Educause Security Discussion mailing list archives

Re: 3rd party want to authenticate our users


From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Wed, 5 Mar 2008 15:50:24 +1000

Hi Oscar,

Oscar Knight wrote:
We have 3rd parties that have fully hosted remote applications.  The
applications are hosted on servers for which we have no administrative
access, control, or audit capabilities.

The 3rd parties wish to perform the initial authentication, i.e. the part
that requires our unified username and raw password.  Note, the
"unified" username/password is the username and password our users use
to get to EVERYTHING, in some cases statutorily protected data.
Of course the 3rd party will use some method to connect to some database
at our site to perform the authentication.  But the crux of the matter
is that the 3rd party has access to the raw password.

Disclaimer:  I work at the Queensland University of Technology, and ESOE
development was started (I think) at QUT; it is now an open source project.

Not sure if it is applicable in this instance, but the Enterprise Sign
On Engine (ESOE) might suit your needs in this case.  It is only
suitable for web applications and QUT has adopted ESOE as the primary
form of authentication for any web-based services that QUT provides.

http://esoeproject.org/

Text from front page:


The Enterprise Sign On Engine (ESOE) is an advanced system which allows
an enterprise to meet its individual goals for integrated identity
management, single sign on, authorization, federation and accountability
for resource access in a very extensible manner.

The ESOE is built using the OASIS SAML 2.0 specification, and the ESOE's
powerful authorization engine is built around a reduced version of the
OASIS XACML 2.0 standard which we have called Lightweight eXtensible
Authorization Control Markup Language or "LXACML".

The ESOE can integrate identity from unlimited repositories,
automatically create sessions for users who are logged into Active
Directory (true single sign on), provide for centralized authorization
policy management and natively federate with technologies such as
Shibboleth and OpenID.

We hope you'll find the ESOE a good choice for your needs amongst the
wide variety of SSO solutions that are available, both from commercial
providers and other open source projects. Of course if you're already
using an SSO solution, there is a pretty good chance the ESOE can
interact with it, allowing you to use the enhanced capabilities of the
ESOE without needing to replace everything you already have.

Being heavily standards based, all your existing identity infrastructure
such as LDAP compliant directories, databases and even flat files are
only a plugin away. The ESOE is designed to fit around your environment,
not have your environment change to fit it.


Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
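The pattern Greg is pointing Oscar at, as an added example (not ESOE or QUT code): an SP-initiated SAML 2.0 web SSO exchange in which the hosted third-party application (the Service Provider, SP) only builds an AuthnRequest, sends the browser to the campus Identity Provider (IdP) over the HTTP-Redirect binding, and validates the signed assertion that comes back, while the IdP is the only party that ever handles the raw password. The entity IDs, URLs, user name and key below are invented for the example, and the assertion is signed with HMAC-SHA256 as a stand-in for the XML Signature (RSA over canonical XML) that real SAML responses carry; the Audience, InResponseTo and NotOnOrAfter checks are the ones a real SP must perform.

```python
"""SP-initiated SAML 2.0 web SSO sketch. The third-party Service Provider (SP)
only builds an AuthnRequest, redirects to the campus Identity Provider (IdP) and
validates the signed assertion; idp_issue_response() alone sees the password."""
import base64, hashlib, hmac, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed identifiers for the example; not real ESOE, QUT or vendor endpoints.
SP_ENTITY_ID = "https://app.vendor.example/sp"
IDP_ENTITY_ID = "https://sso.campus.example/idp"
IDP_SSO_URL = "https://sso.campus.example/idp/sso"
# Stand-in for the IdP signing key: real SAML uses an XML Signature (RSA) here.
SHARED_KEY = b"demo-only-signing-key"

def ts(t):
    return t.strftime(TIME_FMT)

def parse_ts(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

def make_password_record(password):
    """IdP credential store entry: salted PBKDF2 digest, never the raw password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(record, password):
    salt, digest = record
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def build_authn_request():
    """SP side: AuthnRequest with a fresh ID the SP remembers for the InResponseTo check."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": req_id, "Version": "2.0",
                      "IssueInstant": ts(datetime.now(timezone.utc)), "Destination": IDP_SSO_URL})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return req_id, ET.tostring(root, encoding="unicode")

def redirect_binding_url(xml, relay_state="/dashboard"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = co.compress(xml.encode()) + co.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(query)

def decode_redirect_binding(url):
    """IdP side: undo the binding to recover the AuthnRequest XML."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def idp_issue_response(authn_request_xml, username, password, password_db, lifetime=timedelta(minutes=5)):
    """IdP side: the only place the password is seen; returns (assertion_xml, signature) or None."""
    req = ET.fromstring(authn_request_xml)
    if req.findtext(f"{{{SAML}}}Issuer") != SP_ENTITY_ID or req.get("Destination") != IDP_SSO_URL:
        return None
    record = password_db.get(username)
    if record is None or not check_password(record, password):
        return None
    now = datetime.now(timezone.utc)
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                   "IssueInstant": ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = username
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  {"InResponseTo": req.get("ID"), "NotOnOrAfter": ts(now + lifetime)})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": ts(now), "NotOnOrAfter": ts(now + lifetime)})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    xml = ET.tostring(a, encoding="unicode")
    return xml, hmac.new(SHARED_KEY, xml.encode(), hashlib.sha256).hexdigest()

def sp_validate_response(assertion_xml, signature, expected_request_id, now=None):
    """SP side: signature first, then issuer, audience, InResponseTo and validity window; NameID or None."""
    expected = hmac.new(SHARED_KEY, assertion_xml.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    a = ET.fromstring(assertion_xml)
    now = now or datetime.now(timezone.utc)
    cond = a.find(f"{{{SAML}}}Conditions")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    ok = (a.findtext(f"{{{SAML}}}Issuer") == IDP_ENTITY_ID
          and cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") == SP_ENTITY_ID
          and scd.get("InResponseTo") == expected_request_id
          and parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")))
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") if ok else None

if __name__ == "__main__":
    req_id, req_xml = build_authn_request()
    users = {"jsmith": make_password_record("correct horse battery")}  # constructed user store
    assertion, sig = idp_issue_response(decode_redirect_binding(redirect_binding_url(req_xml)),
                                        "jsmith", "correct horse battery", users)
    print("SP accepted NameID:", sp_validate_response(assertion, sig, req_id))
```

The point of the split is visible in the function signatures: nothing on the SP side takes a password argument, and the SP's trust rests on the signature plus the Audience and InResponseTo bindings, so an assertion minted for another SP, or replayed against a request the SP never made, is rejected even though it is genuinely signed.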
