Extending CA Single Sign-On with XACML Capabilities
The Axiomatics CA Validated extension for CA Single Sign-On builds on Single Sign-On's existing authorization capabilities and lets users implement risk-intelligent policies that adapt as an organization's IT environment changes. Used in combination, the two products let organizations implement data governance with standards-based policies that control access in both SOA and WAM environments.
The CA Single Sign-On product is a market leader in Web Access Management (WAM). Compared to the first version from 1997, today’s CA Single Sign-On r12 platform is an extremely powerful and versatile tool for access control in web applications.
Yet, the basic concepts and product capabilities remain: to provide centralized administration for authentication and authorization to web applications.
The one area that has evolved in recent years is authorization, and this is primarily where WAM tools such as CA Single Sign-On may need to be extended. Today, dynamic, Attribute Based Access Control (ABAC) is increasingly used to meet requirements for more precise data governance, regulatory compliance and risk-aware access control. Governance domains may, for instance, demand that financial risk be taken into account (SOX, Basel, insolvency and anti-money-laundering legislation, etc.), or that access be conditioned on the relationship between the user and the data subject of the records being retrieved (as in health care regulations such as HIPAA, and in the law enforcement and eGovernment sectors). Such use cases often cannot be expressed in traditional access control models. This is where the XACML standard becomes increasingly important.
The Axiomatics Extension for CA Single Sign-On does this: it injects a Policy Enforcement Point (PEP) into the CA Single Sign-On Policy Server via the Single Sign-On Authorization API. The CA Single Sign-On infrastructure, with its various web agents, directory chaining, single sign-on and federation capabilities, can be used to achieve fine-grained and dynamic attribute based access control based on the XACML standard.