WebApp Sec mailing list archives
Re: Web single sign-on
From: <wbjw () mindspring com>
Date: Mon, 09 Dec 2002 16:06:03 -0500
You left out one vendor: RSA, and they utilize SAML today. (I don't work for them, and don't use it, so I can't say if it works or if it is any good.)

On Mon, 9 Dec 2002 11:54:46 -0800 securityarchitect () hush com wrote:

1. There are emerging standards for this. You should look at SAML and the upcoming WS-name standards as key contenders. There are of course several large schemes making headway into the arena, the Liberty Alliance and MS Passport (.NET passport or whatever name du jour it has). There are lots of vendors playing in this space and my advice is to look at them all, but focus on how their products will implement the emerging standards and not what they do today.

Waveset sunOne Identity server Tivoli Access Manager 360 Netegrity

Passport will only run on NT and is heavily tied into MS, so I would strongly suggest you look at Liberty Alliance as a strategic scheme. It's backed by Amex, CitiCorp and many other big names.

2 - You should call IBM and discuss how they might be using SAML and WS-Security in future versions of WebSphere (hint hint).

You are right in your observations about scaling and integrating new applications although tens of thousands of users is relatively small by today's standards.

I was interested in your comments that your application is protected by firewalls and ACLs. This is the classic webappsec mistake ;-( Take a look at the OWASP site www.owsp.org/guide for details.

On Mon, 09 Dec 2002 10:11:46 -0800 Marty wrote:

Hi,

This was posted at Vuln-Dev, maybe it would be interesting to hear from your group too.

---
Thanks Marty!

******************************************

Hi group,

We have a big discussion going on at one of my clients as we are about to add an Internet portal to several applications. We are looking at implementing a single sign-on (SSO) solution for our web applications. This discussion is as follows:

1- Should we buy an already made up single sign-on solution or build one in house? We've met with the people from Tivoli and Computer Associates already. Other suggestions?

2- What if we go for a temporary in-house solution for next year and get stuck with it as the portal and the number of applications starts growing?

My concern here is the potential of risk being blamed by the auditors about an in-house development vs a well known product.

The number of users of the portal will grow in the tens of thousands by the end of next year. Robustness of the solution should also be a main factor.

The security of the project is taken care of by firewall, access list, DMZ etc.

The number of different applications is already up to ten and the portal is not even built yet. The deployment of the applications (all web based) should start as early as March 2003.

Pre-requisites: We have to work with the fact that the environment is IBM Websphere servers and the fact that we are already using LDAP for authentication on some applications. No comments on that part please, we have to live with it...

---
Thanks!
Marty

******************************************

Thought of the week: As for the mind, nothing is too great; for kindness, nothing is too small.

Martin M Samson
Project manager,