Exclusive: Oblix’s ShareID 2.0 a first-rate authentication middleman

ShareID 2.0 takes the extra risk out of the extranet

Although it’s not common practice for a company to grant internal network-resource access to employees of another company, it’s not unheard of either. The problem with the practice lies in authentication management. When a business partner requires access to certain resources, the unfortunately common solution is to create accounts for specific employees of the partner in the local directory. There are ways to manage such access, but maintaining those accounts is not in the best interest of any IT department, for both security and maintenance reasons: the partner’s joiners and leavers are invisible to the hosting site, so the accounts go stale and linger with their access intact. Oblix has just announced ShareID 2.0, a product that aims to fill this gap by providing a means of managing resource access between cooperating entities without those risks.

In theory, the process is simple. A ShareID server runs as an autonomous service linked to an LDAP directory at the source site, also called the identity provider. The destination site running the target Web application is linked to the source site via SAML (Security Assertion Markup Language) 1.0 or 1.1 and preshared certificates. A user at the source site can then authenticate to the local directory service and, via a local portal, gain access to applications running at the destination site, the resource provider (the service provider, in SAML’s own terms).

With this model, the onus of identity management falls to the administrators of the users’ local site, who are better suited to the task because they already manage those users’ accounts from hire to departure. In this fashion, ShareID can reduce administration overhead for cross-domain application services. ShareID can also provide local authentication for an assortment of remote applications.

In practice, the solution is similarly straightforward. ShareID currently supports Microsoft’s Active Directory and Sun ONE Directory Server, as well as Oblix’s CoreID. A service account is created in the directory and granted bind privileges; the ShareID server is then configured to locate and bind to the local LDAP directory as that account at the OU (organizational unit) level, and is given information about a destination site, including its certificate.

Once all the certificates have been generated and shared, a link can be constructed that passes an application URL to the ShareID server. After a user has authenticated to the ShareID server, and thus to the local directory, the server admits the user via a portal to the applications without requiring another login. ShareID encrypts all communication through the server with SSL and X.509 certificates.

On Your Mark, Get Set, Share

ShareID source-side configuration isn’t complex, but it does lack some polish, requiring manual modification of some XML and properties files. For simple installations, Oblix provides a Web-based setup wizard. Following initial installation, I defined variables in the Web console for the local site LDAP services. I then created an assertion profile that defined local identities to the destination server.

Beyond the cooperative aspects of the solution, such as certificate generation and exchange between entities, ShareID is quite simple to install and use at a source site. In fact, it’s possible to build a ShareID server, configure and test it, then ship it to a source site for nearly plug-and-play integration. This approach requires knowledge of the source-site directory structure and must be planned carefully with the source-site administrators, but it shortens integration time significantly.

On the destination side, the implementation is not quite as simple, especially when dealing with many source sites and their respective assertions. Once applications have been defined for use with ShareID, a user is created in the local directory and given access to the application. An assertion is created to map source-site users to that local user. Because many partner users then share one local identity, the destination’s own application logs cannot tell them apart; per-user accountability rests on the source site’s ShareID logs. Once the certificates have been shared between the source and destination sites, the link is tested.

Oblix has also addressed a common authentication problem in ShareID 2.0. Typically, a user who works with a resource will bookmark the application. That bookmark will cease to function once the session times out or the browser is closed, because the link arrives without an assertion attesting to the user’s identity. To resolve this, ShareID uses SmartMarks, which cause the destination site to redirect an unauthenticated user to the ShareID login of his or her local source server. The user logs in there and is then redirected to the original resource.
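The two destination-side steps described above, accepting an assertion from a source site and then returning the user to a bookmarked resource, are shown below as an added example. This is illustrative code written for this review, not Oblix’s code and not ShareID’s API; the issuer name, audience URL, host name, local account name and the sample assertion are all constructed. It assumes the XML-Signature on the assertion has already been verified against the preshared source-site certificate by an XML-DSig library, and shows the checks that remain after that: trusted issuer, validity window, audience, replay, subject, the many-to-one mapping to the local account, and a SmartMark-style return that cannot be turned into an open redirect.

```python
"""Destination-site (service provider) checks on a SAML 1.1 assertion.

Added illustration only; not Oblix code. Assumption: the assertion's XML-DSig
signature was already verified against the preshared source-site certificate.
"""
import xml.etree.ElementTree as ET   # for untrusted XML in production, use defusedxml
from datetime import datetime, timezone, timedelta
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
NS = {"saml": SAML_NS}

# Trust configuration for this destination site (constructed for the example).
TRUSTED_SOURCE_SITES = {
    "shareid.partner.example": "partner_portal_user",   # Issuer -> shared local account
}
OUR_AUDIENCE = "https://apps.destination.example/portal"
OUR_HOST = "apps.destination.example"
CLOCK_SKEW = timedelta(minutes=2)

# Constructed sample assertion; every identifier in it is hypothetical.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-assertion-0001"
    Issuer="shareid.partner.example" IssueInstant="2004-05-12T14:00:00Z">
  <saml:Conditions NotBefore="2004-05-12T14:00:00Z" NotOnOrAfter="2004-05-12T14:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://apps.destination.example/portal</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-05-12T13:59:58Z">
    <saml:Subject>
      <saml:NameIdentifier>jdoe@partner.example</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""
SAMPLE_NOW = "2004-05-12T14:02:00Z"   # receipt time inside the sample's window


def _ts(value):
    """Parse a SAML UTC timestamp such as 2004-05-12T14:00:00Z."""
    if not value or not value.endswith("Z"):
        raise ValueError("timestamp must be UTC with a trailing Z")
    body = value[:-1].split(".")[0]   # tolerate fractional seconds
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_iso, seen_ids):
    """Return (True, (issuer, name_identifier)) or (False, reason).

    seen_ids is the destination's replay cache of accepted AssertionIDs.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not a SAML 1.x assertion"
    if (root.get("MajorVersion"), root.get("MinorVersion")) not in {("1", "0"), ("1", "1")}:
        return False, "unsupported SAML version"
    issuer = root.get("Issuer")
    if issuer not in TRUSTED_SOURCE_SITES:          # only preshared partners
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:                                 # schema makes it optional; insist on it
        return False, "no Conditions element"
    try:
        now = _ts(now_iso)
        not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    except ValueError:
        return False, "malformed validity window"
    if not (not_before - CLOCK_SKEW <= now < not_on_or_after + CLOCK_SKEW):
        return False, "outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if OUR_AUDIENCE not in audiences:               # assertion minted for another site
        return False, "audience mismatch"
    aid = root.get("AssertionID")
    if not aid:
        return False, "missing AssertionID"
    if aid in seen_ids:                              # same assertion presented twice
        return False, "replayed AssertionID"
    name_id = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not name_id.text:
        return False, "no subject NameIdentifier"
    seen_ids.add(aid)
    return True, (issuer, name_id.text.strip())


def local_account_for(issuer):
    """Many-to-one mapping: every user of a trusted source site shares one local account."""
    return TRUSTED_SOURCE_SITES[issuer]


def safe_return_target(target, default="/portal"):
    """SmartMark-style return: follow the bookmarked target only if it stays on this site."""
    parts = urlsplit(target or "")
    if parts.scheme not in ("", "https") or parts.netloc not in ("", OUR_HOST):
        return default
    # Re-emit only path and query; refuse shapes browsers may rewrite into another host.
    if not parts.path.startswith("/") or parts.path.startswith("//") or "\\" in parts.path:
        return default
    return parts.path + ("?" + parts.query if parts.query else "")
```

After `validate_assertion` succeeds, the destination would establish a session for `local_account_for(issuer)` and redirect to `safe_return_target(...)` with the target the SmartMark carried. The replay cache only needs to hold IDs until their NotOnOrAfter plus skew has passed. Logging the source-site NameIdentifier alongside the shared local account is what preserves per-user traceability at the destination.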

Share With Care

A solution such as ShareID calls for auditing. While the authentication links may be performing normally, logging and auditing are necessary both to confirm continued function and to trace user access. ShareID permits local logging at administrator-chosen levels, following the syslog convention of error, info, and debug levels. Also present are controls for log-file size and log rolling.

ShareID is built on open source code, using Apache Tomcat 4.1.29 on the back end, as well as Perl scripts to handle some internal functions. Thus the solution is not Windows-centric, supporting installation on Windows and Linux. Similarly, the Web interface is not bound to any browser and functions as expected in Internet Explorer, Mozilla, and Safari.

ShareID is the first product of its kind, providing a multiplatform, stand-alone federated identity service in a small, fairly easily managed package. Native integration with more directories, such as Novell’s eDirectory, would be nice, but the overall package is a winner.

InfoWorld Scorecard: Oblix ShareID 2.0

Criterion          Weight    Score
Scalability         20.0%     8.0
Performance         25.0%     8.0
Management          25.0%     9.0
Configuration       20.0%     8.0
Value               10.0%     9.0
Overall Score      100%       8.4