Hello,

One of our clients is considering RoD and was given this information by BMC, which I believe is a pre-prepared script for when the question is asked:

"The OnDemand team has developed and offers an SSO AREA component and companion authentication library for mid-tier that can be configured in a variety of SSO scenarios. Generally, an SSO implementation requires some process, script, or 3rd party solution to be present at the customer site which takes responsibility for the actual authentication of the end-user. This on-premises process then provides the authenticated user's user-id to the Remedy environment. The user's password is not transmitted to Remedy, and the Remedy components do not perform the actual authentication of the user. The OnDemand AREA SSO component accepts the user-id in two distinct ways: through an HTTP header, or via a secure URL parameter."

So the proposed solution is to tell clients that they are responsible for managing and maintaining their own SSO solution onsite, and passing an encrypted username to Mid Tier. This of course raises a number of questions:

1. Since when was simply passing an encrypted token with a username a serious security solution? Perhaps it could be tolerated between two internal systems, in a locked-down environment with the user only having a limited amount of access to AR System, but it seems rather easy to encrypt "Demo" and log in as an admin user.

2. The login request could be captured and replayed, making it all too easy for an attacker to log in as someone else.

3. Who's going to pay for and maintain the onsite integration, and how will that impact users who want seamless sign-on through Integrated Windows Authentication?

4. How does this solution integrate with BMC Analytics (SAP Business Objects) and Dashboards? The text doesn't mention them, which suggests no-one has thought about it.

There is good news: JSS have developed a solution with security and convenience in mind, so whilst these issues may be a problem for BMC, they aren't for SSO Plugin clients.
John
--
SSO Plugin for BMC
http://www.javasystemsolutions.com/jss/ssoplugin

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com
ARSList: "Where the Answers Are"

