Security Basics mailing list archives

RE: Authentication solution


From: "Matt Flynn" <mflynn () netvision com>
Date: Thu, 16 Jul 2009 12:41:20 -0600


Mike,

You described a perfect fit scenario for a WebSSO solution - it would
sit as the authentication on your web domain and provide SSO to multiple
apps.  There is some configuration required on each app that you want to
include, but overall these solutions work very well.  You can also
leverage your AD for authenticating internal users and some other source
for external users.  You'll also need a way to create accounts for
external users, but some of the SSO solutions include that capability.
And they give you the ability to manage which external users get access
to each application.

Good solutions are available from CA, Oracle, RSA, IBM and others.  I
can also recommend service providers if you're looking for consultative
help.

BTW - if you have a strategic relationship with another company and want
to authenticate their users based on their own authentication, then
you're looking for a solution that supports "federation", which is
essentially web SSO across domains.


Matthew Flynn
Director of Marketing & Strategy
NetVision



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Hellkyng () gmail com
Sent: Wednesday, July 15, 2009 12:19 PM
To: security-basics () securityfocus com
Subject: Authentication solution

Everyone,
I've got an issue where I need to authenticate an external
client/customer to multiple applications through our website. Ideally we
want the client to only have to log in once, but have access to all of
the other applications as necessary. 

Are there any security best practices available for this type of
problem? 

A single sign on solution has been discussed as a possible solution. Has
anyone had any experience using single sign on with external clients on
a publicly available website?

What problems (security or otherwise) did you encounter?

What other solutions are available?

Please poke holes in my ideas/problem, thanks!
Mike
