The Best Things in Life (and in IAM) are Free
If you're looking for a secure and tested product to implement the Ticketing
Server-based Single Sign-On Access Management model that we just
described, then CAS (JA-SIG's Central Authentication Service) is far and away
the simplest and least expensive.
Likewise, if you're looking for a federated 17 Single Sign-On Access
Management solution, you cannot do better than Shibboleth 18.
Both of these are Open Source, which means there are no licence fees, but
more importantly, that there are no hidden hooks or dependencies (our
infamous “tight integration”) to lock you into the product and lock out
competing vendors' products. You will find that integration and operational
costs, more than licence costs, are the real arguments in favour of an Open
Source solution.
If you have strong Java support skills in your own organisation, then the only
ongoing cost of implementing these products is the cost of the staff
dedicated to supporting them. However, most organisations would also
prefer to back up such front-line support with some kind of commercial
support agreement (second- and third-level support). Here again, because of
the Open Source nature of these products, you are very likely to find
companies that understand and are willing to support them for a reasonable
annual fee 19.
17 We have a rather simple and practical definition of federated identity
management as opposed to local identity management. If you provision user data
(including authentication credentials) into repositories, for your own organisation's
use, then all you need is local identity management. But if you have to grant access
to users who you do not yourself provision but rely on other organisations to vouch
for, or if other organisations need you to vouch
for users in your repositories who will access their systems, then what you need is a
federated identity system. In both these cases, one organisation trusts another to
vouch for users who are not provisioned in the first organisation's repository.
18 Why not just use Shibboleth for everything, since its capabilities are obviously a
superset of CAS's? Shibboleth is a more complex product than CAS to install, maintain
and roll out, so if you don't need federated identity, you're probably best off using
just CAS. Even if federated identity is part of your requirement, we discuss a couple
of ways in which you can keep the consequent complexity restricted to only a part of
your infrastructure.
19 An organisation used to traditional commercial software support agreements
would very likely be pleasantly surprised at the support rates they are likely to be
quoted for Open Source products.