RE: Web single sign-on

["Simon Cunningham" <simon.cunningham () triosec com>]

Marty

It depends upon what your SSO requirements are.  Whilst SSO aptly describes
the user experience is can mean a whole heap of different things when it
comes to implementing a solution.

Do you want SSO from the desktop ?
Are all the applications built on the same infrastructure ?
Does the portal connect to 3rd party apps with their own authentication and
authorisation schemes ?

The problem with attempting an in-house solution is that it might turn out
to be considerably more complicated than it first appears.  In-house is OK
if you go in with your eyes open and have the appropriate expertise but
temporary in-house should be avoided.  Temporary has a habit of become
permanent and then you're stuck with a something that was never designed for
scalability, flexibility and security.

If you're going to buy something then take a look at the SAML standard
(www.oasis-open.org).  There are numerous vendors involved in that project
who will be able to help out with solutions that fit with your WebSphere /
LDAP environment.

Simon

-----Original Message-----
From: Marty [mailto:marti () videotron ca]
Sent: 09 December 2002 6:12 PM
To: webappsec () securityfocus com
Subject: Web single sign-on


Hi,

This was posted at Vuln-Dev, maybe it would be intersting to hear from
your group too.

---

Merci

Marty!

******************************************


> Hi group,
>
>
> We have a big discussion going on at one of my clients as we are about

> to add an Internet portal to several applications. We are looking at
> implementing a single sign-on (SSO) solution for our web applications.
>
>
> This discussion is as follow:
>
> 1- Should we buy an already made up single sign-on solution or build
> one in house?
>
> We've met with the people from Tivoli and Computers associates
> already. Other suggestions?
>
> 2- What if we go for a temporary in-house solution for next year and
> get stuck with it as the portal and the number of applications starts
> growing?
>
> My concern here is the potential of risk being blamed by the auditors
> about an in-house development vs a well known product.
>
> The number of users of the portal will grow in the ten of thousands by

> the end of next year. Robustness of the solution should also be a main

> factor.
>
> The security of the project is taken care of by firewall, access list,

> DMZ etc.
>
> The number of different application is already up to ten and the
> portal is not even built yet. The deployment of the appliactions (all
> web
> based) should start as early as march 2003.
>
> Pre-requisites : We have to work with the fact that the environment is

> IBM Websphere servers and the fact that we are already using LDAP for
> authentication on some applications. No comments on that part please,
> we have to live with it...
>
>
>
> ---
>
> Thanks!
>
> Marty
>
> ******************************************
>
> Pensée de la semaine :  Comme pour l'esprit, rien n'est trop grand,
> pour la bonté, rien n'est trop petit.
>
> Martin M Samson
> Chef de projets,