WebApp Sec mailing list archives
RE: Web single sign-on
From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
Date: Tue, 10 Dec 2002 05:36:50 +0800
Greetings,

What the Novell's eDirectory. Possibly the best single sign on system and it does not require Novell server to be around

Gill

-----Original Message-----
From: securityarchitect () hush com [mailto:securityarchitect () hush com]
Sent: Tuesday, December 10, 2002 3:55 AM
To: webappsec () securityfocus com
Subject: Re: Web single sign-on

1. There are emerging standards for this. You should look at SAML and the upcoming WS-name standards as key contenders. There are of course several large schemes making headway into the arena, the Liberty Alliance and MS Passport (.NET passport or whatever name du jour it has). There are lots of vendors playing in this space and my advice is to look at them all, but focus on how their products will implement the emerging standards and not what they do today.

Waveset sunOne Identity server Tivoli Access Manager 360 Netegrity

Passport will only run on NT and is heavily tied into MS, so I would strongly suggest you look at Liberty Alliance as a strategic scheme. It's backed by Amex, CitiCorp and many other big names.

2 - You should call IBM and discuss how they might be using SAML and WS-Security in future versions of WebSphere (hint hint).

You are right in your observations about scaling and integrating new applications, although tens of thousands of users is relatively small by today's standards.

I was interested in your comments that your application is protected by firewalls and ACLs. This is the classic webappsec mistake ;-( Take a look at the OWASP site www.owsp.org/guide for details.

On Mon, 09 Dec 2002 10:11:46 -0800 Marty <marti () videotron ca> wrote:
Hi,

This was posted at Vuln-Dev, maybe it would be interesting to hear from your group too.

---
Thanks, Marty!

******************************************
Hi group,

We have a big discussion going on at one of my clients as we are about to add an Internet portal to several applications. We are looking at implementing a single sign-on (SSO) solution for our web applications.

This discussion is as follows:

1- Should we buy an already made up single sign-on solution or build one in house? We've met with the people from Tivoli and Computer Associates already. Other suggestions?

2- What if we go for a temporary in-house solution for next year and get stuck with it as the portal and the number of applications starts growing?

My concern here is the potential of risk being blamed by the auditors about an in-house development vs a well known product.

The number of users of the portal will grow in the tens of thousands by the end of next year. Robustness of the solution should also be a main factor.

The security of the project is taken care of by firewall, access list, DMZ etc.

The number of different applications is already up to ten and the portal is not even built yet. The deployment of the applications (all web based) should start as early as March 2003.

Pre-requisites: We have to work with the fact that the environment is IBM Websphere servers and the fact that we are already using LDAP for authentication on some applications. No comments on that part please, we have to live with it...

---
Thanks!
Marty
******************************************

Thought of the week: As for the mind, nothing is too great; for kindness, nothing is too small.

Martin M Samson
Project Manager,