Not worked that much on the 3rd party integrations... but have an idea. Can you try to do authentication redirections to that site? I mean, instead of people going to the 3rd party site for authentication, can they come to your own website, get authenticated through your LDAP or RSA server, and get redirected to the desired locations?
Regards,
Chandra

On Thu, 20 Jan 2005 23:54:28 -0500, joe <[EMAIL PROTECTED]> wrote:
> Ditto. Whoever is running that web site gets to see all of the clear text
> passwords for every user that authenticates. I would say that is giving out
> a bit more info to the third party than you would normally like to supply.
> Heck, I don't even like doing that on intranet sites run by people in the
> same company, let alone someone outside of the company. Sort of on par with
> saying, hi, here are my most sensitive parts, and giving them to a third
> party and asking them to be nice to them.
>
> joe
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, January 20, 2005 6:54 PM
> To: '[email protected]'
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Interesting. I may just not understand what you have in mind.
>
> I would agree, but I'm leery of LDAP bind for authentication in this
> scenario. In addition, it seems that it would not really provide the full
> amount of usefulness to the solution, since the user has to also remember a
> different set of creds if they use this portal with dual ID. Am I just
> misunderstanding, or were you thinking of something different?
>
> Al
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> Sent: Thursday, January 20, 2005 4:44 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Here's a common scenario, where an application like the web portal
> outsources authentication to an external directory but retains
> authorization: your user hits the web portal and gets a prompt for her
> login ID and password. She enters that information and hits the OK button,
> and your portal then attempts to do an authenticated bind to the user's
> object in the LDAP directory, using the submitted ID and password. If the
> bind is successful, then the LDAP directory returns a successful
> acknowledgement to the portal. The portal hears that the user ID and
> password are correct, so the portal can then present the user with the
> appropriate content based on the portal permissions assigned to her account.
>
> The key here is that there has to be a common identifier in the portal and
> LDAP directory, so that the user gets the right stuff (based on the
> authorization in the portal) as a result of a successful LDAP "login" (based
> on the LDAP authentication). Typically the common identifier is the logon
> ID, so that the portal knows that a successful LDAP bind to jane.doe should
> be associated with the jane.doe object in the portal.
>
> It would be a good idea to ask what specific attributes the portal is
> looking for, or even the syntax of the LDAP queries they hope to issue.
>
> Hunter
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> Sent: Thursday, January 20, 2005 2:05 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> I understand what you are saying and agree. On the same topic, what do you
> suggest is the best practice for having users authenticate to a third party
> web portal? Is it better to set up a one-way non-transitive trust between
> the two forests or domains, or go with an LDAP export, assuming this is going
> to be a long term solution? The only thing we are trying to do is to allow
> our users to log into the third party web portal without having to learn an
> additional user name & password. I do not want to give out any more
> information than that about my users.
>
> Thanks for the quick responses.
>
> R-
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, January 20, 2005 2:27 PM
> To: '[email protected]'
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Not sure there are any documented risks. Risks being relational to the
> entity taking them.
>
> However, as a disinterested third party, I'd have to point out that the risk
> is not technical in nature but rather about the information you're sharing.
> I suppose the information you give out is far more important to the
> conversation, but it seems you don't know these folks nor trust them really.
> If that's the case, then it's possible you could be giving out the account
> information to a non-trusted source.
>
> The questions you need to ask are "what can they do with the information I
> provide, and can I take any action to protect myself?"
>
> Some folks wouldn't have a problem giving out that information. Others
> would. You'll need to assess that risk based on the information you plan to
> give out.
>
> Email addresses are a unique identifier, by the way. And usually public
> knowledge.
> ________________________________
> From: Robert N. Leali [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> Sent: Thursday, January 20, 2005 3:18 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> That's correct. Looking for risks associated ....
>
> ________________________________
> From: [EMAIL PROTECTED] on behalf of Mulnick, Al
> Sent: Thu 1/20/2005 2:05 PM
> To: '[email protected]'
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Are you looking for risks associated with giving your directory away to a
> semi-trusted third party? Did I paraphrase that correctly?
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> Sent: Thursday, January 20, 2005 3:01 PM
> To: [email protected]
> Subject: [ActiveDir] LDAP export pros/cons
>
> Can someone point me to a white paper or article that gives the pros and
> cons and security implications of allowing a semi-trusted third-party to
> access our AD with an LDAP export to an RSA server?
>
> We are being asked to allow our users to authenticate to a third party web
> portal using their current Windows 2003 AD accounts. The third party wants
> an LDAP export to their RSA server and an account that has appropriate
> access to allow authentication to the AD box. This is in an extra-net
> environment.
>
> Any guidance or advice would be appreciated.
>
> Robert
> ----
> The information contained in this e-mail transmittal, including any attached
> document(s), is confidential. The information is intended only for the use of
> the named recipient. If you are not the named recipient, you are hereby
> notified that any use, disclosure, copying, or distribution of the contents
> hereof is strictly prohibited.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
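The redirect-based alternative Chandra sketches, combined with the common-identifier mapping Hunter describes, as an added Python example that is not part of this thread: the organization's own site checks the password (a constructed in-memory table stands in for the LDAP or RSA bind), then hands the browser a signed, short-lived assertion carrying only the logon ID; the portal verifies the signature and expiry and applies its own permissions, so the third party never sees the password. The shared secret, token lifetime, credential table and permission table are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a secret shared only by the organization's login site and the
# portal, a token lifetime, a stand-in for the LDAP/RSA credential check, and the
# portal's own authorization table keyed by the common logon ID.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL = 300
LOCAL_CREDENTIALS = {"jane.doe": "correct horse battery staple"}
PORTAL_PERMISSIONS = {"jane.doe": ["reports", "timesheets"]}

def authenticate_locally(logon_id, password):
    """Organization side: the password is checked here and never leaves this site."""
    expected = LOCAL_CREDENTIALS.get(logon_id)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def issue_assertion(logon_id, now=None):
    """Organization side: signed claim of who logged in, valid for TOKEN_TTL seconds."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"sub": logon_id, "exp": now + TOKEN_TTL}, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_assertion(token, now=None):
    """Portal side: return the common identifier only if signature and expiry hold."""
    now = int(time.time() if now is None else now)
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(payload)
    except ValueError:  # malformed token: bad split, base64 or JSON
        return None
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected) or claims.get("exp", 0) < now:
        return None
    return claims.get("sub")

def portal_login(token, now=None):
    """Portal side: map the asserted logon ID to the portal's own permissions."""
    logon_id = verify_assertion(token, now)
    return None if logon_id is None else PORTAL_PERMISSIONS.get(logon_id, [])

def login_via_redirect(logon_id, password):
    # Whole flow: local check, then redirect to the portal carrying only the assertion.
    if not authenticate_locally(logon_id, password):
        return None  # user stays on the organization's site; nothing is sent onward
    return portal_login(issue_assertion(logon_id))
```

A shared HMAC key is used for brevity; since it lets the portal mint assertions too, a real deployment would sign with a key only the organization holds (an asymmetric signature, as in SAML or OpenID Connect), and would add a nonce or audience check against replay.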
