Non-Policy-Based SSO: A Real-World Case Study

By kumni04 posted May 02, 2017 01:48 PM


So far, my posts have covered various aspects of non-policy-based SSO. Today, I’ll share a real-world example of non-policy-based SSO in action at a CA Technologies customer, one I consider a visionary pioneer in digital transformation. One proof point for my opinion is that the company embarked on its digital transformation journey more than eight years ago, well ahead of most other organizations.


While the user experience was the cornerstone of this digital transformation, security and release management were also top of mind for the company. It all started with an idea to provide SSO for an IApp while simultaneously decoupling the IApp from SSO policy. As you know, SSO policy requires a policy enforcement point (PEP), which is typically an SSO agent. The question became how to ensure session security without a policy-based SSO and its attendant PEP.


As we developed non-policy-based SSO, we came to see that it was a blessing in disguise—and that it can be the same for other organizations. It forced everyone to think differently and beyond just user experience. Energized by cross-pollination of teams and collaboration, we knew we were onto something bigger than just SSO. We were building and living what the industry now calls digital transformation, essentially DevOps and Agile. In this case, business was the driver, and non-policy-based SSO was the transformer.


Like the pioneers of old, we transformed the company’s landscape. We set up camp by building a completely new, modern user registration and sign-on process that simplified the user experience. We accomplished this by integrating CA SSO and CA Identity Manager with the company’s IApps. SSO allows seamless, secure navigation across the company’s web applications for its consumers, partners and employees. Even minor interface design elements, such as validating authentication codes, were held to the highest user experience standards while striking the right balance with the underlying development and operations effort. To improve business availability, we eliminated dependencies between release sprints and operations for runtime deployments, with no change in security posture.


Because SSO without session security is worthless—even dangerous—the customer, CA and IBM collaborated on building a strategy to ensure session security at all integration layers. CA and IBM enhanced their products to help our customer achieve success in its business initiative. The customer’s IApp developers worked closely with CA Services to:

  • Build an in-line web session filter to validate SSO tokens.
  • Update IApp login modules that call SSO to obtain SSO tokens.
  • Ensure that an IApp server session is generated and updated based on an SSO token and the user’s type of access.


If your organization needs assistance with its digital transformation, non-policy-based SSO may be the transformer you’re seeking. With CA SSO, an enterprise infrastructure product, you can enable centralized, secure web access management, user authentication, single sign-on, policy-based authorization and identity federation. Please comment on this post if your organization is undergoing a digital transformation—or if you have any observations you’d like to make.