Home page logo

basics logo Security Basics mailing list archives

Re: Extranet SSO Security
From: "Yousef Syed" <yousef.syed () gmail com>
Date: Fri, 17 Aug 2007 22:51:41 +0200

You could just use the AD/LDAP to Authenticate the users and then use
the individual apps to authorise the users access separately.
This is an easy win to start with. as you say, you already have and
AD/LDAP with most of the users in it.
You can buy other tools to help you with this - Oracle Access Manager
is the one that I know about, but I'm sure there are others out there.

After you've completed the above, you can go all the way and use a
full-blown IDM solution to provision the users while maintaining all
the roles and policies and groups inside the IDM - very big, time
consuming and expensive project...
Personally, I wouldn't recommend going for the IDM unless you were
doing a very large corporate wide project. Just to manage a few web
apps, it would be serious overkill.

Hope that helps,

On 17 Aug 2007 14:37:40 -0000, aackley () epmgpc com <aackley () epmgpc com> wrote:
I'm having trouble finding the documentation or studies to make a decision on a project we're starting.

Basically, we've been adding a series of veritcal apps that are accessible via the web.  Each of which uses its own 
authentication system.

What we want to do, is to implement a single authentication system for all of these.

The problem comes in to how to determine the best method of doing this.

We've narrowed it down to 2 possible solutions. (I'm open to others)

1) AD/LDAP - we currently have an AD environment with many users stored here.  But this lacks some of the custome 
roles/properties that are in some of the vertical apps.  So we would have to create these properties for each user 
and pump them in.

2) Pick one of the vertical apps and add all the users to this.  One app has all the roles currently needed but not 
all the users.  On top of that, it uses standard sql tables to store user names and passwords.

If we assume that the internal network communication is secure. (big assumption I know but let's go with it).  So 
that we only need to worry about communication between the client's web browser and the authentication system.

The authentication form would be SSL encrypted.

Which would you go with and why?


Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]