Lj

You raise good points. On postings to BMC DN I often mention the open source 
solution, and suggest that if one does not want to pay for a solution, then the 
open source solution plus some other external tool is a good step forward 
versus wrestling with a rebranded OpenSSO. 

One of the downsides with the open source solution is that, the last time I 
looked, it uses a fixed string for authentication. This means users can go to 
the standard BMC login page and log in as anyone if they know the fixed string. 
Maybe it has changed - has it?

You mention IIS. Yes, this can be used in conjunction with the above but from a 
pure security point of view, we are now delegating SSO to IIS and we leave 
Tomcat open to attack by some other means. This means one has to take 
additional measures to secure Tomcat and only allow access from IIS.

I'm pleased you recognised that I wasn't pushing our own product. I tried to 
stick to the facts. But the reason people buy it is because the cost of 
building a bespoke, less mature, often poorly supported solution is not too 
much different to purchasing an SSO Plugin license. And the product offers 
vastly more than just SSO. 

So as I always maintain: building a solution is entirely achievable and given 
the community SSO solution plus additional measures, it can be made to work. 
Sorry if I forgot to add this point :)

Note, JSS is not the only vendor of a third-party solution. But the others tend 
not to put it on a website and allow anyone to download it. 


John

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
