Investment firm puts money on single sign-on access
BALTIMORE -- With the spread of Web-based intranet applications for employees and extranet applications for customers, finding a simple means of authorization and access control for all these users has become problematic.
Instead of distributing multiple passwords to each person, the ideal would be to have just one password that would grant the individual access to all authorized applications after a one-time authentication. This has often been called the "Holy Grail" of security, and T. Rowe Price is proving you can reach it on a large scale for purposes of electronic commerce.
"On our intranet, we now have 4,500 users that have a single password for use with a lot of our applications, such as human resources," says Kirk Kness, assistant vice president of application architecture. "They used to have to use a lot of passwords. But last fall we started retrofitting applications for what we call integrated sign-on, and we're building this into new applications, too."
T. Rowe Price has accomplished this using Dascom's IntraVerse server-based software. The product lets you set up a Web-based authorization proxy server called WebSeal at the Internet access point or within an intranet. After the user has authenticated once at this proxy, this information is sent to another server, called the Dascom Global Sign-On Server (GSO). The GSO controls user access to resources on the intranet based on a directory of users and privileges.
The Dascom tool kit lets you retrofit existing Web applications for single sign-on. Kness says his team found this is easiest when the application is written in an object-oriented style, such as Java, C++, Common Object Request Broker Architecture or Distributed Component Object Model.
"With object-oriented technologies, you just have a clearer framework to see where you add security services," he says. "Some are actually easy to retrofit."
The third version of Dascom's IntraVerse will debut in October. The upgrade's technical foundation will shift from the Distributed Computing Environment (DCE) model to one based on the Lightweight Directory Access Protocol and a set of access-control services called the Authorization APIs. According to Dascom, IntraVerse 3.0 will scale up to 20 million users, as opposed to a few hundred thousand for DCE.
In March, Dascom submitted the Authorization APIs to a standards body called The Open Group. There the Authorization APIs have been backed as a proposed access-control standard by group members J.P. Morgan, The Boeing Co., Hewlett-Packard and IBM, among others.
This week, The Open Group appears poised to approve this set of access-control APIs in a final ballot. Using the Authorization APIs, application servers will be able to perform access control, user entitlements, data classification and data labeling in a more uniform way. This way, corporations would have a common means to define trust relationships when crossing the threshold of another corporation's networks, whether authentication is based on passwords, digital certificates or other means.
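The flow the article describes (authenticate once at a proxy, then let a separate authorization service decide each request against a directory of users and privileges) is sketched below as an added, constructed example. It is not Dascom's IntraVerse code or the Authorization APIs themselves; the user names, application names, privilege sets, signing key and token format are all assumptions made for the demonstration. The point it shows is the separation of concerns: the proxy proves identity once and issues a signed, expiring session token, and the authorization side never sees a password, only the token plus the directory entry it maps to.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed signing key; in a real deployment the proxy and the authorization
# server would share this out of band, and a session store could replace it.
SIGNING_KEY = b"constructed-demo-signing-key"
TOKEN_LIFETIME = 8 * 3600  # seconds a single sign-on session stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the directory never stores a reusable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, privileges: dict) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt),
            "privileges": privileges}


# Constructed directory standing in for the GSO's directory of users and
# privileges. Application names and privilege sets are hypothetical.
DIRECTORY = {
    "employee1": _make_user("correct horse battery staple",
                            {"hr": {"read"}, "funds": {"read", "write"}}),
    "fundmgr1": _make_user("another-demo-password",
                           {"funds": {"read", "write"}, "brokerage": {"read"}}),
}


def authenticate(username: str, password: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Proxy-side one-time authentication: returns a signed session token or None."""
    user = DIRECTORY.get(username)
    if user is None or "|" in username:
        # Hash anyway so unknown users take roughly the same time as known ones.
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    expiry = int((now if now is not None else time.time()) + TOKEN_LIFETIME)
    payload = f"{username}|{expiry}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user named by a correctly signed, unexpired token, else None."""
    try:
        username, expiry_s, sig = token.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{username}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if (now if now is not None else time.time()) >= expiry:
        return None
    return username


def check_access(token: str, application: str, action: str,
                 now: Optional[float] = None) -> bool:
    """Authorization-side decision: may this session perform `action` on `application`?"""
    username = verify_token(token, now)
    if username is None:
        return False
    user = DIRECTORY.get(username)
    if user is None:
        return False  # removed from the directory after sign-on: deny, don't trust the token alone
    return action in user["privileges"].get(application, set())


if __name__ == "__main__":
    tok = authenticate("employee1", "correct horse battery staple")
    print("signed on:", tok is not None)
    print("hr/read allowed:", check_access(tok, "hr", "read"))
    print("brokerage/write allowed:", check_access(tok, "brokerage", "write"))
```

Two details matter for a retrofit like the one described: every application consults `check_access` rather than keeping its own password table, and the directory lookup happens at decision time, so revoking a user or a privilege takes effect without waiting for the token to expire.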
T. Rowe Price now has about 10 intranet applications enabled for single sign-on by internal employees or international fund managers. Kness says it will use the next version of IntraVerse this fall to add single sign-on for use at the troweprice.com business portal.
There, customers gain access to information about mutual funds, IRA accounts, brokerage and workplace retirement services.
"This time next year we'll be in the millions in terms of integrated sign-on for our retail customers," Kness claims. "They won't have to have multiple passwords."
www.nwfusion.com