Self-Service Applications
Enabling customers to help themselves
Written by Bob Worner, Vice President of Product Management, OpenNetwork Technologies
Bob Worner is the principal technical engineer for OpenNetwork Technologies, Inc., responsible for
developing products designed to meet client needs. Worner has 16 years of computer systems experience
with companies such as MCI, GTE, Grumman and Lockheed. He has worked on telecommunications
projects for the state government of California, developed intelligence systems for the United States Air
Force and created support applications for the testing and launching of NASA’s Space Shuttle program.
Worner holds a BS in computer engineering from the University of Florida.
About OpenNetwork Technologies
Based in Clearwater, Fla., OpenNetwork Technologies is a leading provider of secure e-business
infrastructure software for market-leading companies. OpenNetwork Technologies’ flagship product,
DirectorySmart™, secures Web applications by managing user security policies within a flexible security
infrastructure while offering the lowest cost of ownership and the fastest time to market. For more
information about OpenNetwork Technologies and DirectorySmart, visit http://www.opennetwork.com, send
e-mail to info@opennetwork.com or call (727) 561-9500.
The Internet has presented both new economy companies and traditional service and retail organizations
with the ultimate tool to increase their business and maximize profits. While the Internet has spurred the
growth of commerce, technology has yet to be fully leveraged to bring customer service functions to the
Web. In terms of supplying instant service and information, many businesses require that customers
telephone over-extended call centers or wait for a canned response via e-mail for the information they need.
These approaches are both frustrating to the customer and expensive for the business, and represent only a
minimal strategy to handle basic customer needs.
The Internet and enterprise technology now provide companies with the tools necessary to leverage IT
resources and offer self-service solutions to their customers. Implementing self-service applications enables
users to access pertinent information about themselves and their dealings with the enterprise. Through the
company’s delegation of appropriate authority to the end user, customers can access and update their own
information and receive the expediency they expect, while the businesses themselves save time and money.
Delegated authority and role-based administration are the foundation for this type of self-service application.
Delegated authority is the method by which a user within the organization is able to establish the privileges
and access controls for end users under their jurisdiction. Through the role-based security policies of the
system, company administrators can dictate exactly how much information the end users can
change about themselves. Entitlement information stored in the directory furnishes the necessary
administrative functions for defining users’ roles within the Web services while enabling delegation
of authority to perform those administrative operations.
Once this information is in the directory, it will allow end users to enjoy the simplicity of ‘single sign-on,’
whereby they must only sign on once and the system then passes the appropriate authentication and
credential information to multiple Web services. The enabled applications can leverage the directory, receive
authentication for access and feed information directly into Web applications; the Web Access Control agent
thereby spares end users from having to re-enter their information numerous times.
The Middleman for Customer Service
A Web Access Control (WAC) agent operates as a plug-in for a Web server or proxy server, inspects each
request and the identity data presented by the requestor, and determines whether to grant or reject the
request. The user may request any URL protected by a WAC Agent or any customer-specific Web service. If
the WAC Agent determines that the user is not logged in, it sets the Calling_URL cookie and returns a login
form. This form is identified in the configuration file and read into memory at WAC startup and subsequently
streamed to the browser. The form submits login credentials to a special Uniform Resource Identifier (URI)
that the WAC Agent recognizes. When the WAC Agent receives the HTTP request at this special URI, it
extracts the login credentials from the posted form elements and attempts the login process.
The login process will search the Directory for an entry with the specified user ID and, if found, attempt to
bind as that DN with the specified password. If successful, it will generate the encrypted cookie, containing
the user’s DN and ID, the IP address of the HTTP requester, and the current time.
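An added example (not OpenNetwork's code) of the cookie step just described: the agent binds the session to the user's DN and ID, the requester's IP address and the issue time, and rejects a cookie presented from another address or past its lifetime. For standard-library portability it authenticates the cookie with an HMAC tag rather than encrypting it as the text states; the key, the lifetime and the field names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key: a real agent loads its key from protected configuration.
SECRET_KEY = b"demo-key-not-for-production"
MAX_AGE_SECONDS = 1800  # assumed session lifetime; the text gives no value


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(dn: str, user_id: str, client_ip: str, now: float, key: bytes = SECRET_KEY) -> str:
    """Cookie value holding the user's DN and ID, the requester's IP and the issue time,
    followed by an HMAC-SHA256 tag so the agent can detect any modification."""
    payload = json.dumps({"dn": dn, "id": user_id, "ip": client_ip, "t": int(now)},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate_cookie(cookie: str, client_ip: str, now: float,
                    key: bytes = SECRET_KEY, max_age: int = MAX_AGE_SECONDS):
    """Return the session fields when the tag, the IP binding and the age all check
    out; return None for anything else so the agent falls back to the login form."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # forged or modified cookie
        return None
    fields = json.loads(payload)
    if fields.get("ip") != client_ip:  # cookie presented from a different address
        return None
    if not 0 <= now - fields["t"] <= max_age:  # stale or future-dated
        return None
    return fields
```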
Ultimately, the agent redirects the user to the URL they originally requested, as stored in the Calling_URL
cookie. Through role associations, the application queries the directory and determines which Web services
are associated with the user. For each associated Web service, the application generates a link that
references the protocol, host, port and start-up path of the Web service. The link will be either an image or
text, which is also stored in the Web service’s directory entry, and the resulting HTML page is displayed to
the user. When the user clicks on a Web service link, the associated URL will direct the user’s browser to
the Web service. This flurry of activity is transparent to the end user—they simply experience their own
personalized portal showing those links and services to which they are entitled.
When the user selects a link, the WAC Agent intercepts the HTTP request for the Web service at the Web
server or proxy server and identifies to which Web service the requested URL corresponds. It then
determines the level of authorization required to grant access to that service and performs the prescribed
validation checks. With the WAC Agent running on the Web server that delivers a given Web service, or on a
proxy server in front of that Web server (so that the service cannot be reached without passing through the
agent), every user who reaches the service has indeed been granted privileges to it.
For URLs that are not treated specially, the WAC Agent searches the directory for a defined Web Service
with which the current URL is associated. The definition of a Web service includes protocol, host, port and
path information. The startup path is the starting point for the application while the other paths are top-level
paths, beneath which are assumed to be sub-paths to various elements of the application. For example, a
URL such as "http://www.companyx.com/billing-cgi-bin/function-1/dosomething" would be associated with
that billing Web service, but a URL such as "http://www.companyx.com/dosomething" would not.
Once the Web service is identified to its corresponding URL, the WAC Agent determines the user’s access
privileges as the authorization level assigned to the Web service dictates. Possible values for determining
authorization include:
• All users—anyone may access the Web service, whether logged in via the single sign-on
service or not;
• Valid users—anyone that is logged in via the single sign-on service may access the Web
service;
• Roles—users must be logged in via the single sign-on service and have a role association that
grants access to this Web service.
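As an added illustration (not the product's code) of the URL-to-service matching and the three authorization levels, the following maps a requested URL to a constructed set of Web service definitions by protocol, host, port and top-level path, then applies the All users / Valid users / Roles rule. The directory-entry shape, the service names and the fail-closed handling of unmatched URLs are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebService:
    name: str
    protocol: str
    host: str
    port: int
    paths: tuple          # top-level paths; anything beneath them belongs to the service
    auth_level: str       # "all", "valid" or "roles"
    roles: frozenset = frozenset()  # roles that grant access when auth_level == "roles"


# Constructed stand-ins for directory entries (assumed shape; the text gives no schema).
SERVICES = [
    WebService("billing", "http", "www.companyx.com", 80, ("/billing-cgi-bin", "/billing"),
               "roles", frozenset({"billing-customer"})),
    WebService("account", "http", "www.companyx.com", 80, ("/account",), "valid"),
    WebService("help", "http", "www.companyx.com", 80, ("/help",), "all"),
]


def _path_under(path: str, top: str) -> bool:
    # "/billing-cgi-bin/function-1/dosomething" is under "/billing-cgi-bin"; "/billingx" is not.
    return path == top or path.startswith(top.rstrip("/") + "/")


def find_service(url: str, services=SERVICES):
    """Return the Web service whose protocol, host, port and a top-level path match the URL."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    for s in services:
        if (u.scheme, u.hostname, port) == (s.protocol, s.host, s.port) \
                and any(_path_under(u.path, p) for p in s.paths):
            return s
    return None


def authorize(url: str, session, services=SERVICES) -> str:
    """session: validated cookie fields with a 'roles' set, or None when not logged in.
    Returns 'grant', 'login' (send the login form) or 'deny'."""
    s = find_service(url, services)
    if s is None:
        return "deny"  # unmatched URL: behaviour not stated in the text; fail closed here
    if s.auth_level == "all":
        return "grant"
    if session is None:
        return "login"
    if s.auth_level == "valid":
        return "grant"
    return "grant" if s.roles & set(session.get("roles", ())) else "deny"
```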
Security Within the Web Application
Fine-Grained Access Control enables the infrastructure to manage access-control within the Web service,
making it possible for companies to maintain low-level security control within internal applications while
retaining the ability to set limits on what information can be accessed by end users. Therefore, e-business
managers do not have to create a security framework within their own applications, as the management
framework is already built and the API already provided.
Security audit logging and reporting allows administrators to view all changes made by a given user and to
configure a threshold for failed login attempts that, when breached, immediately alerts IT or security personnel.
End-to-end SSL support encrypts all communication with the directory using industry-standard SSL,
completing system security from the client through to the directory.
The process of implementing customer self-service requires dedicated technology efforts, yet the effort will
pay for itself many times over. By simultaneously reducing the number of calls into the customer service
center and improving customer satisfaction, expenses are lowered and profits are raised. A key goal is to
encourage an increasing number of customers to come back to the site, which will happen if they find it easy
and convenient to use, so that these business benefits can be compounded in the future.
The most effective way to establish a flexible, scalable, end-user friendly security infrastructure is through
secure directory services. Establishing a directory-based security infrastructure streamlines complex
relationships, consolidates user and policy management, and securely extends access to applications and
resources to diverse customers and partners. Self-service applications via the Web offer complete customer
self-sufficiency with the ease, convenience and expediency they require at the level dictated by the
business.
Self-management and delegated authority features provide e-business administrators with a secure,
personalized site in the fastest time to market and at the lowest cost of ownership.