E-business web sites can easily be protected using SSO-52. To protect an existing site, the contents are put behind the access gateway. This immediately provides coverage so that only registered users can access the protected pages.
For more elaborate integration with the site, for example personalisation for the user, SSO-52 provides the elements for easy integration into existing or new applications. This approach simplifies application development and support by eliminating the need for custom database integration for each application.
When a user tries to access a protected resource, the SSO-52 agent first checks whether the user is authenticated (logged in). A non-authenticated user is redirected to the login server shared by all the sites under the SSO-52 security umbrella.
The authentication method is determined by the resource that is being protected. If the resource being protected is more critical, a stronger level of authentication can be used (smart cards or certificates) or a combination of methods. SSO-52 is designed so that it is simple to add new Authentication methods if they are required. The user supplies their authentication credentials and the login server passes these to the Authentication server for verification against details stored in the backend data store.
In the event that authentication fails, the system can be configured to display customised pages or perform customised actions. When the user has successfully authenticated, a strongly encrypted cookie is generated by the AuthServer and passed to the user's browser. No sensitive information is contained in the cookie, which allows it to be sent over the HTTP protocol. The cookie contains the user's name as well as other characteristics of the login (for example, the session will time out after 10 minutes of no activity). The cookie is encrypted to provide security and privacy.
When a user has been successfully authenticated, the cookie that has been passed back to the browser allows the user single sign-on access to all the sites that are being managed by the SSO-52 server that issued the cookie. These sites can be in the same domain, or in ANY domain.
When a user has been authenticated, SSO-52 then determines what access they have to the requested resource. The policy server consults the policies associated with the requested resource to determine how the request will be handled. Policies are constructed for groups of users, such as "all bank customers", "Sales force" or any other grouping.
Policies are constructed to control access to resources on a group basis. A group is defined by any attribute that users share; one such grouping is "All users with Netscape version 4.7". Groupings can be constructed from any information held in the directory servers. This feature gives administrators a high degree of flexibility in how a service is constructed.
If a user is not authorised for the requested resource, the site can display customised error pages explaining to the user what has happened. When authorisation succeeds, the user has access to the requested resource.
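The authentication check, the idle time-out and the group-based policy decision described in the paragraphs above, as an added Python sketch that is not SSO-52's own code: the function names, directory entries and policies are constructed, and an HMAC-protected cookie stands in for the product's encrypted one.

```python
import base64, hashlib, hmac, json
# Added illustration of the flow described above; names are assumptions, not the product's API.
# The cookie is tamper-evident (HMAC) rather than encrypted: the standard library has no AEAD.
SECRET = b"constructed demo key"    # constructed; a deployment would use a random secret
IDLE_TIMEOUT = 10 * 60              # the session times out after 10 minutes of no activity
# Constructed directory entries (backend data store) and group policies keyed by resource prefix.
DIRECTORY = {
    "alice": {"customer_type": "bank customer", "browser": "Netscape 4.7"},
    "bob": {"customer_type": "sales force", "browser": "IE 5"},
}
POLICIES = {
    "/accounts/": {"customer_type": "bank customer"},   # "all bank customers"
    "/crm/": {"customer_type": "sales force"},          # "Sales force"
    "/legacy/": {"browser": "Netscape 4.7"},            # "All users with Netscape version 4.7"
}

def issue_cookie(user, now):
    """AuthServer side: build the cookie handed to the browser after a successful login."""
    body = json.dumps({"user": user, "last_activity": now}).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def read_cookie(cookie, now):
    """Agent side: return the session, or None if the cookie is forged, damaged or idle too long."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(SECRET, body, hashlib.sha256).digest(), tag):
        return None                 # not issued by this AuthServer, or tampered with
    session = json.loads(body)
    if now - session["last_activity"] > IDLE_TIMEOUT:
        return None                 # idle time-out: treat the user as not authenticated
    return session

def authorise(session, resource):
    """Policy server side: does the user belong to the group the resource's policy names?"""
    attrs = DIRECTORY.get(session["user"], {})
    for prefix, required in POLICIES.items():
        if resource.startswith(prefix):
            return all(attrs.get(k) == v for k, v in required.items())
    return False                    # no policy for the resource: deny by default

def handle_request(cookie, resource, now):
    """Agent decision for one request: redirect to login, deny, or allow."""
    session = read_cookie(cookie, now) if cookie else None
    if session is None:
        return "redirect-to-login"
    return "allow" if authorise(session, resource) else "deny"
```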
When an application that is protected by SSO-52 is accessed, it can receive various pieces of user information. Most of this information would normally be stored in the directory server. Examples of the types of information that can be passed to the application are phone number, credit card number, or the time of the last login. The data can be either static or dynamic.
The information that is passed to the application is used to personalise and customise the user's experience of the site. SSO-52 simplifies development of web applications by eliminating the need for developers to construct complex directory or database code for entitlement information about the user.