Atrium SSO VS Other after market solutions
John,

I have often wanted to ask you this question: 'What is it that the BMC-provided SSO doesn't offer that your solution does?' I don't want this to be a marketing sales pitch for your product by any means, but you consistently balk at the community SSO solution, and allude to its vulnerabilities, but you and I have never sat down (in private, or in a public forum such as this) and discussed what some of those vulnerabilities are and what problems they can cause.

At a previous job I implemented SSO using the community example. I utilized Tomcat on Solaris, and because of that I couldn't use IIS passthrough of the credentials, so I ended up using SPNEGO (http://spnego.sourceforge.net/) to provide Kerberos authentication to Tomcat, and even though it was relatively complicated to set up, once set up it was pretty solid with very few issues. At my current job there is a modified version of the same community plugin in place that is using the IIS passthrough and works just as well. Earlier today I was told about a tool named 'Waffle' (https://github.com/dblock/waffle) which seems to be similar to the SPNEGO that I used previously, but a bit more flexible, and if I was still at my old job, I might consider utilizing it.

Now, my understanding regarding one of your complaints about the community SSO is that it uses request responses and the 'getRemoteUser' function to provide the user ID to the plugin, which is then passed between the web server and the app server for authentication. Why is that a vulnerability?

I look forward to your response.

On Thu, May 30, 2013 at 10:39 AM, John Baker wrote:
> Sandra,
>
> What you need to achieve is Integrated Windows Authentication. What BMC are proposing is deploying part of the protocol, so you're bound to find instances where it doesn't work.
>
> Microsoft have tried going "Kerberos only" and couldn't make it work; there's some documentation on their website suggesting an "Impact assessment" is carried out before moving to Kerberos only.
>
> In any corporate network, you need Kerberos+NTLMv2+NegotiateExtensions+etc. There's a video on the BMC communities forum recorded by a BMC AtriumSSO engineer stating that "it will work 80% of the time" - a glowing endorsement :-)
>
> The problem faced by BMC is the OpenSSO/AM product that has been re-badged to AtriumSSO does not provide IWA, so you don't get it for free.
>
> John
> --
> JSS SSO Plugin for BMC ITSM, ITBM, Analytics, Kinetic, and more.

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
Atrium SSO VS Other after market solutions
Lj

You raise good points. On postings to BMC DN I often mention the open source solution, and suggest that if one does not want to pay for a solution, then the open source solution plus some other external tool is a good step forward versus wrestling with a rebranded OpenSSO.

One of the downsides with the open source solution is, the last time I looked, it uses a fixed string for authentication. This means users can go to the standard BMC login page and login as anyone if they know the fixed string. Maybe it has changed - has it?

You mention IIS. Yes, this can be used in conjunction with the above but from a pure security point of view, we are now delegating SSO to IIS and we leave Tomcat open to attack by some other means. This means one has to take additional measures to secure Tomcat and only allow access from IIS.

I'm pleased you recognised that I wasn't pushing our own product. I tried to stick to the facts. But the reason people buy it is because the cost of building a bespoke, less mature, often poorly supported solution is not too much different to purchasing an SSO Plugin license. And the product offers vastly more than just SSO.

So as I always maintain: building a solution is entirely achievable and given the community SSO solution plus additional measures, it can be made to work. Sorry if I forgot to add this point :)

Note, JSS is not the only vendor of a third party solution. But the others tend not to put it on a website and allow anyone to download.

John
Atrium SSO VS Other after market solutions
Lj

Removing the input for the authentication field is a great step forward for user friendliness. We replace the BMC login page to provide a polished entry to Mid Tier with options for LDAP, Windows credentials, and AR System login (because it removes the AREA LDAP hassle).

But removing a field doesn't stop one using Fiddler or other tools to post the authentication field value.

Obtaining it can be achieved from viewing a Windows User Tool DLL in a hex editor, or more easily, enumerating it (a classic pen-test fail).

Saying that, WUT is slowly being killed off by BMC. We keep tweaking our solution to ensure it carries on working as AR System evolves.

But there is a secondary debate to sensitivity of data: some organisations are happy to have almost no security because the data is just help desk tickets etc. Saying that, CMDB data is more valuable - access to network data is valuable for attacking other services.

John
Atrium SSO VS Other after market solutions
Dan

That almost sounds like a sales pitch for WWRUG ... :) As it happens, one of my colleagues (Danny) has booked some flights and is looking forward to meeting our customers. Danny has been involved with AR System for a decade or so (a relative newbie, I guess?) and has been involved in SSO for 7 years.

I'm pleased to hear you want to listen to us, but more importantly, Danny will be listening to you and AR System administrators to see where we take SSO Plugin in 2014. After all, where else could we find out exactly what people want from the product?

Why not stick Danny on one of those panels and ask him some really difficult questions? Maybe I can send a list of potentially difficult questions with regards to IWA negotiation etc :-)

John
Re: Atrium SSO VS Other after market solutions
I have personally always modified the login.jsp to not prompt for the authentication field, mainly because it confuses most users, so in my solutions, they don't have the ability to do a 'post' to the login servlet via my jsp pages and provide the proper 'key'... that is of course assuming they know what the key is (which I guess wouldn't be that hard to get with Fiddler)... but the community SSO DOES provide a provision for you to limit the SSO to specific IPs... so even if someone were to know the key, and try to post from their own server... it would be rejected based on not being on the white list... so I consider that 'relatively secure'.

In regard to delegating SSO to something else... you don't then have a problem with IIS providing the user name to the plugin? Is there anything inherently insecure with using the getRemoteUser method for obtaining a user name? I remember some postings in the past where you discussed that it's not the proper way of doing it... but I don't recall the exact verbiage.

I have personally found that the 'roll your own' is likely quite often MORE expensive than a purchased solution... but the problem that you end up with is the fact that a company is quite often willing to continue paying 'person x' to do that rolling because their pay check is already in the budget, whereas even something as moderate as a few thousand dollars for an OTS solution is outside the realm of being paid for.

Now... because I don't really know much about AtriumSSO, other than what I have heard from you in various forms, can you tell me what its shortcomings are vs other solutions?

On Thu, May 30, 2013 at 12:36 PM, John Baker wrote:
> Lj
>
> You raise good points. On postings to BMC DN I often mention the open source solution, and suggest that if one does not want to pay for a solution, then the open source solution plus some other external tool is a good step forward versus wrestling with a rebranded OpenSSO.
>
> One of the downsides with the open source solution is, the last time I looked, it uses a fixed string for authentication. This means users can go to the standard BMC login page and login as anyone if they know the fixed string. Maybe it has changed - has it?
>
> You mention IIS. Yes, this can be used in conjunction with the above but from a pure security point of view, we are now delegating SSO to IIS and we leave Tomcat open to attack by some other means. This means one has to take additional measures to secure Tomcat and only allow access from IIS.
>
> I'm pleased you recognised that I wasn't pushing our own product. I tried to stick to the facts. But the reason people buy it is because the cost of building a bespoke, less mature, often poorly supported solution is not too much different to purchasing an SSO Plugin license. And the product offers vastly more than just SSO.
>
> So as I always maintain: building a solution is entirely achievable and given the community SSO solution plus additional measures, it can be made to work. Sorry if I forgot to add this point :)
>
> Note, JSS is not the only vendor of a third party solution. But the others tend not to put it on a website and allow anyone to download.
>
> John
Re: Atrium SSO VS Other after market solutions
Hmmm... I would be curious to see if the key is available to me, as a user... because the key isn't actually stored in the JSP... it's stored in the Mid-Tier server config... yes, true, if the key was compromised I'm sure it could be 'faked', but does an end user actually have access to that information? I'll have to check that out :)

Regarding the 'sensitivity' aspect... completely agree... too many organizations are way too sloppy with their data :)

On Thu, May 30, 2013 at 2:53 PM, John Baker wrote:
> Lj
>
> Removing the input for the authentication field is a great step forward for user friendliness. We replace the BMC login page to provide a polished entry to Mid Tier with options for LDAP, Windows credentials, and AR System login (because it removes the AREA LDAP hassle).
>
> But removing a field doesn't stop one using Fiddler or other tools to post the authentication field value.
>
> Obtaining it can be achieved from viewing a Windows User Tool DLL in a hex editor, or more easily, enumerating it (a classic pen-test fail).
>
> Saying that, WUT is slowly being killed off by BMC. We keep tweaking our solution to ensure it carries on working as AR System evolves.
>
> But there is a secondary debate to sensitivity of data: some organisations are happy to have almost no security because the data is just help desk tickets etc. Saying that, CMDB data is more valuable - access to network data is valuable for attacking other services.
>
> John
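The three points argued back and forth above (John: a fixed 'authentication' string lets anyone who knows it log in as anyone, and delegating to IIS leaves Tomcat itself to be secured; Lj: the IP white list rejects posts from other hosts) are easier to reason about side by side. The following is an added example written for this thread; it is not the community SSO plugin's code, JSS's code, or BMC's, and it does not claim to reproduce how any of them are implemented. `SsoRequest` stands in for an `HttpServletRequest`, and `SSO_SHARED_KEY`, `TRUSTED_FRONT_ENDS`, the addresses and the user names are all made up. It shows the weak pattern (trust a posted fixed string and a posted username), the trap of enforcing the IP white list against `X-Forwarded-For` instead of the socket peer, and a hardened handler that only accepts the identity the front end authenticated (what `getRemoteUser()` would carry), checked against the true peer address.

```python
"""Added example (hypothetical; not the community SSO plugin's code).

- weak_login: trusts a fixed 'authentication' string posted with the form,
  so anyone who learns the string can log in as any posted username.
- allowlist_by_header: adds an IP allow-list but reads the caller address
  from X-Forwarded-For, which any client can set.
- hardened_login: accepts only connections whose TCP peer is the trusted
  front end, takes the identity the front end authenticated (the
  getRemoteUser() value) and compares the shared string in constant time.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SsoRequest:
    """Stand-in for HttpServletRequest (constructed for the example)."""
    peer_addr: str                                          # getRemoteAddr(): the TCP peer
    form: Dict[str, str] = field(default_factory=dict)      # POSTed parameters
    headers: Dict[str, str] = field(default_factory=dict)   # request headers
    remote_user: Optional[str] = None                       # getRemoteUser(): set only by the front end


SSO_SHARED_KEY = "fixed-string-from-midtier-config"          # hypothetical fixed string
TRUSTED_FRONT_ENDS = [ipaddress.ip_network("10.0.0.5/32")]  # hypothetical IIS host


def _from_trusted_front_end(addr: str) -> bool:
    """True if addr is one of the allow-listed front-end hosts."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_FRONT_ENDS)


def weak_login(req: SsoRequest) -> Optional[str]:
    """Identity is whatever the client posts, gated only by the fixed string."""
    if req.form.get("authentication") == SSO_SHARED_KEY:
        return req.form.get("username")
    return None


def allowlist_by_header(req: SsoRequest) -> Optional[str]:
    """Allow-list that trusts X-Forwarded-For: the client controls that header."""
    claimed = req.headers.get("X-Forwarded-For", req.peer_addr).split(",")[0].strip()
    if not _from_trusted_front_end(claimed):
        return None
    return weak_login(req)


def hardened_login(req: SsoRequest) -> Optional[str]:
    """Peer from the socket, identity from the front end, constant-time key check."""
    if not _from_trusted_front_end(req.peer_addr):
        return None
    if not req.remote_user:
        return None
    posted = req.form.get("authentication", "")
    if not hmac.compare_digest(posted.encode(), SSO_SHARED_KEY.encode()):
        return None
    return req.remote_user   # the client-supplied 'username' field is ignored


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: an attacker who learned the fixed string posts
    username=Demo (the stock AR System administrator) from 192.0.2.10 and
    sets X-Forwarded-For to the IIS address; a genuine request arrives from
    IIS carrying the authenticated user 'lj'."""
    attacker = SsoRequest(
        peer_addr="192.0.2.10",
        form={"authentication": SSO_SHARED_KEY, "username": "Demo"},
        headers={"X-Forwarded-For": "10.0.0.5"},
    )
    genuine = SsoRequest(
        peer_addr="10.0.0.5",
        form={"authentication": SSO_SHARED_KEY, "username": "Demo"},
        remote_user="lj",
    )
    return {
        "weak/attacker": weak_login(attacker),
        "header allow-list/attacker": allowlist_by_header(attacker),
        "hardened/attacker": hardened_login(attacker),
        "hardened/genuine": hardened_login(genuine),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case}: {who}")
```

Two caveats for anyone applying this to a real Tomcat behind IIS. The peer-address check is only as good as the assumption that nothing but IIS can reach Tomcat, which is John's point about securing Tomcet separately: enforce it at the firewall or with Tomcat's `RemoteAddrValve` as well as in the application. And when the web server's principal is passed through the AJP connector (`tomcatAuthentication="false"`), Tomcat trusts whatever user name arrives on that connector without checking it, so that connector must never be reachable by anything other than the web server.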
Re: Atrium SSO VS Other after market solutions
So, John, perhaps this is a good year for you to come to WWRUG (or others from JavaSystemSolutions, but it would be great to meet you in person)? A booth and let people kick the tires. No, we won't pay for you to come and talk about your product, but we would love to listen.

Cheers
Daniel

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker
Sent: May 30, 2013 2:36 PM
To: arslist@ARSLIST.ORG
Subject: Atrium SSO VS Other after market solutions

Lj

You raise good points. On postings to BMC DN I often mention the open source solution, and suggest that if one does not want to pay for a solution, then the open source solution plus some other external tool is a good step forward versus wrestling with a rebranded OpenSSO.

One of the downsides with the open source solution is, the last time I looked, it uses a fixed string for authentication. This means users can go to the standard BMC login page and login as anyone if they know the fixed string. Maybe it has changed - has it?

You mention IIS. Yes, this can be used in conjunction with the above but from a pure security point of view, we are now delegating SSO to IIS and we leave Tomcat open to attack by some other means. This means one has to take additional measures to secure Tomcat and only allow access from IIS.

I'm pleased you recognised that I wasn't pushing our own product. I tried to stick to the facts. But the reason people buy it is because the cost of building a bespoke, less mature, often poorly supported solution is not too much different to purchasing an SSO Plugin license. And the product offers vastly more than just SSO.

So as I always maintain: building a solution is entirely achievable and given the community SSO solution plus additional measures, it can be made to work. Sorry if I forgot to add this point :)

Note, JSS is not the only vendor of a third party solution. But the others tend not to put it on a website and allow anyone to download.

John
Re: Atrium SSO VS Other after market solutions
John,

If I'm able to negotiate travel/lodging this year, I will certainly participate in this forum (if it exists :)

On Sun, Jun 2, 2013 at 8:41 AM, John Baker wrote:
> Dan
>
> That almost sounds like a sales pitch for WWRUG ... :) As it happens, one of my colleagues (Danny) has booked some flights and is looking forward to meeting our customers. Danny has been involved with AR System for a decade or so (a relative newbie, I guess?) and has been involved in SSO for 7 years.
>
> I'm pleased to hear you want to listen to us, but more importantly, Danny will be listening to you and AR System administrators to see where we take SSO Plugin in 2014. After all, where else could we find out exactly what people want from the product?
>
> Why not stick Danny on one of those panels and ask him some really difficult questions? Maybe I can send a list of potentially difficult questions with regards to IWA negotiation etc :-)
>
> John
Re: Atrium SSO VS Other after market solutions
Of course it is a sales pitch :-) Then again, you have just said it is the best place to be, and there is still time to get a booth and showcase your product. After all, you haven't made it the past 4 years I have been asking. The conference is not a profitable event, so asking for free entry to present on your product doesn't count. Being a visible part of the community can do you nothing but good.

I am not in charge of panels, but I don't think there is one specifically on SSO, so Danny being on a panel sounds unlikely (they have all been submitted and populated to the best of my knowledge). Did Danny submit a paper on SSO before the deadline?

Daniel

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker
Sent: June 2, 2013 10:42 AM
To: arslist@ARSLIST.ORG
Subject: Atrium SSO VS Other after market solutions

Dan

That almost sounds like a sales pitch for WWRUG ... :) As it happens, one of my colleagues (Danny) has booked some flights and is looking forward to meeting our customers. Danny has been involved with AR System for a decade or so (a relative newbie, I guess?) and has been involved in SSO for 7 years.

I'm pleased to hear you want to listen to us, but more importantly, Danny will be listening to you and AR System administrators to see where we take SSO Plugin in 2014. After all, where else could we find out exactly what people want from the product?

Why not stick Danny on one of those panels and ask him some really difficult questions? Maybe I can send a list of potentially difficult questions with regards to IWA negotiation etc :-)

John