You left out one vendor: RSA, and they utilize SAML today. (I don't work for them, and don't use it, so I can't say if it works or if it is any good)
On Mon, 9 Dec 2002 11:54:46 -0800 securityarchitect () hush com wrote:
1. There are emerging standards for this. You should look at SAML and the upcoming WS-name standards as key contenders. There are of course several large schemes making headway into the arena, the Liberty Alliance and MS Passport (.NET passport or whatever name du jour it has). There are lots of vendors playing in this space and my advice is to look at them all, but focus on how their products will implement the emerging standards and not what they do today.
Waveset
sunOne Identity server
Tivoli Access Manager 360
Netegrity
Passport will only run on NT and is heavily tied into MS, so I would strongly suggest you look at Liberty Alliance as a strategic scheme. It's backed by Amex, CitiCorp and many other big names.
2 - You should call IBM and discuss how they might be using SAML and WS-Security in future versions of WebSphere (hint hint). You are right in your observations about scaling and integrating new applications although tens of thousands of users is relatively small by today's standards.
I was interested in your comments that your application is protected by firewalls and ACLs. This is the classic webappsec mistake ;-( Take a look at the OWASP site www.owsp.org/guide for details.
On Mon, 09 Dec 2002 10:11:46 -0800 Marty wrote:
Hi,
This was posted at Vuln-Dev, maybe it would be interesting to hear from your group too.
---
Thanks
Marty!
******************************************
Hi group,
We have a big discussion going on at one of my clients as we are about to add an Internet portal to several applications. We are looking at implementing a single sign-on (SSO) solution for our web applications. This discussion is as follows:
1- Should we buy an already made up single sign-on solution or build one in house? We've met with the people from Tivoli and Computer Associates already. Other suggestions?
2- What if we go for a temporary in-house solution for next year and get stuck with it as the portal and the number of applications starts growing? My concern here is the potential of risk being blamed by the auditors about an in-house development vs a well known product.
The number of users of the portal will grow into the tens of thousands by the end of next year. Robustness of the solution should also be a main factor.
The security of the project is taken care of by firewall, access list, DMZ etc.
The number of different applications is already up to ten and the portal is not even built yet. The deployment of the applications (all web based) should start as early as March 2003.
Pre-requisites: We have to work with the fact that the environment is IBM Websphere servers and the fact that we are already using LDAP for authentication on some applications. No comments on that part please, we have to live with it...
---
Thanks!
Marty
******************************************
Thought of the week: Just as for the mind nothing is too great, for kindness nothing is too small.
Martin M Samson
Project Manager,