Future Tivoli Tools Extend SSO To Clouds, Analyze Services
October 10, 2011 Timothy Prickett Morgan
Password management and the security issues (mostly human) that surround it continue to be a bone in the throat of IT departments. Having established standards like Security Assertion Markup Language (SAML) and OpenID to control how users access applications within the network and behind the firewall, now app-crazed employees want to roam outside the firewall and use the same single sign-on (SSO) tools that they have for enterprise apps to get them access to the cloudy apps. The good news is this is exactly what IT departments want to have happen, too.
So IBM is starting to tell customers about some enhancements to its Tivoli security products that will allow cloudy applications like LotusLive, Salesforce.com, and Google Apps to be brought into the same access control framework as internal apps and be given SSO capability. You log in once and all the apps and systems under the watchful eyes of Tivoli let you bounce across public and private networks.
As we learn in announcement letter 211-468, Tivoli Federated Identity Manager will use SAML, OpenID, and OAuth–that last one is the new bit–to make it so someone working from an external Web-based application can authenticate against your internal systems and share data with your site. OAuth is an authentication method created by Twitter that has been expanded and used by a number of Media 2.0 sites to allow people to share their pictures, files, and contact lists from one Web site with another without having to pass their credentials to that outside Web site.
OpenID allows for a single user name and password to provide SSO capability across two Web sites. SAML provides a mechanism for doing authentication across distinct networks without resorting to saving cookies all over the place; it involves establishing a trusted store of identities that is also a repository of user names and passwords. You don’t log in so much as prove to SAML who you are and then it logs you in. SAML has been around since 2002, but the problem is that most Web applications don’t support it. And so, like everyone else, Tivoli Federated Identity Manager needs the OAuth hack to do authentication and also to allow for data to be shared across two different Web apps.
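As an added illustration of the federated model the paragraph describes (not code from the article or from IBM's Tivoli products): the trusted identity store vouches for the user with a signed assertion, and the outside Web application accepts that assertion instead of ever seeing a password. The issuer, audience and key values are constructed, and an HMAC stands in for the XML signature that real SAML uses.

```python
import hmac, hashlib, json, time, base64

# Shared secret between the identity provider (IdP) and the service provider
# (SP). Constructed sample value; a real deployment would use a key pair and
# XML signatures as SAML specifies. HMAC keeps the flow readable here.
IDP_KEY = b"constructed-demo-key"
IDP_NAME = "https://idp.example-corp.internal"   # hypothetical issuer
SP_NAME = "https://crm.example-cloud.test"       # hypothetical audience

def issue_assertion(subject, audience, now=None, ttl=300, key=IDP_KEY):
    """IdP side: the user has already proven identity to the IdP; emit a
    signed assertion scoped to one audience with a short lifetime."""
    now = int(time.time()) if now is None else now
    body = {"iss": IDP_NAME, "sub": subject, "aud": audience,
            "iat": now, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_assertion(token, expected_audience, now=None, key=IDP_KEY):
    """SP side: return the subject on success, else None. No credential ever
    reaches the SP; it trusts only what the IdP signed, and only for itself."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = payload_b64.encode()
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison avoids timing leaks on the signature check.
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if body.get("iss") != IDP_NAME:            # only our IdP may assert identity
        return None
    if body.get("aud") != expected_audience:   # assertion was meant for another site
        return None
    if not body.get("iat", 0) <= now < body.get("exp", 0):  # expired or not yet valid
        return None
    return body.get("sub")
```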
The Horizon Application Manager from VMware was created to solve the same authentication issue and to also provide a means to allow end users to subscribe to apps, both inside and outside the firewall, as if they were on iTunes.
Tivoli Federated Identity Manager Business Gateway, which already supported SAML and which does auditing and compliance control for end users coming into the corporate applications from outside the firewall, will get expanded token support before the end of the year, adding to its existing SAML support.
IBM also hinted that it was working on a new product called Tivoli Analytics for Service Performance, which will launch sometime in the first half of 2012. This product is brand new and will be used to analyze how services on the corporate network–by which IBM means the stuff that comprises applications–are performing so you can figure out when things are going wrong before they die. It will gather and analyze performance data from systems, their applications, and the networks that connect them and their end users together. The idea is to watch what normal behavior is on these networks and then alert administrators when something doesn’t look quite right.