[OpenAM] password replay between different organizations

Bhupinder Singh bhupinder.saini at gmail.com
Fri Feb 3 04:35:08 EST 2012


Hello Cyril

First, password replay across or to external organisations is never an
advisable or secure option.

If I understood your problem correctly, then I think you just need SAML
federation, where your organisation's OpenAM acts as SP and the external
organisation also supports SAML v2 federation. The SAML v2 spec covers
digital signing and encryption of the payload. You don't need to send the
password across; you can try auto-federation based on some common attribute
(email address). SAML v2 doesn't require the userid/password stored in Org A
to be sent to Org B. OpenAM supports out-of-the-box encryption for SAML, no
development required.

Hope this gives you some idea.

Cheers
bhupinder
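To illustrate the auto-federation idea from the reply above, here is an added example (not code from the thread or from OpenAM) of what the SP side does with an incoming SAML v2 assertion: check its validity window and audience, then link the subject to a local account by the shared e-mail attribute. No password is present or needed. The assertion, the local user table and the attribute name "mail" are constructed for the example, and the code assumes the SAML stack has already verified the assertion's XML signature (and decrypted it, if it was encrypted) before this mapping runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a SAML 2.0 assertion (signature already verified and
# stripped) that carries only an e-mail attribute; no password travels in it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2012-02-03T09:00:00Z">
  <saml:Issuer>https://idp.example.org/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp123</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-02-03T08:59:00Z" NotOnOrAfter="2012-02-03T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.partner.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local user store at the partner (SP) organisation, keyed by e-mail.
LOCAL_USERS = {"alice@example.org": "alice", "bob@example.org": "bob"}


def _ts(value):
    """Parse a SAML UTC timestamp (xs:dateTime with trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def auto_federate(assertion_xml, expected_audience, now, link_attr="mail"):
    """Map an already signature-verified assertion to a local account.

    Returns the local user id, or None if the assertion must be rejected
    (outside its validity window, issued for a different SP, or carrying no
    linkable attribute / unknown user).
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return None  # replayed or not-yet-valid assertion
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None  # assertion was issued for another service provider
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == link_attr:
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
            return LOCAL_USERS.get(value.lower())  # link on the shared attribute
    return None
```

In an OpenAM deployment the signature check, decryption and attribute mapping are configuration on the SP entity, so none of this needs to be hand-written; the point is that the linkage works on an attribute the two sides already share.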
On Fri, Feb 3, 2012 at 7:24 AM, Cyril Grosjean <cgrosjean at janua.fr> wrote:

>
> I have already posted this message to the OpenIG mailing list, but didn't
> get any answer, so I try here:
>
> I have OpenAM 9.5.3 at one organization, used for access control and SSO
> between applications available through a portal, all of them under the same
> unique DNS domain. Both the portal and OpenAM use OpenDJ as the user
> repository. Users have to self-register to have access to the portal.
> An OpenAM agent is deployed to enforce access control on a reverse proxy,
> upstream.
>
> Now, I have to design a solution where applications from external
> organizations will join the portal. These applications will have their
> users defined in the previously mentioned OpenDJ directory, and they
> require the user's password to authenticate someone.
>
> The user's password is stored as a standard hash in OpenDJ, so there's no
> way to extract and decrypt it.
>
> So, I see 2 options and would like some advice and possibly any other
> solution to achieve this.
>
> 1) - use the password replay feature of OpenAM to capture the password
>      at authentication time and then send it in an encrypted HTTP header
>      thanks to the agent.
>    - deploy OpenIG at each external organization to extract, decrypt and
>      replay the password on the application of the organization.
>
> 2) - configure OpenAM as an IDP
>    - customize OpenAM so that the IDP includes the user's encrypted
>      password as an attribute in SAML authentication assertions.
>    - deploy OpenIG as a federation gateway at each external organization
>      to extract, decrypt and replay the password on the application of
>      the organization.
>
> The 1st solution looks easier to set up since there's no development to
> plan, just configuration, but it is less secure than the 2nd one.
> The 2nd solution looks more secure and standard thanks to SAML features, but:
>
>    - it requires at least some development on the OpenAM side since the
>      IDP must be customized, if possible, to be able to add the password
>      (encrypted by the password replay authentication module) in the SAML
>      assertions it will generate. Correct?
>    - OpenIG doesn't support encryption at the SAML assertion and/or
>      attribute level, so SSL at the transport level is the only feature
>      available, in addition to signed assertions. Correct?
>