How to move away from ca site minder to open source authn
1. How to Move Away From CA SiteMinder to Open Source
Authn / Authz
So you have seen the light: open standards and open source IAM. But what if
your organization already has websites that use
SiteMinder|OAM|TAM|ClearTrust?
To liberate your organization, here is Gluu’s secret recipe.
Skate to where the puck is going: The Winner is… OAuth2
B2C identity providers–like Facebook, Google, Microsoft, and Yahoo–are moving
to OAuth2 based authentication and authorization API’s. While federation SAML
is the predominant B2B authentication API, as usual, the B2C standard will
prevail. OAuth2 provides better support for complex authorizations including the
Person, clients, websites and an ecosystem of API’s that drive today’s Internet.
Here is another simple reasons why a JSON/REST protocol is preferred over a
XML/SOAP standard: its smaller on the wire. Mobile Internet bandwidth is high
cost in many places. And similarly, more efficient data structures mean less
memory and CPU resources needed on the device and the server. Billions of
people authenticate per day, so not only does it make economic sense, but its
greener!
2. But the most important reason to move to OAuth2: Content. Put yourself in the shoes of a
web developer. It makes sense to support the large consumer IDP’s at the time of your
launch. SAML is something you add later when you sell that big customer that makes you
do it.
Don’t throw good money after bad
Make sure that new applications use OAuth2. You don’t want to create more work for
yourself in the future. Especially for “green field” applications, its less than half the cost to
do the job right the first time. In some cases, application developers may be able to deliver
new capabilities based on the new infrastructure (like two factor authorization, or central
authorization), so you need to consider opportunity costs as well.
Be reverse compatible
While expanding the old SSO deployment is undesirable, we still want it to work. For
example, through the use of a custom authentication script, OX can include retrieving one
or more SiteMinder tokens. So if a person authenticates to an OAuth2 protected
resource, and then navigates to a SiteMinder protected website, SSO would be
maintained. The same is true for SAML. As applications are EOL, or need to be
upgraded, move them to OAuth2.
3. Think about the front door
Businesses are advised to invest in the part of their facility that the customer sees. With access management
systems, this is the login experience, and the authorization experience. Frequently I remind Gluu customers to
consider the authentication triangle, the vertices are (1) security, (2) price and (3) usability. Each authentication
mechanism has its own unique triangle. Much attention lately has been focused on security. But many of the
advancements have been to enable stronger security, while at the same time improving usability. The best kind of
authentication is the one you never see! Consumer IDPs are looking at many contextual indicators to figure out if an
interactive authentication is needed. Organizations should follow suit.
Try your best, but be flexible.
If a certain application can’t use OAuth2, its ok to fallback. There might be an old version of IIS you need to support. Or
the SaaS provider just supports SAML… its ok! Don’t worry. You want to guide applications to use open standards.
SAML or even SiteMinder is a lot better than for the website to store credentials for the person.
Is SiteMinder “Dead”
Granted… “SiteMinder is Dead” is sensationalist. Old SSO protocols hang around until you disconnect the last site.
That can be some time, which is why we want the standards to be well tested. That’s why the title of the previous blog
said “Decline”, not “Dead”. If you have a sizable organization, and are looking at a green field, are you installing a
commercial IAM Suite, an IDaaS, or open source? The last two didn’t even exist until a few years ago. No matter how
you slice it, monolithic IAM Suites like CA SiteMinder are going to get a smaller percentage of the market, and
reducing prices to get a small number of new customers might not be offset by revenue loss from existing customers.
In rapidly growing markets, the price goes down, the total size of the market increases, and the initial suppliers are
challenged to make a very difficult pivot.
4. In any case, at Gluu, we think there is a bigger opportunity to provide service to the
market that doesn’t yet have a “SiteMinder”, than disrupting current monolithic IAM
customers. Most current solutions are hub and spoke: usually a big IDP and lots of
internal websites, some external SaaS services, and partner sites. How many inbound
SAML connections does your average organization support? The answer is frequently
“not many.” Big companies can afford commercial Access Management / Federation
software, but their partners usually cannot. Net-net, this means the cost of “extranet”
user management is either too high or even worse, its insecure. Organizations want
open source because there is a benefit if their partners can cost effectively upgrade their
IAM.
You can substitute “SiteMinder” with the IAM product of your choice, for example Oracle
Access Manager (OAM), RSA Cleartrust, or IBM Tivoli Access Manager (TAM). Although
some IAM products also use HTTP reverse proxies, the idea is generally the same: align
with the old until you migrate existing apps. Notice in this diagram, there are two OAuth2
Authorization Servers. OAuth2 enables federated authorization… sometimes many
parent organizations make different policies, and application developers need to ensure
all the policies are considered.
Article Source - http://www.gluu.org/blog/how-to-move-away-from-ca-siteminder-toopen-source-authn-authz/