Maybe I'm not seeing the big picture of how this can be done with website redirection. Is it just a matter of making one mutual user account on both my web server and the third party portal server that is trusted by both machines and using that account to pass the web traffic after the users authenticate to my site?
My ultimate goal is to keep my risk and exposure of user names/passwords/authentication to the bare minimum and still get the desired effect of not maintaining two user names/passwords per user. It's not that the third party isn't trusted as much as they aren't careful or vigilant in their security configurations, and we have no control over that situation. We are trying to keep the attack surface coming from their side as small as possible because we are required to make the portal work for our users. I think I have a grasp on how reverse proxy web publishing can achieve this and still keep everything encrypted and semi-secure using certificates.

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Friday, January 21, 2005 3:30 AM
To: [email protected]
Subject: Re: [ActiveDir] LDAP export pros/cons

Haven't worked that much on 3rd party integrations..... but have an idea.
Can you try to do authentication redirection to that site -> I mean, instead of people going to the 3rd party site for authentication --> can they come to your own website, get authenticated through your LDAP or RSA server, and get redirected to the desired locations?

Regards,
Chandra

On Thu, 20 Jan 2005 23:54:28 -0500, joe <[EMAIL PROTECTED]> wrote:
> Ditto. Whoever is running that web site gets to see all of the clear
> text passwords for every user that authenticates. I would say that is
> giving out a bit more info to the third party than you would normally like to supply.
> Heck, I don't even like doing that on intranet sites run by people in
> the same company, let alone someone outside of the company. Sort of on
> par with saying, hi, here are my most sensitive parts, and giving them
> to a third party and asking them to be nice to them.
>
> joe
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, January 20, 2005 6:54 PM
> To: '[email protected]'
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Interesting. I may just not understand what you have in mind.
>
> I would agree, but I'm leery of LDAP bind for authentication in this
> scenario. In addition, it seems that it would not really provide the
> full amount of usefulness to the solution, since the user has to also
> remember a different set of creds if they use this portal with dual
> IDs. Am I just misunderstanding, or were you thinking of something different?
>
> Al
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> Sent: Thursday, January 20, 2005 4:44 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Here's a common scenario, where an application like the web portal
> outsources authentication to an external directory but retains
> authorization.... Your user hits the web portal and gets a prompt for
> her login ID and password. She enters that information and hits the OK
> button, and your portal then attempts to do an authenticated bind to
> the user's object in the LDAP directory, using the submitted ID and
> password. If the bind is successful, then the LDAP directory returns a
> successful acknowledgement to the portal. The portal hears that the
> user ID and password are correct, so the portal can then present the
> user with the appropriate content based on the portal permissions assigned to her account.
>
> The key here is that there has to be a common identifier in the portal
> and LDAP directory, so that the user gets the right stuff (based on
> the authorization in the portal) as a result of a successful LDAP
> "login" (based on the LDAP authentication). Typically the common
> identifier is the logon ID, so that the portal knows that a successful
> LDAP bind to jane.doe should be associated with the jane.doe object in the portal.
>
> It would be a good idea to ask what specific attributes the portal is
> looking for, or even the syntax of the LDAP queries they hope to issue.
>
> Hunter
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> Sent: Thursday, January 20, 2005 2:05 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> I understand what you are saying and agree. On the same topic, what
> do you suggest is the best practice for having users authenticate to a
> third party web portal? Is it better to set up a one-way
> non-transitive trust between the two forests or domains, or go with an
> LDAP export, assuming this is going to be a long term solution? The
> only thing we are trying to do is to allow our users to log into the
> third party web portal without having to learn an additional user name
> & password. I do not want to give out any more information than that
> about my users.
>
> Thanks for the quick responses.
>
> R-
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, January 20, 2005 2:27 PM
> To: '[email protected]'
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Not sure there are any documented risks. Risks being relational to
> the entity taking them.
>
> However, as a disinterested third party, I'd have to point out that the
> risk is not technical in nature but rather about the information you're sharing.
> I suppose the information you give out is far more important to the
> conversation, but it seems you don't know these folks nor trust them really.
> If that's the case, then it's possible you could be giving out the
> account information to a non-trusted source.
>
> The questions you need to ask are "what can they do with the
> information I provide, and can I take any action to protect myself?"
>
> Some folks wouldn't have a problem giving out that information.
> Others would. You'll need to assess that risk based on the
> information you plan to give out.
>
> Email addresses are a unique identifier, by the way. And usually
> public knowledge.
> ________________________________
> From: Robert N. Leali [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> Sent: Thursday, January 20, 2005 3:18 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> That's correct. Looking for risks associated ....
>
> ________________________________
> From: [EMAIL PROTECTED] on behalf of Mulnick, Al
> Sent: Thu 1/20/2005 2:05 PM
> To: '[email protected]'
> Subject: RE: [ActiveDir] LDAP export pros/cons
>
> Are you looking for risks associated with giving your directory away
> to a semi-trusted third party? Did I paraphrase that correctly?
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> Sent: Thursday, January 20, 2005 3:01 PM
> To: [email protected]
> Subject: [ActiveDir] LDAP export pros/cons
>
> Can someone point me to a white paper or article that gives the pros
> and cons and security implications of allowing a semi-trusted
> third-party to access our AD with an LDAP export to an RSA server?
>
> We are being asked to allow our users to authenticate to a third party
> web portal using their current Windows 2003 AD accounts. The third
> party wants an LDAP export to their RSA server and an account that
> has appropriate access to allow authentication to the AD box. This is
> in an extranet environment.
>
> Any guidance or advice would be appreciated.
>
> Robert
> ----
> The information contained in this e-mail transmittal, including any
> attached document(s), is confidential. The information is intended only
> for the use of the named recipient. If you are not the named recipient,
> you are hereby notified that any use, disclosure, copying, or
> distribution of the contents hereof is strictly prohibited.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
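The "authenticate by LDAP bind, authorize in the portal" flow that Hunter describes, written out as an added Python example (this is not code from anyone in the thread, nor from any vendor's portal). It shows the two portal-side checks a practitioner would want around that flow: the logon ID is validated and escaped per RFC 4515 before it can appear in a search filter (Hunter's point about asking what queries the vendor will issue), and an empty password is refused before the bind, because a name with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many directories, Active Directory included, report as a success. The realm `CORP.EXAMPLE`, the `FakeDirectory` stand-in, the sample account and the `PORTAL_ROLES` table are all constructed so the example runs offline; in production the `bind` callable would wrap an LDAP client library over TLS. Note that whichever side runs this code sees the clear-text password, which is joe's objection and why Chandra suggests doing the authentication on your own site and redirecting.

```python
"""Portal-side 'authenticate by LDAP simple bind' check (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Only plain logon IDs reach the directory; anything else is refused up front.
LOGON_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    '*', '(', ')', '\\' and NUL become \\XX hex escapes, and non-ASCII characters
    are escaped byte-wise as UTF-8, so a user-supplied ID can never alter the filter.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_search_filter(logon_id: str) -> str:
    """Filter the portal would use to locate the user's object by the common
    identifier. sAMAccountName is assumed here; confirm the attribute with the vendor."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(logon_id)


@dataclass
class AuthResult:
    ok: bool
    reason: str
    logon_id: Optional[str] = None   # the common identifier shared with the portal


def authenticate(logon_id: str, password: str,
                 bind: Callable[[str, str], bool], realm: str) -> AuthResult:
    """Authenticate by simple bind. `bind(name, password)` is any adapter that performs
    the bind; the password is used once here and is never stored or logged."""
    if not LOGON_ID_RE.fullmatch(logon_id):
        return AuthResult(False, "malformed logon id")
    if password == "":
        # RFC 4513 section 5.1.2: a name with an empty password is an *unauthenticated*
        # bind. Many servers, Active Directory included, answer it with success, so a
        # portal that only checks "did the bind succeed" would let anyone in.
        return AuthResult(False, "empty password refused")
    bind_name = "%s@%s" % (logon_id, realm)      # UPN form; realm is an assumption
    try:
        ok = bind(bind_name, password)
    except OSError:
        return AuthResult(False, "directory unavailable")
    if not ok:
        return AuthResult(False, "invalid credentials")
    return AuthResult(True, "bind succeeded", logon_id=logon_id.lower())


# Constructed portal-side permission table, keyed by the common identifier.
PORTAL_ROLES: Dict[str, Set[str]] = {"jane.doe": {"reports", "invoices"}}


def portal_permissions(result: AuthResult) -> Set[str]:
    """Authorization stays with the portal: look up the identifier the bind confirmed."""
    if not result.ok or result.logon_id is None:
        return set()
    return set(PORTAL_ROLES.get(result.logon_id, ()))


class FakeDirectory:
    """Constructed stand-in for the directory so the example runs offline.
    It reproduces the unauthenticated-bind behaviour described above."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self._accounts = accounts              # bind name -> password (demo only)

    def bind(self, name: str, password: str) -> bool:
        if password == "":
            return True                        # unauthenticated bind "succeeds"
        return self._accounts.get(name) == password


if __name__ == "__main__":
    directory = FakeDirectory({"jane.doe@CORP.EXAMPLE": "correct horse"})
    for user, pw in [("jane.doe", "correct horse"), ("jane.doe", "wrong"),
                     ("jane.doe", ""), ("jane*doe", "x")]:
        r = authenticate(user, pw, directory.bind, "CORP.EXAMPLE")
        print(user, "->", r.reason, sorted(portal_permissions(r)))
```

The empty-password guard matters more than it looks: `FakeDirectory.bind` returns `True` for an empty password exactly as a real server performing an unauthenticated bind would, and only the check in `authenticate` stands between that and a logged-in session.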
