Educause Security Discussion mailing list archives
Re: extending active directory to external (hosted) and 3rd parties
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 16 Mar 2011 14:13:52 +0000
I'd say "best practice" is a federated identity solution like Shibboleth. If the outside party can't or won't integrate that way, then a risk assessment is in order to see if the benefit of dealing with the organization(s) is worth the risk that would be assumed. We've so far chosen not to allow such access. Hopefully, as vendors lose business due to not being able to comply with demands for state of the art identity management solutions that don't demand exposure of their customers' core identity management infrastructure, the environment will progress.

From: "Witmer, Robert" <r.witmer () SNHU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 16 Mar 2011 10:05:56 -0400
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] extending active directory to external (hosted) and 3rd parties
Our university is considering external environments/3rd party connectivity that leverages our internal Active Directory structure from the internet. I think some organizations use a meta-directory tool. For example, in the MS world, employing Identity Lifecycle Management to create a replicated (cloned) A/D structure in the DMZ. Others allow connectivity directly to their internal A/D structure (this just sounds wrong), but I have no experience. Can anyone provide input on a "best practice" for this challenge? What are the security concerns beyond the obvious?

Thanks for your input,
Bob
--
Gary Flynn
Security Engineer
James Madison University