In this tip, Dan Kern (IBM) explains how SmartCloud for Social Business uses the Security Assertion Markup Language (SAML) for SSO and how a federated identity architecture built on SAML works.
Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Transparent Authentication
Users have too many passwords
Password prompts are annoying
Many “different” passwords lead to lower security, because users end up reusing or simplifying them
Users shouldn't know or care who provides their services or from where
Password management is annoying – by using cryptographic mechanisms instead of passwords, we can help keep the problem from getting worse, and maybe even help improve the situation.
SmartCloud for Social Business uses Security Assertion Markup Language (SAML)
– Public standard from OASIS
– Based on the strength of PKI – SAML uses signed XML identity assertions
– Many implementations available from IBM and third-party providers
  ● Including open source implementations
– Many organizations currently use SAML for web SSO
– Did I mention that SAML is a public standard yet?
Federated Identity
Use your existing web passwords for SmartCloud for Social Business web resources
Keep your passwords behind your corporate firewall
Manage your own password requirements
Manage your own change intervals
Manage your own re-use requirements
Never send a password over the Internet to SCSB!
– This also prevents attackers from guessing your passwords against SCSB, since SCSB never holds or checks them
Because SAML is a public standard, you can use any SAML 1.1- or SAML 2.0-compliant identity provider
– Microsoft's ADFS 2.0 for Active Directory integration
– IBM's own Tivoli Federated Identity Manager (TFIM)
– OpenSAML
IdP-initiated SAML flows support a “web portal” user experience
Federated Identity
[Diagram, three slides: the Customer Site holds the web browser and the SAML Identity Provider; across the Internet, SCSB fronts the SC Web App with TAM/WebSEAL and TFIM, which acts as the SAML SP. The slides step through the exchange:]
– Browser to SCSB on port 443 (https)
– HTTP(S) POST with the SAML assertion, from the browser to the SAML SP (TFIM) at SCSB
– HTTP(S) GET with the session cookie, from the browser to the SC Web App
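The POST-binding and session-cookie steps shown above, as an added example that is not part of Dan Kern's deck or of IBM's TFIM/WebSEAL code: a small Python model of what the SAML SP (the TFIM role on the SCSB side) must check when the browser posts the signed assertion, and of the signed session cookie it then issues for the later HTTP(S) GET. All endpoints, key values and the issuer name are assumed placeholders; the assertion is built inline as constructed sample data. The IdP's XML-DSig signature is replaced by an HMAC over the assertion bytes so the block runs on the standard library alone; the checks after the signature (issuer, validity window, audience, recipient, one-time assertion ID) are the ones any SAML SP performs.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEMO_IDP = "https://idp.customer.example/adfs/services/trust"  # assumed IdP entity ID
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)    # fixed clock for the demo
# Assumed SP configuration: placeholder endpoints, not SCSB's real ones.
SP_CONFIG = {
    "entity_id": "https://sp.example.com/saml/metadata",
    "acs_url": "https://sp.example.com/saml/acs",
    "trusted_issuers": {DEMO_IDP},
    "clock_skew": timedelta(minutes=2),
}
DEMO_IDP_KEY = b"demo-idp-signing-key"  # stand-in for the IdP's X.509 signing key
SESSION_KEY = b"demo-sp-session-key"    # shared by every SCSB front end that reads the cookie
SEEN_ASSERTION_IDS = set()              # replay cache; a real SP expires entries with the assertion

def fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def build_signed_response(issuer, subject, audience, recipient, now=DEMO_NOW,
                          key=DEMO_IDP_KEY, lifetime=timedelta(minutes=5)):
    """IdP side (constructed). A real IdP applies an XML-DSig enveloped signature with its
    private key; here an HMAC over the assertion bytes plays that role."""
    aid = "_" + secrets.token_hex(16)
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{aid}" Version="2.0" '
        f'IssueInstant="{fmt(now)}"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}" '
        f'NotOnOrAfter="{fmt(now + lifetime)}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{fmt(now)}" NotOnOrAfter="{fmt(now + lifetime)}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')
    sig = hmac.new(key, assertion.encode(), hashlib.sha256).hexdigest()
    response = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" Version="2.0" '
                f'Destination="{recipient}">{assertion}'
                f'<DemoSignature>{sig}</DemoSignature></samlp:Response>')
    # The browser carries this to the SP's ACS URL as an HTML form POST (SAML HTTP-POST binding).
    return urllib.parse.urlencode({"SAMLResponse": base64.b64encode(response.encode()).decode()})

def consume_post(form_body, now=DEMO_NOW, config=SP_CONFIG, key=DEMO_IDP_KEY):
    """SP side: validate the posted response, then mint a session. Raises ValueError on any failure."""
    raw = base64.b64decode(urllib.parse.parse_qs(form_body)["SAMLResponse"][0])
    root = ET.fromstring(raw)  # demo parser; production code must reject DTDs and external entities
    if root.tag != f'{{{NS["samlp"]}}}Response' or root.get("Destination") != config["acs_url"]:
        raise ValueError("response is not addressed to this ACS")
    if raw.count(b"<saml:Assertion") != 1:
        raise ValueError("expected exactly one assertion")
    # 1. Verify the signature over the exact bytes that were signed, then parse only those bytes,
    #    so an unsigned assertion smuggled in beside the signed one is never looked at.
    start = raw.index(b"<saml:Assertion")
    end = raw.index(b"</saml:Assertion>") + len(b"</saml:Assertion>")
    expected = hmac.new(key, raw[start:end], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), (root.findtext("DemoSignature") or "").encode()):
        raise ValueError("assertion signature does not verify")
    a = ET.fromstring(raw[start:end])
    skew = config["clock_skew"]
    # 2. Only an IdP this SP was configured to trust may vouch for users.
    if a.findtext("saml:Issuer", namespaces=NS) not in config["trusted_issuers"]:
        raise ValueError("untrusted issuer")
    # 3. Validity window, allowing bounded clock skew between IdP and SP.
    cond = a.find("saml:Conditions", NS)
    if now < parse_ts(cond.get("NotBefore")) - skew or now >= parse_ts(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion outside its validity window")
    # 4. Audience must be this SP; otherwise an assertion minted for another SP could be replayed here.
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != config["entity_id"]:
        raise ValueError("audience mismatch")
    # 5. Bearer confirmation must name this ACS as recipient and still be fresh.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"] or now >= parse_ts(scd.get("NotOnOrAfter")) + skew:
        raise ValueError("bearer confirmation rejected")
    # 6. Each assertion ID is accepted once.
    if a.get("ID") in SEEN_ASSERTION_IDS:
        raise ValueError("assertion replayed")
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return subject, mint_session_cookie(subject, now)

def mint_session_cookie(subject, now, ttl=timedelta(hours=8)):
    """Signed cookie any SCSB front end holding SESSION_KEY can check without re-running SAML."""
    payload = f"{subject}|{int((now + ttl).timestamp())}"
    return payload + "|" + hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()

def check_session_cookie(cookie, now=DEMO_NOW):
    """Return the subject for a valid, unexpired cookie, else None (the later HTTP(S) GET step)."""
    payload, _, mac = cookie.rpartition("|")
    good = hmac.compare_digest(mac.encode(), hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest().encode())
    subject, _, exp = payload.rpartition("|")
    return subject if good and exp.isdigit() and now.timestamp() < int(exp) else None
```

Everything after the signature check is what stops a genuinely signed assertion from being replayed at SCSB, or at some other SP the same IdP serves, and the signed cookie is what lets the other SCSB services accept the user on the following GET without repeating the SAML exchange. A real XML-DSig verifier also has to canonicalize the signed element before hashing; the byte-slicing here is only a stand-in for that step.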
Integrated login across SmartCloud for Social Business services
Users directly authenticate once (and only once) to SCSB
Transparently authenticate to SCSB services around the world
Your users shouldn't care about our back-end topology
– Different data centers, different cages, different servers – no problem
The advantages of centralized authentication and distributed processing power at the same time
– Can help simplify integration of new services and partners
– Can help make expansion easier to accommodate
Password storage and checking at SCSB are minimized