Exclusive: Oblix’s ShareID 2.0 a first-rate authentication middleman
ShareID 2.0 takes the extra risk out of the extranet
Although it’s not common practice for a company to grant internal network-resource access to employees of another company, it’s not unheard of either. The problem with the practice lies in authentication management. When a business partner requires access to certain resources, the unfortunately common solution is to create accounts for specific employees of the partner within the local directory. Although there are ways to manage this access, maintaining these user accounts is not in the best interest of any IT department, for both security and maintenance reasons. Oblix has just announced ShareID 2.0, a product that aims to fill this gap by providing a means for managing resource access between cooperating entities without the risks.
In theory, the process is simple. A ShareID server runs an autonomous service linked to an LDAP directory at the source site, also called the identity provider. The destination site running the target Web application is linked to the source site via SAML (Security Assertion Markup Language) 1.0 or 1.1 and preshared certificates. A user at the source site can then authenticate to the local directory service and gain access to applications running at the destination site -- or resource provider -- via a local portal.
With this model, the onus of identity management falls to the administrators of the users’ local site, who are better suited to the task. In this fashion, ShareID can reduce administration overhead for cross-domain application services. ShareID also can provide local authentication for an assortment of remote applications.
In practice, the solution is similarly straightforward. ShareID currently supports Microsoft’s Active Directory and Sun ONE directory, as well as Oblix’s CoreID. A specific user is configured in the directory, and given binding privileges. Then the ShareID server is configured to locate and bind to the local LDAP directory at the OU (organizational unit) level and given information about a destination site, including a certificate.
Once all the certificates have been generated and shared, a link can be constructed that passes an application URL to the ShareID server. After a user has authenticated to the ShareID server, and thus the local directory, the server permits the user access via a portal to applications without requiring the user to log in again. ShareID encrypts all communication through the server via SSL and X.509 certificates.
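The resource-provider side of this exchange rests on checking the SAML 1.x assertion it receives before granting access. The following is an added illustration, not Oblix code: it validates the issuer, validity window and audience of a constructed SAML 1.1 assertion using only the Python standard library, and assumes the XML signature has already been verified against the preshared certificate (issuer and audience names are hypothetical).

```python
"""Resource-provider checks on a SAML 1.1 assertion (illustrative, stdlib only)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# SAML 1.0 and 1.1 assertions share this namespace; the version is carried in attributes.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion; issuer, audience and subject are made-up values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-0001"
    Issuer="https://shareid.source.example" IssueInstant="2004-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2004-06-01T12:00:00Z" NotOnOrAfter="2004-06-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.destination.example</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-06-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML 1.x timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now):
    """Return (subject, reason); subject is None when the assertion must be rejected.
    Assumes the XML-DSig over the assertion was already verified with the partner's certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, "not a SAML assertion"
    if root.get("MajorVersion") != "1":
        return None, "unsupported SAML version"
    if root.get("Issuer") not in trusted_issuers:        # only preconfigured partners may assert
        return None, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        return None, "assertion not yet valid"
    if not_after is None or now >= parse_instant(not_after):   # bound replay window; no open-ended assertions
        return None, "assertion expired or has no expiry"
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_audience not in audiences:                     # assertion issued for another resource provider
        return None, "audience mismatch"
    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return None, "no authenticated subject"
    return name.text, "ok"
```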
On Your Mark, Get Set, Share
ShareID source-side configuration isn’t complex, but it does lack some polish, requiring manual modification of some XML and properties files. For simple installations, Oblix provides a Web-based setup wizard. Following initial installation, I defined variables in the Web console for the local site LDAP services. I then created an assertion profile that defined local identities to the destination server.
Beyond the cooperative aspects of the solution, such as certificate generation and exchange between entities, ShareID is quite simple to install and use at a source site. In fact, it’s possible to build a ShareID server, configure and test it, then ship it to a source site for nearly plug-and-play integration. This approach requires knowledge of the source-site directory structure and will need to be carefully planned with the source-site administrators, but it eases integration time significantly.