Educause Security Discussion mailing list archives
Re: extending active directory to external (hosted) and 3rd parties
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 16 Mar 2011 11:17:40 -0400
Agree. Bob, I'm not sure if you are looking to authenticate users or applications and I'm not entirely clear on your requirements, but as a general response, one of the challenges in my view is the lack of significant market (vendor) convergence around a federated identity management solution in their products. They seem to think direct LDAP or RADIUS is that solution. This means that these projects tend not to be turnkey and often require heavy involvement from developers and high costs to implement. Even so, your protocols are still limited to a handful, and if you then get a product that understands the few you support, you're still looking at the same issue again. Often the vendor bakes something like LDAP into their products and very little else, thus limiting your options for federation and trust outside your organization without introducing a significant layer of complexity to maintain reasonable boundaries. If you have limited human resources, you may be pushed to the path of least resistance - and usually least security. A great deal depends on what you want to accomplish, what services you're courting, and what they will understand.

D/C

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:
I'd say "best practice" is a federated identity solution like Shibboleth. If the outside party can't or won't integrate that way, then a risk assessment is in order to see if the benefit of dealing with the organization(s) is worth the risk that would be assumed. We've so far chosen not to allow such access. Hopefully, as vendors lose business due to not being able to comply with demands for state of the art identity management solutions that don't demand exposure of their customers' core identity management infrastructure, the environment will progress.

From: "Witmer, Robert" <r.witmer () SNHU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 16 Mar 2011 10:05:56 -0400
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] extending active directory to external (hosted) and 3rd parties

Our university is considering external environments/3rd party connectivity that leverages our internal Active Directory structure from the internet. I think some organizations use a meta-directory tool. For example, in the MS world, employing Identity Lifecycle Management to create a replicated (cloned) A/D structure in the DMZ. Others allow connectivity directly to their internal A/D structure (this just sounds wrong), but I have no experience. Can anyone provide input on a "best practice" for this challenge? What are the security concerns beyond the obvious?

Thanks for your input,
Bob

Please consider the environment before printing this e-mail.

--
Gary Flynn
Security Engineer
James Madison University
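The point both replies make, that federation lets the institution decide which attributes each outside service receives instead of handing the service a view of the core directory, can be made concrete. The following Python model is an added example and is not code from the thread, from Shibboleth, or from any of the listed institutions. The directory record, the two service-provider entity IDs, the per-SP release policy, the pairwise-ID salt and the signing key are all constructed for illustration, and an HMAC stands in for the XML signature a real IdP would produce with its private key (which the SP would verify with the IdP's public certificate rather than a shared secret).

```python
import hashlib
import hmac
import json

# Constructed sample directory entry (not real data): this is everything a
# direct LDAP bind against the core directory would expose to an outside app.
DIRECTORY = {
    "jdoe": {
        "uid": "jdoe",
        "mail": "jdoe@example.edu",
        "displayName": "Jane Doe",
        "eduPersonAffiliation": ["member", "staff"],
        "employeeNumber": "000123",
        "telephoneNumber": "+1-555-0100",
        "memberOf": ["cn=payroll,ou=groups,dc=example,dc=edu"],
    }
}

# Hypothetical per-service-provider attribute release policy, keyed by the
# SP's entity ID. Both entity IDs are assumed values, not from the thread.
RELEASE_POLICY = {
    "https://lms.vendor.example/sp": {"mail", "displayName", "eduPersonAffiliation"},
    "https://survey.vendor.example/sp": {"eduPersonAffiliation"},
}

# Constructed secrets. In a real deployment the assertion is signed with the
# IdP's private key; HMAC is used here only to keep the example stdlib-only.
IDP_SIGNING_KEY = b"constructed-idp-signing-secret"
IDP_PAIRWISE_SALT = b"constructed-pairwise-salt"


def direct_ldap_exposure(uid):
    """Model of letting an outside party read the directory directly:
    every attribute on the entry is visible, whether the app needs it or not."""
    return dict(DIRECTORY[uid])


def pairwise_id(uid, sp_entity_id):
    """Opaque per-SP identifier (the idea behind Shibboleth's persistent ID):
    stable for one SP, unlinkable across SPs, and not a directory key."""
    material = IDP_PAIRWISE_SALT + uid.encode() + b"!" + sp_entity_id.encode()
    return hashlib.sha256(material).hexdigest()[:32]


def release_attributes(uid, sp_entity_id):
    """Apply the release policy: the SP sees only what it is entitled to.
    An SP with no policy entry gets nothing but the pairwise identifier."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    record = DIRECTORY[uid]
    released = {k: v for k, v in record.items() if k in allowed}
    released["persistentId"] = pairwise_id(uid, sp_entity_id)
    return released


def issue_assertion(uid, sp_entity_id):
    """IdP side: build a signed assertion scoped to one audience. The SP never
    holds the user's password and never binds to the directory."""
    payload = {"audience": sp_entity_id,
               "attributes": release_attributes(uid, sp_entity_id)}
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_assertion(assertion, expected_audience):
    """SP side: reject a bad signature or an assertion meant for another SP
    before trusting any attribute in it. Returns the attributes or None."""
    expected = hmac.new(IDP_SIGNING_KEY, assertion["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    payload = json.loads(assertion["body"])
    if payload["audience"] != expected_audience:
        return None
    return payload["attributes"]


if __name__ == "__main__":
    lms = "https://lms.vendor.example/sp"
    print("direct LDAP view:", sorted(direct_ldap_exposure("jdoe")))
    print("federated view:  ", sorted(release_attributes("jdoe", lms)))
    print("verified:        ", verify_assertion(issue_assertion("jdoe", lms), lms))
```

The contrast the thread is about falls out of the two views: the LDAP model exposes employee number, phone and group memberships to a service that only needed an affiliation, while the federated model releases per-SP subsets, gives each SP a different opaque identifier, and lets the SP verify an audience-bound signed assertion without any credential or bind against the institution's directory.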
Current thread:
- extending active directory to external (hosted) and 3rd parties Witmer, Robert (Mar 16)
- Re: extending active directory to external (hosted) and 3rd parties Flynn, Gary - flynngn (Mar 16)
- Re: extending active directory to external (hosted) and 3rd parties Dexter Caldwell (Mar 16)
- Re: extending active directory to external (hosted) and 3rd parties Dr. Wole Akpose (Mar 16)
- Re: extending active directory to external (hosted) and 3rd parties Flynn, Gary - flynngn (Mar 16)