Re: Remedy on Demand - integrations

2011-10-28 Thread Axton
I'm surprised they don't support SAML based authentication.  It's the
standard way to handle authentication in the cloud space.

Axton Grams

On Fri, Oct 28, 2011 at 7:43 AM, John Baker jba...@javasystemsolutions.com wrote:

 Hello,

 One of our clients is considering RoD and was given this information by
 BMC, which I believe is a pre-prepared script for when the question is
 asked:

 The OnDemand team has developed and offers an SSO AREA component and
 companion authentication library for mid-tier that can be configured in a
 variety of SSO scenarios.

 Generally, an SSO implementation requires some process, script, or 3rd
 party solution to be present at the customer site which takes responsibility
 for the actual authentication of the end-user. This on-premises process then
 provides the authenticated user's user-id to the Remedy environment. The
 user's password is not transmitted to Remedy, and the Remedy components do
 not perform the actual authentication of the user. The OnDemand AREA SSO
 component accepts the user-id in two distinct ways: through an HTTP header,
 or via a secure URL parameter.

 So the proposed solution is to tell clients that they are responsible for
 managing and maintaining their own SSO solution onsite, and passing an
 encrypted username to Mid Tier. This of course raises a number of questions:

 1. Since when was simply passing an encrypted token with a username a
 serious security solution? Perhaps it could be tolerated between two
 internal systems, in a locked down environment with the user only having a
 limited amount of access to AR System, but it seems rather easy to encrypt
 Demo and login as an admin user.

 2. The login request could be captured and replayed, making it all too easy
 for an attacker to login as someone else.

 3. Who's going to pay for and maintain the onsite integration, and how will
 that impact users who want seamless sign on through Integrated Windows
 Authentication?

 4. How does this solution integrate with BMC Analytics (SAP Business
 Objects) and Dashboards? The text doesn't mention them, which suggests
 no-one has thought about it.

 There is good news: JSS have developed a solution with security and
 convenience in mind, so whilst these issues may be a problem for BMC, they
 aren't for SSO Plugin clients.


 John
 --
 SSO Plugin for BMC
 http://www.javasystemsolutions.com/jss/ssoplugin


 ___
 UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
 attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are



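The two weaknesses John raises in the quoted post (a token that is nothing more than an encrypted user-id can be minted for any account by whoever holds the key, and a captured token can be replayed) are easiest to see side by side in code. The block below is an added example; it is not code from the original post, from BMC, or from JSS. It assumes an HMAC-keyed token as a stand-in for "encrypted username", a constructed shared key, and hypothetical audience names ("remedy-midtier", "analytics") for the relying parties; the verifier class models what a mid-tier that reads the user-id from a request header would have to do before trusting it.

```python
"""Weak vs. hardened SSO hand-off token (hypothetical illustration).

Weak scheme: a keyed transform of the bare user-id, standing in for
"pass an encrypted username in a header".  Hardened scheme: the user-id
is bound to an audience, an issue/expiry time and a one-time nonce under
an HMAC, and the verifier keeps a replay cache.  Key and audience names
are constructed for the example; none of this is BMC or JSS code.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key
TAG_LEN = hashlib.sha256().digest_size              # 32-byte HMAC tag


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# --- Weak: token = user-id + MAC(user-id).  Valid forever, for any relying party.
def weak_mint(user_id: str, key: bytes = SHARED_KEY) -> str:
    body = user_id.encode()
    return base64.urlsafe_b64encode(body + _mac(key, body)).decode()


def weak_verify(token: str, key: bytes = SHARED_KEY) -> Optional[str]:
    raw = base64.urlsafe_b64decode(token)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, body)):
        return None
    return body.decode()


# --- Hardened: claims bound under the MAC, short lifetime, single use, audience-scoped.
def hardened_mint(user_id: str, audience: str, ttl_s: int = 60,
                  key: bytes = SHARED_KEY, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    claims = {"sub": user_id, "aud": audience, "iat": int(now),
              "exp": int(now) + ttl_s, "jti": os.urandom(16).hex()}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _mac(key, body)).decode()


class HardenedVerifier:
    """Relying-party side (the role a mid-tier reading the header would play)."""

    def __init__(self, audience: str, key: bytes = SHARED_KEY, skew_s: int = 30):
        self.audience, self.key, self.skew_s = audience, key, skew_s
        self.seen: Dict[str, int] = {}  # jti -> exp, for replay detection

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token)
            body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
            if not hmac.compare_digest(tag, _mac(self.key, body)):
                return None                       # forged or tampered
            claims = json.loads(body)
            iat, exp, jti, sub = claims["iat"], claims["exp"], claims["jti"], claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None                           # malformed token
        if claims.get("aud") != self.audience:
            return None                           # minted for a different system
        if not (iat - self.skew_s <= now < exp):
            return None                           # expired or not yet valid
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # drop stale nonces
        if jti in self.seen:
            return None                           # replay of a token already used
        self.seen[jti] = exp
        return sub


def demo() -> Dict[str, object]:
    """Run both schemes against the attacks named in the thread."""
    out: Dict[str, object] = {}
    captured = weak_mint("alice")                 # sniffed from one real login
    out["weak_replay"] = weak_verify(captured) == "alice" and weak_verify(captured) == "alice"
    out["weak_any_identity"] = weak_verify(weak_mint("Demo")) == "Demo"  # key holder picks the user

    t0 = 1_700_000_000                            # fixed clock for a reproducible run
    v = HardenedVerifier("remedy-midtier")
    tok = hardened_mint("alice", "remedy-midtier", now=t0)
    out["hard_first_use"] = v.verify(tok, now=t0 + 5)
    out["hard_replay"] = v.verify(tok, now=t0 + 6)
    out["hard_expired"] = v.verify(hardened_mint("bob", "remedy-midtier", now=t0), now=t0 + 120)
    out["hard_wrong_audience"] = v.verify(hardened_mint("bob", "analytics", now=t0), now=t0 + 1)
    raw = base64.urlsafe_b64decode(tok)           # attacker rewrites the subject, keeps the tag
    forged = raw[:-TAG_LEN].replace(b'"sub":"alice"', b'"sub":"Demo"') + raw[-TAG_LEN:]
    out["hard_tampered"] = v.verify(base64.urlsafe_b64encode(forged).decode(), now=t0 + 7)
    return out


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k:20s} {val!r}")
```

The weak scheme accepts the captured token every time and at every relying party that shares the key; the hardened one rejects the replay, the expired token, the token minted for another audience, and the subject rewrite. What remains is that anyone holding the shared HMAC key can still mint an identity, so a compromise on the hosted side is as bad as one on the customer side. Replacing the HMAC with a signature, private key only at the on-premises authenticator and public key at the mid-tier, closes that; a signed, time-bounded, audience-restricted assertion is exactly what the SAML assertions Axton mentions standardize.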

Re: Remedy on Demand - integrations was an Ad

2011-10-28 Thread arslist
John,

I don't actually see you answering or asking a real question here.

Next time please prefix your post with AD: as this is clearly an attempted
ad for your solution.

Doesn't your solution require a 3rd party solution to be present at the
customer site which takes responsibility for the actual authentication of
the end-user?

 Daniel




Re: Remedy on Demand - integrations

2011-10-26 Thread John Sundberg
OK - I'll bite -- is there a reasonably working SSO for RoD???

-John

On Oct 26, 2011, at 2:37 AM, John Baker wrote:

John,

You didn't ask if there was a (competent) Single Sign On solution?


John


--
John Sundberg

Save the Date! First Annual KEG - Kinetic Enthusiasts Group
Feb. 29th - Mar. 2nd 2012 in Denver CO

For more information click here - KEG

Kinetic Data, Inc.
Building a Better Service Experience
Recipient of:

WWRUG10 Best Customer Service/Support Award
WWRUG09 Innovator of the Year Award

john.sundb...@kineticdata.com
651.556.0930  I  www.kineticdata.com



Re: Remedy on Demand - integrations

2011-10-26 Thread Murnane, Phil
John:

As long as you're using standard API clients, then OnDemand is no different 
than on-premises -- it's just some application & mid-tier servers at the other 
end of a network (a VPN, usually).  For each integration, though, you'll have 
to open a change ticket with the OnDemand engineers so that they can perform 
analysis & approval processes.  After all, they have to manage their 
infrastructure, and any customization/integration that could impact capacity 
needs review & approval.

I've never specifically requested access to the application server filesystem, 
but I'm guessing they'd let you access certain folders via 
filters/escalations/API at a minimum.

FWIW,
--Phil



Re: Remedy on Demand - integrations

2011-10-26 Thread John Sundberg
Phil,

Thanks for the response.

-John


Re: Remedy on Demand - integrations

2011-10-26 Thread Easter, David
Atrium SSO is supported within the Remedy OnDemand offering.

-David J. Easter
Manager of Product Management, Remedy Platform
BMC Software, Inc.
 
The opinions, statements, and/or suggested courses of action expressed in this 
E-mail do not necessarily reflect those of BMC Software, Inc.  My voluntary 
participation in this forum is not intended to convey a role as a spokesperson, 
liaison or public relations representative for BMC Software, Inc.

