Re: Web single sign-on

From: Eric Rostetter (
Date: 12/09/02

  • Next message: Dan Kaminsky: "Re: Web single sign-on"
    Date: Mon,  9 Dec 2002 13:24:07 -0600
    From: Eric Rostetter <>
    To: Marty <>

    Quoting Marty <>:

    > We have a big discussion going on at one of my clients as we are about
    > to add an Internet portal to several applications. We are looking at
    > implementing a single sign-on (SSO) solution for our web applications.

    Good idea.

    > 1- Should we buy an already made up single sign-on solution or build one
    > in house?

    Or use an existing opensource solution.
    > We've met with the people from Tivoli and Computers associates already.
    > Other suggestions?

    Nope. Lots out there.

    > 2- What if we go for a temporary in-house solution for next year and get
    > stuck with it as the portal and the number of applications starts
    > growing?

    Then you need to make sure the in-house solution you pick, even if only
    meant to be temporary, is flexible and extensible.

    > My concern here is the potential of risk being blamed by the auditors
    > about an in-house development vs a well known product.

    I wouldn't worry about that. Either cen be secure/insecure, cheap/expensive,
    easy/hard to maintain, etc. No clear advantage either way without knowing
    your extact setup (manpower available, skill level, etc).

    > The number of users of the portal will grow in the ten of thousands by
    > the end of next year. Robustness of the solution should also be a main
    > factor.

    Yes, but that doesn't affect the choice of in-house/opensource/commercial.

    > The security of the project is taken care of by firewall, access list,
    > DMZ etc.

    Well, I'd sure not depend on only that. Build security into everything,
    including the single-signon. Security through depth.

    > The number of different application is already up to ten and the portal
    > is not even built yet. The deployment of the appliactions (all web
    > based) should start as early as march 2003.


    > Pre-requisites : We have to work with the fact that the environment is
    > IBM Websphere servers and the fact that we are already using LDAP for
    > authentication on some applications. No comments on that part please, we
    > have to live with it...

    Look at commerical apps and opensource apps (like Horde at
    and see if anything meets your needs. If not, then go in-house.

    > Thanks!
    > Marty

    Eric Rostetter
    The Department of Physics
    The University of Texas at Austin
    Why get even? Get odd!