Security Basics mailing list archives
Re: Authentication solution
From: Nick Owen <nickowen () mindspring com>
Date: Wed, 15 Jul 2009 18:45:47 -0400
On 07/15/2009 12:19 PM, Hellkyng () gmail com wrote:
Everyone, I've got an issue where I need to authenticate an external client/customer to multiple applications through our website. Ideally we want the client to only have to login once, but have access to all of the other applications as necessary. Are there any security best practices available for this type of problem? A single sign on solution has been discussed as a possible solution. Has anyone had any experience using single sign on with external clients on a publicly available website? What problems (security or otherwise) did you encounter? What other solutions are available? Please poke holes in my ideas/problem, thanks! Mike
You could look at using Squid as a proxy and let it do the auth. I have a tutorial on adding two-factor auth to squid:
http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-squid-for-two-factor-authentication-from-wikid/

Also, you could do apache:
http://www.wikidsystems.com/support/wikid-support-center/how-to/two-factor-authentication-for-apache-2.2-or-higher/

This assumes you can use secure cookies or something to manage the sessions. You might also try CAS for SSO. I have tested CAS using radius, but have not written it up yet.
HTH, Nick

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open-source Two-Factor Authentication
http://twitter.com/wikidsystems
#wikid on irc.freenode.net
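The reply above assumes the front end (a Squid or Apache proxy doing the authentication) hands the user a secure cookie that every application behind it can trust. The following is an added example, not code from the thread or from WiKID or CAS, of what such a shared session cookie can look like: the proxy issues an HMAC-signed token with an expiry, each application verifies the signature and expiry before trusting the subject, and the Set-Cookie line carries the Secure and HttpOnly attributes so the cookie never travels over plain HTTP or becomes readable from script. The key, the cookie name `sso_session`, the domain and the claim names are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key. In practice this secret is shared only between the
# authenticating proxy and the applications that accept its sessions.
SECRET = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, ttl_seconds: int, now: float = None) -> str:
    """Called by the proxy once the user has authenticated (e.g. with two factors).

    Returns "<payload>.<signature>", where the signature is an HMAC-SHA256
    over the payload, so no application can accept a payload it did not sign.
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def verify_session(token: str, now: float = None):
    """Called by each application. Returns the subject, or None if the token
    is malformed, has a bad signature, or has expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def tampered_copy(token: str, new_user: str) -> str:
    """Rebuild the payload with a different subject but keep the original
    signature; verify_session() must reject this."""
    payload_b64, sig_b64 = token.split(".", 1)
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_user
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return b64url_encode(forged) + "." + sig_b64


def set_cookie_header(token: str, domain: str) -> str:
    """Set-Cookie line for the proxy's response. Secure keeps it off plain HTTP,
    HttpOnly keeps it away from script, and Domain scopes it to the parent
    domain shared by the applications."""
    return (f"Set-Cookie: sso_session={token}; Domain={domain}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    tok = issue_session("mike", ttl_seconds=3600)
    print(set_cookie_header(tok, ".example.com"))
    print("valid:", verify_session(tok))
    print("forged:", verify_session(tampered_copy(tok, "admin")))
```

The applications never see the user's password or second factor; they only check that the token was minted by the proxy and is still within its lifetime, which is the property that lets one login carry across several applications on the same parent domain.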