tmcnet final


Self-Service Applications

Enabling customers to help themselves

Written by Bob Worner, Vice President of Product Management, OpenNetwork Technologies

Bob Worner is the principal technical engineer for OpenNetwork Technologies, Inc., responsible for developing products designed to meet client needs. Worner has 16 years of computer systems experience with companies such as MCI, GTE, Grumman and Lockheed. He has worked on telecommunications projects for the state government of California, developed intelligence systems for the United States Air Force and created support applications for the testing and launching of NASA’s Space Shuttle program. Worner holds a BS in computer engineering from the University of Florida.

About OpenNetwork Technologies

Based in Clearwater, Fla., OpenNetwork Technologies is a leading provider of secure e-business infrastructure software for market-leading companies. OpenNetwork Technologies’ flagship product, DirectorySmart™, secures Web applications by managing user security policies within a flexible security infrastructure while offering the lowest cost of ownership and the fastest time to market. For more information about OpenNetwork Technologies and DirectorySmart, visit http://www.opennetwork.com, send e-mail to [email protected] or call (727) 561-9500.

The Internet has presented both new economy companies and traditional service and retail organizations with the ultimate tool to increase their business and maximize profits. While the Internet has spurred the growth of commerce, technology has yet to be fully leveraged to bring customer service functions to the Web. In terms of supplying instant service and information, many businesses require that customers telephone over-extended call centers or wait for a canned response via e-mail for the information they need. These approaches are both frustrating to the customer and expensive for the business, and represent only a minimal strategy to handle basic customer needs.

The Internet and enterprise technology now provide companies with the tools necessary to leverage IT resources and offer self-service solutions to their customers. Implementing self-service applications enables users to access pertinent information about themselves and their interest with the enterprise. Through the company’s delegation of appropriate authority to the end user, customers can access and update their own information and receive the expediency they expect, while the businesses themselves save time and money.

Delegated authority and role-based administration are the foundation for this type of self-service application. Delegated authority is the method by which a user within the organization is able to establish the privileges and access controls for end users under their jurisdiction. Through the role-based security policies of the system, company administrators can dictate exactly how much information the end users can change about themselves. Entitlement information stored in the directory furnishes the necessary administrative functions for defining users’ roles within the Web services while enabling delegation of authority to perform those administrative operations.

Once this information is in the directory, it will allow end users to enjoy the simplicity of ‘single sign-on,’ whereby they must only sign on once and the system then passes the appropriate authentication and credential information to multiple Web services. The enabled applications can leverage the directory, receive authentication for access and feed information directly into Web applications, thereby eliminating the hassle of end users having to re-enter their information numerous times via the Web Access Control agent.

The Middleman for Customer Service

A Web Access Control (WAC) agent operates as a plug-in for a Web server or proxy server, inspects each request and the identity data presented by the requestor, and determines whether to grant or reject the request. The user may request any URL protected by a WAC Agent or any customer-specific Web service. If the WAC Agent determines that the user is not logged in, it sets the Calling_URL cookie and returns a login form. This form is identified in the configuration file and read into memory at WAC startup and subsequently streamed to the browser. The form submits login credentials to a special Uniform Resource Identifier (URI) that the WAC Agent recognizes. When the WAC Agent receives the HTTP request at this special URI, it extracts the login credentials from the posted form elements and attempts the login process.

The login process will search the Directory for an entry with the specified user ID and, if found, attempt to bind as that DN with the specified password. If successful, it will generate the encrypted cookie, containing the user’s DN and ID, the IP address of the HTTP requester, and the current time.
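The checks that a cookie carrying these fields makes possible, as an added example that is not OpenNetwork's code: the agent can reject a cookie that was altered, presented from a different IP address, or is older than a session limit. The token layout, the key and the 15-minute limit are assumptions, and an HMAC tag stands in for the encryption the article describes, since the Python standard library has no authenticated cipher.

```python
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"   # constructed; a real agent loads its key from protected config
MAX_AGE = 15 * 60               # assumed session lifetime in seconds (not stated in the article)

def issue_cookie(dn, uid, client_ip, now=None):
    """Build the cookie after a successful bind: DN, ID, requester IP, current time."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"dn": dn, "id": uid, "ip": client_ip, "time": issued},
                      separators=(",", ":")).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def check_cookie(cookie, client_ip, now=None):
    """Return the cookie fields if authentic, from the same IP and fresh; else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, TypeError):
        return None
    tag, body = raw[:32], raw[32:]
    # Constant-time comparison; parse the body only after it has been authenticated.
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return None
    fields = json.loads(body)
    now = int(time.time() if now is None else now)
    if fields["ip"] != client_ip:
        return None             # cookie presented from a different address
    if not 0 <= now - fields["time"] <= MAX_AGE:
        return None             # expired, or issued in the future
    return fields
```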

Ultimately, the agent redirects the user to the URL they originally requested, as stored in the Calling_URL cookie. Through role associations, the application queries the directory and determines which Web services are associated with the user. For each associated Web service, the application generates a link that references the protocol, host, port and start-up path of the Web service. The link will be either an image or text, which is also stored in the Web service’s directory entry, and the resulting HTML page is displayed to the user. When the user clicks on a Web service link, the associated URL will direct the user’s browser to the Web service. This flurry of activity is transparent to the end user—they simply experience their own personalized portal showing those links and services to which they are entitled.

When the user selects a link, the WAC Agent intercepts the HTTP request for the Web service at the Web server or proxy server and identifies to which Web service the requested URL corresponds. It then determines the level of authorization required to grant access to that service and performs the prescribed validation checks. With the WAC Agent running on the Web server that delivers a given Web service, or on a proxy server in front of that Web server, it is guaranteed that the user accessing the service has indeed been granted privileges to it.

For URLs that are not treated specially, the WAC Agent searches the directory for a defined Web Service with which the current URL is associated. The definition of a Web service includes protocol, host, port and path information. The startup path is the starting point for the application while the other paths are top-level paths, beneath which are assumed to be sub-paths to various elements of the application. For example, a URL such as "http://www.companyx.com/billing-cgi-bin/function-1/dosomething" would be associated with that billing Web service, but a URL such as "http://www.companyx.com/dosomething" would not.

Once the URL has been matched to its Web service, the WAC Agent determines the user’s access privileges according to the authorization level assigned to that Web service. Possible authorization levels include:

All users—anyone may access the Web service, whether logged in via the single sign-on service or not;

Valid users—anyone that is logged in via the single sign-on service may access the Web service;

Roles—users must be logged in via the single sign-on service and have a role association that grants access to this Web service.

Security Within the Web Application

Fine-Grained Access Control enables the infrastructure to manage access control within the Web service, making it possible for companies to maintain low-level security control within internal applications while retaining the ability to set limits on what information can be accessed by end users. Therefore, e-business managers do not have to create a security framework within their own applications, as the management framework is already built and the API already provided.

Security audit logging and reporting allow administrators to view all changes made by a given user and to configure a threshold for failed login attempts that, if breached, immediately alerts IT or security personnel. End-to-end SSL support encrypts all communication with the directory using industry-standard SSL, completing system security from the client to the directory.

The process of implementing customer self-service requires dedicated technology efforts, yet the effort will pay for itself many times over. By simultaneously reducing the number of calls into the customer service center and improving customer satisfaction, expenses are lowered and profits are raised. A key goal is to encourage an increasing number of customers to come back to the site, which will happen if they find it easy and convenient to use, so that these business benefits can be compounded in the future.

The most effective way to establish a flexible, scalable, end-user friendly security infrastructure is through secure directory services. Establishing a directory-based security infrastructure streamlines complex relationships, consolidates user and policy management, and securely extends access to applications and resources to diverse customers and partners. Self-service applications via the Web offer complete customer self-sufficiency with the ease, convenience and expediency they require at the level dictated by the business.

Self-management and delegated authority features provide e-business administrators with a secure, personalized site in the fastest time to market and at the lowest cost of ownership.