[Fwd: NetworkWorld: Boeing using SAML to SSO to 1,000 Apps]

["Eve L. Maler" <eve.maler@sun.com>]

Passed along on behalf of Edwin DeSouza...

-------- Original Message --------
Subject: 	NetworkWorld: Boeing using SAML to SSO to 1,000 Apps
Date: 	Wed, 16 Jul 2003 17:18:34 -0400
From: 	DeSouza, Edwin <edesouza@jamcracker.com>

http://www.nwfusion.com/news/2003/0714boeing.html



   Boeing lets single sign-on project fly

By John Fontana <http://www.nwfusion.com/Home/jfontana.html>
Network World, 07/14/03

SAN FRANCISCO - Boeing last week made public the first phase of a
*standards-based identity management project that could serve as an
industry model for integrating single sign-on access controls across
business partners' networks. *

At the Burton Group Catalyst conference, the airplane maker unveiled the
deployment of a project with Southwest Airlines that provides the
carrier's mechanics access to electronic repair manuals on Boeing's
internal networks based on the mechanics' regular logon to Southwest's
network.

Boeing described the deployment as the beginning of a "seamless business
Web" that will simplify business-to-business relationships and validate
the integration power of Web services.

The seamless relationship means that *Southwest employees need only
their single corporate logon to access data they need from their
employer network and from corporate-partner Boeing. *

And it provides Boeing with a centralized, scalable, extensible and
secure standards-based mechanism it can reuse among business partners to
control Web-based access to its internal applications and data.

The deployment is significant not only for the efficiencies and cost
savings it provides, but because it is the marquee rollout of a single
sign-on system that's based on the Security Assertion Markup Language
(SAML <http://www.nwfusion.com/links/Encyclopedia/S/539.html>), an
XML-based standard protocol for exchanging user authentication and
authorization data across corporate systems.

OASIS says it hopes to make available on its Web site details of
Boeing's SAML deployment as a reference architecture.

"If we can deliver services to our customers that they can integrate
into their environments then we become indispensable," says Mike Beach,
associate technical fellow for security and directory services at
Boeing. *"We think SAML is huge." *


       How they do it

Boeing uses SAML to streamline access to its MyBoeingFleet Web portal,
which provides customers access to data required to operate and maintain
Boeing aircraft. Single sign-on lets Boeing make the data directly
available in a maintenance hangar without having to provide and maintain
a set of user credentials for Southwest employees. Southwest mechanics
use notebook computers to display electronic manuals right at their work
sites.

Using customized Web access management software from Oblix
<http://www.oblix.com/>, *Boeing created a single sign-on environment
that supports thousands of users at Southwest*. The airline operates 350
Boeing 737s in 58 cities.

*The mechanics access the Southwest site using their corporate logon. In
the background, the user is passed a Southwest SAML-enabled encrypted
cookie*. From a portal application, the users can see their daily work
responsibilities, including which airplanes they are assigned to repair
and links to the manuals they will need.

When the user clicks on the SAML-enabled links to the Boeing manuals,
the system initiates the exchange of SAML credentials. Southwest's site
generates a digitally signed SAML assertion, which contains information
on the user and his access rights. The signed assertion is returned to
the mechanic's browser, and the browser delivers the assertion to the
Boeing SAML service, which sits on the edge of the Boeing network and
outside its firewall. The Boeing SAML service verifies the Southwest
assertion and links it to an entry for that user stored in a Boeing
access server.

*Independent of the SAML system, Boeing provides Southwest a Web service
to upload its users' identities to the access server. *

The access server provides a Boeing encrypted cookie that is passed back
to the user's browser at Southwest. The Southwest employee is then
redirected to the URL for the MyBoeingFleet application on the Boeing
network. The user is authenticated using the Boeing SAML-enabled cookie
and given access to the MyBoeingFleet Web site behind the Boeing firewall.

Boeing's Beach says the system is an extension of a Web single sign-on
project that went into production internally at Boeing in December 2001.
By February of this year, *the system was handling 100,000 logons per
day to more than 100 applications.* Integration of external users from
Southwest began in May and went into production last month. The company
plans to *add role-based access controls later this year* and expects to
complete integration of single sign-on with more than *1,000
applications by the end of 2004.*

The work to integrate Southwest, however, was *not without massive
customization to the Oblix NetPoint application, and Boeing continues to
address lingering issues*.

For instance, the browser cookies are not secure on the Web, and Boeing
had to add better encryption and support for SSL.

"We want the industry to figure out how to make cookies secure," Beach
says. Boeing also needed to *fill in holes in the SAML* specification,
including establishing a *global log-out* mechanism and *session
management*. Both had to be added through customizations. Boeing also
had to create customizations to close vulnerabilities presented by the
bookmark feature in the browser software. And it had to set up
authentication policies within Oblix to give the system the ability to
provide specific information about users.

"It was hard, and it was expensive, but a lot of that was our fault,"
Beach says. *"We took on the world; we encompassed legacy systems and
did third-party integrations."*

He says Boeing also has discovered that it is difficult to manage a
large number of access policies and that the system puts a heavy load on
its directory services. He says it was also hard to manage expectations
of end users."But the good news is that it works and we've got some
subsidiaries that want us to provide them the same SAML-based
authentication to our systems. Our executives are really excited about
this project," he says.



-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Technologies and Standards               eve.maler @ sun.com