Author Archive

How Well Do Your Vendors Really Know You?

May 21, 2012 1 comment

How well do our vendors know us?  I mean, how well do they really know us?  And how much do they care?

They collect countless data points about us through direct or indirect activity.  They spend a lot of money buying lists containing all sorts of information about “people like us”, but what are they actually doing with all that information?  Are they using it to create products geared towards our needs?  Are they using it to make our shopping experience any better? Are they using it to make us feel special?

Are they even using it at all?

Based on one experience, it seems like some companies (some big name companies) just aren’t getting it.

Here’s my story…

You might consider me a coffee fanatic – the stronger and the hotter the better.  I will wake up first thing in the morning and make a 12 cup pot of Cuban coffee (one of my favorites) with the intention of drinking every last drop.  But, as with the best laid schemes of mice and men, I typically throw some of that coffee away (I know, sacrilegious).  So, when a few years back vendors started producing one cup coffee makers with the pods, I figured what the heck, it is still cheaper and easier than Starbucks, and I would make the switch; but which one?

I researched, I asked friends, I tested, I priced, I researched some more and I ended up with a Tassimo brewer made by Bosch (Tassimo is a Kraft Foods brand).  This coffee maker was reasonably priced and it did so much more than the competition. Espresso, cappuccino, latte, hot chocolate, tea – I could make it all with this little gem.  I just knew I had made the best choice and my coffee wasting days were behind me.  I was so satisfied with the product that I became the Tassimo poster child.  I registered my system on the Tassimo Web site and gave Bosch my personal information (something I rarely do).  I told all my K-Cupping friends about my state of the art coffee making mecca.  I celebrated the Tassimo robot commercials on TV.  Heck, I became a one man Tassimo advertisement.  You could consider me the epitome of a loyal Tassimo customer.

Unfortunately, over the past year or so I found that Tassimo coffees are getting harder and harder to find in retail outlets.  Apparently Keurig made better agreements with coffee manufacturers like Starbucks than Kraft did and the availability of my dream coffee started waning.  But I was not to be deterred, Tassimo had a Web site, right?  So, I started ordering my coffee direct.  This satisfied my need for a while, at least until the choices became fewer and everything started being put on back order (especially my wife’s favorite, caramel macchiato).  But I stuck with them – still believing in my choice of brewers.

I mention this because I have put more into my Tassimo relationship than Bosch has.  So, when I received the following email from Bosch telling me that they appreciated my business and were inviting me to a “Customer Appreciation Event”, I felt that they finally started recognizing my investment.

Based on the email, I could save $10, $15 or $25 – depending on how much additional loyalty I was willing to demonstrate.  Apparently “loyalty” is measured by the number of dollars I am willing to spend now, not what I have already spent in the past. Nor is it measured by the fact that I have continued to stick with them even though half the time the items I want are on back order, or that I continue to shop with them even though their merchandise has mysteriously disappeared from retail shelves.  I didn’t respond right away, but the email did make me feel somewhat “special”.

Three days later I received an email with the subject of:


LAST DAY to Shop and Save $10, $15 or $25


Apparently Bosch appreciated me, but only during the three days of the sales event, itself.  Is that appreciation?  Hardly.

But, being the price conscious person that I am, I bit. I went to the web site and put in my order for over $100 of merchandise to get the maximum discount (of which $75 worth of product was back ordered).  Sigh….

Did Bosch consult their records of my buying history to help me make my purchase?  Did they steer me towards those products that I have faithfully purchased in the past?  Did they give me a whole-hearted apology for my products being on back order (for the umpteenth-millionth time)?  Did they in any way make me feel “appreciated” in this transaction?  Hardly.  In fact, the whole experience has had the opposite effect.  Instead of feeling appreciated, I feel like I was being used to help Bosch reach a sales quota.

Unfortunately, the sales process has become a contentious relationship between the customer and the vendor.  Customers are wary of being taken advantage of by vendors who are only out to sell (caveat emptor, right?).  They feel that vendors are only out to take advantage of them, so they will do whatever they can to take advantage of the situation first.  Unfortunately, vendors who actually do care about their customers are all too often lumped into the same category as predatory ones (have you been to a used car lot lately?).

The trust between the customer and the vendor is all but gone.

The fact of the matter is that it doesn’t have to be that way.  Customers can be fiercely loyal to brands (just ask Apple, Levis, or Budweiser) and all that it takes is for the vendor to show an ounce of loyalty back.  It doesn’t take much, just enough to make customers feel like they are valued.  Just enough to make them feel like they have a say in the sales conversation, just enough to make them feel like they are truly ‘special’.

Is that too much to ask for?

A word of advice to vendors, ‘they don’t care how much you know until they know how much you care’.

How much do you really care about us?

Facebook’s Initial Public Offering Disaster

May 19, 2012 1 comment

Facebook’s IPO was a relative disaster.

While it brought billions into Facebook’s coffers, one could hardly call the first day of trading a success. They opened at $38/share and ended the day at $38.27 (a gain of less than 1%).

The only reason why their stock didn’t dip below the opening price was because they were being propped up by bankers who poured in millions every time the stock threatened to go below $38/share. In fact, the stock price was a flat $38/share a mere 30 seconds before the closing bell before the bankers once again jumped in to help save “Face”. (See “How Facebook’s Bankers Saved an IPO, Kept Shares Above $38” for more information.)

They say that people vote with their pocket books. Based on the first day of trading, Facebook is ready to be voted out of office. Is this indicative of social media sites in general, or are people getting tired of Facebook?

My daughter said something quite profound when I told her about what happened. She said, “Dad, it’s just a web site. People get tired of it and they go elsewhere.” Wow, so Facebook may be subject to the same fate suffered by mega-giant portals like AOL, Yahoo, and Netscape? Maybe that’s why sites like Pinterest are trending upwards while Facebook is trending down.

Is it possible that people are getting tired of Facebook not adding anything more to their life than just a time-suck?

The Most Complete History of Directory Services You Will Ever Find

April 13, 2012 19 comments
I started working with Directory Servers back in 1997 when Netscape was but a fledgling company. Over the past 20 years a lot has changed. Companies have come and gone and code has changed hands more times than I care to remember. But one thing remains the same – that little effort started by Tim Howes, Mark Smith, and Gordon Good at the University of Michigan is as important today as it was two decades ago.
I thought it might be worthwhile to take a look back at the various companies that have carried the LDAP mantle for stand-alone directory servers and see where we are today. As such, I have created a table of pertinent events (see below) as well as a graphical timeline (see graphic).
I offer you the industry’s most complete history of directory services that you will ever find – well, at least until the next one comes along.

Directory Services Timeline

1969: First Arpanet node comes online; first RFC published.
1973: Ethernet invented by Xerox PARC researchers.
1982: TCP/IP replaces older Arpanet protocols on the Internet.
1982: First distributed computing research paper on Grapevine published by Xerox PARC researchers.
1984: Internet DNS comes online.
1986: IETF formally chartered.
1989: Quipu (X.500 software package) released.
1990: Estimated number of Internet hosts exceeds 250,000.
1990: First version of the X.500 standard published.
1991: A team at CERN headed by Tim Berners-Lee releases the first World Wide Web software.
1992: University of Michigan developers release the first LDAP software.
1993: NDS debuts in NetWare 4.0.
July 1993: LDAP specification first published as RFC 1487.
December 1995: First standalone LDAP server (slapd) ships as part of the U-M LDAP 3.2 release.
April 1996: Consortium of more than 40 leading software vendors endorses LDAP as the Internet directory service protocol of choice.
1996: Netscape hires Tim Howes, Mark Smith, and Gordon Good from the University of Michigan. Howes serves as directory server architect.
September 1997: Sun Microsystems releases Sun Directory Services 1.0, derived from U-M LDAP 3.2.
November 1997: LDAPv3 named the winner of the PC Magazine Award for Technical Excellence.
December 1997: LDAPv3 approved as a Proposed Standard (RFC 2251).
1998: The OpenLDAP Project is started by Kurt Zeilenga by cloning the LDAP reference source from the University of Michigan.
January 1998: Netscape ships the first commercial LDAPv3 directory server.
March 1998: Innosoft acquires Mark Wahl’s company, Critical Angle, and releases LDAP directory server product 4.1 one month later.
July 1998: Sun Microsystems ships Sun Directory Server 3.1, implementing the LDAPv3 standards.
July 1998: Estimated number of Internet hosts exceeds 36 million.
1999: AOL acquires Netscape and forms the iPlanet Alliance with Sun Microsystems.
March 1999: Innosoft team, led by Mark Wahl, releases Innosoft Distributed Directory Server 5.0.
March 2000: Sun Microsystems acquires Innosoft and merges the Innosoft directory code with iPlanet. This forms the foundation for the iPlanet Directory Access Router.
October 2001: The iPlanet Alliance ends and Sun and Netscape fork the codebase.
October 2004: Apache Directory Server becomes a Top Level Project after one year in incubation.
December 2004: Red Hat purchases the Netscape server products.
2005: Sun Microsystems initiates the OpenDS project, an open source directory server based on the Java platform.
June 2005: Red Hat releases Fedora Directory Server.
October 2006: Apache Directory Server 1.0 is released.
2007: UnboundID releases its directory server.
2008: AOL stops supporting Netscape products.
April 2009: Oracle announces its purchase of Sun Microsystems.
May 2009: Red Hat renames Fedora Directory Server to 389 Directory Server.
Feb 1, 2010: ForgeRock is founded.
Dec 2010: ForgeRock releases OpenDJ.
July 2011: Oracle releases Oracle Unified Directory.



(1) Understanding and Deploying LDAP Directory Services, Second Edition; Timothy A. Howes, Ph.D., Mark C. Smith, and Gordon S. Good.
(2) 389 Directory Server: History.
(3) Email exchange with Ludovic Poitou (ForgeRock).
(4) Press release, March 16th, 1998: “Innosoft Acquires LDAP Technology Leader Critical Angle Inc.”
(5) OpenLDAP; Wikipedia.
(6) iPlanet; Wikipedia.
(7) OpenDS; Wikipedia.
(8) Netscape; Wikipedia.
(9) Press release, April 20th, 2009: “Oracle Buys Sun”.
(10) 389 Directory Server: 389 Change FAQ.
(11) OpenDJ; Wikipedia.
(12) Email exchange with Nick Crown (UnboundID).
(13) Press release, July 20th, 2011: “Oracle Announces Oracle Unified Directory 11g”.

Trust in Me

April 10, 2012 4 comments

Trust in me, I’m the social media vendor providing this FREE service because I want to make you happy.  I know that all of this infrastructure and the thousands of employees I have working for me are costing a small fortune, but I do this because I care …. I care about YOU!

Trust in me, I’m the software development company who develops these FREE applications because we are looking out for you.  We know that you need something entertaining to do or something informative to occupy your time.  We ask you questions about your preferences so that we can customize the software for YOU.  That’s the only reason, trust us.

Trust in me, I’m a one man developer operating out of my house creating these FREE applications so that you don’t have to pay for the premium ones.  I have no visions of grandeur for myself.  I have no dreams of making money for myself, I am doing this for you!

REALLY?  No catches at all?  Awesome, where do I sign up?

I learned a long time ago that there is no such thing as a free lunch, yet people continue to be duped into believing lies to the contrary.  Let me be clear,

Privacy is an illusion in our current social media landscape.  Period. 

If you think that these FREE services are free then think again; they are anything but.  In fact, social media companies and application developers are making money off of the very things that are most precious to you – they are making money by selling information about you and your loved ones.  Whether they are selling this information directly or indirectly through advertising, these entities are collecting thousands of pages of information about you – enough to fill volumes of books.  Don’t believe me?  Read Kim Cameron’s article, 24 Year Old Student Lights Match:  Europe Versus Facebook.

Your preferences, your habits, your activity – essentially your life – are meticulously tracked by social media sites and used to predict your behavior.  With this information in hand, they seek out advertisers who want to target people with this behavior, or who are willing to pay to gain access to these people.  It is a well-known fact that social media sites may know more about you than your own family members do, but social media is not the only culprit.  “Real world” businesses have been tracking your behavior for years and are just as savvy as social media sites (see How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did).  The amount and types of data associated with social media sites are much greater than those obtained in brick and mortar stores, as the data are more plentiful, easier to gather, easier to store, and easier to analyze.

In George Orwell’s book, 1984, we were worried about a Big Brother that we feel never came.  In reality, however, he came and brought his whole family with him and they are all watching us.  Get used to it, or take the steps necessary to protect your information assets the same way you protect the money in your bank or your legal documents.

Last month, I wrote a blog entry entitled Which Line Do You Want To Be In? in which I stated that people are

willing to trade important things in life for short term gain

Unfortunately, when convenience and privacy are at odds with each other, people tend to throw privacy out the window in trade for convenience.  Are these people oblivious, or do they simply feel that they have no choice?  Have they made a conscious decision, or are they simply uneducated about the risks associated with privacy breaches?  I tend to believe that most people are too trusting and do not know (or simply do not understand) what information is collected about them and what happens when their information is inadvertently shared.  You can classify these people based on age and/or knowledge of technology as follows:

  • Typical Kids – who do not yet understand privacy implications
  • Typical Adults – who may understand privacy, but don’t understand technology and how it can affect their privacy
  • Tech-Savvy Adults – who understand privacy AND take an active role in protecting themselves on social media sites

For those of you who fall in the third category, I know that I am preaching to the choir here, but unfortunately the vast majority of people do not attend the church where this message is being preached.  There are still many people who have never heard the message or, if they have, simply choose to ignore it.  Is it because they disagree that information is being tracked?  Or is it that privacy policies on most social media web sites are simply too difficult to read and/or understand, and it is easier just to “click through” to get to the site we want?

I once heard that marketing agencies build their message so that a person with a 7th Grade education can understand it.  That is an unfortunate statement about the intelligence of the average American.  Unfortunately, it is also a statement that many companies rely on when crafting their legal documents.

Suffice to say, if the price is FREE, it may be costing you dearly.

Categories: Personal, Privacy, Trust

It Happened One Night

April 6, 2012 Leave a comment

I used to be on the road quite a bit teaching classes or consulting with customers. While the cities were many and the customers diverse, the one thing that was always the same was my music collection – it went with me wherever I went (and continues to do so today).

I was in California on one such event doing work for Sun Microsystems. While listening to my Eagles playlist one particular morning, I was inspired to write this little ditty. The words just flowed and I finished before the first student arrived. I hope you enjoy reading it as much as I did writing it.

(Words are mine, songs are from one of the greatest bands of all time – The Eagles.)

So, I left the customer site last night and headed back to my hotel. You know, my HOTEL CALIFORNIA. It was late in the evening (as usual) and as luck would have it, I came face to face with an OUTLAW MAN in Sun’s parking lot (damn security). He asked me to hand over all my money, but as luck would have it, I had already been robbed that day – by my wife – the WITCHY WOMAN.

I told him to TAKE IT EASY as I reached for the few coins that I had in my pocket. He asked me IS IT TRUE that this is all I had? I responded, yes, there are TOO MANY HANDS in my pocket and he would just have to GET OVER IT. Thank goodness that he felt sorry for me (being the NEW KID IN TOWN and all) and felt that any further effort would simply be WASTED TIME.

When I finally reached the hotel, I found two PRETTY MAIDS ALL IN A ROW (my wife and daughter) and one lone DESPERADO – (my son) who was in trouble because of his LYIN’ EYES (I am glad that he is only three, otherwise he would have landed in a TEENAGE JAIL). My wife relayed her story to me and I to her. Her story paled in comparison to mine and she questioned, IS IT TRUE? (You see, she had caught me in the past CHUGing ALL NIGHT with the GIRL FROM YESTERDAY and she doubted my story.) To which I responded, I CAN’T TELL YOU WHY; IN THE CITY there’s a HEARTACHE TONIGHT, but that’s what you get when you live LIFE IN THE FAST LANE.

As I look back over the whole event, and look at all the things on this earth that are OUT OF CONTROL, I had to laugh. Because in THE LONG RUN, LIFE’S BEEN GOOD, and even when you TAKE IT TO THE LIMIT, it is still just a GOOD DAY IN HELL so you might as well get that PEACEFUL EASY FEELING and LEARN TO BE STILL.


(Links added for your listening pleasure; not all songs available on MP3.)

Categories: Personal

The Road Back to Eden

March 28, 2012 1 comment

We oftentimes view new technologies as providing us with the path back to Eden – that which returns us to leisure and care free living.  Yet with each new technological improvement, our lives do not become easier, they are simply changed.

The widespread availability of electricity and electric appliances in the early 1900s promised to transform the home from a place of labor (cleaning, cooking, etc.) to a place of ease.  But ironically, the number of hours spent working in the home remained relatively unchanged; the only thing that did change was the nature of the work.  Instead of beating the rugs twice a year or ironing clothes for special occasions (tasks that used to take all day to complete), it was expected that our rugs would always be clean and our shirts would always be ironed.  Hence the amount of time spent on these activities was not really reduced, it was simply spread out over different times and expected to be completed more often.

Pagers were introduced in the 1970s and cell phones started becoming more common in the early 1980s.  Both of these technological breakthroughs promised to free us from the office and allow us to spend more time with our families and friends.  The reality, however, was much different from the promise.  Instead of spending time with our loved ones, these electronic leashes simply changed where and how our work was to be performed.  We were now expected to be available at any time and oftentimes at a moment’s notice.  With the advent of remote connectivity and mobile computing devices, we are expected to perform our work from anywhere – just as if we were in the office.  Once again the nature of our work has changed as our homes (or even the road) have become our second offices and our availability is not our own.

In the late 1960s the Internet was envisioned as a “cybernetic meadow” where humans and machines could live together in harmony.  A poem by Richard Brautigan described a future where

we are free of our labors
and joined back to nature…

where deer stroll peacefully
past computers
as if they were flowers
with spinning blossoms.

…and all watched over
by machines of loving grace.

(“All Watched Over By Machines Of Loving Grace”, Richard Brautigan)

The reality of what the Internet has become is very different from the original idealistic vision but as with the introduction of other technologies, the Internet is wondrous indeed.  The Internet has become a vast “computer in the cloud” as described by Google’s former CEO, Eric Schmidt, and with that computer you are able to access almost any type of application and/or information at the touch of a button.  This can be demonstrated in a commercial for telecommunications carrier, Qwest Communications.  A weary traveler walks into a cheap hotel in the middle of nowhere.  As expected, the amenities are sparse, but when he asks about in-room entertainment, the clerk responds, “all rooms have every movie ever made in any language anytime, day or night.”

Is this amazing?  Yes.

Does this allow us to do things previously unimagined?  Yes.

Does this move us closer to leisure and Eden, itself?  No.

In fact, we are becoming deluged with data as not only do we have access to almost any type of information, but we do so at any time of day and from almost any device.  Facebook status, Twitter feeds, unending SMS messages are filling our lives with information; like Pavlov’s dog, we are forced to respond every time we hear the bell ring.  As humans we have a natural tendency to explore, but it is not possible to explore everything on the Internet.  As humans we have a natural tendency to socialize, but it’s not possible to keep up to date with all the friends to whom we are now connected 24 hours a day.  But that does not stop us from trying.

It is a natural response to view new technologies in an optimistic way, but we must be careful not to look to technology as the ultimate savior or it could end up hastening our ultimate demise.  Norbert Wiener, the Father of Cybernetics, explored the relationship between technology and humans in his ground-breaking book, Cybernetics: Or, Control and Communication in the Animal and the Machine. While he hoped that machines would augment people’s lives and free them for more creative pursuits, he warned that treating technology as a panacea would ultimately lead to our downfall.

“The simple faith in progress is not a conviction belonging to strength, but one belonging to acquiescence and hence to weakness.”

While technology can be amazing and allow us to do wondrous things, technology in and of itself is not the answer.  It is simply a means to an end.  As with any other tool, you need to manage the tool and not allow it to manage you.  You need to periodically set technology aside and focus on those things that truly matter – your God, your family, your friends, and yourself.

That is the only way you will truly get back to Eden.

Facebook Photo Hack Bypasses Privacy Settings

March 7, 2012 3 comments

Do you use Facebook?  Since over 700 million people do, the odds are pretty high that you fall in this category.  Are you concerned with your privacy and want control over who sees your content?  Have you taken all the steps necessary to keep your private information private and feel pretty good about yourself?  Well think again.  While you may be taking every precaution to keep your data private, some items (such as your photos) are totally open.  Still feel good about yourself?  Keep reading.

Let’s say that you are on vacation and decide to take a few pictures to memorialize the trip.

You want to share your pictures, but you only want to do so with some of your closest friends (you don’t want these photos to be public).  So, you select the upload photo option, point to the picture on your local computer, make sure that the Friends option is selected, and click Post.

The picture appears on your wall where only you and your friends can see it.  You verify this by viewing the audience for the picture as follows:

Your friends comment and you all get a big laugh from the picture.  But one of your not so close friends thinks it would be funny to show the picture to someone else – outside of your friends community – without your permission.  Now, they could download the picture to their local computer and upload it somewhere else, but that takes too many steps – Facebook makes it much easier for you to be compromised.

Simply click on the image to open Facebook’s photo viewer.

Now right-click on the photo and select “Copy Image URL” from the browser menu that opens.  You will have copied something like this:

If you look at the URL, you can see that this image is not served from Facebook’s own site.  Instead, it is served from Akamai’s content delivery network, where Facebook’s privacy settings are not enforced: the CDN hands out whatever it is asked for, so the only thing protecting the picture is that the URL is hard to guess.  By simply knowing this photo’s URL, anyone in the world can see this picture.  All your “friend” has to do is share out this URL and all the time and effort that you have taken to be private is out the window.

Don’t believe me?  Try this for yourself.  Or simply click on the link above to see a picture that I have supposedly made private in Facebook.
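The following is an added example, not code from this post and not Facebook’s or Akamai’s implementation, that models the two halves of the problem: an origin that enforces a Friends setting, and a CDN edge that serves purely by URL. It then shows the usual mitigation for CDN-hosted private content, a URL signed by the origin with an expiry that the edge can check without any notion of who the viewer is. The photo path, the cdn.example.net host and the shared key are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one photo shared with "Friends" (alice and bob) at the origin.
# The path is a made-up stand-in for the CDN-hosted URL the post refers to.
PHOTOS = {
    "/hphotos/photo-123_n.jpg": {"audience": {"alice", "bob"}, "bytes": b"<jpeg bytes>"},
}


def origin_view(path: str, viewer: str) -> Optional[bytes]:
    """The site's own photo viewer: this is where the Friends setting is enforced."""
    photo = PHOTOS.get(path)
    if photo is None or viewer not in photo["audience"]:
        return None
    return photo["bytes"]


def cdn_fetch_plain(path: str) -> Optional[bytes]:
    """What the post describes: an edge server that knows nothing about the viewer.
    The bare URL is the only credential, so anyone holding it gets the bytes."""
    photo = PHOTOS.get(path)
    return photo["bytes"] if photo else None


# Mitigation: the origin checks the audience, then mints a URL carrying an expiry and
# an HMAC over path+expiry under a key shared with the edge (assumed for the demo).
EDGE_KEY = b"key shared by origin and edge"


def _sign(path: str, exp: int) -> str:
    return hmac.new(EDGE_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()


def mint_signed_url(path: str, viewer: str, now: int, ttl: int = 300) -> Optional[str]:
    """Origin side: refuse viewers outside the audience, otherwise issue a short-lived URL."""
    if origin_view(path, viewer) is None:
        return None
    exp = now + ttl
    return f"https://cdn.example.net{path}?exp={exp}&sig={_sign(path, exp)}"


def cdn_fetch_signed(url: str, now: int) -> Optional[bytes]:
    """Edge side: verify expiry and signature before serving; still no user session needed."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        exp = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return None
    if now >= exp or not hmac.compare_digest(sig, _sign(parts.path, exp)):
        return None
    photo = PHOTOS.get(parts.path)
    return photo["bytes"] if photo else None


if __name__ == "__main__":
    path = "/hphotos/photo-123_n.jpg"
    print(origin_view(path, "mallory"))        # None: the origin honours the audience
    print(cdn_fetch_plain(path))               # b'<jpeg bytes>': the edge does not
    url = mint_signed_url(path, "alice", now=1000)
    print(cdn_fetch_signed(url, now=1100))     # served while the signature is fresh
    print(cdn_fetch_signed(url, now=1300))     # None once the expiry has passed
```

Even the signed URL is a capability while it is valid: the expiry limits how long a forwarded link stays useful, it does not stop the recipient from saving the bytes within that window.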

Which Line Do You Want To Be In?

March 3, 2012 1 comment

I stumbled across the following image the other day and thought it was too good not to share.

Consider the information that you share with social networking sites on a daily basis.  Are you guilty of giving up your privacy in return for things that are transient?  I think to some degree we all are.  We have become a society that is willing to trade the important things in life for short term gain.

But it is time to ask yourself, which line do you want to be in?

Disjointed Identity

March 3, 2012 Leave a comment

Having my identity located in so many different databases is like wearing multiple watches

You never really know what time it is!


Single Sign-On Explained

December 17, 2011 3 comments


So what is SSO and why do I care?


SSO is an acronym for “Single Sign-On”.  There are various forms of single sign-on with the most common being Enterprise Single Sign-On (ESSO) and Web Single Sign-On (WSSO).

Each method utilizes different technologies to reduce the number of times a user has to enter their username/password in order to gain access to protected resources.


Note: There are various offshoots from WSSO implementations – most notably utilizing proxies or portal servers to act as a central point of authentication and authorization.


Enterprise Single Sign-On


In ESSO deployments, software typically resides on the user’s desktop, which is most commonly Windows.  The software detects when a user launches an application that contains username and password fields.  It “grabs” a previously saved username/password from either a local file or remote storage (e.g. a special entry in Active Directory), enters these values into the username and password fields, and submits the form on behalf of the user.  This process is followed for every newly launched application that contains a username and password field.  It can be used for fat clients (e.g. Microsoft Outlook), thin clients (e.g. Citrix), or Web-based applications (e.g. Web forms), and in most cases the applications themselves are not even aware that the organization has implemented an ESSO solution.  There are definite advantages to implementing an ESSO solution in terms of flexibility.  The drawbacks, however, are that software needs to be distributed, installed, and maintained on each desktop where applications are launched, and that the replayed credentials are only as safe as the vault they are stored in and the account that can unlock it.  Additionally, because the software resides on the desktop, there is no central location in which to determine whether the user is allowed access to the application (authorization or AuthZ). As such, each application must maintain its own set of security policies.

The following diagram provides an overview of the steps performed in ESSO environments.


A user launches an application on their desktop.   An agent running in the background detects a login screen from a previously defined template.  If this is the first time the user has attempted to access this application, they are prompted to provide their credentials.  Once a successful login has been performed, the credentials are stored in a credentials database.  This database can be a locally encrypted database or a remote server (such as Active Directory).  Subsequent login attempts do not prompt the user for their credentials.  Instead, the data is simply retrieved from the credentials database and submitted on behalf of the user.

Container-Based Single Sign-On


Session information (such as authenticated credentials) can be shared between Web applications deployed to the same application server.  This is single sign-on in its most basic and limited fashion as it can only be used across applications in the same container.

The following diagram provides a high level overview of the steps performed in container-based single sign-on environments.


A user accesses a Web application through a standard Web browser.  They are prompted for their credentials which can be basic (such as username and password) or can utilize other forms of authentication (such as multi-factor, X.509 certificates, or biometric).  Once the user has authenticated to the application server, they are able to access other applications installed in the same J2EE container without having to re-authenticate (that is, if the other applications have been configured to permit this).

Traditional Web Single Sign-On


In contrast, WSSO deployments apply only to the Web environment and Web-based applications; they do not work with fat clients or thin clients.  Software is not installed on the user’s desktop but instead resides centrally within the Web container or J2EE container of the Web application being protected.  This software is oftentimes called a “policy agent”, and its purpose is to manage both authentication and authorization tasks.

The following diagram provides a high level overview of traditional Web Single Sign-On.


A user first attempts to access a Web resource (such as ADP) through a Web browser.  They are not yet authenticated to the domain, so the policy agent redirects them to the central authentication server, where they provide their credentials.  Once validated, they receive a cookie indicating that they are authenticated to the domain.  They are then redirected back to the original Web resource, where the browser presents the cookie.  The policy agent consults the authentication server to determine that the cookie is valid and that the session is still active, and also whether this user is allowed access to the Web resource.  If so, access is granted.  If the user then attempts to access another Web resource in the same domain (e.g. Oracle E-Business Suite), the browser presents the same cookie as proof that they are authenticated to the domain, and that resource’s agent again checks the validity of the cookie, the session, and the access rights.  This process repeats for any server in the domain that is protected by WSSO.  Note that the cookie is a bearer token for every resource in the domain: it should be scoped to that domain, sent only over HTTPS (Secure) and kept away from page scripts (HttpOnly), because anyone who obtains it can replay it until the session is ended on the authentication server.
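Here is an added example, written for this page rather than taken from any product, that walks through the flow above in Python: a central authentication server issues the domain cookie, and a policy agent in front of each Web resource redirects unauthenticated users, validates the cookie against the server, and applies that resource’s access policy. The hostnames, user accounts and policy table are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed demo data (assumptions, not from any product): accounts known to the
# central authentication server and the per-resource access policy it evaluates.
USERS = {"alice": "correct horse", "bob": "battery staple"}
POLICY = {"adp.example.com": {"alice", "bob"}, "ebs.example.com": {"alice"}}
SSO_DOMAIN = ".example.com"
COOKIE_NAME = "SSO_SESSION"


class AuthServer:
    """Central authentication server: the only component that ever sees a password."""

    def __init__(self) -> None:
        self._sessions = {}  # cookie value -> username (live sessions)

    def login(self, username: str, password: str) -> Optional[str]:
        if USERS.get(username) != password:
            return None
        cookie = secrets.token_urlsafe(32)  # unguessable bearer token for the whole domain
        self._sessions[cookie] = username
        return cookie

    def set_cookie_header(self, cookie: str) -> str:
        """Scope the token to the SSO domain and keep scripts and plain HTTP away from it."""
        return (f"{COOKIE_NAME}={cookie}; Domain={SSO_DOMAIN}; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")

    def validate(self, cookie: Optional[str]) -> Optional[str]:
        """Is this cookie a live session? Returns the user, or None if missing, forged or ended."""
        return self._sessions.get(cookie) if cookie else None

    def is_authorized(self, username: str, resource: str) -> bool:
        return username in POLICY.get(resource, set())

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)  # every agent sees the cookie die on its next check


@dataclass
class Request:
    host: str
    cookies: dict = field(default_factory=dict)


class PolicyAgent:
    """Runs inside the Web container of one protected resource; holds no credentials itself."""

    def __init__(self, host: str, auth: AuthServer) -> None:
        self.host, self.auth = host, auth

    def handle(self, req: Request) -> Tuple[int, str]:
        user = self.auth.validate(req.cookies.get(COOKIE_NAME))
        if user is None:  # not authenticated to the domain: bounce to the central login
            return 302, f"https://sso{SSO_DOMAIN}/login?goto=https://{self.host}/"
        if not self.auth.is_authorized(user, self.host):  # authenticated but not authorized
            return 403, f"{user} may not access {self.host}"
        return 200, f"{self.host} welcomes {user}"


if __name__ == "__main__":
    auth = AuthServer()
    adp = PolicyAgent("adp.example.com", auth)
    ebs = PolicyAgent("ebs.example.com", auth)
    print(adp.handle(Request("adp.example.com")))       # 302 to the login page
    cookie = auth.login("bob", "battery staple")
    print(auth.set_cookie_header(cookie))
    jar = {COOKIE_NAME: cookie}
    print(adp.handle(Request("adp.example.com", jar)))  # 200, same cookie reused below
    print(ebs.handle(Request("ebs.example.com", jar)))  # 403: bob is not in that policy
    auth.logout(cookie)
    print(adp.handle(Request("adp.example.com", jar)))  # 302 again
```

The agent asks the authentication server on every request, which is what makes a central logout take effect everywhere at once; real agents cache the answer briefly to keep the server out of the hot path, and that cache bounds how quickly a revoked session stops working.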


Portal or Proxy-Based Single Sign-On


Portal and proxy-based single sign-on solutions are similar to Standard Web Single Sign-On except that all traffic is directed through the central server.


Portal Based Single Sign-On


Target-based policy agents can be avoided by using Portal Servers such as Liferay or SharePoint.  In such cases the policy agent is installed in the Portal Server.  In turn, the Portal Server acts as a proxy for the target applications and may use technologies such as SAML or automatic form submission.  Portal Servers may be customized to dynamically provide access to target systems based on various factors, including the user’s role or group, originating IP address, time of day, etc.  Portal-based single sign-on (PSSO) serves as the foundation for most vendors who provide cloud-based WSSO products.  When implementing PSSO solutions, direct access to target systems is still permitted.  This allows users to bypass the Portal, but in so doing they need to remember their application-specific credentials.  You can disallow direct access by creating container-specific rules that only allow traffic from the Portal to the application.

Single Sign-On Involving Proxy Servers


Proxy servers are similar to PSSO implementations in that they provide a central point of access.  They differ, however, in that they do not provide a graphical user interface.  Instead, users are directed to the proxy through various means (e.g. DNS, load balancers, Portal Servers, etc.).  Policy agents are installed in the proxy environment (which may be an appliance), and users are granted or denied access to target resources based on whether they have the appropriate credentials and permission for the target resource.

The following diagram provides a high level overview of centralized single sign-on using Portal or Proxy Servers.




Federation is designed to enable Single Sign-On and Single Logout between trusted partners across a heterogeneous environment (i.e. across different domains).  Companies that wish to offer services to their customers or employees enter into a federated agreement with trusted partners, who in turn provide the services themselves.  Federation enables this partnership by defining a set of open protocols that partners use to communicate identity information within a Circle of Trust.  These protocols include SAML, Liberty ID-FF, and WS-Federation.

Implementing a federated environment requires coordination between each of its members.  Companies have roles to play: some entities act as identity providers (IDP – where users authenticate and credentials are verified) and others as service providers (SP – where the content and/or service originate).  Similar to standard Web Single Sign-On, an unauthenticated user attempting to access content on an SP is redirected to an appropriate IDP, where their identity is verified.  Once the user has successfully authenticated, the IDP creates an XML document called an assertion, in which it asserts certain information about the user.  The assertion can contain any information that the IDP wishes to share with the SP, but is typically limited to the context of the authentication.  Assertions are presented to SPs but are not taken at face value.  The manner in which assertions are validated varies with the type of federation being employed and may range from dereferencing artifacts (which are similar to cookies) to verifying the digital signature on an IDP’s signed assertion.

The interaction between the entities involved in a federated environment (user, SP and IDP) is similar to the Web Single Sign-On environment except that authentication is permitted across different domains.

A major difference between federated and WSSO environments lies in the type of information generated by the authenticating entity to vouch for the user, and in how the relying party determines that that vouch is valid and has not been altered in any way.
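An added example of the signed-assertion path described above, written in Go; it is not code from the original post or from any SAML product. It assumes two constructed entity IDs (https://idp.example and https://sp.example), a constructed user alice, and a much-reduced assertion (issuer, subject, audience, validity window) signed with an RSA key the IDP generates. Real SAML embeds an XML-DSig Signature element inside the assertion after canonicalizing the XML; here the signature is detached and computed over the exact marshaled bytes, which keeps the example short while preserving the point: the SP does not believe the assertion because it arrived, it believes it only after checking that a key it already trusts signed it, that it was issued for this SP, that it has not expired, and that it has not been presented before.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is a much-reduced SAML-style assertion: issuer, subject, audience and validity.
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	ID           string    `xml:"ID,attr"`
	Issuer       string    `xml:"Issuer"`
	Subject      string    `xml:"Subject>NameID"`
	Audience     string    `xml:"Conditions>AudienceRestriction>Audience"`
	NotOnOrAfter time.Time `xml:"Conditions>NotOnOrAfter"`
}

type IdentityProvider struct {
	EntityID string
	key      *rsa.PrivateKey // only the public half is ever shared with partners
	serial   uint64          // stands in for the random unique assertion IDs real IDPs use
}

// NewIdentityProvider generates a fresh 2048-bit signing key (panics only if the system RNG fails).
func NewIdentityProvider(entityID string) *IdentityProvider {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &IdentityProvider{EntityID: entityID, key: key}
}

// Issue runs after the user authenticated at the IDP. It returns the assertion XML and a
// detached RSA signature over those exact bytes (XML-DSig and canonicalization omitted).
func (idp *IdentityProvider) Issue(user, audience string, lifetime time.Duration) (body, sig []byte, err error) {
	idp.serial++
	body, err = xml.Marshal(Assertion{
		ID: fmt.Sprintf("_%d", idp.serial), Issuer: idp.EntityID, Subject: user,
		Audience: audience, NotOnOrAfter: time.Now().Add(lifetime).UTC(),
	})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	sig, err = rsa.SignPKCS1v15(rand.Reader, idp.key, crypto.SHA256, digest[:])
	return body, sig, err
}

type ServiceProvider struct {
	EntityID string
	trusted  map[string]*rsa.PublicKey // issuer entity ID -> key obtained out of band (metadata)
	Now      func() time.Time          // injectable clock so expiry can be exercised
	seen     map[string]bool           // assertion IDs already consumed (replay guard)
}

func NewServiceProvider(entityID string) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, trusted: map[string]*rsa.PublicKey{}, Now: time.Now, seen: map[string]bool{}}
}

// Trust enrolls an IDP in this SP's circle of trust by recording its public key.
func (sp *ServiceProvider) Trust(p *IdentityProvider) { sp.trusted[p.EntityID] = &p.key.PublicKey }

// Accept checks issuer trust, signature, audience, expiry and replay before returning the subject.
func (sp *ServiceProvider) Accept(body, sig []byte) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(body, &a); err != nil {
		return "", err
	}
	pub, ok := sp.trusted[a.Issuer]
	digest := sha256.Sum256(body)
	switch {
	case !ok:
		return "", errors.New("issuer is not in the circle of trust")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil:
		return "", errors.New("signature does not verify: altered, or not signed by this issuer")
	case a.Audience != sp.EntityID:
		return "", errors.New("assertion was issued for a different service provider")
	case !sp.Now().Before(a.NotOnOrAfter):
		return "", errors.New("assertion has expired")
	case sp.seen[a.ID]:
		return "", errors.New("assertion replayed")
	}
	sp.seen[a.ID] = true
	return a.Subject, nil
}

func main() {
	idp := NewIdentityProvider("https://idp.example")
	sp := NewServiceProvider("https://sp.example")
	sp.Trust(idp)
	body, sig, _ := idp.Issue("alice", sp.EntityID, 5*time.Minute)
	fmt.Println(sp.Accept(body, sig)) // alice <nil>
	fmt.Println(sp.Accept(body, sig)) // rejected as a replay
}
```

The audience check is the one most often forgotten: without it, an assertion the IDP issued for one partner could be presented to another partner in the same circle, which is precisely the cross-domain trust boundary that federation is supposed to keep distinct from plain WSSO.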

The following table provides a feature comparison between Web SSO and Enterprise SSO.

Feature                      | WSSO / PSSO / Proxy             | ESSO
-----------------------------|---------------------------------|---------------------------------
Applications Supported       | Web Only                        | Web Applications and Fat Clients
“Agent” Location             | Target System                   | User Desktop
Technologies                 | SAML, Form Submission, Cookies  | Form Submission
Internal Users?              | Yes                             | Yes (through portal)
External Users?              | Yes                             | No
Central Authentication?      | Yes                             | No
Central Authorization?       | Yes                             | No
Central Session Logoff?      | Yes                             | No
Global Account Deactivation? | Yes (through password change)   | No