企业 SSO 和身份管理/建议

发布于 2024-08-04 10:25:54 字数 1480 浏览 9 评论 0原文

我们之前讨论过 SSO。考虑到最近的新发展,我想根据明确的要求重新加强对话。

在过去的一周中,我一直在进行市场研究,寻找以下关键问题的答案:

该项目应该是:

要求

  • Web 应用程序的 SSO 解决方案。
  • 集成到现有开发的产品中。
  • 具有基于策略的密码安全性(长度、复杂性、持续时间等)
  • 安全策略可以使用 Web 界面进行管理。
  • 可定制的用户界面(密码提示和公司屏幕)。
  • 高可用性 (99.9%)
  • 可扩展。
  • 在红帽 Linux 上运行。

很高兴拥有

  • 包含用户组和角色。
  • 用Java编写。
  • 自由软件(开源)解决方案。

到目前为止提出的解决方案都不是“杀手级选择”,这让我认为我将使用多个项目(OWASP、AcegiSecurity + X??),因此进行了这次讨论。

我们是提供前端和应用程序的 ISV后端应用程序套件。前端被分成几个模块,这些模块应该充当自治单元,从客户端的角度来看,他使用“应用程序”——这导致了重新分级 SSO 的讨论。

我很感激人们分享他们的经验和关于适当解决方案的想法。

有些解决方案很有趣

或者更一般地说 此列表

谢谢, 格言。

We've discussed SSO before. I would like to re-enhance the conversation with defined requirements, taking into consideration recent new developments.

In the past week I've been doing market research looking for answers to the following key issues:

The project should should be:

Requirements

  • SSO solution for web applications.
  • Integrates into existing developed products.
  • has Policy based password security (Length, Complexity, Duration and co)
  • Security Policy can be managed using a web interface.
  • Customizable user interface (the password prompt and co. screens).
  • Highly available (99.9%)
  • Scalable.
  • Runs on Red Hat Linux.

Nice to have

  • Contains user Groups & Roles.
  • Written in Java.
  • Free Software (open source) solution.

None of the solutions came up so far are "killer choice" which leads me to think I will be tooling several projects (OWASP, AcegiSecurity + X??) hence this discussion.

We are ISV delivering front-end & backend application suite. The frontend is broken into several modules which should act as autonomous unit, from client point of view he uses the "application" - which leads to this discussion regrading SSO.

I would appreciate people sharing their experience & ideas regarding the appropriete solutions.

Some solutions are interesting

Or more generally speaking this list

Thank you,
Maxim.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

樱&纷飞 2024-08-11 10:25:54

FreeIPA 怎么样?

“FreeIPA 是一个集成的安全信息管理解决方案,结合了 Linux (Fedora)、389(以前称为 Fedora Directory Server)、MIT Kerberos、NTP、DNS。它由 Web 界面和命令行管理工具组成。”

如果您专注于 Web 应用程序,请查看 http://oauth.net/

What about FreeIPA?

"FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 (formerly known as Fedora Directory Server), MIT Kerberos, NTP, DNS. It consists of a web interface and command-line administration tools."

If you focus on web applications, check out http://oauth.net/.

三人与歌 2024-08-11 10:25:54

CAS 拥有强大的采用率、用户基础和强大的领导力(他最近换了工作,但仍然致力于该项目)。它易于集成(如果您习惯于编写 Java 代码/配置 Spring beans),并且可以满足您的所有要求,特别是:

Web 应用程序的 SSO 解决方案。

集成到现有开发的产品中。

是(虽然有些比其他产品更干净 - 但许多模块可用于主要产品,并且它支持通用标准(SAML、OpenID)。

具有基于策略的密码安全性(长度、复杂性、持续时间等)

*是 - 可以轻松实现,并且支持一些与 LDAP(可能是最常见的用户存储)集成的扩展

可以使用 Web 界面管理安全策略。不

- 虽然可以相当简单地构建 - 如果您对开发感到满意,并且考虑到这可能是一个不平凡的项目,我建议考虑将其视为非阻塞程序,因为该产品是开源的

可自定义的用户界面(密码提示和相关屏幕)。

是 - 通过一些基本的 HTML/CSS 编辑轻松自定义

高度可用 (99.9%)

是 -既可靠,又可以轻松支持多个节点/故障转移场景

可扩展。

是 - 用于许多高流量环境,包括内联网和互联网

在 Red Hat Linux 上运行。

CAS has strong adoption, user-base, and a strong lead (who recently switched jobs, but is still comitted to the project). It is straightforward to integrate (if you're comfortable writing Java code/configuring Spring beans), and can do all your requirements, noteably:

SSO solution for web applications.

YES

Integrates into existing developed products.

YES (though some cleaner than others - but many modules are available for major products, and it supports common standards (SAML, OpenID).

has Policy based password security (Length, Complexity, Duration and co)

*YES - can easily be implemented, and some extensions to integrate with LDAP (probably the most common user store) are supported

Security Policy can be managed using a web interface.

NO - though one could be build fairly simply - if you're comfortable with development, and given that this is likely to be a non-trivial project, I'd recommend considering this a non-blocker given that the product is open-source

Customizable user interface (the password prompt and co. screens).

YES - easily customized through some basic HTML/CSS editing

Highly available (99.9%)

YES - both reliable, and can support multiple node/failover scenarios easily

Scalable.

YES - used in many high-traffic environments both intranet and internet

Runs on Red Hat Linux.

YES

三寸金莲 2024-08-11 10:25:54

Oracle Enterprise Single Sign-On 不是您想要的 - 它需要部署 Windows 可执行文件。 Oracle Access Manager 更接近您的需求之后(尽管它不是免费的或基于 Java 的)。

Oracle Enterprise Single Sign-On is not what you're after - it requires a Windows executable to be deployed. Oracle Access Manager is closer to what you're after (though it's not free or Java-based).

二智少女猫性小仙女 2024-08-11 10:25:54

身份和访问管理 (IAM) 市场领域的主要商业参与者包括 CA、Oracle、IBM、Sun 和 Novell。这些都不是免费的解决方案,但它们具有您正在寻找的许多功能。

对于免费软件,我推荐DACS:分布式访问控制系统。我知道我工作的一个部门已经在这一方面取得了巨大成功。它没有商业 IAM 产品那么多的功能,但在其他方面是一个很好的解决方案。

The major commercial players in the Identity and Access Management (IAM) market space are CA, Oracle, IBM, Sun and Novell. None of these are free solutions but they have many of the features that you are looking for.

For free software, I recommend DACS: The Distributed Access Control System. I know that one department where I work has implemented this with great success. It doesn't have as many features the commercial IAM products but otherwise is a good solution.

别挽留 2024-08-11 10:25:54

我使用了支持 Websphere 和 IIS 的 Tivoli Access Manager - 它将访问信息写入页眉的方式非常有用。不利的一面是,我没有发现 DB2 Ldap 后端具有很强的可扩展性或可靠性,而且您知道,对于 IBM,这不会便宜。

此外,用于识别不同服务器的异步路径(连接点)确实有点麻烦,例如 http://mysite/myserver/ myapp - 一个非常糟糕的主意,没有经过深思熟虑。

I have used Tivoli Access Manager backing onto Websphere and IIS boxes - the way it writes access information into the page headers is very useful. On the downside, I didnt find the DB2 Ldap backend very scalable or reliable, and you know with IBM this isn't going to come cheap.

Also the asynchronous paths (junctions) used to identify different servers is a bit of a hack really eg http://mysite/myserver/myapp - a very bad idea and not thought through very well.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文