Re: Web single sign-on

[<wbjw () mindspring com>]

You left out one vendor: RSA, and they utilize SAML today.   (I don't work for
them, and don't use it, so I can't say if it works or if it is any good)

On Mon,  9 Dec 2002 11:54:46 -0800 securityarchitect () hush com wrote:

> 1. There are emerging standards for this. You
> should look at SAML and the upcoming WS-name
> standards as key contenders. There are of
> course several large schemes making headway
> into the arena, the Liberty Alliance and MS
> Passport (.NET passport or whatever name du
> jour it has). There are lots of vendors playing
> in this space and my advice is to look at them
> all, but focus on how their products will
> implement the emerging standards and not what
> they do today. 
>
> Waveset
> sunOne Identity server
> Tivoli Access Manager 360
> Netegrity
>
> Passport will only run on NT and is heavily
> tied into MS, so I would strongly suggest you
> look at Liberty Alliance as a strategic scheme.
> Its backed by Amex, CitiCorp and may other big
> names. 
>
> 2 - You should call IBM and discuss how they
> might be using SAML and WS-Security in future
> versions of WebSphere (hint hint). You are
> right in your observations about scaling and
> integrating new applications although tens of
> thousands of users is relatively small by
> todays standards.
>
> I was interested in your comments that your
> application is protected by firewalls and ACLs.
> This is the classic webappsec mistake ;-( Take
> a look at the OWASP site www.owsp.org/guide for
> a details.
>
>
>
> On Mon, 09 Dec 2002 10:11:46 -0800 Marty 
> wrote:
> > Hi,
> >
> > This was posted at Vuln-Dev, maybe it would be
> intersting to hear 
> > from
> > your group too.
> >
> > ---
> >
> > Merci
> >
> > Marty!
> >
> > ******************************************
> >
> >
> > > Hi group,
> > >
> > >
> > > We have a big discussion going on at one of
> my clients as we are 
> > about
> >
> > > to add an Internet portal to several
> applications. We are looking 
> > at 
> > > implementing a single sign-on (SSO) solution
> for our web applications.
> > > This discussion is as follow:
> > >
> > > 1- Should we buy an already made up single
> sign-on solution or 
> > build 
> > > one in house?
> > >
> > > We've met with the people from Tivoli and
> Computers associates 
> > > already. Other suggestions?
> > >
> > > 2- What if we go for a temporary in-house
> solution for next year 
> > and 
> > > get stuck with it as the portal and the
> number of applications 
> > starts 
> > > growing?
> > >
> > > My concern here is the potential of risk
> being blamed by the auditors 
> > > about an in-house development vs a well
> known product.
> > > The number of users of the portal will grow
> in the ten of thousands 
> > by
> >
> > > the end of next year. Robustness of the
> solution should also be 
> > a main
> >
> > > factor.
> > >
> > > The security of the project is taken care of
> by firewall, access 
> > list,
> >
> > > DMZ etc.
> > >
> > > The number of different application is
> already up to ten and the 
> > > portal is not even built yet. The deployment
> of the appliactions 
> > (all 
> > > web
> > > based) should start as early as march 2003.
> > >
> > > Pre-requisites : We have to work with the
> fact that the environment 
> > is
> >
> > > IBM Websphere servers and the fact that we
> are already using LDAP 
> > for 
> > > authentication on some applications. No
> comments on that part 
> > please, 
> > > we have to live with it...
> > >
> > >
> > >
> > > ---
> > >
> > > Thanks!
> > >
> > > Marty
> > >
> > > ******************************************
> > >
> > > Pensée de la semaine :  Comme pour l'esprit,
> rien n'est trop grand,
> > > pour la bonté, rien n'est trop petit.
> > >
> > > Martin M Samson
> > > Chef de projets,
>
>
>
> Concerned about your privacy? Follow this link
> to get
> FREE encrypted email:
> https://www.hushmail.com/?l=2 
>
> Big $$$ to be made with the HushMail Affiliate
> Program: 
> https://www.hushmail.com/about.php?subloc=affiliate&l=427