Posts

Showing posts from July, 2005

FIM and IP Based Authorization

In the world before the FIM, a lot of technologies were used to implement the federated single sign on. A very common way to allow corporate level access to services, was to allow all the users coming from a specific range of IP (usually the corporate proxy server of client) full access to the service without requiring authentication (though the identification may be implemented for personalization purpose). But with the development of FIM standards, does it make sense to continue to require the IP based authorization in addition to the FIM Sign On or does it give just an additional level of "security" at the cost of sacrificing convinience (people can only access the service from corporate network and not from outside unless VPNed to office)?

Biometrics: Some thoughts!!

After a quick read of thoughts on problems with biometrics , I was thinking how the accounts can be accessed after a person/owner has died. For example if a system is built that provides access solely on biometric authentication (without any escrow system in place), what would be the process to access those accounts after the owner has died. Does this mean that a biometric based security system can not be built without an escrow system in place. Also, does it make sense from a liability point of view to become owner of biometric data. Just in case more stringent privacy laws come in to force and/or a precedence is set specifing the data owner can ask the data manager (enterprise that has the information about the owner) to pay for the damages caused by the loss of data, the biometric database would become a huge liability for any enterprise. Thoughts??

Credential Mapping/Management, WS-Trust: Some use cases

The basic idea of Credential Mapping service is to provide necessary data to the service's client which will help client to identify with a specific security domain. Based on the security policy requirements of security domain, this authentication and identification data can take various forms like id/password, token (cert, kerberos ticket, etc.). This concept has been implemented in kerberos Ticket based authentication system, Global sign on (GSO) , Credential Mapping Providers , Security Token Service and enterprise reduced sign on. In this article I will try to discuss why such a service is important as a separate independent service within an enterprise or for an end-user. As discussed above, the credential mapping or token generation service (here after referred as security token service or STS), has been an important part of Authentication systems, Single Sign on integration, Legacy Application integration, and Federated Sign On. Due to the wide variety of the application t...