Mythics Blog

What to Consider When Integrating Authentication? (Part 3)

Posted on September 29, 2011 by Marc Boorshtein

Tags: Identity Management, Single Sign On, Web Access Manager

To WAM or not to WAM, that is the question! (Part 3)

Whether 'tis nobler in the mind to suffer the slings and arrows of custom code or take time to deploy a web access management solution... Ok, my deepest apologies to Shakespeare and all who speak the Queen's English.  In the past two blogs we've talked about the different federation methods and the questions to ask yourself when trying to choose between them.  In this post we'll talk about what to ask yourself when deciding whether to implement federation as a stand-alone technology or as part of a larger web access management system.

The first question is, what IS a web access manager (or WAM)?  A WAM is a system designed to let you externalize authentication, and some authorization, from your web applications.  They've been around for quite some time.  The first large player in WAM technology was Oblix (now owned by Oracle), followed by Netegrity (now owned by CA Technologies).  Using these systems you can separate your initial security processing from your application or application server.

This layered approach offers several advantages over direct integration:

  • Changes to the identity infrastructure don't need to be coded into your applications
  • Applications are coded to a single standard (often the standard in their language)
  • A layered approach provides an additional security layer between your application and threats
  • A WAM can create an additional “logic” layer that can be used to direct users to specific content based on their memberships
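As an added illustration (not code from the original post or from any WAM product), the following Python sketches the layered model described above: a policy enforcement point sitting in front of the application, reading a policy store and a session store, handing the application a single identity convention (here, assumed `X-Remote-User` / `X-Remote-Groups` headers) and routing users to content based on group membership. The policy, sessions and landing-page table are constructed sample data, and the header names are assumptions rather than any vendor's convention.

```python
"""Minimal web-access-manager style policy enforcement point (illustrative)."""
from dataclasses import dataclass, field
from urllib.parse import quote

# Constructed sample policy store: URL prefix -> groups allowed in.
# None means anonymous access; an empty set means any authenticated user.
POLICY_STORE = {
    "/public/": None,
    "/portal/": set(),
    "/hr/": {"hr-staff"},
    "/finance/": {"finance", "executives"},
}

# Constructed sample session store, normally populated by the WAM's own login flow.
SESSION_STORE = {
    "sess-alice": {"user": "alice", "groups": {"hr-staff", "employees"}},
    "sess-bob": {"user": "bob", "groups": {"finance", "employees"}},
}

# Constructed "logic layer": first matching group decides the landing page.
LANDING_PAGES = [
    ("executives", "/portal/exec"),
    ("hr-staff", "/portal/hr"),
    ("employees", "/portal/home"),
]

# Assumed header convention the application is coded against.
USER_HEADER = "X-Remote-User"
GROUPS_HEADER = "X-Remote-Groups"
SESSION_COOKIE = "WAM_SESSION"


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                 # "forward", "redirect" or "deny"
    location: str = ""          # redirect target, if any
    headers: dict = field(default_factory=dict)  # headers passed to the app


def _strip_identity_headers(headers):
    """Drop any client-supplied identity headers so only the WAM can set them."""
    return {k: v for k, v in headers.items()
            if k.lower() not in (USER_HEADER.lower(), GROUPS_HEADER.lower())}


def enforce(req: Request) -> Decision:
    """Decide what the WAM does with a request before the application sees it."""
    matches = [p for p in POLICY_STORE if req.path.startswith(p)]
    if not matches:
        return Decision("deny")  # fail closed: unknown paths are never forwarded
    allowed_groups = POLICY_STORE[max(matches, key=len)]
    forwarded = _strip_identity_headers(req.headers)

    if allowed_groups is None:
        return Decision("forward", headers=forwarded)  # anonymous resource

    session = SESSION_STORE.get(req.cookies.get(SESSION_COOKIE, ""))
    if session is None:
        # Authentication is handled by the WAM, not the application.
        return Decision("redirect",
                        location="/wam/login?return_to=" + quote(req.path, safe=""))

    if allowed_groups and not (allowed_groups & session["groups"]):
        return Decision("deny")  # authenticated but not authorized for this path

    if req.path == "/portal/":
        # Membership-based routing: send the user to content for their role.
        for group, page in LANDING_PAGES:
            if group in session["groups"]:
                return Decision("redirect", location=page)

    forwarded[USER_HEADER] = session["user"]
    forwarded[GROUPS_HEADER] = ",".join(sorted(session["groups"]))
    return Decision("forward", headers=forwarded)


if __name__ == "__main__":
    for path, cookies in [("/public/index.html", {}),
                          ("/hr/payroll", {}),
                          ("/hr/payroll", {SESSION_COOKIE: "sess-bob"}),
                          ("/portal/", {SESSION_COOKIE: "sess-alice"})]:
        print(path, cookies, "->", enforce(Request(path, cookies)))
```

The application behind this layer never parses a token or talks to a directory; it trusts the identity headers because the proxy strips any copies the client sends and adds its own only after a session check. That stripping step is what makes the "additional security layer" claim hold, and it is the check to verify in any real deployment.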

So with all these great advantages, why wouldn't you want to use a WAM?  With all the power a WAM has to offer, it can be complex.  A WAM requires a larger up-front investment in infrastructure, setup and training.  WAMs typically require additional databases or directories to be set up to store policy information, web servers to act as reverse proxies, and management infrastructure.  Stand-alone federation systems are generally much simpler to stand up.

The return on investment of a WAM-based solution depends on the complexity of your applications, the number of applications and the maturity of your IT infrastructure.  The graph below shows the difference in costs between a stand-alone federation system and a WAM.  The WAM has a higher initial cost, but over time the costs flatten out because new applications are much quicker to integrate.  A stand-alone system does not require as high an upfront cost, but since each application has to be integrated individually, the costs are generally more of a straight line.

[Figure: Part3Graph.jpg, cost over time for a stand-alone federation system versus a WAM]

The last option is to use a phased approach: use a stand-alone federation system for your first one or two applications, then move to a WAM once the value is shown.  Most stand-alone federation systems will integrate with a WAM, but not all.  Check with your vendor for their WAM strategy.

I hope you enjoyed my three-part series; look for more posts from me soon.  The area of identity and federation is becoming more and more connected, and it's an exciting area.  Please feel free to drop me a line or comment.  I'd love to hear what you think and anything you'd like me to blog about!
