Re: Web single sign-on

Quoting Marty <marti@videotron.ca>:

> We have a big discussion going on at one of my clients as we are about
> to add an Internet portal to several applications. We are looking at
> implementing a single sign-on (SSO) solution for our web applications.

Good idea.

> 1- Should we buy an already made up single sign-on solution or build one
> in house?

Or use an existing opensource solution.  

> We've met with the people from Tivoli and Computers associates already.
> Other suggestions?

Nope. Lots out there.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> 2- What if we go for a temporary in-house solution for next year and get
> stuck with it as the portal and the number of applications starts
> growing?

Then you need to make sure the in-house solution you pick, even if only meant to be temporary, is flexible and extensible.

> My concern here is the potential of risk being blamed by the auditors
> about an in-house development vs a well known product.

I wouldn't worry about that. Either cen be secure/insecure, cheap/expensive, easy/hard to maintain, etc. No clear advantage either way without knowing your extact setup (manpower available, skill level, etc).

> The number of users of the portal will grow in the ten of thousands by
> the end of next year. Robustness of the solution should also be a main
> factor.

Yes, but that doesn't affect the choice of in-house/opensource/commercial.

> The security of the project is taken care of by firewall, access list,
> DMZ etc.

Well, I'd sure not depend on only that. Build security into everything, including the single-signon. Security through depth.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> The number of different application is already up to ten and the portal
> is not even built yet. The deployment of the appliactions (all web
> based) should start as early as march 2003.

Normal.

> Pre-requisites : We have to work with the fact that the environment is

Look at commerical apps and opensource apps (like Horde at www.horde.org) and see if anything meets your needs. If not, then go in-house.

> Thanks!
>
> Marty

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!