Distal
Distal authentication is the easiest way for providers of SaaS/Cloud
apps to make their applications more usable for their larger customers.
From the user's point of view, they simply click a link on their own intranet
and are brought directly into the web application as an authenticated user,
without having to supply a username or password.
Distal uses current information from the customer's existing user directory to identify the
user and manage their access rights.
Minimal requirements on user organisations
The only infrastructure required by a user organisation is an intranet that
requires users to authenticate. As an example, Microsoft IIS using Windows
domain authentication is sufficient.
If the user organisation has a user directory, like Active Directory (AD) or
LDAP, it can easily be used to provide more detailed user information like
name, email and cost center information. This information can be used to
automate user profile and access right management in the service.
To use Distal authentication in a user organisation, only one short, clear-text
script has to be copied to the intranet server. The script can easily be
reviewed and approved by the customer's security officers, and the customer can
deploy it on the intranet in minutes. Distal scripts are
available for all common intranet platforms.
If the user organisation has a SAML Identity Provider, Distal can use that
as well.
Easy to integrate with your service
Integrating Distal with your service is straightforward. It integrates with
your application over HTTP, so there are no APIs to learn and no agents or proxies
to install. Integration consists of the following steps:
1. Install the Distal server, a Java EE application, on a server reachable over HTTPS from your customers' intranets.
2. Create a small relational database for Distal configuration data, about 50 MB per 10,000 users.
3. Develop a trusted sign-on module in your application, about one day of work.
4. Configure Distal to use your trusted sign-on by setting URLs, parameters, and which information should be sent in which parameter.
5. Configure Distal to receive information from customer intranets or SAML IdPs.
An example of what a trusted sign-on module could look like is shown below:
    // Trusted sign-on entry point: Distal sends the browser here with the user's
    // attributes as request parameters. isTrustedRequest, userManager, User and
    // setAuthenticatedUser are the application's own components.
    protected void handleTrustedSignOn(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (!isTrustedRequest(request)) {
            response.sendRedirect("error");
            return; // never fall through to user lookup or creation for an untrusted request
        }
        String organization = request.getParameter("organization");
        String firstName = request.getParameter("firstName");
        String lastName = request.getParameter("lastName");
        String email = request.getParameter("email");
        String roles = request.getParameter("roles");

        // Look up the user based on attribute(s)
        User user = userManager.findUser(organization, email);
        if (user != null) {
            // Update user profile (optional)
            user.setRoles(roles);
            userManager.updateUser(user);
        } else {
            // Create new user profile (optional)
            user = new User(organization, firstName, lastName, email, roles);
            userManager.createUser(user);
        }
        setAuthenticatedUser(user);
        response.sendRedirect("home");
    }
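The whole security of the module above rests on isTrustedRequest: if a request carrying an arbitrary email could pass it, anyone could be signed in as anyone. The page does not show how Distal makes that decision, so the following is an added example, not Distal's own code, of one common way to build such a check: an HMAC-SHA256 over the sign-on parameters with a secret shared with the Distal server, plus a timestamp window so a captured request cannot be replayed later. The parameter names "sig" and "ts", the Base64url signature encoding, the sorted URL-encoded canonical form and the class name TrustedRequestCheck are all assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;

public final class TrustedRequestCheck {
    private final byte[] sharedSecret; // agreed out-of-band with the Distal server (assumed design)
    private final long maxSkewMillis;  // how old a sign-on request may be before it is rejected

    public TrustedRequestCheck(byte[] sharedSecret, long maxSkewMillis) {
        this.sharedSecret = sharedSecret.clone();
        this.maxSkewMillis = maxSkewMillis;
    }

    /** True only if the request carries a fresh "ts" and a valid HMAC "sig" over its other parameters. */
    public boolean isTrustedRequest(HttpServletRequest request) {
        String ts = request.getParameter("ts");
        String sig = request.getParameter("sig");
        if (ts == null || sig == null) return false;
        long sent;
        try { sent = Long.parseLong(ts); } catch (NumberFormatException e) { return false; }
        // The timestamp window limits how long a captured sign-on request stays usable
        if (Math.abs(System.currentTimeMillis() - sent) > maxSkewMillis) return false;
        // Canonical form: every parameter except sig, sorted by name, URL-encoded, joined with '&'
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
            if (!"sig".equals(e.getKey())) sorted.put(e.getKey(), e.getValue()[0]);
        }
        StringBuilder canon = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (canon.length() > 0) canon.append('&');
            canon.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)).append('=')
                 .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sharedSecret, "HmacSHA256"));
            byte[] expected = mac.doFinal(canon.toString().getBytes(StandardCharsets.UTF_8));
            byte[] given = Base64.getUrlDecoder().decode(sig);
            return MessageDigest.isEqual(expected, given); // constant-time comparison
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // unusable key or malformed signature
        }
    }
}
```

Because the organization parameter is part of the signed string, a valid signature for one customer cannot be reused to sign a user into another; recording seen (ts, sig) pairs for the length of the window would also close replay inside the window.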
The technology used to develop a trusted sign-on module depends on how access
management is done in the application. Some of the options are:
- web page
- .Net MembershipProvider
- JAAS module
- Custom authentication provider