Results 1 to 6 of 6

Thread: Verification of single sign on system integration

  1. #1
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027

    Verification of single sign on system integration

    Does anyone here have any experience implementing and or testing single sign on systems? Have you ever worked on verifying the integration of these systems with other systems...say in a service oriented architecture?
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    We toyed with the idea of single sign-on where I work Juridian, but I put so many restrictions around it (e.g. It wouldn't be used in the HR department, It could be used by anyone with access to confidential information, none of the technical IT staff or system admins could use it) it ended up not being a viable project. I am currently testing fingerprint readers and am having problems integrating them with all our App's (off the shelf and in house written)

    Cheers.
    DjM

  3. #3
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Ahh, the finger print readers. Be sure to get a good one. There is a mythbusters episode where they faked out a couple of models fairly easily.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Quote Originally Posted by Juridian
    Ahh, the finger print readers. Be sure to get a good one. There is a mythbusters episode where they faked out a couple of models fairly easily.
    Yea, they have gotten better since the famous "Gummy Bear" hack.

    Cheers:
    DjM

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Sorry for the general blabla and being unspecific. I can only write down
    a couple of thoughts and share some experience - but I cannot do more
    without knowing details.




    simple, but often sufficient approach


    When it comes to a verification of a SSO system, you are lost
    when you try to show it too generally. In every single integration
    project I participated, we had to restrict our proposition:


    Instead of

    "single-sign on is fully integrated"

    we verified specific statements like

    "database system xy is single-sign on-capable (Kerberos-tickets)"
    "application xy is single-sign on-capable (Kerberos-tickets)"
    ...


    etc. Hence, based on the actual needs, we have verified what
    had to be verified. That was the only thing we could do in budget,
    and it is reflected in DjM's statement

    having problems integrating them with all our App's
    - What kind of SSO is to be applied/verified?
    - What kind of hardware/software has to be supported?



    My personal taste is to go with ticketing systems. However the reality
    certainly is, often proprietary software does not support it, and mostly,
    you are not in a position to require it from the manufacturers. Thus you
    are left with ***censored*** 'identify the mask'- approaches. I suggest
    to evaluate these according to the above simple recipe - which is a simple,
    but often sufficient approach.



    SOA


    The 'loose coupling' paradigma of SOA gives rise to what is known as
    identity services - a set of services allowing applications to
    leverage identity information (with the ambiguity of what identity
    information actually is ). A few well known projects are bandit[1], OSIS[2]
    and Higgins[3], however, on a enterprise level, they might not be sufficient
    (depending on the actual regulations to be satisfied).


    Thus, without going into specifics (please do so), I currently cannot give you
    another hint than to wait - if possible.
    Large software manufacturers, such as IBM, Microsoft and Oracle,
    have or are on the way to build IAAS ("Identity as a Service")-frameworks,
    which may help to reduce effective costs of integration - have an eye on verified
    implementations of WS-Trust (OASIS approved[4a,4b]) in particular.


    Cheers


    [1] http://www.bandit-project.org/index....come_to_Bandit
    [2] http://osis.netmesh.org/wiki/Main_Page
    [3] http://www.eclipse.org/higgins/
    [4a] http://docs.oasis-open.org/ws-sx/ws-...spec-cs-01.htm
    [4b] http://www.ibm.com/developerworks/li...tion/ws-trust/
    Last edited by sec_ware; June 4th, 2007 at 09:55 PM.
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    A good finger print scanner that supports multiple users would work well but I think people would be hesitant to scan their prints all the time. They might think you will keep a copy of it or something.

    I would recommend using "smart cards" Xp has support for them built into the OS. :-)

Similar Threads

  1. Why I put Slackware on my Free BSD box
    By gore in forum *nix Security Discussions
    Replies: 22
    Last Post: December 8th, 2005, 06:53 PM
  2. Slack BSD
    By gore in forum Operating Systems
    Replies: 2
    Last Post: February 25th, 2005, 08:12 AM
  3. Suggestions on a Tutorial Draft
    By Irongeek in forum AntiOnline's General Chit Chat
    Replies: 7
    Last Post: August 9th, 2004, 10:48 PM
  4. ports
    By hatebreed2000 in forum AntiOnline's General Chit Chat
    Replies: 1
    Last Post: March 14th, 2003, 06:36 AM
  5. Denail Of Service FAQ
    By Ennis in forum The Security Tutorials Forum
    Replies: 4
    Last Post: November 15th, 2001, 07:42 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •