The Axiomatics Extension for CA Single Sign-On® utilizes the existing CA Single Sign-On Authorization API for its integration. The integration enables CA Single Sign-On users to include XACML 3.0 conformant policy evaluation on all incoming access requests. Within weeks of the final approval of version 3.0 of the OASIS XACML standard, the capabilities of the standard are available to CA Single Sign-On users.
The end-user request is captured by a CA Single Sign-On agent which forwards the request to the CA Single Sign-On Policy Server. If the request realm or component in CA Single Sign-On Policy Server is configured to use an Active Policy that calls the Axiomatics Extension, the request is automatically forwarded to the Axiomatics Policy Server PDP where the final evaluation is made against deployed XACML policies.
To implement new dynamic authorization capabilities into CA Single Sign-On, users simply include the Axiomatics Extension for CA Single Sign-On in their active policy definitions and then load appropriate XACML policies into the Axiomatics PDP.
In comparison with writing custom Java extensions, which without the Axiomatics extension would be the alternative, the Axiomatics approach brings a number of obvious advantages:
- Speed of deployment: Adding a new dynamic policy only requires the XACML policy to be modeled based on the corresponding business rule. No code needs to be written.
- Maintenance: a change in regulatory requirements or corporate directives can be implemented via new or altered XACML policies without any change whatsoever to deployed applications or any Java custom code.
- Auditing and governance: XACML is standard-based. Axiomatics also offers the Axiomatics Policy Auditor, which can be used to verify deployed policies. For Java code embedded in custom extensions any auditing is comparatively much more difficult to achieve.
- Externalization: The Axiomatics Policy Server comes out of the box with GUI support for integration with external sources via LDAP or SQL queries. Other types of interactions with the surrounding infrastructure can easily be added as well. Naturally, custom Java code can access other data sources as well, but the standards-based way makes it faster, easier and more transparent.