Re: Web single sign-on
Quoting Marty <marti@xxxxxxxxxxxx>:
> We have a big discussion going on at one of my clients as we are about
> to add an Internet portal to several applications. We are looking at
> implementing a single sign-on (SSO) solution for our web applications.
Good idea.
> 1- Should we buy an already made up single sign-on solution or build one
> in house?
Or use an existing opensource solution.
> We've met with the people from Tivoli and Computer Associates already.
> Other suggestions?
Nope. Lots out there.
> 2- What if we go for a temporary in-house solution for next year and get
> stuck with it as the portal and the number of applications starts
> growing?
Then you need to make sure the in-house solution you pick, even if only
meant to be temporary, is flexible and extensible.
> My concern here is the potential of risk being blamed by the auditors
> about an in-house development vs a well known product.
I wouldn't worry about that. Either can be secure/insecure, cheap/expensive,
easy/hard to maintain, etc. No clear advantage either way without knowing
your exact setup (manpower available, skill level, etc).
> The number of users of the portal will grow into the tens of thousands by
> the end of next year. Robustness of the solution should also be a main
> factor.
Yes, but that doesn't affect the choice of in-house/opensource/commercial.
> The security of the project is taken care of by firewall, access list,
> DMZ etc.
Well, I'd sure not depend on only that. Build security into everything,
including the single-signon. Security through depth.
> The number of different applications is already up to ten and the portal
> is not even built yet. The deployment of the applications (all web
> based) should start as early as March 2003.
Normal.
> Pre-requisites : We have to work with the fact that the environment is
> IBM Websphere servers and the fact that we are already using LDAP for
> authentication on some applications. No comments on that part please, we
> have to live with it...
Look at commercial apps and opensource apps (like Horde at www.horde.org)
and see if anything meets your needs. If not, then go in-house.
> Thanks!
>
> Marty
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Why get even? Get odd!