Re: Authentication solution

[Lars <sunberg () gmail com>]

Hi

I've been working for some time on an opensource solution to have
authentication (single/multi), to access several webapps.
Put all your web-apps under the same directory and forget about the
security in that directory.
It uses apache basic auth and/or SSL client certs to secure the secured area..

The project isnt quite ready for everyone yet, but it is possible to
install and use.
My demo site is down atm, but if you want to take  a look at some
features, see http://phpmylogin.sourceforge.net/wiki/doku.php?id=feature_list

Also, if anyone knows php/or have any ideas, and want to help me with
this project, please contact me!

Regards
  Lars

On Fri, Jul 17, 2009 at 11:35 PM, Matt Flynn<mflynn () netvision com> wrote:
> Well, it can certainly get complicated.  But, the SSO solutions are
> designed specifically to simplify these scenarios by centralizing the
> authentication.  Even if you choose to keep numerous authentication
> methods, if you want to do SSO, you'll need to update each system's
> authentication mechanism to receive the new SSO token, so I would
> seriously consider swapping the various authentication mechanisms for a
> single, centralized SSO/WAM system (Web Access Management).
>
> Each system would redirect to the WAM for authentication.  The WAM would
> pass a token to the app letting it know that the user is authenticated
> and who they are.  Additional levels of authentication can also be
> directed to the WAM and it can be setup to use strong authentication
> when required.
>
> If the app within the app is configured to use the same token, it's not
> an issue.  Again, the 2nd tier app will need to be adjusted to accept
> some new form of token if you're adding SSO for the first time.  If you
> said it already would accept a SAML token, then perhaps you could use
> federation technologies without having to incorporate it into the WAM
> system.  But, one way or another, if you want SSO, you need to do some
> work on each participating app to change the way it behaves.  Knowing
> the little that I do, my recommendation is to just incorporate all
> relevant apps into a single WAM solution based on current protocols and
> use that as the basis for new apps.
>
> The app within an app scenario is actually not uncommon for the WAM
> vendors (think portal).  I think that sometimes customer organizations
> overlook the complexity and effort when purchasing those systems, but
> they are designed to handle the problem.
>
> Matt
>
> Matthew Flynn
> Director of Marketing & Strategy
> NetVision
>
> (no current affiliation with any WAM vendors or IAM consultant firms.)
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Hellkyng () gmail com
> Sent: Thursday, July 16, 2009 4:55 PM
> To: security-basics () securityfocus com
> Subject: Re: Authentication solution
>
> Thanks for the responses so far, definitely some valuable information.
> Based on that I'd like to make the problem a bit more complicated.
>
> One of the challenges of implementing an SSO solution is that we use
> varied authentication methods. They require access to applications or
> portions of applications.
>
> So, any thoughts on how to implement a secure SSO solution when you have
> two seperate authentication methods in use?
>
> Also once you've authenticated to an app. there is a need to also access
> portions of other applications within the main app. Anyone played around
> with authenticating an application, within an application with sso?
>
> Doesn't seem like there are any security best practices for this kind of
> issue, although I'm sure alot of companies are dealing with this type of
> fun. Thanks for the responses so far!
> Mike
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate In this guide
> we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company and
> how your customers can tell if a site is secure. You will find out how
> to test, purchase, install and use a thawte Digital Certificate on your
> Apache web server. Throughout, best practices for set-up are highlighted
> to help you ensure efficient ongoing management of your encryption keys
> and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
> f727d1
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------