WebApp Sec mailing list archives

Re: Web single sign-on


From: securityarchitect () hush com
Date: Mon, 9 Dec 2002 11:54:46 -0800


1. There are emerging standards for this. You should look at SAML and the upcoming WS-name standards as key contenders. 
There are of course several large schemes making headway into the arena, the Liberty Alliance and MS Passport (.NET 
passport or whatever name du jour it has). There are lots of vendors playing in this space and my advice is to look at 
them all, but focus on how their products will implement the emerging standards and not what they do today. 

Waveset
sunOne Identity server
Tivoli Access Manager 360
Netegrity

Passport will only run on NT and is heavily tied into MS, so I would strongly suggest you look at Liberty Alliance as a 
strategic scheme. It's backed by Amex, CitiCorp and many other big names. 

2. You should call IBM and discuss how they might be using SAML and WS-Security in future versions of WebSphere (hint 
hint). You are right in your observations about scaling and integrating new applications, although tens of thousands of 
users is relatively small by today's standards.

I was interested in your comments that your application is protected by firewalls and ACLs. This is the classic 
webappsec mistake ;-( Take a look at the OWASP site www.owsp.org/guide for details.



On Mon, 09 Dec 2002 10:11:46 -0800 Marty <marti () videotron ca> wrote:
Hi,

This was posted at Vuln-Dev, maybe it would be interesting to hear from
your group too.

---

Thanks

Marty!

******************************************


Hi group,


We have a big discussion going on at one of my clients as we are about
to add an Internet portal to several applications. We are looking at
implementing a single sign-on (SSO) solution for our web applications.


This discussion is as follows:

1- Should we buy an already made up single sign-on solution or build
one in house?

We've met with the people from Tivoli and Computer Associates
already. Other suggestions?

2- What if we go for a temporary in-house solution for next year and
get stuck with it as the portal and the number of applications starts
growing?

My concern here is the potential risk of being blamed by the auditors
for an in-house development vs. a well-known product.

The number of users of the portal will grow into the tens of thousands by
the end of next year. Robustness of the solution should also be a main
factor.

The security of the project is taken care of by firewall, access list,
DMZ etc.

The number of different applications is already up to ten and the
portal is not even built yet. The deployment of the applications (all web
based) should start as early as March 2003.

Pre-requisites: We have to work with the fact that the environment is
IBM WebSphere servers and the fact that we are already using LDAP for
authentication on some applications. No comments on that part please,
we have to live with it...



---

Thanks!

Marty

******************************************

Thought of the week: As with the mind, nothing is too great;
for kindness, nothing is too small.

Martin M Samson
Project manager,









Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
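The reply above points at SAML-style assertions as the thing an SSO product should implement, and warns that firewalls, ACLs and a DMZ say nothing about whether a presented identity is genuine. The following is an added example, not code from the thread, from SAML, or from any vendor named above: a constructed identity provider issues a signed assertion for one target application, and each portal application validates it itself (signature, trusted issuer, audience, validity window, one-time assertion ID). The JSON encoding, the HMAC signature and the shared key are a deliberate simplification of SAML's XML assertion and XML-DSig; the issuer and application names are hypothetical.

```python
"""Minimal SSO assertion exchange (added example; not SAML, not any vendor's code).

An identity provider (IdP) issues a signed assertion about an authenticated
user; each portal application (service provider, SP) validates it before
trusting the identity. The fields mirror what a SAML assertion carries
(issuer, subject, audience, validity window, assertion ID); JSON + HMAC
stand in for SAML's XML + XML-DSig to keep the example self-contained.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed shared key for the demo. SAML uses an asymmetric IdP signing
# key provisioned out of band; never hard-code a production key like this.
IDP_KEY = b"constructed-demo-key-do-not-use"
IDP_NAME = "https://idp.example.test"  # hypothetical issuer name


def _sign(payload: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted, compact) JSON encoding."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_assertion(subject: str, audience: str, key: bytes = IDP_KEY,
                    now: Optional[float] = None, lifetime: int = 300) -> dict:
    """IdP side: assert that `subject` authenticated, usable by one app only."""
    now = time.time() if now is None else now
    payload = {
        "id": secrets.token_hex(16),  # unique per assertion, for replay detection
        "iss": IDP_NAME,
        "sub": subject,
        "aud": audience,              # the single application allowed to accept it
        "nbf": int(now) - 30,         # small clock-skew allowance
        "exp": int(now) + lifetime,   # short lifetime bounds the replay window
    }
    return {"payload": payload, "sig": _sign(payload, key)}


class ServiceProvider:
    """One portal application. A firewall or DMZ cannot tell a forged or
    replayed assertion from a real one; these application-layer checks can."""

    def __init__(self, name: str, idp_key: bytes = IDP_KEY,
                 trusted_issuer: str = IDP_NAME):
        self.name = name
        self.idp_key = idp_key
        self.trusted_issuer = trusted_issuer
        # Replay cache. Per-process here; a clustered portal needs a shared store
        # and can expire entries once the assertion's `exp` has passed.
        self.seen_ids = set()

    def validate(self, assertion: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Signature is checked before anything else
        so that untrusted fields are never interpreted without integrity."""
        now = time.time() if now is None else now
        payload = assertion.get("payload", {})
        expected = _sign(payload, self.idp_key)
        if not hmac.compare_digest(expected, str(assertion.get("sig", ""))):
            return False, "bad signature"
        if payload.get("iss") != self.trusted_issuer:
            return False, "untrusted issuer"
        if payload.get("aud") != self.name:
            return False, "wrong audience"   # assertion meant for another app
        if now < payload.get("nbf", 0):
            return False, "not yet valid"
        if now >= payload.get("exp", 0):
            return False, "expired"
        if payload.get("id") in self.seen_ids:
            return False, "replayed"         # same assertion presented twice
        self.seen_ids.add(payload["id"])
        return True, "ok:" + payload["sub"]


if __name__ == "__main__":
    hr_app = ServiceProvider("https://hr.example.test")  # hypothetical app name
    a = issue_assertion("marty", "https://hr.example.test")
    print(hr_app.validate(a))  # accepted on first use
    print(hr_app.validate(a))  # rejected as a replay
```

The audience check is the one most often skipped in home-grown SSO: without it, an assertion obtained for one of the ten applications is good for all of them, so a compromise of the weakest application becomes a compromise of the portal.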

