BT has lowered the costs of deploying new applications with a user authentication tool.

The telecoms company has been using SiteMinder, a centralised internet access management system from CA Technologies, to manage authentication and enable single sign-on for its end users since 2003. In the last 12 months, it conducted a successful trial to extend the infrastructure of the system to enable faster deployment of new applications.

Speaking at CA Technologies' CA World conference in Las Vegas, Alec Cartwright, identity services architect at BT, said that the company originally started using SiteMinder 6 to improve user experience, and that it hopes to upgrade to SiteMinder 12 later this year.

The company has just over 200 applications using the system, which is available to 150,000 employees. The employees log into the SiteMinder system at least once a day, and the system allows them to securely log into their desktop and the system simultaneously via the Windows Challenge/Response (NTLM) authentication protocol.

“It is underlying Microsoft technology, but CA and SiteMinder have leveraged it to link the two together,” said Cartwright.

CIO 100-ranked BT has an authentication server based on Apache 2.2, with a standard SiteMinder agent. To extend the SiteMinder infrastructure, the company then deployed an Integrated Windows Authentication (IWA) server with Internet Information Services (IIS) switched on.

“The authentication server looks at the user coming in and works out from the parameters from the browser whether or not it can support it. When it works out the user can use IWA, it will send them to the IIS server to log them in,” Cartwright explained.

“Otherwise the user will be directed to the standard login page. Once it works out the user can do IWA, it will install a cookie so the PC doesn’t need to always do a check.”

However, Cartwright warned that IIS authentication does not work all the time: for example, when the user accesses the system via an HTTP proxy, or uses certain web browsers.

“Not all browsers are compatible,” he said. “You really must be on at least Internet Explorer 6, though it will work with IE5, and works with Firefox.”

Nonetheless, BT said that it now has more than 100,000 people using the service, and that it discovered a fringe benefit: the service allowed the company to protect sites it would not normally consider putting a login on, such as the employee news service.

“It meant that we could start a strategy to remove firewalls,” said Cartwright. “Deploying IWA frees us up from having to protect everything, and employees having to type in passwords on systems that they’re not used to doing.”

Meanwhile, BT has used the SiteMinder system to apply authorisation limits so that users can access and upgrade application agents within set security parameters.

Cartwright said: “Every time you do a new integration of a new application, there is building policies and installing agents involved. This is an ongoing activity, upgrading existing agents, installing new web servers and adding new agents.

“A good agent upgrade takes one and a half hours, so there is a big cost there in terms of doing upgrades. We needed to upgrade all our agents – 1,000 agents in production.”

However, Cartwright said that adding capabilities to SiteMinder has helped BT reduce the amount of manpower involved in application integration by 70 percent. The company does an average of 50 integrations each quarter, which includes upgrades to applications, changing existing deployments and adding new agents.

“There is less involvement from the integration team and simplified agent install means that developers do not need to call a SiteMinder expert to help them,” he said.

Cartwright added: “The work [upgrading agents] is now spread across several hundred people. What we have saved is we don’t have to have three or four people centrally to do it, who would normally be installing agents permanently. It’s now part of the operational people’s daily work.”

Last week, BT unveiled plans to roll out an internal social networking site to its employees, having developed the site on early versions of the new Microsoft SharePoint 2010.