
Our IT staff refuses to install the SiteMinder agent on our application's IIS 6.0 web server, citing security concerns, as it is third-party software, as well as the possibility of high resource utilization impacting application performance.

They suggest that we set up an independent, segregated web server containing only a bare-bones IIS, the SiteMinder Agent, and a "shim" to authenticate login attempts.

This shim would be a single ASPX page marked to be protected by the agent. It would use the SiteMinder agent to authenticate the user ID, look up the user ID in the application's database, and return the user ID and password to the user's browser. A JavaScript function would then POST the user ID and password to the application's existing login page as if the user had typed them in.

Are their concerns warranted? Why or why not?

Have you ever heard of anyone implementing a similar architecture?

Is their proposed solution good, bad, or ugly?

2 Answers

It doesn't look like it would work, because the agent manages not only the initial login but also the subsequent calls to the application, i.e. the authenticated session. The agent checks the cookie, validates it, and so on. Your scenario does not describe how that would happen.

In our environment, all Internet traffic passes through an Apache reverse proxy before it reaches IIS. IIS sits behind a firewall. The Apache reverse proxy has the SM agent, and all it does is redirect traffic to IIS. I imagine a similar setup with IIS acting as the reverse proxy would be feasible.

By the way, tell your IT guy that the baling-wire-and-bubble-gum login solution he proposes is more secure than installing SiteMinder on IIS.

answered 2013-07-16T15:30:20.580
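As an added illustration of the reverse-proxy layout this answer describes (example configuration, not part of the original answer), here is an Apache httpd virtual host that carries the SiteMinder agent and forwards everything to the IIS box. The hostnames, ports, certificate paths and the header name `SM_USER` are assumptions; the agent's own `LoadModule`/init lines are added by its installer and are only sketched as a comment.

```apache
# Assumed example: Apache httpd 2.4 acting as the SiteMinder-protected
# front door for an IIS application that carries no agent of its own.
# Hostnames, ports and paths are placeholders.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule headers_module     modules/mod_headers.so
LoadModule ssl_module         modules/mod_ssl.so
# The SiteMinder web agent module and its init-file directive are written
# into the config by the agent installer; keep whatever it generated here.

<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.com.key

    # A browser can send any request header it likes. Drop a client-supplied
    # SM_USER before the agent runs (the "early" hook fires in the first
    # request phase) so the only copy the backend ever sees is the one the
    # agent sets after validating the SMSESSION cookie.
    RequestHeader unset SM_USER early

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # The agent protects every URL under / on this host: unauthenticated
    # requests are redirected to the SiteMinder login, authenticated ones
    # are checked against the SMSESSION cookie and then forwarded to IIS.
    ProxyPass        / http://iis-internal.example.local:80/
    ProxyPassReverse / http://iis-internal.example.local:80/
</VirtualHost>
```

The part that makes this layout safe is not in the Apache file: the IIS host must accept connections only from the proxy's address (host firewall or network ACL), because any client that can reach IIS directly bypasses the agent and its session checks entirely.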

The Apache reverse proxy solution will certainly work, but SiteMinder r12.51 includes the Secure Proxy Server, which is basically a reverse-proxy version of SiteMinder (and more).

SPS lets you configure a single server as the "gateway" for all applications that cannot or will not install a SiteMinder agent. The web agent is embedded in the SPS, and a proprietary Java application does the heavy lifting. SPS also has a GUI that follows the look and feel of the r12 WAMUI, which makes configuration very simple.

The Secure Proxy Server also has federation gateway functionality, so if you are doing SAML federation you do not need to install the Web Agent Option Pack. All of your fcc pages can be served by the SPS as well, so you can reduce the number of web servers needed to support your SSO environment.

answered 2013-08-13T17:10:46.637