Precisely......unless I am dreaming ;-)
On Fri, 21 Jan 2005 07:41:11 -0600, Robert N. Leali <[EMAIL PROTECTED]> wrote:
> Maybe I'm not seeing the big picture of how this can be done with website
> redirection. Is it just a matter of making one mutual user account on
> both my web server and the third party portal server that is trusted by
> both machines and using that account to pass the web traffic after the
> users authenticate to my site?
>
> My ultimate goal is to keep my risk and exposure of user names/
> passwords/ authentication to the bare minimum and still get the desired
> effect of not maintaining two user names/passwords per user. It's not
> that the third party isn't trusted as much as they aren't careful or
> vigilant in their security configurations and we have no control over
> that situation. We are trying to keep the attack surface coming from
> their side as small as possible because we are required to make the
> portal work for our users.
>
> I think I have a grasp on how a reverse proxy web publishing can achieve
> this and still keep everything encrypted and semi-secure using
> certificates.
>
> R-
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: Friday, January 21, 2005 3:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] LDAP export pros/cons
>
> Not worked that much on the 3rd party integrations.....but have an idea
>
> Can you try to do Authentication re-directions to that site -> I mean
> instead of people going to the 3rd party site for authentication --> can
> they come to your own website and get authenticated through your LDAP or
> RSA server and get re-directed to the desired locations.
>
> Regards,
> Chandra
>
> On Thu, 20 Jan 2005 23:54:28 -0500, joe <[EMAIL PROTECTED]> wrote:
> > Ditto. Whoever is running that web site gets to see all of the clear
> > text passwords for every user that authenticates. I would say that is
> > giving out a bit more info to the third party than you would normally
> > like to supply.
> > Heck, I don't even like doing that on intranet sites run by people in
> > the same company, let alone someone outside of the company. Sort of on
> > par with saying, hi, here are my most sensitive parts, and giving them
> > to a third party and asking them to be nice to them.
> >
> > joe
> > ________________________________
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Thursday, January 20, 2005 6:54 PM
> > To: 'ActiveDir@mail.activedir.org'
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> >
> > Interesting. I may just not understand what you have in mind.
> >
> > I would agree, but I'm leery of LDAP bind for authentication in this
> > scenario. In addition, it seems that it would not really provide the
> > full amount of usefulness to the solution since the user has to also
> > remember a different set of creds if they use this portal with dual
> > id. Am I just misunderstanding, or were you thinking of something
> > different?
> >
> > Al
> > ________________________________
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> > Sent: Thursday, January 20, 2005 4:44 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> >
> > Here's a common scenario, where an application like the web portal
> > outsources authentication to an external directory but retains
> > authorization....your user hits the web portal and gets a prompt for
> > her login ID and password. She enters that information and hits the OK
> > button, and your portal then attempts to do an authenticated bind to
> > the user's object in the LDAP directory, using the submitted ID and
> > password. If the bind is successful, then the LDAP directory returns a
> > successful acknowledgement to the portal. The portal hears that the
> > user ID and password are correct, so the portal can then present the
> > user with the appropriate content based on the portal permissions
> > assigned to her account.
> >
> > The key here is that there has to be a common identifier in the portal
> > and LDAP directory, so that the user gets the right stuff (based on
> > the authorization in the portal) as a result of a successful LDAP
> > "login" (based on the LDAP authentication). Typically the common
> > identifier is the logon ID, so that the portal knows that a successful
> > LDAP bind to jane.doe should be associated with the jane.doe object in
> > the portal.
> >
> > It would be a good idea to ask what specific attributes the portal is
> > looking for, or even the syntax of the LDAP queries they hope to
> > issue.
> >
> > Hunter
> > ________________________________
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> > Sent: Thursday, January 20, 2005 2:05 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> >
> > I understand what you are saying and agree. On the same topic, what
> > do you suggest is the best practice for having users authenticate to a
> > third party web portal? Is it better to set up a one-way
> > non-transitive trust between the two forests or domains, or go with an
> > LDAP export, assuming this is going to be a long term solution? The
> > only thing we are trying to do is to allow our users to log into the
> > third party web portal without having to learn an additional user name
> > & password. I do not want to give out any more information than that
> > about my users.
> >
> > Thanks for the quick responses.
> >
> > R-
> > ________________________________
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Thursday, January 20, 2005 2:27 PM
> > To: 'ActiveDir@mail.activedir.org'
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> >
> > Not sure there are any documented risks. Risks being relational to
> > the entity taking them.
> >
> > However, as a disinterested third party I'd have to point out that the
> > risk is not technical in nature but rather about the information
> > you're sharing.
> > I suppose the information you give out is far more important to the
> > conversation, but it seems you don't know these folks nor trust them
> > really.
> > If that's the case, then it's possible you could be giving out the
> > account information to a non-trusted source.
> >
> > The questions you need to ask are "what can they do with the
> > information I provide and can I take any action to protect myself?"
> >
> > Some folks wouldn't have a problem giving out that information.
> > Others would. You'll need to assess that risk based on the
> > information you plan to give out.
> >
> > Email addresses are a unique identifier, by the way. And usually
> > public knowledge.
> > ________________________________
> > From: Robert N. Leali [mailto:[EMAIL PROTECTED] On
> > Behalf Of Robert N. Leali
> > Sent: Thursday, January 20, 2005 3:18 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> >
> > That's correct. Looking for risks associated ....
> >
> > ________________________________
> > From: [EMAIL PROTECTED] on behalf of Mulnick, Al
> > Sent: Thu 1/20/2005 2:05 PM
> > To: 'ActiveDir@mail.activedir.org'
> > Subject: RE: [ActiveDir] LDAP export pros/cons
> >
> > Are you looking for risks associated with giving your directory away
> > to a semi-trusted third party? Did I paraphrase that correctly?
> >
> > Al
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
> > Sent: Thursday, January 20, 2005 3:01 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] LDAP export pros/cons
> >
> > Can someone point me to a white paper or article that gives the pros
> > and cons and security implications of allowing a semi-trusted
> > third party to access our AD with an LDAP export to an RSA server?
> >
> > We are being asked to allow our users to authenticate to a third party
> > web portal using their current Windows 2003 AD accounts. The third
> > party wants an LDAP export to their RSA server and an account that
> > has appropriate access to allow authentication to the AD box. This is
> > in an extranet environment.
> >
> > Any guidance or advice would be appreciated.
> >
> > Robert
> > ----
> > The information contained in this e-mail transmittal, including any
> > attached document(s), is confidential. The information is intended only
> > for the use of the named recipient. If you are not the named recipient,
> > you are hereby notified that any use, disclosure, copying, or
> > distribution of the contents hereof is strictly prohibited.
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/