Thomson Reuters wanted to avoid writing custom authentication code for its Treasura software-plus-services solution. The company created a standards-compliant common authentication framework that supports seamless single sign on across Treasura components and with other Thomson Reuters products, no matter what technologies they are based on, and expects to save an average of three months' development time on each new application.
Using software, hardware, and Web services, Thomson Reuters provides relevant, reliable information for businesses in financial, legal, tax and accounting, scientific, healthcare, and media markets. In these industries, leaks or loss of sensitive data can spell disaster, and customers expect excellent security; for example, one Thomson Reuters solution is used by banks to perform financial trading, with roughly U.S.$30 trillion a week flowing through it.
Thomson Reuters also created Treasura, a software-as-a-service treasury offering that includes optional installed, on-premises programs, to handle cash and liquidity management, forecasting, payments, and compliance. For compliance with business regulations such as the Sarbanes-Oxley Act of 2002 (SOX), Treasura provides tracking and reporting on payment workflows, and is designed to ensure that the right people in the organization have secure access to initiate or approve a payment.
To make Treasura accessible and secure across a range of users, applications, and systems, Thomson Reuters custom developed identity and access logic and connectivity processes. For identity management, multiple authentication frameworks had to be maintained and coordinated. First, Thomson Reuters managed its own repository of user profiles, created and managed using Active Directory, that included passwords and other properties. Second, customer companies applied their own authentication policies for password expiration, user access, and so on, on their networks and again by configuring Treasura. Treasurers then logged on to their Windows-based computers with user names and passwords, and authenticated again through the Windows Internet Explorer browser at the Web site where Treasura is hosted—and yet again to access any optional installed Treasura applications.
Thomson Reuters wanted to provide single sign on (SSO) access for Treasura and its installed applications through identity federation with its customers, so treasurers could log on to their computers once and navigate to the Treasura site and among Treasura applications without having to sign in again. Customers could then manage and control their own authentication and access policies just once, on their own networks. The Treasura team also wanted to provide SSO access to other Thomson Reuters products, even ones that are built using Sun OpenSSO or other third-party technologies instead of Active Directory.
In April 2009, Thomson Reuters joined a Microsoft Technology Adoption Program for the Windows Identity Foundation, an extension to the Microsoft .NET Framework. Windows Identity Foundation enables .NET developers to externalize identity logic from their applications, improving developer productivity, enhancing application security, and enabling interoperability with a single user access model based on claims. Claims group together information about a user into a security token that is used for authentication, and they work with broadly used standards, such as WS-Federation and WS-Trust, to interoperate with Microsoft and third-party security technologies.
“Our projected future needs are diverse, so our products should interoperate with a wide variety of identity infrastructures. Being able to provide a standards-based solution opens up a lot of options for us.”
Senior Software Developer, Thomson Reuters
Thomson Reuters uses the support for standards in Windows Identity Foundation and Active Directory Federation Services 2.0 to extend SSO functionality across applications. Active Directory Federation Services 2.0 supports federated identity and access management by more securely sharing security tokens across security, organizational, and technological boundaries.
Because Treasura has been available for about five years, Thomson Reuters had to write custom authentication code to preserve certain authentication mechanisms for backward compatibility. To do so, developers used Windows Identity Foundation with familiar tools, including Microsoft Visual Studio 2008 Professional Edition development system, Microsoft .NET 3.5, and ASP.NET. Thomson Reuters used templates in Visual Studio as the basis for building custom authentication services that will work with both on-premises, installed applications and Web-based services. Windows Identity Foundation is compatible with ASP.NET role-based security, so .NET developers can integrate claims-based access without rewriting existing code, to quickly create authentication modules for each application.
Thomson Reuters will offer these new features in the next version of Treasura, to be released in December 2009.
Thomson Reuters expects to see many benefits, including:
Developer productivity. Externalizing user access from applications via claims improves developer productivity by providing a single identity model and simplifying the construction of authentication modules. “Also, the ease of creating custom authentication services is quite valuable,” says Jason Shantz, Senior Software Developer at Thomson Reuters. “Over the lifetime of each application, we expect to save an average of three months of development time with Windows Identity Foundation.” Developers can use the same familiar tools to provide SSO without having to write custom authentication code.
Interoperable, flexible claims-based architecture. The support for standards will facilitate SSO identity federation for Treasura’s customers—and among other Thomson Reuters products—even if they do not use Microsoft technologies. “We have huge projected future needs to interoperate with a wide variety of identity infrastructures, and being able to provide a standards-based solution opens up a lot of options for us,” comments Shantz.
Enhanced application security. “Offering one shared authentication infrastructure improves security, because our developers can focus their efforts on making it the best it can be, without worrying about creating authentication silos in each application that we must manage separately,” Shantz remarks. He adds that the high quality of this infrastructure helps ensure proper identification of the people accessing Treasura, “So treasurers can securely access Treasura using installed software as well as Web services through a single user access model, for anywhere access.”