SSO/Rest

The Easiest Way to Achieve Zero Trust Access Management in the Cloud

SSO/Rest provides your enterprise with a lightweight, transparent way to deploy your applications to the Cloud while still protecting them with the full power and capabilities of your existing Web Access Management (WAM) platform. Crucially, SSO/Rest delivers Zero Trust Access Management, ensuring that every request gets vetted before ever touching your applications or resources.

If your organization has yet to implement an enterprise WAM solution, is running pre-Cloud WAM, or uses Cloud IDM, then SSO/Rest provides a flexible, powerful, and vendor-independent way to fully secure your resources.

SSO/Rest is a CA Technologies TTP Validated Solution.

Read more: SSO/Rest – One Product, Four Solutions

How It Works

SSO/Rest was built to solve the central problem plaguing enterprises that wish to extend the protection of their WAM solutions to the Cloud: that all pre-Cloud SSO products depend on agents or proxies that work poorly in the Cloud – both because of their “heaviness” and their reliance on vendor proprietary communication protocols.

Instead, lightweight, HTTP-speaking “plugins” replace bulky, resource-intensive web agents:
  • Small footprint and self-contained.
  • No chatty, proprietary protocols minimize latency and no new firewall holes.
  • No cryptographic operations means low processor-burden and less patching.
  • Can be drop-replace deployed on applications both inside and outside the enterprise perimeter.
A hardened Cloud Access API Gateway (the “SSO/Rest Gateway“) sits protected in the DMZ:
  • Communicates with the plugins via REST-compliant web services.
  • Securely mediates communication between the plugins and Policy Decision Points (e.g. CA SSO Policy Servers).
  • Handles the resource-intensive crypto.
Full Access Management vs Federation Only
Authentication Management
Access Control Enforcement
A crucial element of Zero Trust, every request for access is checked against fine-grained access control policies by a policy decision point (PDP). The policy is then enforced by the SSO/Rest Plugin.
Single
Sign On
Although both federation and SSO/Rest provide single sign-on, SSO/Rest provides SSO without sacrificing real-time enforcement, in accordance with the principle of Zero Trust.
Idle Session Timeout
SSO/Rest gives you the ability to close an idle session in real-time, while federation-based idle sessions simply persist until the session token expires. This greatly reduces your vulnerability to session hijacking attacks.
Control Session Duration
The more applications you have, the more difficult it is to enforce a maximum session duration across them. Since SSO/Rest sessions are centrally managed in real time, it becomes trivial to control session duration.
Centralized Audit
SSO/Rest allows you to easily and naturally generate centralized audit trails. While theoretically also possible via federation, the difficulty of coordinating end-to-end logs across many applications makes audit centralization very difficult, if not impossible.
Web Access Management

Together, the plugins and the SSO/Rest Gateway create a virtual perimeter, safely providing full WAM to all your critical resources, whether they reside in your data center or have been deployed to the Cloud. By extending true WAM (as opposed to the more limited functionality provided by federation), SSO/Rest provides not only authentication and Single Sign On but also:

  • Session Management – both session duration control and idle session timeouts;
  • Centralized Audit; and
  • Zero Trust Access Management – the plugins enforce your centralized access control policies to ensure that every request gets vetted before ever touching your applications or resources.

SSO/Rest can be used in conjunction with all major enterprise WAM platforms, but can also run as a fully functional, stand-alone WAM solution.

Where SSO/Rest resides

Client-side
AJAX, mobile clients
SSO/Rest Plugins
Applications that have our plugins in front of, or baked into, the application itself to do enforcement and SSO
Server-side
Applications performing server-side login, session revalidation, etc.
Browser
 
SSO/Rest Plugin
Cloud App
SSO/Rest Gateway
Policy Decision Point
Corporate Network

SSO/Rest Plugin Architecture

Cloud
Corporate Network
Browser
 
SSO/Rest Plugin
Cloud Apps
SSO/Rest Gateway
Policy Decision Point
Browser call to cloud application
⬅ Response (with updated SESSION cookies)
SSO/Rest session validation request
⬅ JSON reply from SSO/Rest
PEP-to-PDP traffic
⬅ Policy Decision Response

SSO/Rest Plugin Architecture

Flexible infrastructure, using standards-based components and technologies

Enforces session management rules and timeouts across all applications, whether on-site or cloud-based

End-to-end identity propagation and session (re)validation

Powerful logging, monitoring, tuning and global cache management

Kibana-powered dashboard for OOTB health and performance monitoring

General

Web servers: Apache HTTP Server, Microsoft IIS, NGINX

J2EE containers: IBM WebSphere, Red Hat WildFly (JBoss), Apache Tomcat, and Oracle WebLogic

Cloud platforms: Amazon AWS, Microsoft Azure and Google Cloud

Deployment: a preconfigured Tomcat zip distribution, a VM appliance, or a Docker image

Use with: AJAX, Mobile or native applications

Access policies: XACML-based policy engine or within your existing legacy SSO solution

Platforms

Pluggable gateway logic for flexible integration with legacy SSO solutions such as CA SSO and Oracle Access Manager

Use your Access Management solution as a complete Web Application Firewall and dynamically react to attack heuristics

Built-in web application and services for automated plugin registration allows application teams to self-register plugins

Integrations



Contact Us for Assistance