SSO and Zero-Trust made simple using the Datawiza Access Broker (DAB)

September 13, 2020
Rahul Toppur

The benefits of a Zero Trust Architecture are numerous: we can implement Single Sign On (SSO) policies, authentication with an Identity Provider (IdP), and authorization driven by policy. Many SAML and OIDC client libraries exist to help applications with this integration. For example, to implement simple user registration and login with Okta in a Flask application, we would use the Flask-OIDC library to handle authentication and authorization for us.

This involves creating configuration settings within our Flask app:

[Image: Flask application OIDC configuration settings]

Configuring our client_secrets.json file:

[Image: client_secrets.json for the Okta application]

And checking that the user is logged in via OpenID Connect before fetching the user object from Okta's API:

[Image: login check and user lookup via Okta's API]
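The three steps the screenshots describe, as an added example that is not part of the original post: the client_secrets.json is built from environment variables so the client secret stays out of source control, the Flask settings point Flask-OIDC at it, and a protected route fetches the user object from Okta. The Okta org URL, client credentials and redirect URI are placeholders, and the Flask code assumes the Flask-OIDC 1.x API (OpenIDConnect, require_login, user_getinfo); Flask is imported inside create_app so the configuration helpers run without it.

```python
"""Flask-OIDC + Okta wiring (added example, not the post's own code)."""
import json
import os
import tempfile

# Okta authorization-server issuer and client credentials: placeholders,
# read from the environment rather than hard-coded.
OKTA_ISSUER = os.environ.get("OKTA_ISSUER", "https://example-org.okta.com/oauth2/default")
OKTA_CLIENT_ID = os.environ.get("OKTA_CLIENT_ID", "placeholder-client-id")
OKTA_CLIENT_SECRET = os.environ.get("OKTA_CLIENT_SECRET", "placeholder-client-secret")
REDIRECT_URI = os.environ.get("OIDC_REDIRECT_URI", "https://localhost:8080/oidc/callback")


def build_client_secrets(issuer=OKTA_ISSUER, client_id=OKTA_CLIENT_ID,
                         client_secret=OKTA_CLIENT_SECRET, redirect_uri=REDIRECT_URI):
    """Return the dict Flask-OIDC expects in client_secrets.json (the "web" layout).
    Okta's endpoints are derived from the authorization-server issuer."""
    issuer = issuer.rstrip("/")
    return {
        "web": {
            "client_id": client_id,
            "client_secret": client_secret,
            "auth_uri": issuer + "/v1/authorize",
            "token_uri": issuer + "/v1/token",
            "userinfo_uri": issuer + "/v1/userinfo",
            "issuer": issuer,
            "redirect_uris": [redirect_uri],
        }
    }


def check_client_secrets(cfg):
    """Sanity checks before starting the app: issuer over HTTPS, every endpoint
    under that issuer, and no plaintext or wildcard redirect URIs.
    Returns a list of problems (empty when the config is acceptable)."""
    web = cfg["web"]
    problems = []
    if not web["issuer"].startswith("https://"):
        problems.append("issuer must use https")
    for key in ("auth_uri", "token_uri", "userinfo_uri"):
        if not web[key].startswith(web["issuer"] + "/"):
            problems.append(f"{key} does not belong to the issuer")
    for uri in web["redirect_uris"]:
        if not uri.startswith("https://") or "*" in uri:
            problems.append(f"unsafe redirect_uri {uri}")
    return problems


def write_client_secrets(path, cfg):
    """Write the file with owner-only permissions; it contains the client secret."""
    with open(path, "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, 0o600)
    return path


def create_app(client_secrets_path):
    """Build the Flask app protected by Flask-OIDC (Flask-OIDC 1.x API assumed)."""
    from flask import Flask, jsonify
    from flask_oidc import OpenIDConnect

    app = Flask(__name__)
    app.config.update({
        "SECRET_KEY": os.environ.get("FLASK_SECRET_KEY", os.urandom(32)),
        "OIDC_CLIENT_SECRETS": client_secrets_path,
        "OIDC_SCOPES": ["openid", "email", "profile"],
        "OIDC_ID_TOKEN_COOKIE_SECURE": True,   # session cookies only over HTTPS
        "OIDC_COOKIE_SECURE": True,
        "OIDC_USER_INFO_ENABLED": True,
        "OIDC_CALLBACK_ROUTE": "/oidc/callback",  # must match redirect_uris above
    })
    oidc = OpenIDConnect(app)

    @app.route("/")
    def index():
        if oidc.user_loggedin:
            return "Logged in as %s" % oidc.user_getfield("email")
        return "Not logged in"

    @app.route("/profile")
    @oidc.require_login          # redirects to Okta when there is no valid session
    def profile():
        # Fetch the user object from Okta's /userinfo endpoint with the access token.
        return jsonify(oidc.user_getinfo(["sub", "email", "name"]))

    return app


if __name__ == "__main__":
    cfg = build_client_secrets()
    problems = check_client_secrets(cfg)
    if problems:
        raise SystemExit("bad client_secrets: " + "; ".join(problems))
    path = write_client_secrets(os.path.join(tempfile.mkdtemp(), "client_secrets.json"), cfg)
    create_app(path).run(port=8080)
```

The redirect URI registered in Okta's application settings must match `OIDC_CALLBACK_ROUTE` exactly, which is why the config check rejects wildcards: an over-broad redirect URI lets an authorization code be sent somewhere other than the app.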

As more applications are paired with different Identity Providers, integration becomes a problem. Each new IdP brings its own set of SDKs that must be used within our applications (separate ones for Azure Active Directory, Okta, PingIdentity, etc.), and apps written in different languages (e.g. Python, Java, Go, .NET) complicate the work further. Johnson Controls recently began an initiative to enable authentication to their legacy apps using Azure AD. The initial plan to rewrite the entire authentication model to support Azure AD was simply not feasible, and no single approach could solve all of their authentication needs.¹

With the Datawiza Access Broker (DAB), time spent on SSO integration for applications with multiple IdPs is reduced from months to hours. The DAB provides uniform access control to a myriad of services distributed across multiple cloud providers (or on-premises) in a simple, consistent manner. Developers no longer need to write integration code for their applications. Instead, they follow these steps:

  1. Create an Application Registration with Identity Providers (e.g., Azure AD, Okta)
  2. Configure Application Settings on the Datawiza Cloud Management Console (DCMC)
  3. Deploy the DAB (using either Docker or Kubernetes)

In this example, we have two Identity Providers (Azure Active Directory and Okta) configured to handle SSO for a Header-Based app.
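What a header-based app looks like on the other side of the broker, as an added example that is not Datawiza's code: the application never talks to an IdP itself and reads the authenticated identity from request headers the broker injects. Because such an app would trust any header it receives, it must only accept requests that demonstrably came through the broker. The header names (X-Dw-User, X-Dw-Email, X-Dw-Groups) and the HMAC proof in X-Dw-Signature over a shared secret are assumptions made for this example, not the product's mechanism; the app is written against the stdlib WSGI interface so it runs without extra packages.

```python
"""Header-based app behind an access broker (added example, assumed header scheme)."""
import hashlib
import hmac
import os
from wsgiref.simple_server import make_server

# Shared secret between broker and app: placeholder, read from the environment.
BROKER_SECRET = os.environ.get("BROKER_SECRET", "constructed-shared-secret").encode()
IDENTITY_HEADERS = ("X-Dw-User", "X-Dw-Email", "X-Dw-Groups")


def sign_identity(headers, secret=BROKER_SECRET):
    """What the broker would compute: HMAC-SHA256 over the identity headers in a
    fixed order, so none of their values can be altered or added downstream."""
    msg = "\n".join(f"{h.lower()}:{headers.get(h, '')}" for h in IDENTITY_HEADERS)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def _wsgi_key(name):
    """Header name -> WSGI environ key (X-Dw-User -> HTTP_X_DW_USER)."""
    return "HTTP_" + name.upper().replace("-", "_")


def identity_from_environ(environ, secret=BROKER_SECRET):
    """Return the verified identity dict, or None when the request did not come
    through the broker (identity missing, signature missing, or signature wrong)."""
    headers = {h: environ.get(_wsgi_key(h), "") for h in IDENTITY_HEADERS}
    presented = environ.get(_wsgi_key("X-Dw-Signature"), "")
    if not headers["X-Dw-User"] or not presented:
        return None
    # Constant-time comparison so the check does not leak the expected value.
    if not hmac.compare_digest(presented, sign_identity(headers, secret)):
        return None
    return {
        "user": headers["X-Dw-User"],
        "email": headers["X-Dw-Email"],
        "groups": [g for g in headers["X-Dw-Groups"].split(",") if g],
    }


def app(environ, start_response):
    """The protected application: no IdP code, only the broker-supplied identity."""
    ident = identity_from_environ(environ)
    if ident is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"request did not pass through the access broker\n"]
    if environ.get("PATH_INFO") == "/admin" and "admins" not in ident["groups"]:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"group 'admins' required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {ident['user']} <{ident['email']}>\n".encode()]


def broker_environ(user, email, groups, path="/", secret=BROKER_SECRET):
    """Constructed request environ as the broker would forward it (for testing)."""
    headers = {"X-Dw-User": user, "X-Dw-Email": email, "X-Dw-Groups": groups}
    environ = {_wsgi_key(k): v for k, v in headers.items()}
    environ[_wsgi_key("X-Dw-Signature")] = sign_identity(headers, secret)
    environ["PATH_INFO"] = path
    return environ


def call(environ):
    """Run the app on an environ and return (status line, response body)."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Bind to loopback only: the broker is the sole intended client of this app.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The signature is belt and braces: in a real deployment the app should also be unreachable except from the broker (network policy, loopback or sidecar binding), since a request that reaches the app directly with a plausible X-Dw-User header and no proof is exactly the case the 401 branch exists for.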

Visit Datawiza Access Broker: Overview to learn more about the architecture and policy configurations that are made possible by the Access Broker and the Cloud Management Console.

[1] Johnson Controls simplifies remote access to legacy, on-prem apps with Azure AD and F5 BIG-IP APM