Juniper SSL VPN aims to offer single sign-on

Jul 12, 2004 | 3 mins
Access Control, Enterprise Applications

* Juniper Secure Sockets Layer VPN is SAML-enabled

I often mention Security Assertion Markup Language, or SAML, in this newsletter (28 times in the last 80 or so issues), usually in conjunction with one or another of the various federation protocols such as Liberty Alliance, WS-Federation or Shibboleth. Generally, when some product is announced as “SAML-enabled,” it’s by an existing identity management vendor.

In a recent article for Network World (link below), my colleague Jim Kobielus, a senior analyst with Burton Group, refers to “SAML-enabled Web access management tools from vendors such as Computer Associates, Entrust, Entegrity, HP, IBM Tivoli, Netegrity, Novell, Oblix, OpenNetwork, RSA Security and Sun.” Every single one of those vendors has an identity management practice and most support their own directory service.

So I tend to quickly glance over announcements of new SAML implementations unless they break new ground. One announcement I heard a couple of weeks ago definitely qualifies for more than a glance.

Juniper Networks is usually talked about in the “service provider” section of Network World. It’s a major competitor to Cisco for the big router market, with impressive sales to the likes of AOL, the U.S. Department of Defense and Verizon. But it also made some moves this year to dive deeper into the enterprise market, especially with the acquisition of NetScreen Technologies early this year. That followed NetScreen’s acquisition of Neoteris late last year. Neoteris first came to our attention a couple of years ago (see “Single Sign-on Outside the Firewall”) with its Instant Virtual Extranet (IVE). Now those same people are shipping Juniper’s SecureAccess line of Secure Sockets Layer (SSL) VPN devices as SAML-enabled.

Why would Juniper want to do this? Its reasoning, as propounded by the marketing folks, is that by using SAML:

“Juniper’s SSL VPN gateways are able to communicate with Identity and Access Management (IAM) products, such as those from Oblix, RSA, IBM, and Netegrity, in a standards-based manner.  Juniper’s SSL VPN devices enable Web Single Sign-On and centrally enforce authorization.  Juniper’s SSL VPN also eliminates the need for distributed software agents that in the absence of Juniper’s SSL VPN are required to perform these tasks.  The cost associated with distributing and updating those agents, as well as the required server hardening, substantially adds to the total cost and complexity of IAM products.  By removing the need for those agents, Juniper makes existing IAM investments less expensive to maintain and brings IAM solutions within the reach of customers who would choose not to deploy them otherwise (i.e. medium, large enterprises).”

In a nutshell, “the combined Juniper SSL VPN and SAML-enabled IAM product represent a significantly lower total cost of ownership for customers vs. deploying IAM products stand-alone.” I couldn’t have said it better myself – Web-based single sign-on, lower cost, higher security. Isn’t that really what we’re all looking for? You may not need Juniper’s SSL VPN products yourself, but I bet you do know someone who could use them. Check for the details and send them on to someone who could benefit (such as, for example, your own telecoms department).