TMW: SSO Catalyst simple on the outside

DALLAS--Single Sign on. It sounds so simple. And in networks that have been multivendor for quite sometime it sounds like something that most assuredly has been addressed before. Not so. Not in a standard way. So the SSO Catalyst Project at TeleManagement World this week demonstrated that it is not only possible, but also preferable to secure one’s network management domains before regulators feel the need to step in and do it for them.

Sponsored by Telefonica Moviles Espana and the TMF’s Co-operative OSS Project (CO-OP)--a group of network equipment providers formed to address architecture specifications, verification and testing of mobile network management systems--the project demonstrates that better security and greater efficiencies can be gained by adopting open standards in the area of domain management and using the Single Sign On process outlined in the TMF spec TMF058, specifically Appendix E TMF 058 Supporting Document Single Sign-on Overview and Architecture. The Catalyst project will validate the spec.

The group said that if current ad-hoc methods continue, it would undermine the viability of the industry. Other members of the group include Alcatel, Ericsson, Huawei, Lucent, Motorola, Nokia, Nortel, Samsung, Siemens and Wipro.

The project touches on security, but does not lay claim to being a comprehensive security architecture. It uses an open architecture set by the OASIS SAML technical Committee on Identity-based control and the Liberty Alliance. SAML 2.0 allows for the design of interoperable security systems. The principle is that a trusted identity provider vouches for the authenticity of users of the various domain managers. That means each system involved has to trust the other systems. In a CO-OP identity-based system, the most important aspect is that the OSS trusts the Identity Provider.

Users employ a simple initial program or Web browser to log into the overall system, which in turn gives them access to different management systems without being challenged for new credentials.

In Telefonica’s network, the number of new systems to be integrated is increasing every day, and they have to take security into account, said José Antonio Polaino Izquierdo from Telefonica. “[We] see the Single Sign On and user management Catalyst project as a way to get standardization of this management [function],” he said. “There is also a [total cost of ownership reduction strategy].”

Although the project addresses security, Izquierdo said his company needs standard solutions to real problems. In this case they are trying to solve both OSS security and management issues as well as user provisioning and management inside a security environment.

“We agree with the objectives of this Catalyst,” said Marta Liminianabernat, from Telefonica. “We support SSO because we feel there are important benefits for all of us, for vendors and for a service providers like us who wants to standardize and bring interoperability between domain managers.”

She said that the benefits were not all security related. “The main objective is efficiency,” Liminianabernat said. “We’d like to be secure, but efficiency is most important.”

Pierre-Henri Gross, director of the Mobile OSS strategy at Alcatel, said there definitely a lack of standards in this area and that this project is a little outside of the participants’ daily work. “But it is good to have this to implement as a standardized solution that can be adopted by vendors and service providers to create a solution that makes life easier for all of us. The proof is in this demo. And these solutions are real,” he said.

The SSO project leader and editor of part of the CO-OP’s TMF058 specifications, Gunther Walther from Nokia, said rather than being purely a technical problem, solving Single Sign On also is a segmentation problem. “The issue is how do you get critical mass to adopt something in the network management space. So far, nobody has adopted any sort of standard. We need to be in more control on the risk and it is better to find common solutions in the TMF rather than everyone trying to do it themselves,” he said.

One of the goals Walther said is to get a centrally federated user database so users are appropriately modeled and are given the proper authorization. “That capability is not there yet. From an integration point of view it is difficult to do. But the benefit is really enabling the end user to log onto another application. It makes the system more secure and the whole password problem for each system goes away,” Walther said.

Telefonica’s Izquierdo said, as a sponsor the company was satisfied with the project. “Besides, the group is already thinking about the next steps. Among them, TME is very interested in user management. This topic is more and more important every day in the operator world.”

Although the project is working with vendor-based management systems, Walther said that it is important to note that there are a lot of in-house management systems within service provider networks that also would benefit from this type of standards solution.