Does this math problem sound familiar? You're managing multiple resource locations (cloud, enterprise, partner) and developing applications using new protocols, all while managing multiple access channels (browser, mobile, service) from any number of locations. If so, you have a tricky equation on your hands.
Maybe you've also figured out that trying to lock down these applications using legacy web access management (WAM) products and XML/SOAP API gateways is a lot like using an abacus to do algebra--neither is the right tool for the complexity of the job. What you really need is a modern solution designed for today's identity security needs.
Combining identity federation, modern web and API access security and multi-factor authentication (MFA), FAM enables the right people to access the right things, seamlessly and securely.
Our FAM solution relies on the PingAccess server for web and API application management. And the recently updated version 4.0 allows you to enable access from any client to any application. No other access management solution does this.
Legacy WAM + Today's Apps = Problems
Application developers are rarely creating pure server-side web apps any more. Today's applications are a mashup of components and protocols, combining APIs, server-generated and static web content, and client-side functionality in the browser or a mobile app.
For in-browser applications, the WebSocket protocol remains a popular choice. WebSockets are designed to support the bidirectional communications required for low-latency client and server-side applications. However, the protocol itself doesn't provide authentication or authorization. This is a critical deficiency as identities come into play, and that legacy WAM product from 1999 can't efficiently solve the problem.
WAM is constrained by rigid "Browser: GET, POST, PUT" rule sets, which limits its ability to provide security for additional protocols and client-to-application interactions. As a workaround, a WAM vendor might recommend bolting on a heavyweight API gateway infrastructure or custom developing security for the APIs themselves. But both approaches require the application developer to think like a security architect--not to mention saddling your security team with more infrastructure to maintain.
URI fragments are also being used for in-browser applications, particularly single-page applications (SPAs), to preserve the state or view of an application. But adding fragments to legacy WAM products equals more problems. Bookmark or session timeouts can result, causing the user to lose their work or see an unexpected state of the application they're accessing.
To sum it up, legacy WAM products aren't designed for today's challenges. But there is a modern-day solution. Much like Texas Instruments changed the world of mathematics with its electronic calculator, rendering the abacus all but useless, Ping Identity has reimagined application management with our PingAccess server 4.0.
PingAccess + WebSockets = Superior Application Security
The PingAccess server 4.0 uses the WebSocket protocol for both proxy and agent architectures. It allows WebSocket tunnels, web applications and web APIs to share the same security infrastructure centrally managed by the IAM team.
As you'll see in Figure 1, PingAccess can require users to sign on to a valid web session for a web-based chat application. Working over WebSockets, it can also limit the chat protocol itself to a sub-protocol like XMPP.
Together or separately, these capabilities relieve the application of having to implement some basic, common identity security features itself. They also provide more control over and visibility into how the application is used.
Figure 1: Using the PingAccess server 4.0, administrators can control which sub-protocols the WebSocket-enabled application is permitted to negotiate, plus control access on the stream of WebSocket traffic.
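The two checks described above (a valid web session, then an allow-listed sub-protocol) can be sketched as a decision function run on the upgrade request. This is an added example, not PingAccess code; the cookie name `session`, the session store and the policy list are constructed for illustration.

```javascript
// Added example: gate a WebSocket upgrade on a valid web session and an
// allow-listed sub-protocol. All names and sample values are constructed.
const ALLOWED_SUBPROTOCOLS = ['xmpp'];           // policy: chat may only speak XMPP
const SESSIONS = new Map([                       // constructed session store
  ['s-alice', { user: 'alice', expires: 2000 }],
  ['s-stale', { user: 'bob', expires: 500 }],
]);

// Parse a Cookie header into a name -> value object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// headers: lower-cased request headers; now: time in the same unit as expires.
function authorizeUpgrade(headers, now) {
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket') {
    return { status: 400, reason: 'not a WebSocket upgrade' };
  }
  const sid = parseCookies(headers['cookie']).session;   // hypothetical cookie name
  const session = SESSIONS.get(sid);
  if (!session || session.expires <= now) {
    return { status: 401, reason: 'no valid web session' };
  }
  // The client lists the sub-protocols it offers in preference order.
  const offered = (headers['sec-websocket-protocol'] || '')
    .split(',').map((p) => p.trim()).filter(Boolean);
  const chosen = offered.find((p) => ALLOWED_SUBPROTOCOLS.includes(p));
  if (!chosen) {
    return { status: 403, reason: 'no permitted sub-protocol offered' };
  }
  // 101 Switching Protocols: echo back only the single chosen sub-protocol.
  return { status: 101, user: session.user, subprotocol: chosen };
}
```

Because the decision is made before the handshake completes, a rejected request never reaches the application's WebSocket handler.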
PingAccess + URI Fragments = Better User Experience
The PingAccess server 4.0 uses client-side HTML5 session storage to preserve URI fragment information throughout a sign-on process (see Figure 2). This improves compatibility with modern applications. It also ensures bookmarks or external links behave properly through the sign-on process, significantly improving the user experience.
Figure 2: The PingAccess server 4.0 maintains the URI fragment info from initial request through sign-on to final granting of access.
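A browser never sends the fragment to the server, so a server-side redirect to sign-on cannot carry it; it has to be held on the client. The following added example (not PingAccess code) shows one way to do that with session storage; the storage key and both function names are hypothetical, and `loc` and `storage` stand in for `window.location` and `window.sessionStorage`.

```javascript
// Added example: carry a URI fragment across a sign-on redirect using
// sessionStorage. KEY and both function names are hypothetical.
const KEY = 'pendingFragment';

// Call on the protected page just before redirecting to sign-on.
// loc is window.location (or a stand-in); storage is window.sessionStorage.
function stashFragment(loc, storage) {
  if (!loc.hash || loc.hash === '#') return false;      // nothing to keep
  // Store the path with the fragment so it is only replayed on the same page.
  storage.setItem(KEY, JSON.stringify({ path: loc.pathname, hash: loc.hash }));
  return true;
}

// Call when the browser lands back on the application after sign-on.
// Returns the path, query and fragment to navigate to, or null if nothing applies.
function restoreFragment(loc, storage) {
  const raw = storage.getItem(KEY);
  storage.removeItem(KEY);                               // single use
  if (!raw) return null;
  let saved;
  try { saved = JSON.parse(raw); } catch (e) { return null; }
  // Only a fragment is ever re-applied, and only to the path it came from,
  // so a tampered entry cannot send the user to another page or origin.
  if (!saved || saved.path !== loc.pathname) return null;
  if (typeof saved.hash !== 'string' || !saved.hash.startsWith('#')) return null;
  if (loc.hash) return null;                 // do not override an explicit fragment
  return loc.pathname + loc.search + saved.hash;
}
```

Session storage is scoped to the origin and the tab, so the saved fragment is not visible to other sites and does not outlive the tab in which sign-on started.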
Does your equation include more traditional web apps? If so, the PingAccess server 4.0 has you covered with web sessions and a powerful access control engine. Mobile apps? No problem. OAuth is here to secure your APIs.
Add up all the benefits of FAM and the PingAccess server 4.0, and the solution is clear. You can efficiently and cost-effectively regain control of your applications. And you can dramatically simplify application now and into the future.