When the auto industry was disrupted by the success of electric vehicles, no major manufacturer completely discarded the gasoline engine. The Fusion, Volt and Prius all kept a gas engine to deliver greater efficiency in certain driving situations. The Single Sign-On (SSO) and access control industry is in an analogous situation with the Security Assertion Markup Language (SAML) and web access management.
While SAML is a fine standard that has enjoyed significant adoption, especially its HTTP POST binding, it has inherent limitations that make compliance harder for cloud applications. The identity provider takes part only at authentication time, by redirecting the browser to the service provider with an assertion; once authenticated, the client talks to the service provider directly. That makes it hard for an organization to put preventative and reactive controls around post-authentication activity: it must rely on the service provider to apply session timeouts, enforce access control and track user activity.
Symplified provides a hybrid alternative that combines the best aspects of the two approaches to SSO: the standards-based federation of SAML with the control and auditability of Web Access Management (WAM). Symplified's all-in-one appliance architecture can do WAM or federation, where appropriate, or combine the two.
It always helps to understand the history of how we came to this point.
Two primary classifications of SSO solutions exist, each designed for a different purpose: Web Access Management (WAM) and Federation. WAM has a number of well-known vendors from the late '90s, including Oblix, Netegrity SiteMinder and Securant, to name but a few. Many of these companies were acquired and their products became the WAM offering of large access management vendors. For policy enforcement, the architecture of most of these products came down to a policy enforcement point (PEP) in front of the application and a policy decision point (PDP) behind it:
Typically a web server would host a PEP (think web agent) that intercepts each request, verifies the session, and challenges or blocks the user according to verdicts from the PDP. Because all HTTP traffic is routed through the PEP, it can provide robust auditing and authorization down to individual URLs.
Once the need to span multiple domains became more common, the SAML specification was published, and pure-play federation products were paired with WAM products to provide what was often described as external and internal SSO, respectively. The simplest form is a service provider (SP)-initiated federation with SAML:
Once the client had authenticated, often via a WAM solution acting as the identity provider, it would go directly to the service provider carrying a SAML assertion, and the service provider would trust that identity. Subsequent requests involved no interaction with the identity provider at all.
With Symplified's SAML Proxy, the SAML interaction is unchanged up to authentication; after that, requests are proxied through Symplified's managed virtual appliance, which applies WAM functionality: URL-based policies, second-factor authentication for certain URLs, and user activity logging.
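To make the PEP/PDP split described above concrete, and to show what the proxy adds after SAML authentication, here is a small Python model of a WAM-style enforcement point sitting in front of a SAML-authenticated application. This is an added example, not Symplified's code or a description of its product internals. It assumes the proxy has already validated the SAML Response (signature, issuer, audience, validity window) and minted its own session from the assertion's NameID and AuthnContextClassRef; the IdP URLs, the rule format and the choice of which AuthnContext class counts as a second factor are assumptions made for the example, and the traffic in `demo()` is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Real SAML 2.0 AuthnContext class URIs. Treating TimeSyncToken as "second factor"
# is a policy choice made for this example, not something SAML mandates.
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_OTP_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"


@dataclass
class Session:
    """Session minted by the proxy after it validated the SAML assertion."""
    subject: str          # NameID from the assertion
    issuer: str           # IdP entityID that issued the assertion
    authn_context: str    # AuthnContextClassRef from the assertion
    expires_at: float     # hard limit (e.g. SessionNotOnOrAfter), never extended
    last_seen: float      # for the idle timeout


@dataclass
class Rule:
    pattern: str          # glob on the request path, e.g. "/admin/*"
    action: str           # "allow", "step_up" or "deny"


class PolicyDecisionPoint:
    """Turns (session, path) into a verdict; first matching rule wins, default deny."""

    def __init__(self, rules: list[Rule], idle_timeout: float = 900):
        self.rules = rules
        self.idle_timeout = idle_timeout

    def decide(self, session: Optional[Session], path: str, now: float) -> str:
        if session is None or now >= session.expires_at:
            return "unauthenticated"
        if now - session.last_seen > self.idle_timeout:
            return "idle_expired"
        for rule in self.rules:
            if fnmatch(path, rule.pattern):
                if rule.action == "step_up" and session.authn_context != AC_OTP_TOKEN:
                    return "challenge"   # URL needs a second factor this session lacks
                return "allow" if rule.action in ("allow", "step_up") else "deny"
        return "deny"


class PolicyEnforcementPoint:
    """Reverse-proxy hook: every request passes through here before the SP sees it."""

    IDP_SSO_URL = "https://idp.example.com/sso"              # assumed
    STEP_UP_URL = "https://idp.example.com/sso?step_up=1"    # assumed

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.sessions: dict[str, Session] = {}   # cookie value -> session
        self.audit: list[dict] = []              # one audit trail for every request

    def establish_session(self, cookie: str, session: Session) -> None:
        # Called only after the SAML Response has been fully verified (assumed done).
        self.sessions[cookie] = session

    def handle(self, cookie: Optional[str], path: str, now: float) -> tuple[int, str]:
        session = self.sessions.get(cookie) if cookie else None
        verdict = self.pdp.decide(session, path, now)
        self.audit.append({"t": now, "subject": session.subject if session else None,
                           "path": path, "verdict": verdict})
        if verdict == "allow":
            session.last_seen = now
            return 200, "proxied to SP"
        if verdict == "challenge":
            return 302, self.STEP_UP_URL
        if verdict in ("unauthenticated", "idle_expired"):
            self.sessions.pop(cookie, None)          # drop stale state, start SP-initiated SSO
            return 302, self.IDP_SSO_URL
        return 403, "blocked by policy"


def demo() -> list[tuple[int, str]]:
    """Constructed traffic: a password-only session hits four URLs, then goes idle."""
    pdp = PolicyDecisionPoint([
        Rule("/admin/*", "step_up"),
        Rule("/internal/*", "deny"),
        Rule("/*", "allow"),
    ], idle_timeout=900)
    pep = PolicyEnforcementPoint(pdp)
    t0 = 1_700_000_000.0
    pep.establish_session("c1", Session("alice@example.com", "https://idp.example.com",
                                        AC_PASSWORD, expires_at=t0 + 8 * 3600, last_seen=t0))
    return [
        pep.handle(None, "/docs", t0),              # no session: redirect to IdP
        pep.handle("c1", "/docs", t0 + 1),          # allowed, proxied
        pep.handle("c1", "/admin/users", t0 + 2),   # needs second factor: challenge
        pep.handle("c1", "/internal/keys", t0 + 3), # denied outright
        pep.handle("c1", "/docs", t0 + 2000),       # idle > 900s: re-authenticate
    ]


if __name__ == "__main__":
    for status, target in demo():
        print(status, target)
```

The point the model makes is that the idle timeout, the per-URL step-up and the audit entry all live in the proxy, so they apply regardless of what the service provider implements. Rule order matters: the catch-all `/*` must come last, and a path that matches nothing is denied rather than allowed.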
Before, a company had to rely on the service provider's ability to relay audit data back to it, which the company then had to correlate with its own IdP audit data to get a complete picture of a transaction. With Symplified's hybrid SAML approach, all activity is captured at one control point.
This opens up the capabilities that information protection in the cloud requires. Paired with a Data Loss Prevention (DLP) solution, content can be inspected before it is uploaded to cloud storage such as Dropbox. Risk-based access control decisions can be made before certain transactions execute. Symplified becomes a policy enforcement point for all things web. You may find it almost as much fun to drive as a Prius!