I suspect you'll want to talk with the Tivoli reps to see what they
can do for you.  As for management of the identities and third
parties, I suspect that a roll-your-own approach is just as good as
anything until you have more requirements.  There are a ton of vendors
that can help with that - just take a look in the IdM space (again,
Tivoli, Microsoft, Abridean, etc can all help there).  The
considerations for scalability and process are justified, but you'll
need to drive to some requirements.

I wouldn't get wrapped up in the possibilities as much as I would the
requirements at this stage (actually, I personally might, but that's
because I have no stamina when it comes to meetings :)


Once you find out what the requirements are, the rest might start to
make a lot more sense.  The administration model will be determined in
large part by the needs vs. the tools.  You'll just have to marry the
requirements to the tools is all, and since you have a large array of
tools to work with (.net, websphere, etc) you'll have a lot of
flexibility in how you solve this problem.  If you don't define the
requirements well enough, you'll know because you'll be chasing the
right solution forever and a day.

-ajm

On 4/28/06, Jef Kazimer <[EMAIL PROTECTED]> wrote:

Mylo,

Thanks for the information!

I have set up ADAM utilizing a custom web UI utilizing AZMan for a small
project before, but I have concerns about scalability.  The issues are not
with the ADAM instance at all, but the UI that is needed to manage ADAM.
ADSIedit is great for someone who understands the directory, but it's not
that user friendly for web application owners, helpdesk, etc.  This was for
a simple application of about 500 users, and it met their needs, but I don't
see this as a scalable solution from a global perspective.

This will be a backend data store that contains the user identity, but the
applications that utilize it will be of different flavors, from DMZ hosted
web apps to externally hosted apps.  The flavors of web apps will range
from WebSphere, ColdFusion, .NET and I suspect some PHP apps.

With AD, I guess I was thinking it has a well known support interface
(though I am sure I would need to customize anyway... so I'm not sure that
value is really there).  So I was expecting to maybe find 3rd parties that
do sit in front of this to manage the IDs stored. Though this could be AD or
ADAM, with ADAM being the most cost effective.  This looks like SiteMinder
might be a good solution to manage all of these environments, but I will need
to look into that.

I suppose I am getting ahead of myself, because I do not know the
requirements as of yet, and I'm making assumptions that could be totally off
the mark here.  I guess it's a new environment and I wanted to get some info
ahead of time before it was needed. :)

Thanks again!

Jef

________________________________

> Date: Fri, 28 Apr 2006 01:40:09 +0200
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>
> Jef,
>
> As Al pointed out, there are numerous products from vendors such as
> IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing
> web-based authentication/authorisation in front of AD. Since from a
> design point-of-view it's generally not a good idea to stick AD too
> close to the Internet, often these solutions comprise a presentation
> tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks
> into your business logic (e.g. middleware) or your data tier (e.g.
> LDAP/AD/SQL) ... if you want to look at this from an MS purist
> perspective then I'd suggest having a look at n-Tier solutions within
> the MSDN area. Although this has a more developer emphasis than you'll
> probably want, it gives a good insight into how Internet authentication
> works, particularly .NET as well as older products such as Site
> Server/Commerce.
>
> Try googling on Authorization Manager (AZMan) to give a good example of
> how a role-based management approach (assuming a web tier) with an AD
> backend would work..... Also look at ADAM as an initial 'point' solution
> for Internet usage rather than AD alone.
>
> You also mentioned self-registration and this kicks off an entirely
> different thread (in my mind anyway)...
>
> 1. What are you providing access to?
> 2. Whom are you registering and for what?
> 3. What authentication mechanism do you wish to use (username/password,
> certs, OTP)?
> 4. Do you need to provide some form of authorisation once authenticated
> as well? What form does this need to take?
>
> Hope this helps.
>
> Regards,
> Mylo
>
> if you need an initial
>
> Jef Kazimer wrote:
>
> >Al,
> >
> >I apologize, as I am going only on what little information I have.  I guess
> >I was trying to do some pre-meeting recon work since I had seen it mentioned
> >here about 25mil internet users for some people.  I had assumed there might
> >be some scenario documentation for such a thing.
> >
> >I will know more after the meeting of course, so I'll see if I can explain
> >myself better.
> >
> >I understand directory design for an enterprise, but have never done so for
> >an internet instance that would have self registration.  I suspect there are
> >some different lessons learned from that scenario so was curious.
> >
> >Thanks,
> >
> >Jef
> >
> >>Date: Thu, 27 Apr 2006 15:31:33 -0400
> >>From: [EMAIL PROTECTED]
> >>To: [email protected]
> >>Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
> >>
> >>That's not a lot to go on, Jef. Can you give some more information?
> >>
> >>For example, these public internet sites? Are they web only? What type
> >>of authentication is needed? What were your plans for authorization? Are
> >>you planning to use something like SiteMinder or Tivoli or ?? to help
> >>you deal with authorization if using web sites?
> >>
> >>Al
> >>
> >>On 4/26/06, Jef Kazimer <[EMAIL PROTECTED]> wrote:
> >>
> >> > Ok, here is something I'm just starting to research, and I thought
> >> > maybe someone here has some pointers or a direction they can steer
> >> > me in.
> >> >
> >> > We are looking at a potential consolidated directory/database to
> >> > contain user registrations (self registration and possible bulk load)
> >> > for multiple public internet sites for products of our company.
> >> >
> >> > I was wondering if there are any published scenarios that address
> >> > this solution as a starting point for consideration.  We are thinking
> >> > of using a public AD forest as the potential repository, but I am
> >> > curious if there are any lessons learned when designing such a
> >> > scenario.
> >> >
> >> > Thanks,
> >> >
> >> > Jef
> >
> >List info   : http://www.activedir.org/List.aspx
> >List FAQ    : http://www.activedir.org/ListFAQ.aspx
> >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/