I've seen that single sign-on implemented using a tiered approach. Based on the level of security required, the logon page will either prompt for user credentials based on their Active Directory profile, or use RSA SecurID. In general I haven't seen too many drawbacks with using this approach or having a single logon page served across all the enterprise applications.
On Thu, Mar 24, 2011 at 7:38 PM, Zate <[email protected]> wrote:
> I haven't tested against an SSO for a few years but the last one I looked at
> was SiteMinder and I found out if developers mixed http and https across
> applications it was possible to capture the session details from a http
> request and replay them to access other resources on the same or other
> applications. This may have been fixed, I haven't looked at it recently.
>
> Zate
>
> On Thu, Mar 24, 2011 at 9:13 AM, Todd Haverkos <[email protected]> wrote:
>
>> Alex Manchester <[email protected]> writes:
>>
>> > I have been tasked with researching potential compliance concerns
>> > regarding implementing a single sign-on solution.
>> > The majority of the information has been relatively positive such as
>> > providing centralized user and log management.
>> > Other than ensuring the security and minimum strength requirements of
>> > the master password, are there other concerns anybody else has faced with
>> > implementing or researching an SSO solution?
>>
>> One issue I've seen in single sign-ons in large organizations is that
>> just about anyone can stand up an internal web server that looks to
>> hook into the single sign-on API and herds of users (who are used to
>> providing that one magical credential) are happy to type it in just
>> about anywhere.
>>
>> Without some sort of one-time password integrated, this can make
>> single sign-on tantamount to an authentication monoculture with its
>> attendant weaknesses.
>>
>> I have no silver bullet here other than foisting unpopular 2-factor
>> auth on people (insert joke about RSA's current woes here), but it's a
>> risk to be aware of at least. The benefits of SSO still generally
>> outweigh warts like this.
>>
>> --
>> Todd Haverkos, LPT MsCompE
>> http://haverkos.com/
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
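The mixed http/https condition Zate describes comes down to where the SSO session cookie is allowed to travel: a session cookie issued without the Secure attribute, or scoped to a parent domain that also hosts plain-http applications, will be resent by the browser in the clear. The script below is an added example written for this thread, not code from the list, from SiteMinder or from any SSO vendor. It audits the Set-Cookie headers that SSO-protected applications return and reports the conditions a defender would want to find first. The cookie name SSO_SESSION, the example.test hosts and the sample responses are all constructed.

```python
# Added example, not from the thread: audit the Set-Cookie headers that
# SSO-protected applications return, looking for the mixed http/https
# condition under which a session cookie can be captured from a plain-http
# request. Cookie name SSO_SESSION and the example.test hosts are constructed.
from urllib.parse import urlparse

# Constructed: names of cookies that carry the SSO session (adjust per product).
SESSION_COOKIE_NAMES = {"SSO_SESSION"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Flag attributes without a value (Secure, HttpOnly) map to True; keys are
    lower-cased because attribute names are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_response(url, set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return (severity, cookie_name, message) tuples for one HTTP response."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    issues = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        if scheme != "https":
            # The cookie itself travels in the clear on this response.
            issues.append(("high", name, f"issued over plain http by {url}"))
        if "secure" not in attrs:
            # Without Secure the browser will resend it to any http URL on the
            # cookie's domain, which is the replay condition from the thread.
            issues.append(("high", name,
                           "missing Secure attribute; browser will send it over http"))
        if "httponly" not in attrs:
            issues.append(("medium", name,
                           "missing HttpOnly attribute; readable by page script"))
        domain = attrs.get("domain")
        if isinstance(domain, str) and domain.lstrip(".").lower() != host:
            # Parent-domain scope is what makes SSO work, but it also means one
            # http-only application on that domain exposes everyone's session.
            issues.append(("info", name,
                           f"scoped to {domain}; every host under it must be https"))
    return issues


def audit_all(responses):
    """Map each response URL to its findings, skipping clean responses."""
    report = {}
    for resp in responses:
        issues = audit_response(resp["url"], resp["set_cookie"])
        if issues:
            report[resp["url"]] = issues
    return report


# Constructed sample responses from two applications behind the same SSO.
SAMPLE_RESPONSES = [
    {"url": "https://portal.example.test/login",
     "set_cookie": ["SSO_SESSION=abc123; Path=/; Domain=.example.test; Secure; HttpOnly"]},
    {"url": "http://legacy.example.test/report",
     "set_cookie": ["SSO_SESSION=abc123; Path=/; Domain=.example.test",
                    "theme=dark; Path=/"]},
]

if __name__ == "__main__":
    for url, issues in audit_all(SAMPLE_RESPONSES).items():
        print(url)
        for severity, name, message in issues:
            print(f"  [{severity}] {name}: {message}")
```

In practice the input would be the Set-Cookie headers collected from each application's login response; the parent-domain finding is informational on purpose, since a domain-wide cookie is how the SSO shares the session, and the point is that every host under that domain then has to be https.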
