Sean,

Java System's plugin uses an authentication password saved in the Windows
registry on all workstations to authenticate users through the RUT.
All users have the same password. In my opinion it is not a very safe method.

Mid-Tier uses the ARSAPI to communicate with ARS, so communication between MT
and ARS is encrypted.
Of course we must believe that the encryption method between ARS and MT used by
BMC is safe.

In this document you can read about ARS security:
http://documents.bmc.com/supportu/documents/22/39/92239/92239.pdf



Cheers
 
Konrad

TopPositions
Really only one secure Plugin SSO for BM Remedy AR System.
Http://www.remedy-sso.com
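The four-step flow Konrad describes further down in this thread (user confirmed against the domain, a token unique to that user, the AREA plugin confirming the token with the authentication service, the client IP checked, and the token expiring when unused) is modelled here as an added example. It is not TopPositions', Java System Solutions' or BMC's code: the HMAC-SHA256 token format, the idle-timeout value, the `AuthService` and `area_sso_authenticate` names, and the sample users and addresses are all constructed for illustration.

```python
"""Model of the per-user token check described in the thread (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthService:
    """Stands in for the 'special Authentication Service' in the thread.

    Assumptions (not from the thread): tokens are HMAC-SHA256 tagged strings,
    the service keeps an issued-token table, and idle expiry is a fixed window.
    """
    key: bytes
    idle_timeout: float = 300.0                  # seconds a token may sit unused
    issued: dict = field(default_factory=dict)   # token -> last-use timestamp

    def issue_token(self, user: str, client_ip: str, now: float) -> str:
        """Step 2: after the domain (NTLM) check succeeded, mint a per-user token.

        The token binds the user name and the client IP that asked for it, so a
        secret shared by every workstation is never part of the exchange.
        """
        nonce = secrets.token_hex(16)
        body = f"{user}|{client_ip}|{nonce}"
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        token = f"{body}|{tag}"
        self.issued[token] = now
        return token

    def confirm(self, token: str, user: str, client_ip: str, now: float) -> bool:
        """Step 4: the AREA plugin hands over the token it received in the
        "Authentication" field plus the caller's user name and source IP.

        Every failure path returns False without touching the idle timer.
        """
        parts = token.split("|")
        if len(parts) != 4:
            return False
        t_user, t_ip, nonce, tag = parts
        body = f"{t_user}|{t_ip}|{nonce}"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                 # forged or tampered token
        if t_user != user or t_ip != client_ip:
            return False                 # token belongs to another user or host
        last_used = self.issued.get(token)
        if last_used is None:
            return False                 # never issued, or already purged
        if now - last_used > self.idle_timeout:
            del self.issued[token]       # idle too long: drop it for good
            return False
        self.issued[token] = now         # refresh the idle timer
        return True


def area_sso_authenticate(service: AuthService, user: str, password: str,
                          authentication: str, client_ip: str,
                          now: Optional[float] = None) -> bool:
    """Hypothetical AREA-plugin entry point for the Windows-client path.

    The password field is left blank by the client (as in the thread) and the
    token travels in the Authentication field; only the service's verdict counts.
    """
    if password:
        return False                     # this path is token-only
    if now is None:
        now = time.time()
    return service.confirm(authentication, user, client_ip, now)


if __name__ == "__main__":
    svc = AuthService(key=b"constructed-demo-key")
    tok = svc.issue_token("alice", "10.0.0.5", now=1000.0)
    print(area_sso_authenticate(svc, "alice", "", tok, "10.0.0.5", now=1010.0))  # True
    print(area_sso_authenticate(svc, "alice", "", tok, "10.0.0.9", now=1010.0))  # False
```

The point of the model is the contrast with the shared-password design discussed later in the thread: because the token carries the user name and the requesting address under the service's key, presenting it from another host, for another user, or after the idle window yields a refusal, and a token can be revoked simply by dropping it from the service's table.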

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Elry
Sent: Tuesday, March 30, 2010 4:54 PM
To: arslist@ARSLIST.ORG
Subject: Re: Top Positions SSO Solution

Thanks for all the responses...

Konrad - quick question: Seems like you are saying that by signing on
through the WUT there is a secure protocol that is followed when
using Java System's plugin.

Are there any issues when trying to do SSO through the Mid-Tier?

Not that I perceive this as an issue for us, since we are primarily
focused on the WUT.



On Mar 30, 10:35 am, Konrad Banasiak <gene...@remedy-sso.com> wrote:
> Sean,
>
> You are right. I agree with you.
> I will try to explain to you how Plugin SSO from TopPositions works.
>
> If you connect to ARS through the Mid-Tier, the Mid-Tier authenticates to
> the ARS through a special password.
> Of course the mid-tier IP is on the whitelist (see the Installation Guide,
> page 15, MidTier-IP parameter).
>
> But if the client connects to ARS through the Windows client, you have the
> following process:
> 1. Remedy User authenticates the user in the special Authentication Service
> through NTLM negotiation (NTLMv2) with the Domain Controller.
> 2. If the user is confirmed, the Service returns a generated token to Remedy
> User. (The token is unique for every user.)
> 3. Remedy User passes this token to AREA SSO in the "Authentication" field.
> 4. AREA SSO confirms this token with the Authentication Service. If the token
> is correct the user is authenticated; if not, the user is not authenticated.
> Of course the Authentication Service confirms the client IP address. And the
> token expires if it is not used for too long.
>
> Cheers
>
> Konrad
>
> TopPositions
> Really only one secure Plugin SSO for BM Remedy AR System.
> Http://www.remedy-sso.com
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Garrison, Sean (Norcross)
> Sent: Tuesday, March 30, 2010 4:01 PM
> To: arsl...@arslist.org
> Subject: Re: Top Positions SSO Solution
>
> Without being too technical I don't really trust an ARS SSO integration
> that much. In order to build an SSO you have to follow a process:
>
> 1. Modify the authentication to the mid-tier to check the user's
> credentials.
> 2. If the user is valid, allow them to log into Remedy.
> 3. If the user is from mid-tier and they have valid credentials, bypass
> the AREA authentication and let them in.
>
> It is at step 3 where I believe the security hole lies in an SSO
> implementation. Granted there is some security but it is relatively weak.
> Typically they ask you to enter in a list of IP addresses and a password of
> some type. This password is usually passed into the "Authentication" field
> in AREA. The IP address is a "whitelist" to tell AREA whether or not this
> is a mid-tier IP. So let's say you added your IP address to the whitelist
> that you configure for the SSO implementation. Using the User tool you
> enter the mid-tier password into the authentication field and put in your
> username, leaving the password field blank. My guess is that you would log
> right into ARS with no problems. Go further and you could probably spoof
> one of the mid-tier IP addresses so that ARS thinks your IP address is one
> of the mid-tiers; you could do the same thing by entering no password,
> just the mid-tier password. I don't know what Java System Solutions does
> for this issue nor what the remedy-sso does. But in both flowcharts you see
> a little arrow going from mid-tier to ARS. Before implementing either SSO I
> would recommend validating with the vendor how secure the data is that is
> passed between mid-tier and ARS, and your comfort level with this type of
> security. The only reason I know this is because I have tried to build an
> SSO solution before.
>
> Thanks,
>
> Sean
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Shellman, David
> Sent: Tuesday, March 30, 2010 8:25 AM
> To: arsl...@arslist.org
> Subject: Re: Top Positions SSO Solution
>
> Top Positions is spamming every email address that they can associate with
> a Remedy Admin. They hit a new email address of mine that was added to
> the www.wwrug.com website a couple of weeks ago.
> Dave
> -------------------------
> dave.shell...@tycoelectronics.com
> (Wireless)
>
> ----- Original Message -----
> From: Action Request System discussion list(ARSList)
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"

