Boeing lets single sign-on project fly

SAN FRANCISCO – Boeing last week made public the first phase of a standards-based identity management project that could serve as an industry model for integrating single sign-on access controls across business partners’ networks.

At the Burton Group Catalyst conference, the airplane maker unveiled the deployment of a project with Southwest Airlines that provides the carrier’s mechanics access to electronic repair manuals on Boeing’s internal networks based on the mechanics’ regular logon to Southwest’s network.

Boeing described the deployment as the beginning of a “seamless business Web” that will simplify business-to-business relationships and validate the integration power of Web services.

The seamless relationship means that Southwest employees need only their single corporate logon to access data they need from their employer network and from corporate-partner Boeing.

And it provides Boeing with a centralized, scalable, extensible and secure standards-based mechanism it can reuse among business partners to control Web-based access to its internal applications and data.

The deployment is significant not only for the efficiencies and cost savings it provides, but because it is the marquee rollout of a single sign-on system that’s based on the Security Assertion Markup Language (SAML), an XML-based standard protocol for exchanging user authentication and authorization data across corporate systems.

SAML was developed by the Organization for the Advancement of Structured Information Standards (OASIS) and has gained favor mostly through support in Web access management products and the Liberty Alliance, a consortium developing a federated identity framework. OASIS says it hopes to make available on its Web site details of Boeing’s SAML deployment as a reference architecture.

“If we can deliver services to our customers that they can integrate into their environments then we become indispensable,” says Mike Beach, associate technical fellow for security and directory services at Boeing. “We think SAML is huge.”

How they do it

Boeing uses SAML to streamline access to its MyBoeingFleet Web portal, which provides customers access to data required to operate and maintain Boeing aircraft. Single sign-on lets Boeing make the data directly available in a maintenance hangar without having to provide and maintain a set of user credentials for Southwest employees. Southwest mechanics use notebook computers to display electronic manuals right at their work sites.

Using customized Web access management software from Oblix, Boeing created a single sign-on environment that supports thousands of users at Southwest. The airline operates 350 Boeing 737s in 58 cities.

The mechanics access the Southwest site using their corporate logon. In the background, the user is passed a Southwest SAML-enabled encrypted cookie. From a portal application, the users can see their daily work responsibilities, including which airplanes they are assigned to repair and links to the manuals they will need.

When the user clicks on the SAML-enabled links to the Boeing manuals, the system initiates the exchange of SAML credentials. Southwest’s site generates a digitally signed SAML assertion, which contains information on the user and his access rights. The signed assertion is returned to the mechanic’s browser, and the browser delivers the assertion to the Boeing SAML service, which sits on the edge of the Boeing network and outside its firewall. The Boeing SAML service verifies the Southwest assertion and links it to an entry for that user stored in a Boeing access server. Independent of the SAML system, Boeing provides Southwest a Web service to upload its users’ identities to the access server.

The access server provides a Boeing encrypted cookie that is passed back to the user’s browser at Southwest. The Southwest employee is then redirected to the URL for the MyBoeingFleet application on the Boeing network. The user is authenticated using the Boeing SAML-enabled cookie and given access to the MyBoeingFleet Web site behind the Boeing firewall.

Boeing’s Beach says the system is an extension of a Web single sign-on project that went into production internally at Boeing in December 2001. By February of this year, the system was handling 100,000 logons per day to more than 100 applications. Integration of external users from Southwest began in May and went into production last month. The company plans to add role-based access controls later this year and expects to complete integration of single sign-on with more than 1,000 applications by the end of 2004.

The work to integrate Southwest, however, was not without massive customization to the Oblix NetPoint application, and Boeing continues to address lingering issues.

For instance, the browser cookies are not secure on the Web, and Boeing had to add better encryption and support for Secure Sockets Layer.

“We want the industry to figure out how to make cookies secure,” Beach says. Boeing also needed to fill in holes in the SAML specification, including establishing a global log-out mechanism and session management. Both had to be added through customizations. Boeing also had to create customizations to close vulnerabilities presented by the bookmark feature in the browser software. And it had to set up authentication policies within Oblix to give the system the ability to provide specific information about users.

“It was hard, and it was expensive, but a lot of that was our fault,” Beach says. “We took on the world; we encompassed legacy systems and did third-party integrations.”

He says Boeing also has discovered that it is difficult to manage a large number of access policies and that the system puts a heavy load on its directory services. He says it was also hard to manage expectations of end users.”But the good news is that it works and we’ve got some subsidiaries that want us to provide them the same SAML-based authentication to our systems. Our executives are really excited about this project,” he says.