
SSO and retrieved credentials?

Oilerfan21_
New Contributor

SSO and retrieved credentials?

Just curious if anyone out there is doing anything to retrieve credentials (particularly AD creds) from a directory or likewise to be used for SSO? Is there a local password store on the IVE that I can use to do something like that? We do have a password synchronization utility that I can script if there is a place to write to that the IVE can read and 'variablize'. Our clients would prefer (and in some instances just can't) provide two sets of credentials and our policy requires 2 factor auth for remote access, but most resources behind that are AD authenticated.
ben_
Frequent Contributor

Re: SSO and retrieved credentials?

Are you talking about web resources or what, that is authenticated against AD?

Just activate two authentications on your realm, i.e. 1. 2-factor, 2. AD.

Then post the Username + Password (username and password[2]) to the resources, authenticating against AD.

Oilerfan21_
New Contributor

Re: SSO and retrieved credentials?

Thanks for the reply! It's primarily Citrix and OWA that we need to authenticate to although there are several others.

We are, as you suggest, 'stacking' the authentications for some of our clients so that on the login page they are asked for both sets and doing SSO that way. The unfortunate thing for me is we have a different portal product installed (that we're trying to replace with the IVE) that has its own password store that can be written to. Which we are with a password synchronization utility. With this set up users are only asked for the 2 factor username and passcode and the portal then looks up the other stuff and passes it to the downstream app. So, regardless of what functionality I add with the IVE I'm taking away that piece of functionality which seems to be much loved and too costly for some to make the change.

DougR_
Contributor

Re: SSO and retrieved credentials?

We have it set up here to use both AD and an SBR Radius backend with AD and SQL. We assign roles and allow realm access based on ADS groups, and set the SSO creds with the same. Haven't tried connecting to OWA with it, only file shares and RDP connections.
Oilerfan21_
New Contributor

Re: SSO and retrieved credentials?

Thanks for the reply!

We've got an SBR server for other reasons that is doing SecurID authentication as well. I can leverage that if required and I did see the LDAP/SQL scripting documentation and thought that that might help us.

I'm curious about your set up though... Do you have the AD credentials stored in the SQL Database on the SBR server or will SBR somehow get the credentials from AD? Are you then handing back the credentials to the IVE as a return attribute from the RADIUS auth? I'm very interested to hear what you've got set up.

I'm confident if I can get the credentials in the IVE as a variable then I can pass that to any resource I want. My struggle is finding a way to get the password there without the client putting it there themselves. I also don't want to be storing the password somewhere in such a form as to put those credentials at risk. Even though we understand that just by the mere ability for them to be looked up by something that risk is already increased.

DougR_
Contributor

Re: SSO and retrieved credentials?

All of our AD credentials come from AD, and are not stored elsewhere. SBR has a feature to backend with other sources. We simply make the AD server one of the methods it checks when looking for an Auth. We also return credentials, like Group membership in our case, back to the SBR to help derive roles. We use SSO for file share auth and RDP, and it works.