WebApp Sec mailing list archives
FW: Web single sign-on
From: johneder () hushmail com
Date: Tue, 10 Dec 2002 09:06:06 -0800
A bit dated... http://www.nwfusion.com/reviews/2001/0528rev.html

-JE

-----Original Message-----
From: securityarchitect () hush com [mailto:securityarchitect () hush com]
Sent: Monday, December 09, 2002 1:43 PM
To: webappsec () securityfocus com; ssgill () gilltechnologies com
Subject: RE: Web single sign-on

Actually I guess there are lots we have left out. Oblix, RSA etc etc. Does anyone know of a good comparison report to point to of SSO products?

On Mon, 09 Dec 2002 13:36:50 -0800 Sarbjit Singh Gill <ssgill () gilltechnologies com> wrote:
Greetings,

What about Novell's eDirectory? Possibly the best single sign-on system, and it does not require a Novell server to be around.

Gill

-----Original Message-----
From: securityarchitect () hush com [mailto:securityarchitect () hush com]
Sent: Tuesday, December 10, 2002 3:55 AM
To: webappsec () securityfocus com
Subject: Re: Web single sign-on

1. There are emerging standards for this. You should look at SAML and the upcoming WS-name standards as key contenders. There are of course several large schemes making headway into the arena, the Liberty Alliance and MS Passport (.NET Passport or whatever name du jour it has). There are lots of vendors playing in this space and my advice is to look at them all, but focus on how their products will implement the emerging standards and not what they do today.

Waveset
sunOne Identity server
Tivoli Access Manager
360
Netegrity

Passport will only run on NT and is heavily tied into MS, so I would strongly suggest you look at Liberty Alliance as a strategic scheme. It's backed by Amex, CitiCorp and many other big names.

2 - You should call IBM and discuss how they might be using SAML and WS-Security in future versions of WebSphere (hint hint).

You are right in your observations about scaling and integrating new applications, although tens of thousands of users is relatively small by today's standards.

I was interested in your comments that your application is protected by firewalls and ACLs. This is the classic webappsec mistake ;-( Take a look at the OWASP site www.owsp.org/guide for details.

On Mon, 09 Dec 2002 10:11:46 -0800 Marty <marti () videotron ca> wrote:

Hi,

This was posted at Vuln-Dev, maybe it would be interesting to hear from your group too.

---
Thanks, Marty!

******************************************

Hi group,

We have a big discussion going on at one of my clients as we are about to add an Internet portal to several applications. We are looking at implementing a single sign-on (SSO) solution for our web applications.

This discussion is as follows:

1- Should we buy an already made up single sign-on solution or build one in house? We've met with the people from Tivoli and Computer Associates already. Other suggestions?

2- What if we go for a temporary in-house solution for next year and get stuck with it as the portal and the number of applications start growing? My concern here is the potential risk of being blamed by the auditors about an in-house development vs a well known product.

The number of users of the portal will grow into the tens of thousands by the end of next year. Robustness of the solution should also be a main factor.

The security of the project is taken care of by firewall, access list, DMZ etc.

The number of different applications is already up to ten and the portal is not even built yet. The deployment of the applications (all web based) should start as early as March 2003.

Pre-requisites: We have to work with the fact that the environment is IBM Websphere servers and the fact that we are already using LDAP for authentication on some applications. No comments on that part please, we have to live with it...

---
Thanks!
Marty

******************************************

Thought of the week: As for the mind, nothing is too great; for kindness, nothing is too small.

Martin M Samson
Project manager,
Current thread:
- Web single sign-on Marty (Dec 09)
- RE: Web single sign-on Simon Cunningham (Dec 09)
- <Possible follow-ups>
- Re: Web single sign-on securityarchitect (Dec 09)
- RE: Web single sign-on Sarbjit Singh Gill (Dec 09)
- Re: Web single sign-on wbjw (Dec 09)
- Re: Web single sign-on Greg Gagnon (Dec 10)
- RE: Web single sign-on securityarchitect (Dec 09)
- FW: Web single sign-on johneder (Dec 10)
- Re: Web single sign-on Andrew Chong (Dec 11)