Open Standard Authentication in the Enterprise, Part 2
In previous post we started to talk about different complexities of SSO implementations. Lets review what type of solutions are common in current implementations.
Current Solutions
Federal Agencies employ two primary strategies to provide Single Sign On across multiple Domains, Applications and across Agency boundaries:
- Application Resource Forests;
- Password Synchronization across different directories. (covered in the next post).
Application Resource Forest
Application Resource Forests is one of the commonly used solutions to provide access to enterprise wide applications. The technical concept behind this approach is a very common way to implement enterprise wide applications without the requirement of duplicating user accounts and increase identity management costs.
Application Resource Forest is a good solution to provide SSO for applications that in general have the following characteristics:
- Support Windows Active Directory Integrated Authentication (Kerberos or NTLM);
- Can be managed by the central management group.
In general, any application that is designed to accept Active Directory generated access tokens will work in Application Resource Forest configuration. Many enterprise applications can take advantage of this approach, to name a few:
- Microsoft Exchange;
- Microsoft SharePoint; and,
- Microsoft OCS.
Application Resource Forest has the following benefits:
- It will allow Agency to consolidate many applications into one single management location and provide it to any other Department with a separate Active Directory Forest;
- Users will be able to continue to use their primary user accounts and passwords. There is no additional identity management costs involved with moving applications into the Application Resource Forest;
- Users will be able to use PIV to authenticate in their home Agency Active Directory Forest and then seamlessly access applications in the Application Resource Forest.
On the other hand, applications that do not fall under the above categories will not gain any specific benefit from the Application Resource Forest. Applications running on non-Windows platform usually do not support Windows Integrated Authentication. Many web applications designed to use separate authentication mechanisms or separate directory stores will not gain any value if implemented in the Application Resource Forest.
Application Resource Forest provides solution to all identified requirements. It will support PIV authentication from the account forest to the Application Resource Forest. It will reduce the cost of the identity management simply by not requiring new credentials in the Application Resource Forest, but also is, in its own, can be the foundation for the Private Cloud architecture at the Agency.
While the Application Resource Forest approach is a great solution to provide a single management point and SSO experience for many Windows Integrated applications, it won’t cover new or existing applications that do not support Windows Integrated authentication.
In the next post, I’ll talk about Password Synchronization across different directories SSO solutions.