XML is used not only to represent the data but also as a messaging protocol called SOAP; and (6) Portal Integration is another popular integration methodology in use today. It does not involve the expensive and time-consuming technologies and processes that EAI and data warehousing require. It is also the most customer-facing of all the methods described in this section, which means that it can be highly personalized and customized to the customer's requirements. In the future, portals will present their functionality as web services so that multiple portals from different vendors can be integrated.
Architecture of Portals
The portal, when speaking technically, is "a framework that enables developers to plug various software components called portlets, and then deliver the aggregated content to multi-devices." (Mohan, 2003) Integration may be accomplished using HTML, JSP, Java Beans, Java servlets, XSL that transforms XML through XSL transformation, or even CGI. Sun Microsystems' Java Community Process is presently reviewing Java Specification Request JSR 168 in order to "define a set of API for aggregation, personalization, presentation and security. The specification will be based on the specification for Java Servlet." According to Mohan: "once the standard is in place, there could be a new third party portlet industry that could mushroom as portals will be able to integrate any portlet based on the standards using the Java architecture." (2003) Mohan additionally states that: "Taking the portlet even further is a standard called Web Services for Remote Portals (WSRP) from Organization for Advancement of Structured Information Standards (OASIS). This standard defines interfaces and behaviors to encapsulate portlets as web services so that any portal based on WSRP standard could bind to the portlets. This means that the local portal will only have the WSRP portlet proxy while the actual portlet will run on the remote server. The portal developers will be able to locate WSRP portlets in a public or private UDDI (universal description, discovery and integration) registry. WSRP will also interoperate with portlets developed using Microsoft.NET architecture." (2003)
Identity management works with infrastructure building in order to centralize both the management of users and their privileges within the system. Centralizing users has the following benefits: (1) better control over the security of applications and servers through consolidation of authentication and authorization; (2) a reduction in the number of user accounts within the organization; (3) easier management of the user life-cycle; (4) control and auditing of user actions over the network; and (5) the ability to integrate or federate with external networks using similar standards for identity management. (Mohan, 2003) The Lightweight Directory Access Protocol (LDAP) is the most predominantly used standard for managing identities.
Single Sign on (SSO)
The work of Mohan (2003) relates that a single sign on architecture includes a "centralized authentication hub that is used by all the users of the portal. Once the SSO server authenticates a user, the user is free to access all the applications available to the portal without having to login again. Also, when a user signs off, single sign off ensures that the user is logged off all the participating applications." The following figure illustrates how SSO works.
[Figure: Single Sign on (SSO). Source: Mohan (2003)]
Single sign on operates on each application or web page that needs authentication. When the client browser attempts to access the page, the web server checks whether the browser has the proper cookie set; if it does not, the browser is redirected to the SSO service, the identity provider. At this point the browser "will then receive one or more 'tokens' and will set a cookie. The web browser will once again be redirected to the web server but this time the URL has identifying information encoded in it." (Mohan, 2003) Mohan relates that there are presently two predominant SSO architectures:
(1) Microsoft's .NET Passport; and (2) the Liberty Alliance's Liberty 1.1 specification. The larger of the two is Microsoft's .NET Passport, which claims 200 million user accounts. (Mohan, 2003)
The primary difference between the SSO implementations of the two groups is in how the tokens are generated: "Microsoft uses 3DES-encrypted identifiers in a proprietary format. However, this makes the Passport network proprietary. Hence, Microsoft has committed to upgrading to Kerberos tickets. However, Liberty rejects Kerberos because of the overhead of the Kerberos ticket server and its inability to distinguish between authentication and authorization. Liberty Alliance has instead proposed an XML-based standard for exchanging authentication and authorization data called Security Assertion Markup Language (SAML). The SAML data is embedded in the HTTP responses. Microsoft has also collaborated with IBM and VeriSign to enable passing authentication and authorization data in the SOAP header as a part of the WS-Security specification."
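The redirect flow described above (no cookie, redirect to the identity provider, token issued, cookie set, redirect back with the token encoded in the URL) and the token-generation question that follows it can be shown together in one small simulation. This is an added example, not Mohan's code or any vendor's product; it substitutes an HMAC-signed token with an expiry for the 3DES identifiers or SAML assertions the text mentions, and all host names, the shared key and the cookie name are assumptions.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

SSO_KEY = b"constructed-shared-secret"  # assumed key shared by the IdP and every application server

def b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, now, ttl=300):
    """Identity provider: sign {sub, exp} so application servers can verify it offline."""
    body = json.dumps({"sub": user, "exp": now + ttl}, sort_keys=True).encode()
    return b64(body) + "." + b64(hmac.new(SSO_KEY, body, hashlib.sha256).digest())

def verify_token(token, now):
    """Application server: constant-time signature check first, then the expiry check."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = unb64(body_b64), unb64(sig_b64)
    except ValueError:  # malformed or tampered encoding
        return None
    if not hmac.compare_digest(hmac.new(SSO_KEY, body, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(body)
    return claims["sub"] if claims["exp"] > now else None

def app_server(url, cookies, now):
    """Return ('page', user) when the cookie or the URL token verifies, else a redirect to the IdP."""
    user = verify_token(cookies.get("sso", ""), now)
    if user:
        return ("page", user)
    qs = parse_qs(urlparse(url).query)
    if "token" in qs:
        user = verify_token(qs["token"][0], now)
        if user:
            cookies["sso"] = qs["token"][0]  # set the SSO cookie so later requests skip the IdP
            return ("page", user)
    return ("redirect", "https://idp.example/login?" + urlencode({"return": url}))

def idp_login(redirect_url, user, now):
    """IdP (after authenticating the user) sends the browser back with the token in the URL."""
    ret = parse_qs(urlparse(redirect_url).query)["return"][0]  # assumed to carry no query string
    return ret + "?" + urlencode({"token": issue_token(user, now)})

def browse(url, user, now):
    """One full round trip for a browser that has no SSO cookie yet."""
    cookies = {}
    kind, loc = app_server(url, cookies, now)
    if kind == "redirect":
        kind, loc = app_server(idp_login(loc, user, now), cookies, now)
    return kind, loc, "sso" in cookies
```

The expiry and the signature check are what keep a token copied out of a URL from being replayed indefinitely or altered to name a different user.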
The work entitled "Building a Portal? Vive La Difference" relates that portal servers are becoming more popular in providing users with "ready access to the information they need, when they need it through Web browsers. An intuitive jumping off point to content and applications from a variety of internal and external sources, portals consolidate access to information that used to require multiple interfaces. Businesses in every industry are turning to portals for faster, more efficient business-to-business and business-to-consumer communication. They see these tools as the key to delivering content that's timely and relevant to individual's roles and to promoting collaboration across geographic boundaries." (InformationWeek, 2001) A portal has the power to "enhance knowledge sharing and improve productivity, and provide a unified and consistent view of the business to customers, suppliers, investors partners, and visitors. And it can reduce the costs of distributing and sharing content and applications."
The work of Sumner Blount, eTrust Solutions, entitled "Reducing the Costs of IT Security Management" states that Identity and Access Management involves the following considerations:
Who has access to what?
What did they do?
When did they do it?
How can we prove it? (Sumner Blount, eTrust Solutions, 2006)
Upon answering these questions it is possible to "effectively align security with business goals, protect vital business assets, streamline business operations and achieve regulatory compliance." (Sumner Blount, eTrust Solutions, 2006) Key capabilities for successful identity and access management integration are:
Identity Administration - Enables the creation and administration of user identities and profile information;
Provisioning - Allocates to each user the appropriate accounts and access rights to corporate resources, as well as de-provisioning them at the appropriate time (e.g. when they leave the company);
Access Management - Helps to ensure that the organization maintains the integrity of its information and applications through prevention of unauthorized access, including controlling access to all "...critical resources; web applications; enterprise applications; systems; critical system services; databases and repositories"; and
Monitoring/Auditing - Provides aggregation, filtering, analysis and correlation of security events across all components within the environment. It also provides visualization tools to facilitate analysis of this information by system administrators. (Sumner Blount, eTrust Solutions, 2006)
The following illustrates an 'integrated IAM platform'.
[Figure: Integrated IAM Platform. Source: Sumner Blount, eTrust Solutions (2006)]
This solution results in a reduction of IT security costs, including help desk costs. Efficiency is greatly increased through the IAM Platform. The Meta Group reports findings that single sign on results in a 33% reduction in help desk call volume. Security staff often devote much of their time to:
Creation of identities or profiles for new users;
Creation of the access rights for each user;
Allocation of resources to new users;
De-allocation of resources when users are removed from the system;
Managing the identities and entitlements of external (typically partner) users;
Ensuring that each system and its critical services, databases, and files are protected from unauthorized access;
Collection and analysis of system log and auditing information; and
Managing systems to ensure that the patches for all known vulnerabilities are installed in a timely manner.
Potential savings from automated provisioning will be based upon:
The number and rate of new users;
The number of accounts and applications that typically require access provisioning;
The time required to grant and create access to each of these accounts or applications (this depends heavily on the type of account being created and the system where the account resides);
The time expended in requesting, tracking, and managing the management approval process for access requests; and
The cost per hour of the security administration staff.
The following chart lists the cost reduction and productivity improvements with the IAM Platform.
[Chart: Cost Reduction and Productivity Improvement with the IAM Platform. Source: Sumner Blount, eTrust Solutions (2006)]
Mohan, Sajeev (2003). Mechanics of Oracle Portal and Identity Management. Online available at http://download.oracle.com/owsf_2003/36786_Mohan.doc
Sumner Blount, eTrust Solutions (2006). Reducing the Costs of IT Security Management. Online available at http://i.cmpnet.com/ittransformationcenter.techweb.com/pdfs/reducing_costs_security_mgt.pdf
InformationWeek (2001). Building a Portal? Vive La Difference. 5 November 2001. Online available at http://www.informationweek.com/news/showArticle.jhtml?articleID=6508083
Oracle. Oracle Solutions for Workforce Excellence - HR Transformation: Transform HR from an Administrative Function to a Strategic Partner. Online available at http://www.oracle.com/global/uk/hcm/9575%20Transformation-2-9-4.pdf