Kyle Abrahams, PMP
asked on
Enterprise Application Security Architecture
Hi All,
We currently have a bunch of applications using forms based authentication. One of the major probelms we're facing is that each application has its own table for users and managing credentials. I'm looking at trying to combine everything and make it so we have one user table and then have each application refer here.
Some of our applications are accessible from the internet, but in essence all of our users are company users. With that in mind I'm wondering if we could get away with impersonation and implement a single sign on.
Workflow would be to request a page
if the user is in the local network we see a their domain account and I can just let that pass through.
If the user is not on the domain they'll need to be referred to a login page. I'm thinking the login page will ask for their windows credentials, authenticate against AD, impersonate them, and redirect back to the application. I'm also assuming the login page will need to be in HTTPS as credentials are passed.
Are there any "gotchya's" with this approach?
Any better ways of doing it?
And what about considerations for Single Sign On?
EG:
user hits site1.company.com and successfully authenticates
user hits site2.company.com (in the same session / browser) - would be nice if I didn't have to challenge again.
I have full access over the design so any suggestions and good reading greatly appreciated.
Thanks in advanced.
We currently have a bunch of applications using forms based authentication. One of the major probelms we're facing is that each application has its own table for users and managing credentials. I'm looking at trying to combine everything and make it so we have one user table and then have each application refer here.
Some of our applications are accessible from the internet, but in essence all of our users are company users. With that in mind I'm wondering if we could get away with impersonation and implement a single sign on.
Workflow would be to request a page
if the user is in the local network we see a their domain account and I can just let that pass through.
If the user is not on the domain they'll need to be referred to a login page. I'm thinking the login page will ask for their windows credentials, authenticate against AD, impersonate them, and redirect back to the application. I'm also assuming the login page will need to be in HTTPS as credentials are passed.
Are there any "gotchya's" with this approach?
Any better ways of doing it?
And what about considerations for Single Sign On?
EG:
user hits site1.company.com and successfully authenticates
user hits site2.company.com (in the same session / browser) - would be nice if I didn't have to challenge again.
I have full access over the design so any suggestions and good reading greatly appreciated.
Thanks in advanced.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
WIF is the way to go with this.
Session management option like "state sever"(out of procss) and "sql server" can be shared by many servers.
I think in load balancing we can specify, all requests for a particular session , we can route them to same server, so that the session is not lost.