WebApp Sec mailing list archives
RE: Web single sign-on
From: "Simon Cunningham" <simon.cunningham () triosec com>
Date: Mon, 9 Dec 2002 20:26:38 -0000
Marty

It depends upon what your SSO requirements are. Whilst SSO aptly describes the user experience, it can mean a whole heap of different things when it comes to implementing a solution. Do you want SSO from the desktop? Are all the applications built on the same infrastructure? Does the portal connect to 3rd party apps with their own authentication and authorisation schemes?

The problem with attempting an in-house solution is that it might turn out to be considerably more complicated than it first appears. In-house is OK if you go in with your eyes open and have the appropriate expertise, but temporary in-house should be avoided. Temporary has a habit of becoming permanent and then you're stuck with something that was never designed for scalability, flexibility and security.

If you're going to buy something then take a look at the SAML standard (www.oasis-open.org). There are numerous vendors involved in that project who will be able to help out with solutions that fit with your WebSphere / LDAP environment.

Simon

-----Original Message-----
From: Marty [mailto:marti () videotron ca]
Sent: 09 December 2002 6:12 PM
To: webappsec () securityfocus com
Subject: Web single sign-on

Hi,

This was posted at Vuln-Dev, maybe it would be interesting to hear from your group too.

---
Thanks
Marty!

******************************************

Hi group,

We have a big discussion going on at one of my clients as we are about to add an Internet portal to several applications. We are looking at implementing a single sign-on (SSO) solution for our web applications. This discussion is as follows:

1- Should we buy an already made single sign-on solution or build one in house? We've met with the people from Tivoli and Computer Associates already. Other suggestions?

2- What if we go for a temporary in-house solution for next year and get stuck with it as the portal and the number of applications start growing? My concern here is the potential risk of being blamed by the auditors about an in-house development vs a well-known product.

The number of users of the portal will grow into the tens of thousands by the end of next year. Robustness of the solution should also be a main factor. The security of the project is taken care of by firewall, access lists, DMZ etc. The number of different applications is already up to ten and the portal is not even built yet. The deployment of the applications (all web based) should start as early as March 2003.

Pre-requisites: We have to work with the fact that the environment is IBM WebSphere servers and the fact that we are already using LDAP for authentication on some applications. No comments on that part please, we have to live with it...

---
Thanks!
Marty

******************************************

Thought of the week: As for the mind, nothing is too great; for kindness, nothing is too small.

Martin M Samson
Project manager,