The Easiest Way to Extend Web Access Management to the Cloud

SSO/Rest provides your enterprise with a minimally-invasive way to push your applications into the Cloud while seamlessly protecting them with the full power and capabilities of your Web Access Management (WAM) platform – as if they were still in their own data center.

How It Works

SSO/Rest delivers full, Cloud-friendly Web Access Management through a simple HTTP-based RESTful interface that has been hardened and secured to safely provide enterprise SSO, authentication, session management, and access management over the public cloud. SSO/Rest utilizes lightweight, drop-in replacements for agents (the SSO/Rest Plugins). Because of the plugins’ small footprint and HTTP-based communication (which means no new firewall ports!), enterprises can deploy them on applications both inside and outside the enterprise perimeter, thereby creating a virtual perimeter to encompass any cloud-based services the organization wishes to secure. The hardened SSO/Rest Gateway sits protected in the enterprise DMZ, securely mediating communication between the plugins and Policy Decision Points (PDPs, such as CA SSO Policy Servers).

The SSO/Rest Solution

With its lightweight, HTTP-based plugins, SSO/Rest solves the central problem plaguing enterprises that wish to extend their WAM solutions to the Cloud: that all pre-Cloud SSO products depend on agents or proxies that simply won’t work in the Cloud – both because of their “heaviness” and their reliance on non-standard communication protocols.

SSO/Rest’s plugins allow your enterprise to bypass the onerous implementation pitfalls which result from trying to work around this fundamental shortcoming, such as network latency, new firewall rules, VPN tunnels, or even vendor-lock. Self-contained (requiring no external code libraries), the plugins can be installed at either the server level or bundled directly into applications. And since they don’t perform any processor-consuming cryptographic operations or token validations they are resistant to zero-day vulnerabilities, which means that patching is infrequently required.

Crucially, by extending true WAM (as opposed to the more limited functionality provided by federation), SSO/Rest fills four major security gaps that typically plague WAM in the Cloud: no centralized audit capability, the lack of direct access control enforcement, the inability to control session duration, and no way to timeout idle sessions.

One Product, Five solutions

Protect Cloud Applications with Full Access Management

SSO/Rest cloud-enables your applications and protects them with your current Access Management platform just as if they were in your data center. Whether you run your own images on Amazon EC2 or Rack-space, or hot-deploy your applications directly to Microsoft Azure or Google App Engine, SSO/Rest allows you to protect and manage them as if they were local.

Easily Integrate Rich Browser and Mobile Applications into Your Access Management Environment

SSO/Rest allows your enterprise to harness the power of your WAM infrastructure directly from all your client platforms with minimal modifications to your existing applications using an intuitive and simple REST API

Tighter Integration, Better Services for Your Internal Applications

SSO/Rest provides a rich integration interface for server-side integrations, enabling them to further leverage the power of your WAM infrastructure. Because the interface is REST-based, no vendor-specific SDK is ever needed inside your applications.

Go Agentless!

SSO/Rest consolidates your WAM agents to within the SSO/ Rest Gateway. Migrating from thousands of heavy, vendor-proprietary agents to SSO/Rest’s lightweight plug-ins will significantly lower the cost and burden of maintaining your SSO infrastructure.

Deploy Web Access Management as a Service

Service providers can now provide the full power of traditional WAM solutions as a Software-as-a-Service offering


  • Enforces session management rules and timeouts across all applications, whether on-site or cloud-based.
  • End-to-end identity propagation and session (re)validation.
  • Plug-ins support most major web servers in today’s market, including Apache HTTP Server, Microsoft IIS, and now NGINX as well; and J2EE containers such as IBM WebSphere, Red Hat Wildfly (JBoss), Apache Tomcat, and Oracle WebLogic.
  • Built-in web application and service for plugin registration allows application teams to self-register plugins via web app or script, without involving the IAM team.
  • Rich client integration supports AJAX, Adobe Flex, Microsoft Silverlight, Mobile applications, and other rich content platforms.
  • Gateway component is available as a J2EE application file, a preconfigured Tomcat zip distribution, a VM appliance, or a Docker image.
  • Pluggable logging framework allows configuration of logging and tracing both from within your WAM software and the externalized logging framework of your choice.
  • Leverages a pluggable distributed caching technology to provide powerful tuning and global cache management.
  • Endpoints support a flexible combination of plain text, JSON, and XML payloads.
  • Full multi-byte support for international characters in user identifiers and attributes.
  • Comprehensive OAuth and OIDC support, including wrapping vendor SSO tokens inside OAuth/OIDC tokens for tightest integration and security.
  • Includes pluggable gateway logic for flexible integration with SSO solutions – currently CA SSO and Oracle Access Manager – with a standalone policy decision point based on an XACML rules engine coming in Q3.
  • Fully supports most cloud-based platforms, including Amazon AWS, Microsoft Azure and Google Cloud.
  • Powerful REST API performs multiple IAM operations, including enable/disable user and user password change.
  • New plugin capabilities for Gateway component allow extensible agent logic (something that most WAM out-of-the-box agents cannot provide). Now you can use your Access Management solution as a complete Web Application Firewall and dynamically react to attack heuristics.

Validated and Integrated Cloud Technology

  • SSO/Rest supports AJAX, Adobe Flex, Microsoft Silverlight, and other browser-based rich content engines. It supports plain text, JSON, and XML payloads.
  • SSO/Rest employs a flexible infrastructure, using standards-based components and technologies. It can be deployed in any J2EE servlet container (Tomcat, JBoss, WebLogic, Websphere), Java 6.0, and any JAX-RS framework.
  • SSO/Rest supports the most recent versions of CA Single Sign-On, Oracle AM, as well as a standalone XACML-based policy engine (to be released Q3).
  • SSO/Rest is a CA Technologies TTP Validated Solution.

Contact Us for Assistance