-
June 4th, 2007, 06:07 PM
#1
Verification of single sign on system integration
Does anyone here have any experience implementing and/or testing single sign-on systems? Have you ever worked on verifying the integration of these systems with other systems, say in a service-oriented architecture?
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
June 4th, 2007, 06:26 PM
#2
We toyed with the idea of single sign-on where I work, Juridian, but I put so many restrictions around it (e.g. it wouldn't be used in the HR department, it could be used by anyone with access to confidential information, none of the technical IT staff or system admins could use it) that it ended up not being a viable project. I am currently testing fingerprint readers and am having problems integrating them with all our apps (off-the-shelf and in-house written).
Cheers.
-
June 4th, 2007, 06:32 PM
#3
Ahh, the fingerprint readers. Be sure to get a good one. There is a MythBusters episode where they faked out a couple of models fairly easily.
-
June 4th, 2007, 08:04 PM
#4
Originally Posted by Juridian
Ahh, the fingerprint readers. Be sure to get a good one. There is a MythBusters episode where they faked out a couple of models fairly easily.
Yeah, they have gotten better since the famous "Gummy Bear" hack.
Cheers.
-
June 4th, 2007, 09:51 PM
#5
Hi,
Sorry for the general blabla and being unspecific. I can only write down a couple of thoughts and share some experience, but I cannot do more without knowing details.
simple, but often sufficient approach
When it comes to verification of an SSO system, you are lost when you try to show it too generally. In every single integration project I participated in, we had to restrict our proposition: instead of
"single sign-on is fully integrated"
we verified specific statements like
"database system xy is single sign-on-capable (Kerberos tickets)"
"application xy is single sign-on-capable (Kerberos tickets)"
...
etc. Hence, based on the actual needs, we verified what had to be verified. That was the only thing we could do within budget, and it is reflected in DjM's statement
having problems integrating them with all our apps
- What kind of SSO is to be applied/verified?
- What kind of hardware/software has to be supported?
My personal taste is to go with ticketing systems. However, the reality certainly is that proprietary software often does not support it, and mostly you are not in a position to require it from the manufacturers. Thus you are left with ***censored*** 'identify the mask' approaches. I suggest evaluating these according to the above simple recipe, which is a simple but often sufficient approach.
SOA
The 'loose coupling' paradigm of SOA gives rise to what is known as identity services: a set of services allowing applications to leverage identity information (with the ambiguity of what identity information actually is). A few well-known projects are Bandit [1], OSIS [2] and Higgins [3]; however, on an enterprise level they might not be sufficient (depending on the actual regulations to be satisfied).
Thus, without going into specifics (please do so), I currently cannot give you another hint than to wait, if possible.
Large software manufacturers, such as IBM, Microsoft and Oracle, have built or are on the way to building IAAS ("Identity as a Service") frameworks, which may help to reduce the effective costs of integration. Keep an eye on verified implementations of WS-Trust (OASIS approved [4a, 4b]) in particular.
Cheers
[1] http://www.bandit-project.org/index....come_to_Bandit
[2] http://osis.netmesh.org/wiki/Main_Page
[3] http://www.eclipse.org/higgins/
[4a] http://docs.oasis-open.org/ws-sx/ws-...spec-cs-01.htm
[4b] http://www.ibm.com/developerworks/li...tion/ws-trust/
Last edited by sec_ware; June 4th, 2007 at 09:55 PM.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
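A concrete instance of the per-system propositions described in post #5 ("application xy is single sign-on-capable (Kerberos tickets)"), added here as an example and not code from any poster in this thread. It assumes the application under test is HTTP-based, so the check reads the WWW-Authenticate challenges of a 401 response (constructed samples below) and records whether Negotiate, the scheme that carries Kerberos tickets, is offered; the system names and responses are made up for the example.

```python
"""Per-system SSO capability check in the spirit of post #5: verify one narrow
proposition per application rather than "SSO is fully integrated".
Assumption (not from the thread): the application is HTTP-based and lists its
authentication schemes in WWW-Authenticate headers of a 401 response."""
from typing import Dict, List

KERBEROS_SCHEMES = {"negotiate"}        # SPNEGO/Negotiate carries Kerberos tickets over HTTP
PASSWORD_SCHEMES = {"basic", "digest"}  # interactive password prompts, not ticket based

def parse_www_authenticate(raw_response: str) -> List[str]:
    """Return the lowercase scheme names challenged in a raw HTTP 401 response.
    Assumes one challenge per WWW-Authenticate header line (the common layout)."""
    head = raw_response.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if lines[0].split(" ")[1] != "401":
        return []                      # no challenge at all (e.g. anonymous 200)
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ")[0].lower())  # scheme is the first token
    return schemes

def classify(schemes: List[str]) -> str:
    """Map the offered schemes to the proposition actually verified for the system."""
    offered = set(schemes)
    if offered & KERBEROS_SCHEMES:
        return "kerberos-ticket-capable"
    if "ntlm" in offered:
        return "ntlm-only"             # domain SSO of a sort, but not Kerberos tickets
    if offered & PASSWORD_SCHEMES:
        return "password-only"         # not SSO-capable
    return "no-challenge"

def verify_propositions(responses: Dict[str, str]) -> Dict[str, str]:
    """One verdict per named system, never a single global 'SSO integrated' claim."""
    return {name: classify(parse_www_authenticate(raw)) for name, raw in responses.items()}

# Constructed sample responses, not captured from any real system.
SAMPLE_RESPONSES = {
    "intranet-app": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
                    "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n",
    "legacy-reporting": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"reports\"\r\n\r\n",
    "file-portal": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n\r\n",
    "public-site": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for system, verdict in verify_propositions(SAMPLE_RESPONSES).items():
        print(f"{system}: {verdict}")
```

Each line of the report is one narrow, auditable claim about one system, which is the scoping the post recommends over a blanket "SSO is integrated" statement.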
-
June 6th, 2007, 04:23 PM
#6
A good fingerprint scanner that supports multiple users would work well, but I think people would be hesitant to scan their prints all the time. They might think you will keep a copy of it or something.
I would recommend using "smart cards"; XP has support for them built into the OS. :-)