WebApp Sec mailing list archives

RE: Web single sign-on


From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
Date: Tue, 10 Dec 2002 05:36:50 +0800

Greetings,

What about Novell's eDirectory? Possibly the best single sign-on system, and it
does not require a Novell server to be around.

Gill

-----Original Message-----
From: securityarchitect () hush com [mailto:securityarchitect () hush com]
Sent: Tuesday, December 10, 2002 3:55 AM
To: webappsec () securityfocus com
Subject: Re: Web single sign-on



1. There are emerging standards for this. You should look at SAML and the
upcoming WS-name standards as key contenders. There are of course several
large schemes making headway into the arena, the Liberty Alliance and MS
Passport (.NET passport or whatever name du jour it has). There are lots of
vendors playing in this space and my advice is to look at them all, but
focus on how their products will implement the emerging standards and not
what they do today.

Waveset
sunOne Identity server
Tivoli Access Manager 360
Netegrity

Passport will only run on NT and is heavily tied into MS, so I would
strongly suggest you look at Liberty Alliance as a strategic scheme. It's
backed by Amex, CitiCorp and many other big names.

2. You should call IBM and discuss how they might be using SAML and
WS-Security in future versions of WebSphere (hint hint). You are right in
your observations about scaling and integrating new applications, although
tens of thousands of users is relatively small by today's standards.

I was interested in your comments that your application is protected by
firewalls and ACLs. This is the classic webappsec mistake ;-( Take a look at
the OWASP site www.owsp.org/guide for details.



On Mon, 09 Dec 2002 10:11:46 -0800 Marty <marti () videotron ca> wrote:
Hi,

This was posted at Vuln-Dev, maybe it would be interesting to hear from
your group too.

---

Thanks

Marty!

******************************************


Hi group,

We have a big discussion going on at one of my clients as we are about
to add an Internet portal to several applications. We are looking at
implementing a single sign-on (SSO) solution for our web applications.

This discussion is as follows:

1- Should we buy an already made up single sign-on solution or build
one in house?

We've met with the people from Tivoli and Computer Associates
already. Other suggestions?

2- What if we go for a temporary in-house solution for next year and
get stuck with it as the portal and the number of applications starts
growing?

My concern here is the potential risk of being blamed by the auditors
about an in-house development vs a well known product.

The number of users of the portal will grow into the tens of thousands
by the end of next year. Robustness of the solution should also be a
main factor.

The security of the project is taken care of by firewall, access list,
DMZ etc.

The number of different applications is already up to ten and the
portal is not even built yet. The deployment of the applications (all
web based) should start as early as March 2003.

Prerequisites: We have to work with the fact that the environment is
IBM WebSphere servers and the fact that we are already using LDAP for
authentication on some applications. No comments on that part please,
we have to live with it...



---

Thanks!

Marty

******************************************

Thought of the week: As for the mind, nothing is too great;
for kindness, nothing is too small.

Martin M Samson
Project manager,
