F5 Friday: Application Access Control - Code, Agent, or Proxy?

How about some integration, instead? A combined Oracle Access Manager and F5 BIG-IP Access Policy Manager solution is more scalable, more reliable, and easier to manage than any of the traditional three solutions.


In the course of deploying applications it becomes necessary to ensure that only authenticated and authorized users have access to that application. Over time several solutions have been used to provide this capability, but each one comes with its own set of challenges. There is a fourth option, however, that’s arisen from understanding the limitations (and advantages) of each of the previous three options. That fourth option is more scalable, more reliable, and definitely easier to manage than previous incarnations.

APPLICATION ACCESS CONTROL: CODE

In the beginning, developers created web applications. And the users saw that it was good. But then it was decided that only certain people should have access to those applications and developers had to figure out how to “authenticate” those people to the application. Oh, at first web applications used simple techniques like HTTP Basic Authentication, but the costs associated with managing both an internal directory of users and a second application access control store for each application got to be too much. So they found a way to use existing corporate identity stores to authenticate access through the applications. They wrote code specifically for the identity store right in the app. This, of course, eventually caused a great deal of consternation the first time an organization attempted to change identity store vendors. It also wasn’t very pleasant to contemplate an upgrade in the libraries that enabled that integration, as they often deprecated or simply removed functions, which caused the application to break or worse – to be left completely without any kind of authentication whatsoever. It also didn’t lend itself well to single sign-on capabilities, which over time were becoming an increasingly heated demand from users.

APPLICATION ACCESS CONTROL: AGENT

So next came agents on servers. These little daemons were deployed on every web or application server and enabled applications to directly talk to existing corporate application access control directories, which meant eliminating a lot of waste (and code) used to enable the “code in the app” solution. Generally these agents were deployed at the application server level and managed “above” the application, so every application deployed in that container could take advantage of the solution without hard-wiring the solution into the code. The problem was you still had something to manage on every server on which the application was deployed, and as more and more solutions picked up the “agent-based” model there began to be conflicts between them. If you weren’t careful about managing and synchronizing the access control configuration, you could also run into some real fun when you tried to scale out the solution.

APPLICATION ACCESS CONTROL: PROXY 

So it was that specialized proxies came into existence. These solutions were deployed in front of web and application servers, inline, and intercepted all requests as a means to apply application access control in a centralized manner. These worked much better than their distributed predecessors, and offered the attractive lower cost of maintenance but at a price: they were not cheap. That became evident when such solutions attempted to scale out. Because they didn’t scale out well – they were, after all, a solution focused on providing application access control, not scalability or high-performance – you needed many more of them to keep up with application and user growth.
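To make the contrast between the “code in the app” option and the centralized “proxy” option concrete, here is a small added illustration (constructed for this article, not F5 or Oracle code). It models a toy identity store, an application that calls that store itself, and an inline policy enforcement layer that authenticates once, issues a session, and applies a path-to-group policy in front of applications that carry no identity logic at all. All usernames, passwords, groups and paths are made-up sample data, and the identity-store API is a stand-in for whatever directory an organization actually runs.

```python
"""Added example: where application access control is enforced.

Constructed illustration, not vendor code. Compares an application with
authentication hard-wired into it ("code" option) against an inline
policy enforcement layer that fronts plain applications ("proxy" option).
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed identity store standing in for a corporate directory:
# username -> (password, set of groups). Sample data only.
IDENTITY_STORE: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("alice-pw", {"staff", "finance"}),
    "bob": ("bob-pw", {"staff"}),
}


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None
    credentials: Optional[Tuple[str, str]] = None  # (username, password)
    user: Optional[str] = None  # filled in by the enforcement layer


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[Request], Response]


# "Code" option: the application talks to the identity store directly.
# Every application repeats this logic, and every one of them breaks
# (or silently loses its check) when the store or its library changes.
def payroll_app_embedded_auth(req: Request) -> Response:
    if req.credentials is None:
        return Response(401, "authenticate")
    user, password = req.credentials
    entry = IDENTITY_STORE.get(user)
    if entry is None or not secrets.compare_digest(entry[0], password):
        return Response(401, "bad credentials")
    if "finance" not in entry[1]:
        return Response(403, "forbidden")
    return Response(200, f"payroll data for {user}")


# "Proxy" option: the application is a plain handler. It trusts the
# identity the enforcement layer attached and knows nothing about stores.
def payroll_app(req: Request) -> Response:
    return Response(200, f"payroll data for {req.user}")


class AccessProxy:
    """Inline policy enforcement point: authenticates once, then maps
    path prefixes to the group a caller must hold. Paths with no policy
    entry are denied by default."""

    def __init__(self, store: Dict[str, Tuple[str, Set[str]]],
                 policy: Dict[str, str]) -> None:
        self._store = store
        self._policy = policy                 # path prefix -> required group
        self._sessions: Dict[str, str] = {}   # session token -> username

    def login(self, username: str, password: str) -> Optional[str]:
        """Validate credentials against the store; return a session token
        on success, None on failure. Constant-time password comparison."""
        entry = self._store.get(username)
        if entry is None or not secrets.compare_digest(entry[0], password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def handle(self, req: Request, upstream: Handler) -> Response:
        """Enforce authentication and the path policy, then forward."""
        user = self._sessions.get(req.session_token or "")
        if user is None:
            return Response(401, "authenticate")
        required = next((group for prefix, group in self._policy.items()
                         if req.path.startswith(prefix)), None)
        if required is None:
            return Response(403, "no policy for path")  # default deny
        if required not in self._store[user][1]:
            return Response(403, "forbidden")
        req.user = user
        return upstream(req)


def demo() -> Dict[str, int]:
    """Run both models over the sample data; returns status codes by case."""
    proxy = AccessProxy(IDENTITY_STORE,
                        {"/payroll": "finance", "/intranet": "staff"})
    bob = proxy.login("bob", "bob-pw")
    alice = proxy.login("alice", "alice-pw")
    return {
        "anonymous": proxy.handle(Request("/payroll"), payroll_app).status,
        "bob_payroll": proxy.handle(Request("/payroll", session_token=bob),
                                    payroll_app).status,
        "alice_payroll": proxy.handle(Request("/payroll", session_token=alice),
                                      payroll_app).status,
        "alice_unpoliced": proxy.handle(Request("/unknown", session_token=alice),
                                        payroll_app).status,
        "embedded_bob": payroll_app_embedded_auth(
            Request("/payroll", credentials=("bob", "bob-pw"))).status,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The point to notice is that `payroll_app` and any number of sibling applications can be fronted by one `AccessProxy`; swapping the identity store means changing the store handed to the proxy, not touching each application, which is the decoupling the agent and proxy options were introduced to achieve.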

But what else is there?

THE FOURTH OPTION

The fourth option is one we’re now beginning to see emerge in the market: unified application delivery enabled with application access control capabilities and integrated with existing enterprise identity and access management stores, such as Oracle Access Manager, via open, standards-based APIs.

Oracle Access Manager allows users of your applications or IT systems to log in once and gain access to a broad range of IT resources. Oracle Access Manager provides an identity management and access control system that is shared by all your applications. The result is a centralized and automated single sign-on (SSO) solution for managing who has access to what information across your entire IT infrastructure. Oracle Access Manager is available as a stand-alone product or as part of Oracle's award-winning Oracle Identity & Access Management Suite.

-- Oracle

The fourth option is an evolutionary step that combines the benefits of a traditional proxy with those of a more scalable, high-performance application delivery platform, mitigating the challenges that came with pure specialized proxy solutions. By enabling a unified application delivery controller, F5 BIG-IP, with the ability to apply application access policies inline, the solution neatly resolves the problems that have plagued the integration of application security and applications since the first centralized identity management store was introduced.

A combined F5-Oracle solution works seamlessly because BIG-IP Access Policy Manager is fully integrated via BIG-IP’s open, standards-based API, iControl. It allows an existing strategic point of control – the component responsible for scaling and delivering applications – to extend its performance and reliability to application access control, enabling not only OAM Single Sign-On (SSO) functionality for end-users but also the ability to apply other application delivery network functionality, such as web application security and acceleration, simultaneously on a single, unified platform. This reduces management costs and eases scalability concerns, as applications can be easily virtualized and scaled without sacrificing security, access control, or performance. All application delivery functions become the responsibility of BIG-IP, which leverages the granular application access security provided by Oracle Access Manager.

Unlike a specialized proxy, this solution also enables scalability of Oracle Access Manager, which makes it easy to scale your application access control solution along with your applications. You get scalability, security, and centralized management in a single, integrated solution.

For more information on the F5-Oracle solution for fast, scalable, flexible application access control, you can check out these resources:

Solution Overview

Deployment Guide

DevCentral Video

THE ORACLE-F5 CONNECTION

F5 and Oracle have been partners for a long time and work jointly not only on integration between products but also on providing best practices for deploying F5 and Oracle solutions together. You may have heard of a little trade show called Oracle OpenWorld 2010? F5 will be in attendance and we’ve got some new solutions to show you, specifically around scaling a product you might also have heard of: Oracle Database. So if you’re attending, stop by the booth (#1427, Moscone South) and check it out.


Published Sep 17, 2010
Version 1.0
