Security Basics mailing list archives
Re: Authentication solution
From: Lars <sunberg () gmail com>
Date: Mon, 20 Jul 2009 09:31:42 +0200
Hi,

I've been working for some time on an open-source solution to have authentication (single/multi) to access several web apps. Put all your web apps under the same directory and forget about the security in that directory. It uses Apache basic auth and/or SSL client certs to secure the secured area.

The project isn't quite ready for everyone yet, but it is possible to install and use. My demo site is down atm, but if you want to take a look at some features, see http://phpmylogin.sourceforge.net/wiki/doku.php?id=feature_list

Also, if anyone knows PHP or has any ideas and wants to help me with this project, please contact me!

Regards,
Lars

On Fri, Jul 17, 2009 at 11:35 PM, Matt Flynn <mflynn () netvision com> wrote:
Well, it can certainly get complicated. But the SSO solutions are designed specifically to simplify these scenarios by centralizing the authentication. Even if you choose to keep numerous authentication methods, if you want to do SSO, you'll need to update each system's authentication mechanism to receive the new SSO token, so I would seriously consider swapping the various authentication mechanisms for a single, centralized SSO/WAM system (Web Access Management). Each system would redirect to the WAM for authentication. The WAM would pass a token to the app letting it know that the user is authenticated and who they are. Additional levels of authentication can also be directed to the WAM, and it can be set up to use strong authentication when required.

If the app within the app is configured to use the same token, it's not an issue. Again, the 2nd-tier app will need to be adjusted to accept some new form of token if you're adding SSO for the first time. If you said it already would accept a SAML token, then perhaps you could use federation technologies without having to incorporate it into the WAM system. But one way or another, if you want SSO, you need to do some work on each participating app to change the way it behaves.

Knowing the little that I do, my recommendation is to just incorporate all relevant apps into a single WAM solution based on current protocols and use that as the basis for new apps. The app-within-an-app scenario is actually not uncommon for the WAM vendors (think portal). I think that sometimes customer organizations overlook the complexity and effort when purchasing those systems, but they are designed to handle the problem.

Matt

Matthew Flynn
Director of Marketing & Strategy
NetVision
(no current affiliation with any WAM vendors or IAM consultant firms.)
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Hellkyng () gmail com
Sent: Thursday, July 16, 2009 4:55 PM
To: security-basics () securityfocus com
Subject: Re: Authentication solution

Thanks for the responses so far, definitely some valuable information. Based on that I'd like to make the problem a bit more complicated. One of the challenges of implementing an SSO solution is that we use varied authentication methods. They require access to applications or portions of applications. So, any thoughts on how to implement a secure SSO solution when you have two separate authentication methods in use?

Also, once you've authenticated to an app, there is a need to also access portions of other applications within the main app. Anyone played around with authenticating an application within an application with SSO? Doesn't seem like there are any security best practices for this kind of issue, although I'm sure a lot of companies are dealing with this type of fun.

Thanks for the responses so far!

Mike

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
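The WAM flow Matt describes (each app redirects to one central authenticator, which hands back a token saying who the user is and how strongly they authenticated, and the app-within-an-app accepts the same token) is easy to get wrong at the verification step. The following is an added illustration, not code from any poster or from the phpMyLogin project: a central service mints an HMAC-signed token carrying subject, allowed audiences, authentication level and expiry, and each app verifies signature, expiry, audience and level before trusting it. The token format, claim names and shared-key handling are assumptions made for the demo.

```python
# Added illustration (not from any poster on this thread or from phpMyLogin):
# a minimal model of the centralized WAM token flow. One service authenticates
# the user and issues a signed token; every participating app verifies that
# token locally instead of running its own login. Token layout, claim names
# and key provisioning are assumptions for the demo.
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment provisions this out of band per app.
WAM_KEY = b"demo-shared-secret-not-for-production"
TOKEN_TTL = 300  # seconds a token stays valid
LEVELS = {"password": 1, "strong": 2}  # ordering of authentication strengths


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audiences: list, level: str, now: float = None,
                key: bytes = WAM_KEY) -> str:
    """Central WAM step: after the user has authenticated, mint a token that
    states who they are (sub), which apps may accept it (aud), how strongly
    they authenticated (lvl) and when it expires (exp)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audiences, "lvl": level,
              "iat": int(now), "exp": int(now) + TOKEN_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, app: str, required_level: str = "password",
                 now: float = None, key: bytes = WAM_KEY):
    """App-side step (the same code serves the portal and the app nested in
    it): accept the token only if the signature is intact, it has not expired,
    this app is in its audience list, and the authentication level meets what
    this app requires. Returns the claims on success, None otherwise."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time compare so the check leaks nothing about the signature.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    if app not in claims.get("aud", []):
        return None
    if LEVELS.get(claims.get("lvl"), 0) < LEVELS[required_level]:
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("alice", ["portal", "reports"], "password")
    print("portal accepts:", verify_token(tok, "portal") is not None)
    print("hr app accepts:", verify_token(tok, "hr") is not None)
    print("strong-auth step-up accepts:",
          verify_token(tok, "portal", required_level="strong") is not None)
```

The audience list is what makes the nested-app case work without a second login: the portal and the application embedded in it both appear in `aud`, so one token satisfies both, while an app not on the list rejects it. The level claim models Matt's point about directing stronger authentication to the WAM: an app that needs it simply demands `required_level="strong"` and sends the user back to the WAM when the token falls short.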
Current thread:
- Authentication solution Hellkyng (Jul 15)
- Re: Authentication solution Ali, Saqib (Jul 15)
- RE: Authentication solution Matt Flynn (Jul 16)
- Re: Authentication solution Nick Owen (Jul 16)
- RE: Authentication solution Matt Flynn (Jul 16)
- <Possible follow-ups>
- Re: Authentication solution Hellkyng (Jul 17)
- RE: Authentication solution Matt Flynn (Jul 17)
- Re: Authentication solution Lars (Jul 20)
- RE: Authentication solution Matt Flynn (Jul 17)
- Re: Authentication solution Ali, Saqib (Jul 15)