and authorization APIs. While SAML federation is the predominant B2B authentication API, as usual, the B2C standard will prevail. OAuth2 provides better support for complex authorizations involving the person, clients, websites, and the ecosystem of APIs that drive today's Internet.

Here is another simple reason why a JSON/REST protocol is preferred over an XML/SOAP standard: it's smaller on the wire. Mobile Internet bandwidth is expensive in many places. Similarly, more efficient data structures mean less memory and CPU needed on the device and on the server. Billions of people authenticate per day, so not only does it make economic sense, it's greener!
But the most important reason to move to OAuth2 is content. Put yourself in the shoes of a web developer. It makes sense to support the large consumer IDPs at the time of your launch. SAML is something you add later, when you sell to that big customer that makes you do it.

Don't throw good money after bad

Make sure that new applications use OAuth2. You don't want to create more work for yourself in the future. Especially for green-field applications, it's less than half the cost to do the job right the first time. In some cases, application developers may be able to deliver new capabilities based on the new infrastructure (like two-factor authentication, or central authorization), so you need to consider opportunity costs as well.

Be reverse compatible

While expanding the old SSO deployment is undesirable, we still want it to keep working. For example, through a custom authentication script, OX can retrieve one or more SiteMinder tokens as part of the authentication flow. So if a person authenticates to an OAuth2-protected resource and then navigates to a SiteMinder-protected website, SSO is maintained. The same is true for SAML. As applications reach end of life, or need to be upgraded, move them to OAuth2.
Think about the front door

Businesses are advised to invest in the part of their facility that the customer sees. With access management systems, this is the login experience and the authorization experience. Frequently I remind Gluu customers to consider the authentication triangle, whose vertices are (1) security, (2) price, and (3) usability. Each authentication mechanism has its own unique triangle. Much attention lately has been focused on security, but many of the advancements have enabled stronger security while at the same time improving usability. The best kind of authentication is the one you never see! Consumer IDPs look at many contextual indicators to figure out whether an interactive authentication is needed. Organizations should follow suit.

Try your best, but be flexible

If a certain application can't use OAuth2, it's OK to fall back. There might be an old version of IIS you need to support, or the SaaS provider may only support SAML. It's OK, don't worry. You want to guide applications toward open standards. SAML, or even SiteMinder, is a lot better than having the website store the person's credentials.

Is SiteMinder dead?

Granted, "SiteMinder is Dead" is sensationalist. Old SSO protocols hang around until you disconnect the last site. That can take some time, which is why we want the standards to be well tested. That's why the title of the previous blog said "Decline", not "Dead". If you have a sizable organization and are looking at a green field, are you installing a commercial IAM suite, an IDaaS, or open source? The last two didn't even exist until a few years ago. No matter how you slice it, monolithic IAM suites like CA SiteMinder are going to get a smaller percentage of the market, and reducing prices to win a small number of new customers might not offset the revenue loss from existing customers. In rapidly growing markets, the price goes down, the total size of the market increases, and the initial suppliers are challenged to make a very difficult pivot.
In any case, at Gluu we think there is a bigger opportunity in serving the part of the market that doesn't yet have a SiteMinder than in disrupting current monolithic IAM customers. Most current solutions are hub and spoke: usually a big IDP and lots of internal websites, some external SaaS services, and partner sites. How many inbound SAML connections does your average organization support? The answer is frequently "not many". Big companies can afford commercial access management / federation software, but their partners usually cannot. Net-net, this means the cost of extranet user management is either too high or, even worse, it's insecure. Organizations want open source because there is a benefit if their partners can cost-effectively upgrade their IAM.

You can substitute SiteMinder with the IAM product of your choice, for example Oracle Access Manager (OAM), RSA ClearTrust, or IBM Tivoli Access Manager (TAM). Although some IAM products also use HTTP reverse proxies, the idea is generally the same: align with the old until you migrate existing apps. Notice in this diagram that there are two OAuth2 Authorization Servers. OAuth2 enables federated authorization: sometimes many parent organizations make different policies, and application developers need to ensure all the policies are considered.

Article source: http://www.gluu.org/blog/how-to-move-away-from-ca-siteminder-to-open-source-authn-authz/