Agreed for the most part.  However, to the "end users" this gives them the 
perception that this is SSO.  The "minimal additional security" part can be 
debated.  Most companies I've worked in (commercial and government) have users 
storing credentials in spreadsheets, in notepad files, in sticky notes (all of 
the common security issues I'm sure others have seen).  Additionally, I've seen 
where the password policies are documented but not enforced.

At least with the Passlogix product set it does provide the password management 
capability to simulate the SSO process to the end users, centrally and securely 
store the credentials (supports major encryption algorithms such as AES, Blowfish, 
etc.), and supports CAC authentication systems.  The application also works 
with the majority of applications and doesn't require any modification of the 
application itself.

Is this true SSO?  I would say not because true SSO would have applications 
accepting authentication from a single authentication authority and until the 
industry and product vendors can work together on a standard integration it 
will be hard to achieve.  Applications from vendors like Passlogix make it 
easier to simulate an SSO environment.

So whenever I hear about SSO integration I think there is a bigger question to 
be answered here, and that is: do I implement a solution to meet the requirements 
of one application (and then have to do this every time an application wants 
SSO), or do I provide a solution that would work for a majority of the 
applications that the end users are using and would provide the additional security 
that auditors would be looking for?

Just my .02.

Scott
________________________________
From: Action Request System discussion list(ARSList) [EMAIL PROTECTED] On 
Behalf Of Jason [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2008 12:44 PM
To: arslist@ARSLIST.ORG
Subject: Re: SSO & CAC Authentication

Passlogix provides a password management system. It is no more secure than the 
automatic authentication processes we've already discussed. It is merely a 
program that stores the end users' username and password for individual 
websites and applications and sends it to the appropriate application when 
activated. While you can use CAC authentication to access the stored 
information, it doesn't make the CAC required to access Remedy. These types of 
applications only provide ease of use for the end user and minimal additional 
security by encouraging more complex passwords.

________________________________
From: Scott Hammons <[EMAIL PROTECTED]>
To: arslist@ARSLIST.ORG
Sent: Wednesday, December 3, 2008 7:12:31 PM
Subject: Re: SSO & CAC Authentication

All,

There are products out there that will meet the DOD requirements.  One of the 
industry leaders in the SSO market is Passlogix and they support CAC 
authentication as well.  Website:  www.passlogix.com

One good thing about their SSO solution is that it will work for most 
applications (not just Remedy).

Hope this helps.

Scott

________________________________________
From: Action Request System discussion list(ARSList) [EMAIL PROTECTED] On Behalf Of Kaiser, Norm E CIV USAF 
AFMC 96 CS/SCCE [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2008 10:29 AM
To: arslist@ARSLIST.ORG
Subject: Re: SSO & CAC Authentication

>> The workaround I came up with was to automatically login by pulling
>> information from environment variables.

Yep! That's pretty much exactly what I did.  I even changed the file
associations so that when the user double clicked the ARTask attachment
in email, my custom app kicked in and did the same type of
authentication and then fired up the User client, but the Air Force
balked because the solution was not directly re-validating the user from
the CAC; it was instead "trusting" that the OS had previously validated
the user from the CAC.

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jason
Sent: Wednesday, December 03, 2008 9:24 AM
To: arslist@ARSLIST.ORG
Subject: Re: SSO & CAC Authentication

Correct, the dll needs to be on each client. I've run into the same
issue with DOD clients. The workaround I came up with was to
automatically login by pulling information from environment variables.
Then once logged in, re-check environment variables, log the user's
information, and exit the app if OS and Remedy information didn't match.
Not a perfect solution, but the auto-notifications to the admins and
security folks allow for quick response to anybody trying to bypass the
system.

________________________________

From: "Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE" <[EMAIL PROTECTED]>
To: arslist@ARSLIST.ORG
Sent: Wednesday, December 3, 2008 6:12:33 PM
Subject: Re: SSO & CAC Authentication

Yes, Jason, you are 100% right to my knowledge.  I remember that being
their solution advertised about a year and a half ago and it only
"works" in version 7.0 (if memory serves me correctly).  So when I
considered that "solution" I said to myself, A) We're running 6.3, so it
wouldn't work anyway and B) Trying to compile and/or interface with a
dll and distribute it to all clients would be extraordinarily difficult.

Am I right that the dll has to be on each client?

Awhile back I wrote an application that did "single sign on" for Remedy
that I hoped would satisfy the DoD mandate, but it didn't.

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jason
Sent: Wednesday, December 03, 2008 9:02 AM
To: arslist@ARSLIST.ORG
Subject: Re: SSO & CAC Authentication

The white paper is just about useless. It provides the base code for a
dll that the v7+ user tool will check for when it's opening. The dll
base code supplies a static username, password, and preference
server/port/rpc. If you're not a programmer, you'll need to hire one to
build an application that the dll can call, collect or generate login
credentials, and then supply that information to the user tool. (BMC
will not provide any support for this. All they will give you is the
base code that will let your programmer know what values to provide for
authentication.) The major problem with the dll is that it still
requires a username and password. Your external application will need to
pull or build that information then supply it to the system. If you're
using the mid-tier too, you'll need to build a solution that works to
retrieve login credentials from both clients. The downside to the dll is
security. There's no way to force the use of the dll. It's simply a file
that resides on the client machine. If you delete it, you'll get the
regular login prompt. If anybody reverse engineers the dll and
identifies how you're retrieving/building the login credentials, they
can then log in as anybody. Anybody except admins. Admins will still
need to login manually. The dll doesn't work for the Admin tool. The dll
doesn't work well with the alert tool either. It'll login, but in the
7.0 version (haven't tried with 7.1) it would prompt you for a username
when trying to open any alerts unless an instance of the usertool is
already running.

There is a working group comprised of BMC and DOD Remedy Developers,
etc... that are working on a solution. However, I haven't heard from
them in quite some time so I wouldn't hold your breath.



Jason Bess
Bess Development Corp

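The two models argued over in this thread, as an added example (not code from the thread, from BMC, or from Passlogix): a client-side helper that pulls the identity from an environment variable and "builds" the password from it, which is what Jason describes the DLL approach coming down to, set beside an authentication authority whose signed assertion the application verifies itself, which is what Scott calls true SSO. It also includes the OS-user versus app-user mismatch check from Jason's environment-variable workaround. The derivation scheme, the secret baked into the client, the HMAC token format, and the user names are all constructed for illustration and stand in for any real product mechanism; a real authority would sign with a private key tied to the CAC's PKI rather than a shared HMAC key.

```python
"""Client-side "simulated SSO" versus assertions from a single authority.

Added example; nothing here is the thread's, BMC's or Passlogix's code.
CLIENT_EMBEDDED_SECRET, the password derivation, the token layout and the
sample users are assumptions made for the demonstration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# --- Model 1: credentials built on the client (the DLL / env-var approach) ---

# Assumption: the client helper derives the password from the username plus a
# secret compiled into it.  Reverse-engineering the helper reveals both.
CLIENT_EMBEDDED_SECRET = b"assumed-secret-compiled-into-the-dll"


def build_client_password(username: str) -> str:
    """Deterministic password a client-side helper could generate."""
    return hashlib.sha256(CLIENT_EMBEDDED_SECRET + username.encode()).hexdigest()[:16]


def client_autologin(env: Dict[str, str]) -> Tuple[str, str]:
    """Take the identity from the OS environment; the server cannot tell
    whether USERNAME came from a CAC logon or from the attacker's shell."""
    user = env["USERNAME"]
    return user, build_client_password(user)


# Constructed server-side store.  It must hold the same derived passwords,
# otherwise the auto-login could never succeed.
SERVER_USERS = {u: build_client_password(u) for u in ("alice", "bob", "carol")}


def weak_login(username: str, password: str) -> bool:
    """Application that only ever sees a username/password pair."""
    stored = SERVER_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def impersonate_via_env(target: str) -> bool:
    """Attacker sets USERNAME in their own environment; no card is involved."""
    return weak_login(*client_autologin({"USERNAME": target}))


# --- Model 2: one authentication authority that the application verifies ---

class AuthAuthority:
    """Stand-in for a CAC/PKI-backed authority.  It alone holds the signing
    key; the client machine never does."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def authenticate_with_card(self, card_identity: str, pin_ok: bool) -> Optional[bytes]:
        """Only a successful card+PIN check yields an assertion."""
        return self.issue_assertion(card_identity) if pin_ok else None

    def issue_assertion(self, user: str, ttl: int = 300) -> bytes:
        payload = f"{user}|{int(time.time()) + ttl}".encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"|" + tag

    def verify(self, assertion: bytes) -> Optional[str]:
        """The application calls this instead of trusting the client's claim."""
        parts = assertion.split(b"|")
        if len(parts) != 3:
            return None
        user, exp, tag = parts
        expected = hmac.new(self._key, user + b"|" + exp, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None
        if not exp.isdigit() or int(exp) < int(time.time()):
            return None
        return user.decode()


def forge_assertion(user: str) -> bytes:
    """What a client that learned the token format, but not the key, can do."""
    payload = f"{user}|{int(time.time()) + 300}".encode()
    return payload + b"|" + hashlib.sha256(payload).hexdigest().encode()


# --- The detective control from the thread: OS identity vs. app identity ---

def identity_mismatch_alert(os_user: str, app_user: str) -> Optional[str]:
    """Return an alert line when the logged-in Remedy user differs from the
    OS user, or None when they agree."""
    if os_user == app_user:
        return None
    return f"ALERT os_user={os_user} app_user={app_user} action=terminate_session"
```

The point of the contrast: in Model 1 the server accepts any pair that matches its store, so whoever controls USERNAME (or has read the helper) is whoever they say they are, and the mismatch check only detects the abuse after the fact. In Model 2 the application never handles a password at all; it hands the assertion back to the authority (or checks a public key) and a forged or expired token is rejected before any session exists.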

________________________________

From: "Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE" <[EMAIL PROTECTED]>
To: arslist@ARSLIST.ORG
Sent: Wednesday, December 3, 2008 5:35:52 PM
Subject: Re: SSO & CAC Authentication

It's not too hard doing it on the Midtier, but doing it on the client is
much more involved.  Like Jennifer Meyer said, to do it on the client,
there's a whitepaper out there somewhere.

Good luck! I don't know anyone who's done it successfully...

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops
Sent: Tuesday, December 02, 2008 11:35 AM
To: arslist@ARSLIST.ORG
Subject: SSO & CAC Authentication

Hello Listers

Does anyone have any information on how to begin with a CAC auth. for a
government client?  We have a requirement to have users have the ability
to login using SSO & CAC cards.  Has anyone done this yet, or is there a
product to make this a seamless integration?  Any information would be
appreciated.

V/R
Abdul Baytops
Web:  www.thedigitalcorp.com
Email: [EMAIL PROTECTED]


Platinum Sponsor: www.rmsportal.com
ARSlist: "Where the Answers Are"

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
