Wednesday, December 20, 2017

Federation vs Web Access Management (WAM)

This question has been asked repeatedly over the years. I came across this link while I was searching for the OpenID Connect feature in CA SSO 12.7.


Federation has the following advantages: 

  • Many applications, such as SAP, SharePoint, and WebLogic, can handle federation directly out of the box. These applications accept assertions.
  • A direct connection to a centralized server is unnecessary. A federation request always goes through the asserting party to get the generated assertion. After a user gains access to content on one server, the user returns to the federation hub and gets redirected to the next server. Only if the user session times out at the hub does the user have to reauthenticate. 


These advantages make federated partnerships better for an environment where sites are remote, inaccessible, or under third-party control.

Single Sign-On (WAM) has the following advantages:

  • Transactions are faster because there are fewer browser redirects. 
  • Provides centralized authorization and auditing. 
  • Direct links can exist from one web server to another in a network without the user going through a centralized hub for assertion generation. 
  • Offers timeout management. 
  • Applications are independent of a remotely initiated transaction. 


These advantages make WAM single sign-on better suited to an environment with sites that are under your control, such as internal data centers.
