Thursday, 10 January 2013
Over the course of the past decade and a half, I have worked with several different "Single Sign-On", or at least "Reduced Sign-On", solutions, all from large, reputable companies like IBM, Oracle, Sun, Quest and Microsoft.
Most of these were limited to one or two authentication types and relied heavily on infrastructure, placing large Capex and Opex constraints squarely on your shoulders. Most relied on a client-side app to connect to Active Directory, LDAP, or basic-auth web services; they would then store your obfuscated credentials in a "Wallet" or local store for seamless authentication to these target apps. Others were simply "Authenticating Reverse Proxies" and provided a unified way to aggregate various websites and portals that require authentication.
Enter Symantec with O3:
Over the past year and a half, Symantec has been quietly cultivating a sleeping giant.
Imagine a scenario where you could manage your users' profiles in such a manner that you would only expose applications/portals/sites, or specific views of those, depending on:
- The user's network location (Corporate, Home, Public Internet)
- The device the user is connecting from (Corporate laptop or tablet, personal device, public kiosk)
- The user's own credentials (Username / Password, or add two-factor RSA for apps requiring additional controls)
Each application exposed would have its own defined directory store / authentication source, including internal corporate apps leveraging Active Directory or LDAP, business partner applications requiring SAML, or true Cloud Services such as Amazon, Workday or SalesForce.
Symantec's O3 Cloud Authentication service has virtualized the function of authenticating an end user into a multitude of systems and services. It provides an authentication gateway to allow you to securely expose internal corporate services and directory stores, and to assign them to user profiles along with very robust connectivity to most of the major Cloud services players!
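The context-based policy described above (network location, device, credential strength, and a per-application authentication source) can be modelled as a small, fail-closed policy engine. The following is an added example written for this post; it is not Symantec's or O3's code, and every name in it (the trust-level tables, the `Requirement`/`Application`/`AccessContext` classes, and the sample catalog) is an assumption constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordinal trust levels for each context dimension (constructed for this example).
# Higher means more trusted; unknown values are treated as untrusted (deny).
NETWORK_LEVEL = {"public": 1, "home": 2, "corporate": 3}
DEVICE_LEVEL = {"kiosk": 1, "personal": 2, "corporate": 3}
AUTH_LEVEL = {"password": 1, "password_otp": 2}   # password+OTP = two-factor


@dataclass(frozen=True)
class AccessContext:
    """What the gateway knows about this request (hypothetical field names)."""
    user: str
    network: str
    device: str
    auth: str


@dataclass(frozen=True)
class Requirement:
    """Minimum trust level required on each dimension."""
    network: int
    device: int
    auth: int

    def satisfied_by(self, ctx: AccessContext) -> bool:
        # Fail closed: a context value the policy does not recognise never satisfies it.
        if (ctx.network not in NETWORK_LEVEL or ctx.device not in DEVICE_LEVEL
                or ctx.auth not in AUTH_LEVEL):
            return False
        return (NETWORK_LEVEL[ctx.network] >= self.network
                and DEVICE_LEVEL[ctx.device] >= self.device
                and AUTH_LEVEL[ctx.auth] >= self.auth)


@dataclass(frozen=True)
class Application:
    name: str
    auth_source: str                    # directory / IdP the gateway authenticates against
    full: Requirement                   # context needed for the full application
    limited: Optional[Requirement] = None   # weaker context that still gets a reduced view


# Constructed sample catalog: each app has its own authentication source.
CATALOG: List[Application] = [
    # Internal HR portal: full view only on the corporate network from a corporate
    # device; a reduced view from a personal device anywhere if two-factor was used.
    Application("hr-portal", "active_directory",
                full=Requirement(network=3, device=3, auth=1),
                limited=Requirement(network=1, device=2, auth=2)),
    # Partner claims app via SAML: two-factor and at least a personal device; no reduced view.
    Application("partner-claims", "saml_partner_idp",
                full=Requirement(network=2, device=2, auth=2)),
    # Cloud CRM: full access from any known device with a password; kiosks only with OTP.
    Application("crm", "cloud_saml",
                full=Requirement(network=1, device=2, auth=1),
                limited=Requirement(network=1, device=1, auth=2)),
]


def evaluate(app: Application, ctx: AccessContext) -> Optional[str]:
    """Return 'full', 'limited', or None (not exposed) for one application."""
    if app.full.satisfied_by(ctx):
        return "full"
    if app.limited is not None and app.limited.satisfied_by(ctx):
        return "limited"
    return None


def visible_applications(catalog: List[Application],
                         ctx: AccessContext) -> Dict[str, Tuple[str, str]]:
    """Map exposed app name -> (view, auth_source) for this user's context."""
    exposed = {}
    for app in catalog:
        view = evaluate(app, ctx)
        if view is not None:
            exposed[app.name] = (view, app.auth_source)
    return exposed


def audit_records(catalog: List[Application], ctx: AccessContext) -> List[dict]:
    """One record per app, including denials, for the audit/forensics trail."""
    return [{"user": ctx.user, "app": app.name, "network": ctx.network,
             "device": ctx.device, "auth": ctx.auth,
             "decision": evaluate(app, ctx) or "denied"} for app in catalog]


if __name__ == "__main__":
    ctx = AccessContext("alice", "home", "personal", "password_otp")
    for name, (view, source) in visible_applications(CATALOG, ctx).items():
        print(f"{name}: {view} view, authenticate via {source}")
```

The design point is that the decision is made once at the gateway, per application, and every denial is recorded alongside the context that produced it; an unrecognised device or network label is denied rather than defaulting to the most permissive level.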
In Symantec's words:
"Symantec O3 is a cloud information protection platform that provides context-based access control, information security and information management “as a service” for users of cloud applications and services. It supports any endpoint, including mobile. It provides compliance information for access and information events that supports audits and forensics."
- Kerberos, NTLM, or SPNEGO Integrated Windows Authentication
- Active Directory Federation Services (ADFS)
- OTP (One Time Password) tokens, such as RSA fobs, for two-factor authentication
- HTTP Basic Auth
Integrating any of these is a straightforward task within the administration portal. The administration portal provides templates and drop-downs for each authentication type, and dozens of Cloud Partners are configured "out of the box".
Working with Symantec and their O3 team has been inspiring to say the least.