Application Single Sign-on: Netegrity, Securant, or Evidian?
By Laura Taylor
September 6, 2001

Executive Summary
With the proliferation of web-based technologies, single sign-on has emerged as a central architecture solution for enterprise applications. As security breaches become more frequent, minimizing user access to back-end systems and web applications without impacting legitimate usage is more important than ever. As more web-based applications are deployed, enterprise single sign-on (SSO) solutions that provide authentication, management, access control, and logging across the complete front- and back-end e-business chain will become increasingly important to Information Technology (IT) decision makers. Relevant Technologies has reviewed three leading portal single sign-on products to see which comes out on top.

Virtually every viable business, non-profit or public sector organization today has a web site connected via the Internet that links them with customers, prospects, constituents, employees, partners and other groups. Some online only businesses would not exist without the web and the Internet.

Advancements in web-related technologies have spawned portals, which act as gateways to individual web sites. No matter what you're looking for, the portal will try to give it to you. In that sense, portals go way beyond intranets and extranets because of their community appeal and structure. Some portals share a common content or theme, such as e-marketplaces, while others try to be all things to all people (news, weather, entertainment, finance, etc.). Typically most portals offer either a business-to-business (B2B) or business-to-consumer (B2C) focus.

Portals provide access to large amounts of information within their own managed servers but, importantly, also provide access to other sites beyond their own direct control. Accessing portal information has created new security challenges, and responding to these challenges is the impetus for this report. Specifically, Relevant Technologies has researched to what extent Netegrity, Securant and Evidian succeed in providing a high level of access control without making the experience too burdensome for end users. The challenge is how to mask the complexity of authentication, authorization and administration (3As) from users while empowering portal administrators to provide end-user single sign-on (SSO) access to pages not only within the portal but to external sites selected by the users themselves. Portals that manage this balancing act efficiently retain tight security controls and still provide real value and convenience. By improving the user experience, a web site gains stickiness: user loyalty is built and future return visits to the portal increase.

Technology and Market Genesis
Initially, web security products protected only URLs, passing passwords via Secure Sockets Layer (SSL), an encryption protocol built for web browsers. In the Web's earliest stages this was sufficient, since a large array of web-enabled enterprise applications did not exist. With the momentum of the web, web-enabled applications have become ubiquitous, and today are the norm. Each application typically requires its own authentication process, and if numerous applications are built into your portal point-of-presence, numerous authentication processes are required. Without a single sign-on solution, a user may have to identify themselves through a password logon as many as half a dozen times on one web site. Single sign-on creates an improved user experience, allowing a user to authenticate once on a web site and then use as many applications on that site as are available to them.

A properly implemented single sign-on solution will write the front-end authentication through to a central SSO management console on the back-end, and is able to share this authentication for the extent of the user session. By improving the user authentication experience without compromising security, web-sites can retain user stickiness, and expect an increase in return visitors, page views, and hits.

As an added benefit, some single sign-on solutions hide the links and information that users are not allowed to access, and by doing so reduce the risk of unauthorized access, since unauthorized users and hackers cannot see what they are not allowed to reach, at least through the website's front-end. This process of hiding the true location of pages and network resources is known as URL Mapping. It should be noted, though, that URL mapping makes no distinction between authorized and unauthorized access, so the initial authentication and authorization process is again of paramount importance (see below).

Integration with partner websites and supply chain management (SCM) vendors can more easily be achieved through single sign-on, since it allows the host web-site to create authentication and access policies that are transparent to distinct user groups as well as to individual users.

IT decision makers should expect to pay no more than $20 per user (in volume) for a single sign-on implementation. Price above $20 per user is not price competitive and signifies an engineering and development process that has lacked adequate control over operational expenses.

Technology Fundamentals
Portal single sign-on has three key areas that are important for full integration and interoperability into an enterprise environment:
  • Authentication verifies that users are in fact who they claim to be, and strong authentication also provides non-repudiation. Non-repudiation is the ability to prevent a user from refuting their self-identity or transaction.
  • Authorization, also known as access control, is based on user roles or privileges, and allows administrators to specify which users can access which applications, data, or functions.
  • Administration consists of the tools and centralized management system that exists in order to administer and distribute (if necessary) user data and the security policy. Administration also includes logging and auditing capabilities that provide time-tracked archived records of who did what during their session.
Authentication and authorization are of critical importance, as they affect performance and end user satisfaction. Administration capabilities are secondary, since they affect only one centralized position.

The authentication mechanism is central to the success of a single sign-on product. All enterprise single sign-on products should adhere to industry standards, and support of the Lightweight Directory Access Protocol (LDAP) is paramount to gaining wide acceptance on the market. LDAP is an alternative to the X.500 Directory Access Protocol (DAP) and defines standards for user schema, authentication schema, strings, search queries, and URLs. LDAP has become such a key component in today's and tomorrow's IT structures that any portal security product that is not fully LDAP-compliant will rapidly be relegated to trailing-edge status.

LDAP's user schema requires that objects have a Common Name, an Organizational Unit, and a Domain Component. Windows 2000 and its Active Directory services are LDAP compliant, and for seamless integration into a Windows 2000 environment, single sign-on products designed for enterprise deployment must be LDAP enabled.
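To make the schema concrete, here is an added example (not from the review, and not any vendor's code) of the two LDAP identifiers an SSO product builds for a user: a distinguished name from the Common Name, Organizational Unit and Domain Component attributes, and a search filter used to locate the entry before a simple bind checks the password. The escaping follows RFC 4514 (DN strings) and RFC 4515 (filters) so that user-supplied input cannot change the meaning of the query; the in-memory directory and the hashing scheme are constructed for the demonstration and stand in for a real directory server.

```python
# Added example, not from the review: LDAP DN and filter construction for an
# SSO user lookup, plus a simulated simple bind against a constructed directory.
import hashlib
import hmac
import os
from typing import Dict

DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # special characters anywhere; '#' only when leading; spaces only at the ends
        if ch in DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for an LDAP search filter (RFC 4515)."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(cn: str, ou: str, domain: str) -> str:
    """Build cn=<cn>,ou=<ou>,dc=<label>,dc=<label>... from a DNS-style domain."""
    dcs = ','.join('dc=' + escape_dn_value(label) for label in domain.split('.'))
    return 'cn=%s,ou=%s,%s' % (escape_dn_value(cn), escape_dn_value(ou), dcs)


def user_search_filter(cn: str) -> str:
    """Filter that matches a person entry by Common Name, with the value escaped."""
    return '(&(objectClass=person)(cn=%s))' % escape_filter_value(cn)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Constructed credential store format: salted PBKDF2-SHA256
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 50_000)


def make_entry(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {'salt': salt, 'hash': _hash_password(password, salt)}


# Constructed directory for the demonstration: DN -> stored credential
DIRECTORY: Dict[str, Dict[str, bytes]] = {
    user_dn('Alice Smith', 'Staff', 'example.com'): make_entry('correct horse'),
}


def simple_bind(dn: str, password: str) -> bool:
    """Simulate an LDAP simple bind: succeed only if the DN exists and the
    password matches its stored hash, compared in constant time."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry['hash'], _hash_password(password, entry['salt']))


if __name__ == '__main__':
    dn = user_dn('Alice Smith', 'Staff', 'example.com')
    print(dn)                                   # cn=Alice Smith,ou=Staff,dc=example,dc=com
    print(user_search_filter('Alice Smith'))
    print(simple_bind(dn, 'correct horse'))     # True
    print(simple_bind(dn, 'wrong'))             # False
```

The split between a search (to find the DN) and a bind (to prove the password) is the shape most LDAP-backed SSO products use; keeping the escaping in the two helper functions is what prevents a value such as `*` or `)(cn=*` from widening the search.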

Enterprise-class single sign-on solutions must be flexible and have the ability to register and revoke sharing credentials across disparate user populations, and new and legacy applications. Advanced single sign-on solutions can interoperate with two-factor authentication mechanisms, such as biometrics and time-based token IDs.

Table 1. Product Information
Product Names : Evidian PortalXpert, Netegrity SiteMinder, Securant ClearTrust
Product Scope : Portal security, web security, authentication, passwords
Industry Focus : Application security, online access, web usage
Key Features : Authentication, access control, management, logging

Product Leaders
Netegrity's SiteMinder, Securant's ClearTrust, and Evidian's PortalXpert are the single sign-on product leaders for securing extranet- and intranet-based web applications. Significant competitors to the market leaders include Entegrity's AssureAccess, Entrust's GetAccess, and Oblix' NetPoint products.

Leading portal single sign-on products must be LDAP compliant, easy to deploy, price competitive, and be server based. Products that eliminate the use of cookies are more secure, and offer a greater user experience than cookie-based agent services.

Single Sign-On Challenges
One of the challenges in implementing single sign-on portal security is adherence to the LDAP standards. LDAP has numerous extensions, and many vendors implement only parts of LDAP, often just enough to justify calling their product "LDAP compliant." A weak LDAP implementation will create scalability and performance issues, and as a company's web environment becomes more sophisticated, without strong LDAP support, it may not be able to take advantage of the various capabilities that LDAP allows.

Various Public Key Infrastructure (PKI) solutions are being marketed as alternatives to single sign-on solutions. PKI offers equally strong authentication capabilities, and may mitigate the risk of security exposures to an even greater degree than single sign-on solutions. However, PKI solutions are more difficult to deploy, and the general IT public has not accepted PKI solutions as much as the market originally anticipated.

Firewalls and VPNs offer important security protections, but they have not been optimized for customer, partner, and reseller utilization on the extranet. Firewall protection and authentication services are geared towards employee usage scenarios and, in order to create comparable extranet user sign-on privileges, require individual set-up by the firewall administrator for each user or user group. As important as firewalls and VPNs are, however, they do not address SSO and 3A capabilities, so cannot be considered as user-friendly portal security solutions by themselves.

Recommendations for Vendors
Netegrity, Securant, and Evidian all offer single sign-on solutions that are LDAP compliant. In this regard, they are all equal contenders, and this is one of the reasons that these three products are considered the industry leaders.

Though Netegrity and Securant offer solutions that work, they are agent-based products that require additional software on all web servers plus cookies on end user desktops. The added resources required by these solutions clearly increase the time-to-deploy and overall price of the entire implementation, and require that on-going administration be done on all target systems and user devices. The additional work on the part of the administrator, and the potential interruption to the user for agent deployment, demonstrate that these products are not seamless, and that their cost of ownership goes far beyond the initial licensing fees. The time it takes to deploy SiteMinder or ClearTrust is a factor of how many servers will be supported by the single sign-on technology. Systems administrators can expect to spend two hours per server supported. On a web farm of 10 servers, implementations of SiteMinder and ClearTrust would take 20 hours each compared to a 2 hour implementation time with PortalXpert. Vendors looking to take their portal SSO products to the next level need to understand how to migrate their products to a central administrative console that does not require server- or client-side intervention.

Netegrity and Securant both require the use of cookies to manage their user and password processes. In order to mitigate the security risks associated with cookies, both vendors should work towards eliminating the need for cookies. Due to security holes in both Netscape and Microsoft web-browsers, cookies can inadvertently be emailed out without using HTML email, without a user's knowledge. Since cookies often hold password and user information, this represents a potential security exposure. By using cookies for authentication, a malicious hacker can capture the entire user session using Java applets or protocol analyzers. Evidian's product requires no additional software on web servers and target systems. In addition, it does not require the use of cookies, and users who have cookie management in their browser turned off will not be affected.
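The exposure described above comes from cookies that carry passwords or other user data. As an added example (not from the review and not any vendor's implementation), the following shows a session cookie that holds no secret at all: only a user name, an expiry and a random nonce, bound together by an HMAC under a server-side key, so that a copied cookie cannot be altered or extended and a reader of the cookie learns nothing usable elsewhere. The key is a constructed placeholder and the cookie name is assumed.

```python
# Added example, not from the review: an HMAC-protected session cookie that
# carries no password, with the cookie attributes that keep it off the wire in
# clear text and out of reach of page scripts.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_KEY = b'replace-with-a-random-32-byte-key'   # placeholder; load from protected storage


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def issue_session(user: str, key: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Create a token of the form base64(user|expiry|nonce).base64(hmac)."""
    if '|' in user:
        raise ValueError('user name may not contain the field separator')
    now = int(time.time()) if now is None else now
    payload = '%s|%d|%s' % (user, now + ttl_seconds, secrets.token_hex(16))
    tag = hmac.new(key, payload.encode('utf-8'), hashlib.sha256).digest()
    return _b64(payload.encode('utf-8')) + '.' + _b64(tag)


def verify_session(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split('.')
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:        # wrong field count or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None           # tampered payload or wrong key
    user, expiry, _nonce = payload.decode('utf-8').split('|')
    if now >= int(expiry):
        return None           # expired; the expiry itself is covered by the MAC
    return user


def session_cookie_header(token: str) -> str:
    """Set-Cookie line: sent only over TLS, unreadable by page scripts, same-site only."""
    return 'Set-Cookie: sso_session=%s; Path=/; Secure; HttpOnly; SameSite=Strict' % token


if __name__ == '__main__':
    token = issue_session('alice', SESSION_KEY, ttl_seconds=600)
    print(session_cookie_header(token))
    print(verify_session(token, SESSION_KEY))   # alice
```

Because the server recomputes the tag on every request, a captured cookie can at most be replayed until its expiry; nothing inside it reveals a password, and changing the user name or expiry invalidates the tag.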

There are some vendors, such as BMC and Symantec, that offer single sign-on like capabilities but, in actuality, what they are offering is password synchronization services to enterprise applications. In order to take advantage of Control-SA from BMC and PassGo from Symantec, password synchronizations must be distributed to all target enterprise application servers to replicate identical credentials across the enterprise. These solutions are not optimal, since they require more extensive resources and require secure distribution channels across wide-area networks. Password synchronization is not the same as single sign-on, and these solutions cannot provide URL mapping or a unique user welcome page.

Evidian's PortalXpert, Securant's ClearTrust, and Netegrity's SiteMinder all enforce access control through a combination of rules and role-based configurations. Using a rules-based approach is considered more scalable and flexible than using roles because rules can be applied not just to people, but to networks, domains, and IP addresses. Using roles implies a list-based practice, and when a user's role changes, say, moving to another department, it requires file edits and administrative changes. If set up properly, a rules-based approach typically takes fewer administrative resources than a roles-based approach. To be a market leader today, a single sign-on portal product needs to support both rules and roles. The fact that all these vendors support both rules and roles is one of the reasons that PortalXpert, ClearTrust, and SiteMinder are all technology leaders in the single sign-on market today.
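The following added example (not from the review and not any vendor's code) illustrates both the rules-versus-roles point made here and the URL mapping described in the Technology and Market Genesis section: rules constrain access by path, network and client domain, roles are attributes carried by the user, and a URL map keeps the true back-end location of each application out of the browser while listing only the links a user is allowed to open. The back-end hosts, paths, roles and users are all constructed for the demonstration.

```python
# Added example, not from the review: a deny-by-default policy engine that
# combines rules (network, domain, path) with roles, plus a URL map that hides
# back-end locations and shows each user only their authorized links.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    name: str
    roles: Set[str]
    ip: str
    domain: str          # domain the client connects from, e.g. from reverse DNS (constructed)


@dataclass
class Rule:
    """Every non-empty constraint must hold for the rule to grant access."""
    path: str
    roles: Set[str] = field(default_factory=set)
    networks: List[str] = field(default_factory=list)   # CIDR blocks
    domains: Set[str] = field(default_factory=set)

    def matches_path(self, requested: str) -> bool:
        return requested == self.path or requested.startswith(self.path + '/')

    def permits(self, user: User) -> bool:
        if self.roles and not (user.roles & self.roles):
            return False
        if self.networks:
            addr = ipaddress.ip_address(user.ip)
            if not any(addr in ipaddress.ip_network(n) for n in self.networks):
                return False
        if self.domains and user.domain not in self.domains:
            return False
        return True


# Public portal path -> real back-end location (never shown to the browser); constructed
URL_MAP: Dict[str, str] = {
    '/apps/hr': 'http://hr-app.internal:8080/hrms/',
    '/apps/finance': 'http://fin01.internal/ledger/',
    '/apps/orders': 'http://scm.internal/orders/',
}

# Constructed policy: a role-only rule, a role-AND-network rule, a domain-only rule
POLICY: List[Rule] = [
    Rule('/apps/hr', roles={'hr', 'manager'}),
    Rule('/apps/finance', roles={'finance'}, networks=['10.0.0.0/8']),
    Rule('/apps/orders', domains={'partner.example'}),
    Rule('/apps/orders', roles={'sales'}),
]


def is_authorized(user: User, path: str) -> bool:
    """Deny by default; any matching rule whose constraints all hold grants access."""
    return any(r.matches_path(path) and r.permits(user) for r in POLICY)


def visible_links(user: User) -> List[str]:
    """Links the welcome page may show this user: only those they can open."""
    return sorted(p for p in URL_MAP if is_authorized(user, p))


def resolve(user: User, path: str) -> Optional[str]:
    """Map a public path to its hidden back-end target, after authorization."""
    if not is_authorized(user, path):
        return None
    for public, target in URL_MAP.items():
        if path == public or path.startswith(public + '/'):
            return target + path[len(public):].lstrip('/')
    return None


if __name__ == '__main__':
    alice = User('alice', {'finance'}, '10.1.2.3', 'corp.example')
    partner = User('bob', set(), '198.51.100.7', 'partner.example')
    print(visible_links(alice))                    # ['/apps/finance']
    print(visible_links(partner))                  # ['/apps/orders']
    print(resolve(partner, '/apps/orders/123'))    # http://scm.internal/orders/123
    print(resolve(partner, '/apps/hr'))            # None
```

Moving a user to another department is a change to that user's `roles` set only; the rules stay as they are, which is the administrative saving the paragraph describes. The partner rule grants access with no role at all, purely on the connecting domain, which is the kind of constraint a roles-only system cannot express.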

Evidian's PortalXpert is a newer product than SiteMinder or ClearTrust, and has not yet proven itself on the market. There is always a risk in the implementation of a new product. Evidian has already shown sufficient technical aptitude with its other security management products, indicating that its success in the secure portal management market is likely to follow suit. For example, its AccessMaster enterprise security management software has garnered "Best Access Control" product honors from SC Magazine for the last two consecutive years.

For any enterprise product, scalability is an on-going concern. According to the vendors, Evidian's PortalXpert and Netegrity's SiteMinder can accommodate up to 100,000 users, while Securant's ClearTrust can accommodate up to 1,000,000 users. However, since vendors don't use the same standard to define scalability, it is unclear if this refers to simultaneously connected users or just the number that can be accommodated by the LDAP directory. The vendors do not indicate how many servers are necessary to support the number of maximum users, and statistics on what that means to application performance is difficult to quantify. For example, 10,000 users might be able to be accommodated with "instant" response, 40,000 users might be able to be accommodated with a 3-4 second response time, and 100,000 users might be able to be accommodated with a 4-6 second response time. Given that Netegrity and Securant have a longer track record with their products than Evidian has, it is not clear that Evidian's PortalXpert can scale to the same magnitude that Netegrity's SiteMinder or Securant's ClearTrust can.

Recommendations for Users
As the first company to come out with a proxy based enterprise-class single sign-on solution that does not require additional server or client-side software or cookies, Evidian is the most visionary of the three market leaders. Because all administrative capabilities are done on a central management console and not on the application servers, Relevant Technologies recommends PortalXpert as the choice for IT decision makers looking to minimize total cost of ownership and administrative overhead. Due to the elimination of server-side software, judicious IT managers deploying PortalXpert can expect to reduce their implementation time for new single sign-on applications by 80% over the other leading agent-based products.

Evidian brings more than 10 years of information technology capabilities and a base of more than 600 customers worldwide. The company is particularly strong in security-intensive industries, such as banking/finance and government organizations. It also is well positioned in the global telecom and service provider industries, which have rapidly expanding needs for web as well as legacy security solutions. With revenues of nearly $50 million and an employee resource base of about 375, Evidian will be around for the long haul, and we expect them to continue to anticipate new market requirements as online transactions become even more sophisticated.

With supply chain management (SCM) and customer relationship management (CRM) applications becoming ever more prevalent, the single sign-on solution market will continue to grow and become a necessary requirement for any vendor putting in place an enterprise-capable SCM or CRM implementation.

At $15 per user in volume, Evidian's product is more cost competitive than Netegrity's or Securant's, which both sell for $20 per user. With a 1,000-user implementation, IT decision makers can save $5,000 by selecting Evidian's PortalXpert over Netegrity SiteMinder or Securant ClearTrust.

Table 2. Weighted scores of single sign-on portal products
Weight x Score = Value; each product is scored 1-5, with 5 being best.

Weight  Criterion (possible points)          Netegrity SiteMinder   Securant ClearTrust   Evidian PortalXpert
30      Ease of deployment (30x5=150)        4 (120 points)         3 (90 points)         5 (150 points)
20      LDAP-compliant (20x5=100)            4 (80 points)          5 (100 points)        5 (100 points)
10      Scalability (10x5=50)                4 (40 points)          5 (50 points)         3 (30 points)
10      Rules based (10x5=50)                5 (50 points)          5 (50 points)         5 (50 points)
10      Roles based (10x5=50)                5 (50 points)          5 (50 points)         5 (50 points)
5       URL mapping (5x5=25)                 3 (15 points)          4 (20 points)         5 (25 points)
5       Legacy interoperability (5x5=25)     0                      5 (25 points)         5 (25 points)
5       Elimination of cookies (5x5=25)      0                      0                     5 (25 points)
5       Competitive pricing (5x5=25)         4 (20 points)          4 (20 points)         5 (25 points)
100%    Total value (500 possible points)    375 points, 75%        405 points, 81%       480 points, 96%

