A Closer Look at Centrify DirectControl's Web SSO Solution

Core Features

At a high level, the DirectControl for web/Java agent provides the following five key features:

* SPNEGO Support for Application Servers: the DirectControl for web/Java agent natively extends the security layer of each application server to implement the SPNEGO protocol for Kerberos and NTLM authentication and single sign-on. Per Wikipedia: "SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports...SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory."

  In effect, DirectControl extends the "secret handshake" that Microsoft provides between IE and IIS. With DirectControl you can use IE, or any other browser that supports SPNEGO, and get that same SSO experience not only with IIS but with non-Microsoft web servers such as Apache, JBoss, WebLogic and WebSphere (running on either Windows or UNIX/Linux).
* Kerberos Support for web/Java Applications: Kerberos is the mature approach that Microsoft uses for single sign-on in an all-Microsoft environment. While Kerberos is available for non-Microsoft platforms, like UNIX and Linux, it can be difficult for a non-expert to deploy and manage a Kerberos stack for use in single sign-on. DirectControl for web/Java, in cooperation with DirectControl for Systems, automatically deploys, configures and manages the entire Kerberos stack for the application server and OS that your custom application is installed on.

  Optionally, NTLM can also be used for authentication in an environment or on a system where Kerberos is not functional or appropriate. NTLM is an older Microsoft authentication protocol that predates Kerberos.
* Authorization based on Active Directory Groups: Using J2EE standards, DirectControl for web/Java can populate the proper J2EE roles based on Active Directory groups. Additionally, custom user attributes can be passed to the application from Active Directory. This allows a custom web application to provide role-based access and personalization based on a centrally managed identity in Active Directory, regardless of the platform the application server runs on.
* Active Directory Federation Services (ADFS) Support: ADFS, based on industry standards such as the WS-* web services specifications, provides a platform for single sign-on across multiple applications during a single browsing session. Additionally, ADFS provides services that allow authentication and authorization to happen across security, organizational and domain boundaries. These services are included in Windows Server 2003 R2 and 2008. Follow this link for more information on our ADFS web SSO agents for non-Microsoft web servers.
* Support for SSO to the underlying operating systems: Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, web and database platforms with Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same operating system-level authentication, authorization and Group Policy services currently deployed for your Windows systems.
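The SPNEGO and NTLM bullets above describe what travels in the browser's "Authorization: Negotiate ..." header, but not how to tell, on the server side, whether a session actually used Kerberos or quietly fell back to NTLM. The following is an added example, not code from Centrify or from the original post: it decodes the GSS-API token in a Negotiate header, lists the mechanisms the client offered in its SPNEGO NegTokenInit, and flags any request whose preferred mechanism is not Kerberos so it can be logged. The OIDs and the NTLMSSP signature are the real ones; the sample tokens are constructed by the small DER encoder at the bottom of the file, and the builder and function names are this example's own.

```python
import base64

# Added example (not Centrify's code): classify the token in an
# "Authorization: Negotiate <base64>" header so an application server can log
# whether SSO used Kerberos or fell back to NTLM. Sample tokens are constructed.

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"       # legacy Microsoft Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {
    SPNEGO_OID: "SPNEGO",
    KRB5_OID: "Kerberos V5",
    MS_KRB5_OID: "Kerberos V5 (Microsoft legacy OID)",
    NTLMSSP_OID: "NTLMSSP",
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"        # every raw NTLM message starts with this


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode DER OID content octets into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _name(oid_body):
    dotted = _decode_oid(oid_body)
    return OID_NAMES.get(dotted, dotted)


def classify_negotiate(header_value):
    """Return {'mechanism', 'offered', 'preferred'} for a Negotiate header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):       # NTLM sent without SPNEGO wrapping
        return {"mechanism": "NTLM (raw)", "offered": ["NTLMSSP"], "preferred": "NTLMSSP"}
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:                               # GSS-API InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    oid_tag, oid_body, pos = _read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    mech = _name(oid_body)
    if mech != "SPNEGO":                          # bare Kerberos (or other) token
        return {"mechanism": mech, "offered": [mech], "preferred": mech}
    # NegTokenInit: [0] -> SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] MIC }
    ctx_tag, init, _ = _read_tlv(body, pos)
    if ctx_tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(init, 0)
    offered, p = [], 0
    while p < len(seq):
        field_tag, field, p = _read_tlv(seq, p)
        if field_tag == 0xA0:                     # mechTypes: SEQUENCE OF OID, preferred first
            _, mech_list, _ = _read_tlv(field, 0)
            q = 0
            while q < len(mech_list):
                _, oid_body, q = _read_tlv(mech_list, q)
                offered.append(_name(oid_body))
    return {"mechanism": "SPNEGO", "offered": offered,
            "preferred": offered[0] if offered else None}


def ntlm_fallback(result):
    """True when the client did not lead with Kerberos: worth an audit log line."""
    return not (result["preferred"] or "").startswith("Kerberos")


# --- constructed sample tokens; minimal DER encoder (short-form lengths suffice here) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _der(0x06, bytes(out))


def build_sample_neg_token_init(mech_oids, mech_token=b"\x00" * 8):
    """Constructed NegTokenInit offering mech_oids in order (first = preferred)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_oid(o) for o in mech_oids)))
    init = _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _oid(SPNEGO_OID) + _der(0xA0, init))


def make_header(token):
    """Wrap raw token bytes the way a browser sends them."""
    return "Negotiate " + base64.b64encode(token).decode()
```

A healthy Windows client lists the Kerberos OIDs first and NTLMSSP last; a client that could not obtain a service ticket (for example because the server's SPN is missing) leads with NTLMSSP or sends a raw NTLM message, and `ntlm_fallback` returns True for both, which is the condition to alert on when the page's Kerberos-based SSO is expected.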

This means that by packaging the DirectControl agent for the operating system and application server, together with the installation and configuration documentation, support and services of the DirectControl for web/Java products, into a single comprehensive solution, Centrify can provide a true single sign-on solution at both the OS and application layer that interoperates better with your enterprise.
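The authorization bullet above says the agent populates J2EE roles from Active Directory groups, and a practitioner reviewing such a deployment usually wants to see the two details that bullet leaves implicit: nested group membership has to be resolved transitively, and a group with no mapping must grant nothing. The following is an added example and not Centrify's implementation; the group DNs, role names and the group-to-role table are constructed for illustration, and `effective_groups`, `roles_for` and `is_user_in_role` are this example's own names.

```python
# Added example (not Centrify's code): resolve a user's effective AD group
# membership, including nested groups, and map it to J2EE roles before the
# container evaluates its <security-role> constraints. All names constructed.

def dn(cn):
    """Build a constructed group DN from its common name."""
    return f"CN={cn},OU=Groups,DC=example,DC=com"


# Constructed snapshot of AD nesting: group DN -> groups it is a member of.
GROUP_MEMBER_OF = {
    dn("Payroll-Clerks"): [dn("Finance-Staff")],
    dn("Finance-Admins"): [dn("Finance-Staff")],
    dn("Finance-Staff"): [dn("All-Employees")],
    dn("All-Employees"): [],
}

# Assumed application mapping: AD group DN -> J2EE role. Groups absent from
# this table grant no role at all (deny by default).
ROLE_MAP = {
    dn("All-Employees"): "employee",
    dn("Finance-Staff"): "finance-viewer",
    dn("Finance-Admins"): "finance-admin",
}


def effective_groups(direct_groups, member_of=GROUP_MEMBER_OF):
    """Transitive closure of memberOf. AD permits circular nesting, so track visits."""
    seen, stack = set(), list(direct_groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(member_of.get(g, []))
    return seen


def roles_for(direct_groups, role_map=ROLE_MAP, member_of=GROUP_MEMBER_OF):
    """J2EE roles granted by the user's effective group membership, sorted."""
    groups = effective_groups(direct_groups, member_of)
    return sorted({role_map[g] for g in groups if g in role_map})


def is_user_in_role(direct_groups, role, role_map=ROLE_MAP, member_of=GROUP_MEMBER_OF):
    """What HttpServletRequest.isUserInRole(role) would answer for this user."""
    return role in roles_for(direct_groups, role_map, member_of)
```

A payroll clerk is only a direct member of Payroll-Clerks, yet inherits the employee and finance-viewer roles through nesting, while a user in an unmapped group receives no role; the visited set keeps the resolution terminating even when two AD groups are members of each other.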

Courtesy: http://www.centrify.com/blogs/tomkemp/centrify_active_directory_integration_with_web_java.asp