Simplicity and Security with SSO and Pre-Authentication
by Greg, August 31st, 2017
Don’t just authenticate users on your web or application servers. Find out who they are beforehand.
Why? Would you invite someone you had never met into your house, sit them down on your sofa and only then ask them for ID?
Authenticate them as close to the edge as possible then again at the application
We’re all familiar with so-called ‘password fatigue’ in our private and professional lives. We have a seemingly ever growing number of user name and password combinations to manage and remember. We’re encouraged to use stronger passwords that contain characters and numbers, longer passwords that don’t contain English words and a mix of upper and lower case too. Just when you might be getting on top of it all (if you’re lucky), you’re forced to change them. Wasn’t computing supposed to make our lives easier?
This challenge is often dealt with by users in a number of ways. At home, most will use their browser or phone app(s) to store passwords for them. Physical access to the device and perhaps a PIN code is all that’s required to gain access to most, if not all, of the owner’s online accounts and sensitive information. A large number of users will also use the same password for multiple accounts; some will even write them down.
None of this is ideal and it certainly isn’t secure, particularly in a work place context. Of course, no-one goes to work to expose their employer to the risk of a security breach but those bad habits very often follow users into the office. Convenience and usability often trump rational thought and compliance. Perhaps there’s something we can do to help our users and improve our security posture. Sounds like a winner!
Previously the preserve of large and wealthy enterprises, Single Sign-On (SSO) is now available as a feature for edgeNEXUS Load Balancer v4.2.0 in the form of our Authentication module. It’s pretty simple; you pre-authenticate your users against a central system and, once authenticated, provide access to any number of onward services, sites and applications as you see fit, with no further password entry required. This is a very rare example of security and convenience coming together without compromise, rather than trading one for the other.
At the same time you can also make use of a wealth of other ALB-X security and performance features such as NAT, proxying, caching and compression, packet filtering, high availability, flightPATH traffic management rules and much more. If you haven’t already deployed a load balancer to serve your critical business sites and services, you and your users are missing out on a great deal as it is.
If you’re using the discontinued Microsoft Forefront TMG (Threat Management Gateway), it’s never been so easy to replace your aging infrastructure quickly. We’re a Microsoft Gold Partner and have jetPACKs available for fast and simple configuration of application delivery features for popular Microsoft products such as Exchange, RDP and Lync, all of which will benefit from this new module. You can run edgeNEXUS in the cloud on Azure too.
Aside from happy users and less stressed IT staff, it’s worth going over a few of the other benefits and opportunities:
• Reduced help-desk costs with fewer of those endless password reset calls
• Faster logins and a simpler interface for users
• Centralised user management (via an existing user database/store – fewer things to manage)
• Centralised logging and auditing of user activity (fewer places to look)
• A uniform password policy
• Greater compliance and better passwords built upon higher user engagement and cooperation
• Ditto for a stronger password policy; your users will be happier with one if there are fewer to remember
Of course, our Authentication module doesn’t have to be used to provide SSO. It still provides benefits in securing and protecting any application or service. There’s now no need for your developers to write authentication code for your sites; they can simply offload it to the load balancer (along with SSL/TLS, compression and all the rest). Authentication can also look and work the same across any number of systems, with everything controlled, managed and configured in one place. The Swiss Army knife of the data centre just gained a new tool.
Programmatic flightPATH rules, as they were designed to, introduce a huge amount of further flexibility. They allow you to apply complex business logic and security policy to your authentication system. You can selectively challenge users based on defined criteria such as country of origin (see our geolocation blog), destination URL, IP address and more. Or perhaps you want to use a different method of authentication for some set of users. It’s all possible and, as ever with edgeNEXUS, simple yet powerful.
The module supports LDAP authentication servers, with or without SSL (LDAPS) and with or without MD5 password hashing. Popular client authentication methods, including a custom in-line web page and HTTP Basic, are fully supported. We’ll be adding many more client and server-side options in the near future. A re-authentication timeout can also be set, where it’s supported by the protocol used.
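To make the pre-authentication pattern described above concrete (authenticate at the edge before anything reaches the application, challenge selectively by destination URL, accept HTTP Basic credentials, bind them against a directory, and enforce a re-authentication timeout), here is a small Python model of an edge authentication gate. It is an added example, not edgeNEXUS code and not how the ALB-X module is implemented; the user store is a constructed stand-in for an LDAP directory, the `EDGE_SESSION` cookie, the `X-Authenticated-User` header and the `Policy` fields are hypothetical names chosen for the illustration, and the injectable `clock` exists only so the timeout can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in for the LDAP directory the edge would bind against.
# Passwords are kept as salted PBKDF2-SHA256 hashes (sample accounts only).
_SALT = b"constructed-static-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


DIRECTORY = {
    "alice": _pw_hash("correct horse battery staple", _SALT),
    "bob": _pw_hash("hunter2hunter2", _SALT),
}


def directory_bind(username: str, password: str) -> bool:
    """Simulate an LDAP simple bind: true only when the password matches."""
    stored = DIRECTORY.get(username)
    candidate = _pw_hash(password, _SALT)  # hash even for unknown users (uniform timing)
    return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass
class Policy:
    # Only these destination prefixes are challenged; everything else passes through.
    protected_prefixes: tuple = ("/owa/", "/ecp/", "/remote/")
    # Absolute re-authentication timeout: the edge session is not renewed on use.
    reauth_seconds: int = 8 * 3600


@dataclass
class EdgeAuth:
    policy: Policy
    clock: Callable[[], float] = time.time
    sessions: dict = field(default_factory=dict)  # token -> (user, issued_at)

    def _challenge(self) -> dict:
        return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="edge"'}, "user": None}

    def _forward(self, user, extra=None) -> dict:
        # The application still sees who the edge authenticated and can re-check.
        headers = {"X-Authenticated-User": user} if user else {}
        headers.update(extra or {})
        return {"status": 200, "headers": headers, "user": user}

    def handle(self, request: dict) -> dict:
        path = request.get("path", "/")
        if not path.startswith(self.policy.protected_prefixes):
            return self._forward(None)                      # not a protected destination
        # 1. An existing edge session that is still inside the re-auth window.
        token = request.get("cookies", {}).get("EDGE_SESSION")
        if token in self.sessions:
            user, issued = self.sessions[token]
            if self.clock() - issued < self.policy.reauth_seconds:
                return self._forward(user)
            del self.sessions[token]                        # expired: force a fresh login
        # 2. Fresh HTTP Basic credentials, bound against the directory.
        auth = request.get("headers", {}).get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            except ValueError:                              # malformed base64 or bytes
                return self._challenge()
            if directory_bind(user, password):
                token = secrets.token_urlsafe(32)
                self.sessions[token] = (user, self.clock())
                cookie = f"EDGE_SESSION={token}; HttpOnly; Secure; SameSite=Lax"
                return self._forward(user, {"Set-Cookie": cookie})
        # 3. No valid identity: challenge at the edge, nothing reaches the application.
        return self._challenge()


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a browser sends after a Basic challenge."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


if __name__ == "__main__":
    gate = EdgeAuth(Policy())
    print(gate.handle({"path": "/owa/"}))                                   # 401 challenge
    print(gate.handle({"path": "/owa/", "headers": basic_header("alice", "correct horse battery staple")}))
```

The gate only ever forwards a request on a protected path once the directory bind has succeeded or a still-valid edge session is presented, and it tells the application who was authenticated rather than asking the application to repeat the login; that is the "at the edge, then again at the application" layering the post recommends. Note that a real LDAP deployment would use the directory's own bind rather than a local hash store, and that the cookie must only ever travel over TLS (hence the `Secure` flag).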
We’ve had a huge number of requests for this module and its functionality, and it is a shining example of how we respond to customer needs. The module is available as a Feature Pack on the new edgeNEXUS App Store. For details on how to use it, see the user guide.