John Merrells wrote:

The interesting aspect of the above scenario is that monster.com cannot communicate with the server "intranet.acme.com"; it is behind the company's firewall. It is also worth mentioning that acme, like all large multinationals, has "intranet.acme.com" locked away deep inside a data center. It can talk to its LDAP server and a database server, but nothing else, and certainly not "monster.com".


Correct. With dmd0 the enterprise would have to put its Homesite (HS) endpoint out in the DMZ and punch a hole through the firewall so that the HS code can talk to the enterprise IdM stack. It was a deliberate compromise to simplify the implementation of a Membersite (MS).

Having just implemented a dmd0 homesite that is intended to be behind the firewall, I have thought a little on this. It seems to me that there is nothing preventing the verification code alone from being in the DMZ, with the business end of the homesite behind the firewall. This could be achieved, I suspect, by a little script redirection trickery which perhaps redirects internal requests to an intranet server acting as the homesite. Though I confess I have not attempted this, I don't see any problem with it in theory.

--
Pete
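The split Pete sketches above can be stated as a routing policy for the DMZ host: it serves the verification endpoint only, sends requests that belong to the homesite's "business end" to the intranet server when they come from inside, and refuses everything else because it holds no business logic at all. The following is an added illustration of that policy, not code from the dix list or from any dmd0 implementation; the path `/dmd0/verify`, the hostname `intranet.acme.com`, the private address ranges and the `DmzFrontDoor` class are all assumptions made for the example.

```python
"""Routing policy for a DMZ-resident dmd0 verification endpoint (hypothetical)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed for the example: networks that count as "inside" the firewall.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))
# Assumed for the example: the only path the DMZ host implements itself.
VERIFY_PATH = "/dmd0/verify"
# Hostname from the thread; the scheme and path prefix are assumed.
INTRANET_HOMESITE = "https://intranet.acme.com"


@dataclass(frozen=True)
class Decision:
    action: str                  # "verify", "redirect" or "deny"
    location: Optional[str] = None   # target URL when action == "redirect"


class DmzFrontDoor:
    """Decides what the DMZ host does with a request, without ever
    proxying business traffic to the outside world."""

    def __init__(self, internal_nets=INTERNAL_NETS, verify_path=VERIFY_PATH,
                 intranet_homesite=INTRANET_HOMESITE):
        self.internal_nets = internal_nets
        self.verify_path = verify_path
        self.intranet_homesite = intranet_homesite.rstrip("/")

    def is_internal(self, client_ip: str) -> bool:
        """True when the source address falls inside one of the internal nets.
        Source IP is a coarse classifier; in a real deployment the intranet
        homesite would additionally require authentication of its own."""
        try:
            addr = ip_address(client_ip)
        except ValueError:
            return False
        return any(addr in net for net in self.internal_nets)

    def route(self, path: str, client_ip: str) -> Decision:
        # The verification endpoint is the one thing exposed to Membersites
        # such as monster.com, so it is reachable from anywhere.
        if path == self.verify_path:
            return Decision("verify")
        # Anything else is homesite business logic, which only exists on the
        # intranet server. Internal clients are sent there directly.
        if self.is_internal(client_ip):
            return Decision("redirect", f"{self.intranet_homesite}{path}")
        # External clients asking for business paths get nothing: the DMZ
        # host neither implements them nor forwards them inward.
        return Decision("deny")


if __name__ == "__main__":
    door = DmzFrontDoor()
    # Constructed sample requests, one of each kind.
    for path, ip in ((VERIFY_PATH, "203.0.113.7"),
                     ("/homesite/profile", "10.20.30.40"),
                     ("/homesite/profile", "203.0.113.7")):
        print(path, ip, "->", door.route(path, ip))
```

The point of the policy is that the only inbound path through the firewall is the one the verification code needs; the homesite's data paths never terminate on the DMZ host, so a compromise of that host exposes the verification step and nothing more.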


_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
