Re: Web single sign-on

From: Eric Rostetter (
Date: 12/09/02

  • Next message: Dan Kaminsky: "Re: Web single sign-on"
    Date: Mon,  9 Dec 2002 13:24:07 -0600
    From: Eric Rostetter <>
    To: Marty <>

    Quoting Marty <>:

    > We have a big discussion going on at one of my clients as we are about
    > to add an Internet portal to several applications. We are looking at
    > implementing a single sign-on (SSO) solution for our web applications.

    Good idea.

    > 1- Should we buy an already made up single sign-on solution or build one
    > in house?

    Or use an existing opensource solution.
    > We've met with the people from Tivoli and Computers associates already.
    > Other suggestions?

    Nope. Lots out there.

    > 2- What if we go for a temporary in-house solution for next year and get
    > stuck with it as the portal and the number of applications starts
    > growing?

    Then you need to make sure the in-house solution you pick, even if only
    meant to be temporary, is flexible and extensible.

    > My concern here is the potential of risk being blamed by the auditors
    > about an in-house development vs a well known product.

    I wouldn't worry about that. Either cen be secure/insecure, cheap/expensive,
    easy/hard to maintain, etc. No clear advantage either way without knowing
    your extact setup (manpower available, skill level, etc).

    > The number of users of the portal will grow in the ten of thousands by
    > the end of next year. Robustness of the solution should also be a main
    > factor.

    Yes, but that doesn't affect the choice of in-house/opensource/commercial.

    > The security of the project is taken care of by firewall, access list,
    > DMZ etc.

    Well, I'd sure not depend on only that. Build security into everything,
    including the single-signon. Security through depth.

    > The number of different application is already up to ten and the portal
    > is not even built yet. The deployment of the appliactions (all web
    > based) should start as early as march 2003.


    > Pre-requisites : We have to work with the fact that the environment is
    > IBM Websphere servers and the fact that we are already using LDAP for
    > authentication on some applications. No comments on that part please, we
    > have to live with it...

    Look at commerical apps and opensource apps (like Horde at
    and see if anything meets your needs. If not, then go in-house.

    > Thanks!
    > Marty

    Eric Rostetter
    The Department of Physics
    The University of Texas at Austin
    Why get even? Get odd!

    Relevant Pages

    • Re: Sharing Code
      ... I simply followed the steps that someone suggest of referencing the DLL. ... If I do that with all applications, then updating or fixing the DLL will require exactly zero steps to ensure all applications are upgraded to the new version. ... The biggest issue I run into is upgrading the library and then making sure every application uses the newest version. ... But for me, particularly for in-house stuff, only one of these issues is a concern. ...
    • Re: GNU
      ... Ben Hochstrasser wrote: ... > applications don't fall in this category ... But even in-house, you'll have to give people using your binary ... the source on request. ...
    • Application Encryption
      ... Are people who write software for clients (as opposed to in-house use) ... encrypting their applications, and what is the general state of password ... protected encrypted applications or even applications that cannot be ...
    • [NEWS] Advanced Application-Level OS Fingerprinting: Practical Approaches and Examples
      ... Get your security news from a reliable source. ... Dan presents an alternate approach to application-level OS fingerprinting. ... cross-platform applications which result in OS-dependant responses. ... As a part of a default Apache ...
    • Re: Active Directory/HIPPA Question
      ... The client ... > roll out AD when their top priority this year is securing the applications ... Security is one of the biggest reasons. ... ESPECIALLY if you have 800 remote offices. ...