The Easiest Way to Achieve Zero Trust Access Management in the Cloud
SSO/Rest provides your enterprise with a lightweight, transparent way to deploy your applications to the Cloud while still protecting them with the full power and capabilities of your existing Web Access Management (WAM) platform. Crucially, SSO/Rest delivers Zero Trust Access Management, ensuring that every request gets vetted before ever touching your applications or resources.
If your organization has yet to implement an enterprise WAM solution, is running pre-Cloud WAM, or uses Cloud IDM, then SSO/Rest provides a flexible, powerful, and vendor-independent way to fully secure your resources.
SSO/Rest is a CA Technologies TTP Validated Solution.
How It Works
SSO/Rest was built to solve the central problem plaguing enterprises that wish to extend the protection of their WAM solutions to the Cloud: that all pre-Cloud SSO products depend on agents or proxies that work poorly in the Cloud – both because of their “heaviness” and their reliance on vendor proprietary communication protocols.
Instead, lightweight, HTTP-speaking “plugins” replace bulky, resource-intensive web agents:
- Small footprint and self-contained.
- No chatty, proprietary protocols minimize latency and no new firewall holes.
- No cryptographic operations means low processor-burden and less patching.
- Can be drop-replace deployed on applications both inside and outside the enterprise perimeter.
A hardened Cloud Access API Gateway (the “SSO/Rest Gateway“) sits protected in the DMZ:
- Communicates with the plugins via REST-compliant web services.
- Securely mediates communication between the plugins and Policy Decision Points (e.g. CA SSO Policy Servers).
- Handles the resource-intensive crypto.
Together, the plugins and the SSO/Rest Gateway create a virtual perimeter, safely providing full WAM to all your critical resources, whether they reside in your data center or have been deployed to the Cloud. By extending true WAM (as opposed to the more limited functionality provided by federation), SSO/Rest provides not only authentication and Single Sign On but also:
- Session Management – both session duration control and idle session timeouts;
- Centralized Audit; and
- Zero Trust Access Management – the plugins enforce your centralized access control policies to ensure that every request gets vetted before ever touching your applications or resources.
SSO/Rest can be used in conjunction with all major enterprise WAM platforms, but can also run as a fully functional, stand-alone WAM solution.
The SSO/Rest Solution:
One Product, Four Solutions
Protect Cloud-deployed Applications with Zero Trust Access Management
SSO/Rest enables you to protect and manage your Cloud-deployed apps with your current Web Access Management platform (or alternatively as a stand-alone Access Manager) just as if they were still in your data center. And unlike federation-based approaches, SSO/Rest queries your centralized, fine-grain access control policies in real-time to ensure that every request gets vetted before ever touching your applications or resources. In other words, whether you run your own images on Amazon EC2 or Rack-space, or hot-deploy your applications directly to Microsoft Azure or Google App Engine, SSO/Rest gives you Zero Trust Access Management and every other capability that your on-premises WAM solution delivers today.
Easily Integrate Rich Browser and Mobile Applications into your Access Management Environment
SSO/Rest allows your enterprise to harness the power of your WAM infrastructure directly from all your client platforms with minimal modifications to your existing applications using an intuitive and simple REST API. Rich client integration supports AJAX, Adobe Flex, Microsoft Silverlight, mobile applications, and other rich content platforms.
Modernize your Web Access Management
The first truly modern Web Access Management product, SSO/Rest does far more than provide Cloud-enabled enterprise WAM. Incorporating powerful new management tools (e.g. admin self-service for plugin registration, web services for automated orchestration, an automated testing/self-diagnostic tool, and an Elastic Stack-driven dashboard for health and performance monitoring), SSO/Rest will both reduce your operational workload and increase your system reliability.
Ensure Safe Migrations – Move Apps One at a Time, Not in a “Big Bang”
Most IAM changes or migrations involve huge costs and man-effort, as years of integration work are updated or simply redone. Worse, all of these changes and migrations must happen simultaneously and go live in a single “Big Bang” approach.
SSO/Rest removes the need to risk this ordeal by providing a safe and simple migration path for all of those applications that you have already SSO/WAM-enabled. These apps can be migrated when you want and where you want – either to the cloud, to other IAM platforms, or both – in an orderly, stepwise fashion, with zero interruption to the quality service your customers expect.
- Enforces session management rules and timeouts across all applications, whether on-site or cloud-based.
- End-to-end identity propagation and session (re)validation.
- Plug-ins support most major web servers in today’s market, including Apache HTTP Server, Microsoft IIS, and now NGINX as well; and J2EE containers such as IBM WebSphere, Red Hat WildFly (JBoss), Apache Tomcat, and Oracle WebLogic.
- SSO/Rest employs a flexible infrastructure, using standards-based components and technologies. It can be deployed in any J2EE servlet container (Tomcat, JBoss, WebLogic, WebSphere), Java 6.0, and any JAX-RS framework.
- Built-in web application and service for plugin registration allows application teams to self-register plugins via web app or script, without involving the IAM team.
- Rich client integration supports AJAX, Adobe Flex, Microsoft Silverlight, Mobile applications, and other rich content platforms.
- Gateway component is available as a J2EE application file, a preconfigured Tomcat zip distribution, a VM appliance, or a Docker image.
- Pluggable logging framework allows configuration of logging and tracing both from within your WAM software and the externalized logging framework of your choice.
- Leverages a pluggable distributed caching technology to provide powerful tuning and global cache management.
- Endpoints support a flexible combination of plain text, JSON, and XML payloads.
- Full multi-byte support for international characters in user identifiers and attributes.
- Comprehensive OAuth and OIDC support, including wrapping vendor SSO tokens inside OAuth/OIDC tokens for tightest integration and security.
- Includes pluggable gateway logic for flexible integration with SSO solutions – currently CA SSO and Oracle Access Manager – with a standalone policy decision point based on an XACML rules engine coming in Q3.
- Fully supports most Cloud-based platforms, including Amazon AWS, Microsoft Azure and Google Cloud.
- Powerful REST API performs multiple IAM operations, including enable/disable user and user password change.
- New plugin capabilities for Gateway component allow extensible agent logic (something that most WAM out-of-the-box agents cannot provide). Now you can use your Access Management solution as a complete Web Application Firewall and dynamically react to attack heuristics.
- Web services for automated orchestration,
- An automated testing/self-diagnostic tool
- Elastic Stack-driven dashboard for health and performance monitoring