Educause Security Discussion mailing list archives

Re: extending active directory to external (hosted) and 3rd parties


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 16 Mar 2011 14:13:52 +0000

I'd say "best practice" is a federated identity solution like Shibboleth. If
the outside party can't or won't integrate that way, then a risk assessment
is in order to see if the benefit of dealing with the organization(s) is
worth the risk that would be assumed. We've so far chosen not to allow such
access. 

Hopefully, as vendors lose business due to not being able to comply with
demands for state of the art identity management solutions that don't demand
exposure of their customers' core identity management infrastructure, the
environment will progress.




From:  "Witmer, Robert" <r.witmer () SNHU EDU>
Reply-To:  The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date:  Wed, 16 Mar 2011 10:05:56 -0400
To:  <SECURITY () LISTSERV EDUCAUSE EDU>
Subject:  [SECURITY] extending active directory to external (hosted) and 3rd
parties

Our university is considering external environments/3rd party connectivity
that leverages our internal Active Directory structure from the internet. I
think some organizations use a meta-directory tool. For example, in the MS
world, employing Identity Lifecycle Management to create a replicated (cloned)
A/D structure in the DMZ. Others allow connectivity directly to their
internal A/D structure (this just sounds wrong), but I have no experience.
Can anyone provide input on a "best practice" for this challenge? What are
the security concerns beyond the obvious?
Thanks for your input,
Bob
-- 
Gary Flynn
Security Engineer
James Madison University
