Educause Security Discussion mailing list archives

Re: extending active directory to external (hosted) and 3rd parties


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 16 Mar 2011 11:17:40 -0400

Agree.  Bob, I'm not sure if you are looking to authenticate users or
applications and I'm not entirely clear on your requirements but as a
general response, one of the challenges in my view is the lack of
significant market (vendor) convergence around a federated identity
management solution in their products.  They seem to think direct ldap or
radius is that solution.  This means that these projects tend not to be
turnkey and often require heavy involvement from developers and high costs
to implement.  Even so, your protocols are still limited to a handful and
if you then get a product that understands the few you support, you're
still looking at the same issue again.  Often the vendor bakes something
like ldap into their products and very little else, thus limiting your
options for federation and trust outside your organization without
introducing a significant layer of complexity to maintain reasonable
boundaries.   If you have limited human resources, you may be pushed to
the path of least resistance- and usually least security.  A great deal
depends on what you want to accomplish and what services you're courting
and what they will understand. 

D/C
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
I'd say "best practice" is a federated identity solution like Shibboleth.
If the outside party can't or won't integrate that way, then a risk
assessment is in order to see if the benefit of dealing with the
organization(s) is worth the risk that would be assumed. We've so far
chosen not to allow such access. 


Hopefully, as vendors lose business due to not being able to comply with
demands for state of the art identity management solutions that don't
demand exposure of their customers' core identity management
infrastructure, the environment will progress.

From: "Witmer, Robert" <r.witmer () SNHU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 16 Mar 2011 10:05:56 -0400
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] extending active directory to external (hosted) and 3rd parties

Our university is considering external environments/3rd party
connectivity that leverages our internal Active Directory structure from
the internet.   I think some organizations use a meta-directory tool.  For
example, in the MS world, employing Identity Lifecycle Management to
create a replicated (cloned) A/D structure in the DMZ.  Others allow
connectivity directly to their internal A/D structure (this just sounds
wrong), but I have no experience.  Can anyone provide input on a "best
practice" for this challenge?  What are the security concerns beyond
the obvious?
Thanks for your input,
Bob

-- 
Gary Flynn
Security Engineer
James Madison University
