WebApp Sec mailing list archives
Re: Web single sign-on
From: "Andrew Chong" <andrewjw () singnet com sg>
Date: Wed, 11 Dec 2002 17:23:54 +0800
Try Netegrity Siteminder. Excellent SAML and SSO support.

wbjw () mindspring com wrote on 10/12/02 5:09:

> You left out one vendor: RSA, and they utilize SAML today. (I don't work for them, and don't use it, so I can't say if it works or if it is any good)
>
> On Mon, 9 Dec 2002 11:54:46 -0800 securityarchitect () hush com wrote:
>
>> 1. There are emerging standards for this. You should look at SAML and the upcoming WS-name standards as key contenders. There are of course several large schemes making headway into the arena, the Liberty Alliance and MS Passport (.NET passport or whatever name du jour it has). There are lots of vendors playing in this space and my advice is to look at them all, but focus on how their products will implement the emerging standards and not what they do today.
>>
>> Waveset
>> sunOne Identity server
>> Tivoli Access Manager
>> 360
>> Netegrity
>>
>> Passport will only run on NT and is heavily tied into MS, so I would strongly suggest you look at Liberty Alliance as a strategic scheme. It's backed by Amex, CitiCorp and many other big names.
>>
>> 2 - You should call IBM and discuss how they might be using SAML and WS-Security in future versions of WebSphere (hint hint).
>>
>> You are right in your observations about scaling and integrating new applications, although tens of thousands of users is relatively small by today's standards. I was interested in your comments that your application is protected by firewalls and ACLs. This is the classic webappsec mistake ;-( Take a look at the OWASP site www.owsp.org/guide for the details.
>>
>> On Mon, 09 Dec 2002 10:11:46 -0800 Marty wrote:
>>
>>> Hi, This was posted at Vuln-Dev, maybe it would be interesting to hear from your group too.
>>>
>>> --- Merci Marty!
>>>
>>> **************************************
>>>
>>> Hi group,
>>>
>>> We have a big discussion going on at one of my clients as we are about to add an Internet portal to several applications. We are looking at implementing a single sign-on (SSO) solution for our web applications. This discussion is as follows:
>>>
>>> 1- Should we buy an already made up single sign-on solution or build one in house? We've met with the people from Tivoli and Computer Associates already. Other suggestions?
>>>
>>> 2- What if we go for a temporary in-house solution for next year and get stuck with it as the portal and the number of applications start growing? My concern here is the potential risk of being blamed by the auditors about an in-house development vs a well known product.
>>>
>>> The number of users of the portal will grow into the tens of thousands by the end of next year. Robustness of the solution should also be a main factor. The security of the project is taken care of by firewall, access list, DMZ etc. The number of different applications is already up to ten and the portal is not even built yet. The deployment of the applications (all web based) should start as early as March 2003.
>>>
>>> Pre-requisites: We have to work with the fact that the environment is IBM Websphere servers and the fact that we are already using LDAP for authentication on some applications. No comments on that part please, we have to live with it...
>>>
>>> --- Thanks! Marty
>>>
>>> *********************************************
>>>
>>> Thought of the week: As for the mind, nothing is too big; for goodness, nothing is too small.
>>>
>>> Martin M Samson
>>> Project manager,