The Modern Web Access Management Platform – from on-premises to the Cloud Single Sign On, Access Controls, Session Management and how to use Access Management to protect applications both on premises and in the Cloud

Post on 30-May-2020


TRANSCRIPT

Page 1

The Modern Web Access Management Platform – from on-premises to the Cloud: Single Sign On, Access Controls, Session Management, and how to use Access Management to protect applications both on premises and in the Cloud

Page 2

www.idfconnect.com

Why Web Access Management?

Ensure EVERY request is vetted before ever touching your application (use a “Zero Trust” architecture)

Central enforcement and audit of access policies and activity

Single Sign On and Session Management across all apps EVERYWHERE

Page 3

The Situation

50+ applications protected by current SSO/WAM solution

Multiple user directories

Multiple Password policies

Multiple authentication mechanisms including 2FA

A Common Quandary!

Constraints

NO new firewall ports

NO cloud-to-data center VPNs

NO syncing/pushing employee credentials to the cloud

Key Question: How do we leverage our existing WAM infrastructure to handle platforms and applications in the public cloud?

SSO

WAM

Presenter
The enterprise must remain the authoritative source for employee data. Existing network perimeters and mechanisms must be honored. No pushing sensitive employee data to the Cloud. No doing password management in the Cloud. Do not break SSO. This is a “public cloud” (no VPNs).
Page 4

Server-side Application Integration

AJAX / Mobile / Thick Client Application Integration

Applications in the Cloud

WAM-as-a-Service

"Agent-less" Infrastructure

5 SSO/Rest Use Cases

SSO/Rest Solves 5 Major Challenges

Page 5

Authentication Management

Access Control Enforcement

Single Sign On

Idle Session Timeout

Control Session Duration

Centralized Audit

Web Access Management

A Complete Web Access Management Solution

Presenter
SSO alone is not a solution to all business needs. CA SSO's session management allows for much tighter control of a user’s login experience, including intentionally breaking SSO for some applications, session replay prevention, step-up authentication, mapping a user across multiple user directories, etc.
• Separate SSO zones
• Password policies
• Session replay prevention
• Limiting user account sharing
• Session timeouts
• Directory mapping
• Authorization
• Step-up authentication
• Centralized audit
• Risk-based authorization
Page 6

Common Access Management Gaps in the Cloud

Web Access Management (Gaps in the Cloud)

Authentication Management

Access Control Enforcement

Single Sign On

Idle Session Timeout

Session Maximum Time-to-Live

Control Session Duration

Centralized Audit

Page 7

The SSO/Rest Solution

SSO/Rest combines existing and emerging technologies to extend the perimeter of your IAM solution safely and securely into your public Cloud platforms

SSO/Rest!

REST based - lightweight

No firewall holes - secure

Easy to use, handles latency, transparent…

Engineered to solve this problem

Page 8

Where SSO/Rest resides

Page 9

SSO/Rest Plugin Architecture

Components: Browser → SSO/Rest Plugin (in the cloud app, Corporate Network / Cloud Apps) → SSO/Rest Gateway → Policy Decision Point (XACML, CA SSO, etc.)

Legend: Browser HTTP traffic; SSO/Rest HTTP traffic; PEP-to-PDP traffic

Request flow:

Browser call to cloud application

SSO/Rest session validation request (plugin to gateway)

PEP-to-PDP traffic

Policy Decision Response

JSON reply from SSO/Rest

Response (with updated SESSION cookie[s])

Presenter
Yeah, the circles on slide 8 I think should become boxes, and then the arrows go between the boxes
Page 10

But… is this just Federation?

NO!

Unlike Federation, SSO/Rest supports every access management security feature you have come to trust and depend on, EVEN IN THE CLOUD

In our demonstration you will see that SSO/Rest provides perimeter defense and strong access control to all resources and also enforces those requiring elevated privileges

Page 11

“Look Mom! No VPN!”

SSO/Rest Engine

Login

Update Session

Validate Session

isProtected

Gateway

Enable / Disable

Change Password

isAuthorized

Some of SSO/Rest’s Web Service Endpoints
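The slide 9 request flow and the slide 11 endpoints (isProtected, Validate Session, isAuthorized), as an added simulation that is not IDF Connect's code: a PEP plugin in the cloud app forwards the browser's SESSION cookie to a gateway, the gateway checks the session, consults a policy decision point and answers with JSON carrying the decision plus a refreshed cookie. The JSON fields, decision values, timeouts, sample session and policy table are all assumptions.

```python
import json
IDLE_TIMEOUT = 900        # idle session timeout, assumed 15 minutes
MAX_TTL = 8 * 3600        # session maximum time-to-live, assumed 8 hours

# Constructed sample state (gateway side): opaque SESSION cookie -> session record
SESSIONS = {
    "sess-abc": {"user": "alice", "roles": ["user"], "created": 1000.0, "last_seen": 1000.0},
}
# Constructed policy: URL prefix -> protected flag and the roles allowed to reach it
POLICY = {
    "/public": {"protected": False},
    "/account": {"protected": True, "roles": ["user", "admin"]},
    "/admin": {"protected": True, "roles": ["admin"]},
}

def pdp_rule(path):
    """PDP lookup: the longest matching URL prefix wins; no match returns None."""
    hits = [p for p in POLICY if path.startswith(p)]
    return POLICY[max(hits, key=len)] if hits else None

def pdp_is_protected(path):
    rule = pdp_rule(path)
    return rule is None or rule["protected"]      # unknown paths are treated as protected

def pdp_is_authorized(path, roles):
    rule = pdp_rule(path)
    return rule is not None and (not rule["protected"] or any(r in rule["roles"] for r in roles))

def gateway_validate(cookie, path, now):
    """Gateway (assumed behaviour): check the session, ask the PDP, and answer with a
    JSON document carrying the decision and, when allowed, the refreshed SESSION cookie."""
    if not pdp_is_protected(path):
        return json.dumps({"decision": "allow", "cookie": None})
    s = SESSIONS.get(cookie)
    if s is None:
        return json.dumps({"decision": "login", "cookie": None})
    if now - s["created"] > MAX_TTL or now - s["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[cookie]                      # expired: force re-authentication
        return json.dumps({"decision": "login", "cookie": None})
    if not pdp_is_authorized(path, s["roles"]):
        return json.dumps({"decision": "deny", "cookie": None})
    s["last_seen"] = now                          # touch the session: the idle clock restarts
    return json.dumps({"decision": "allow", "cookie": cookie})

def pep_handle(path, cookies, now):
    """PEP plugin in the cloud app: forward the cookie to the gateway, map the JSON reply."""
    reply = json.loads(gateway_validate(cookies.get("SESSION"), path, now))
    status = {"allow": 200, "deny": 403, "login": 302}[reply["decision"]]
    return status, reply["cookie"]
```

Every decision is made by the gateway and PDP, so the cloud app never sees credentials and needs no VPN back to the data center, which is the point of the slide.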

Page 12

LIVE DEMONSTRATION

• Build sample .Net app
• App contains privileged URL
• Include SSO/Rest Plugin for .Net in the app
• Deploy directly to Microsoft Azure application container
• Create CA SSO Policies or XACML policies – business as usual
• Plugin self-registration and configuration
• App deployment and integration is complete

• The app is in the cloud…
• …but is secured just as if it were in your data center!

Page 13

Remember: Federation is NOT the Same as Web Access Management

Federation:
• One-time handoff from partner IDP
• Limited logout capability

Web Access Management (WAM):
• Perimeter Defense
• Audit
• Access control
• Authentication
• Session lifecycle management
• Policy Enforcement Point (PEP) and Policy Decision Point (PDP)

Page 14

Customer Success Stories

Seamless and Secure Integration: a Fortune 50 retail company makes an acquisition, and has seamlessly and securely integrated the new web apps with its eCommerce portal, without having to bring the apps in-house or create a VPN to the new company (Acquired Company Existing Web Apps → eCommerce Portal)

Successfully Moving .Net applications to Microsoft Azure: a Fortune 50 finance company successfully moves its .Net applications to Microsoft Azure while preserving all of its SSO integrations, authentication and access policies, and audit capabilities (.Net Applications → Microsoft Azure)

(Technology logos on the slide: IIS, HTML5, XML, Cloud, CSS3, js, PHP, .NET, C#, ASP.NET)

Page 15

You should be interested in this technology if…

• You have CA SSO and are moving applications to the Cloud
• You want or need the assurance that every request is vetted before ever touching your application
• You require fine-grained access controls and centralized policy management
• You require a complete audit trail of end-user activity within a given session
• You need a web access management solution that is modern and leverages today’s tools and capabilities (e.g. ELK, Docker, Kubernetes)
• You are interested in offering Web Access Management as a managed service
• You have an API Gateway and want a modern Policy Decision Point for its auth/az requirements
• You are building rich applications (mobile, AJAX) and require web services for all manner of seamless access management integrations

Page 16

Platform support

Web Servers:

App Servers:

App Platforms:

Web services for all manner of integrations

…and other thick clients!

Page 17

SSO/Rest now supports NGINX with an NGINX+ Certified Module

Our native, single-library plugin integrates NGINX and NGINX+ into your access management solution, allowing you to use the full capabilities of SSO/Rest with NGINX

Page 18

Highlights from our latest release, SSO/Rest 3.0:

• Pluggable logic for custom request handling: create your own plugin configuration parameters with our annotation-driven API

• Plugin self-registration: give app teams the self-service capability to register plugins, or orchestrate provisioning of new app instances

• Extended Realm Configuration: apply plugin configuration parameters at the realm level

Page 19

More highlights from our latest release:

• Management console

• Metrics measurements with Elasticsearch

• Swagger User Interface

• Fine-grain logging and tracing

• Automated testing and Self Diagnostic tool

Page 20

THANK YOU! For More Information, Please Visit

IDF Connect, Inc.
2207 Concord Pike #359
Wilmington, DE 19803
Phone: (888) 765-1611
Fax: (888) 765-7284

www.idfconnect.com

www.linkedin.com/in/rsand

@IDFConnect

www.facebook.com/IDFConnect

@rsand2

Turn SSO/Rest into your Enterprise 2-Factor Auth Solution with SSO/MobileKey. For more details visit www.idfconnect.com/products/sso-mobilekey/

Also check out our other products: www.idfconnect.com/products