Single Sign-On Service Cuts Costs, Complexity

Published: October 23, 2012

by Dan Burger

The realization of how costly it is to manage user IDs, passwords, and authentication policies can be a shocking experience. If you actually look into this, hanging a "Danger! High Voltage!" sign outside the IT department may be a good idea. Many companies are looking for places where costs can be cut with IT efficiencies, and an examination in this area might earn you some extra credit. It begins with a technology you may have heard of before: single sign-on.

You may not know it, but you already own the technology that enables single sign-on. It's built into your IBM i operating system and it can be configured to manage passwords across multiple systems, including IBM midrange servers, Windows, Unix, Linux, Mac, and others.

Single sign-on (SSO) has been part of the operating systems for 10 years. Why hasn't its use become widespread? Two things: complexity and cost. Here's one way to deal with that.

It's called SSO stat! and it's a service-based option with one-day implementation and a cost of $2,995, along with a $333 per month, two-year service contract, or $5,995 without the monthly contract. The service is available from Botz & Associates, whose owner, Pat Botz, was the lead architect for OS/400 security when single sign-on was built into the operating system in 2002. If there's anyone with more experience doing SSO implementations in IBM i shops, I'd be surprised.

Botz (sounds like "boats") says there are two reasons why cost and complexity have been barriers to SSO deployments. One is that third-party SSO software has been promoted and purchased and the resulting costs have been high and the deployment times have been lengthy. The other is that most IBM i system administrators don't have a background in authentication technologies and how they work with other domains in Windows, Unix, WebSphere, Tomcat, and Apache environments. On top of that, the third-party application side of it adds complexity and costs.

For the average IBM i administrator, that's difficult because they understand their side, but not the other domains: Windows, Unix, Linux, and even WebSphere, Tomcat and Apache side, plus the third-party application side of it. "An administrator might say, 'There's no way in hell that can be anything but expensive,'" Botz says.

Although there can be many tentacles to an implementation, a focus on return on investment should be a priority.

"The objective should be to lower the high cost of identification and authentication of authorized users to the system," he says. "A large percentage of that cost can be eliminated with a small investment.

"The term SSO leads many administrators to think of SSO as a 100 percent solution," he continues. "As soon as they find one element where SSO doesn't work as a 100 percent solution, they disregard the technology as being incomplete because the very definition of SSO is not being met. The goal is not single sign on. The goal is to reduce a very expensive process of managing user IDs, passwords, and authentication across the disparate environments."

The ROI approach takes into account an examination of the business issues before applying technology. Success of any SSO implementation, Botz says, should be based on the value it returns to the company compared to its cost. The best ROI is often a simple SSO implementation that addresses the business issues that affect the most people. It avoids the mistake of "getting mired down in the search for single sign-on nirvana," Botz says.

In many cases, SSO applied to a Windows-to-IBM i integration is the business issue that needs to be addressed. Botz expects that to be the most common fix for SSO stat! and it can be solved in a day with the base pricing structure.

Using this as an example, the service provided by Botz & Associates includes the configuration between IBM i and any Windows-based 5250 emulator for up to 500 users. Additional integration, for instance to an Apache Web server, is done with what Botz calls "expansion packs," which are designed for additional environments.

The service includes an up-front ROI evaluation, guided SSO implementation for any or all of an organization's users, technical staff training on how the system works, and on-going support to quickly remediate any issues introduced by routine software updates.

The support package, Botz points out, extends beyond the goals of the initial installation. Unlike software support that typically includes only the software and not the system it runs on, Botz says his company is prepared to help solve system problems related to SSO and assist in expanding SSO if the company decides to do that.

To find out more about SSO stat!, the company website is www.botzandassociates.com. At that site is a single sign on ROI calculator tool that can be downloaded at no cost.

RELATED STORIES

Single Sign-On: Then and Now

AS/400 i Mystery Solved--Again?

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot