Single Sign-On (SSO) with VB.Net 1.1 App

Thread starter: Kirk

Kirk

My company wants to integrate our application to some of our clients'
SSO systems. These systems may be either proprietary, LDAP, or Active
Directory. I have a couple of general questions that I've been unable
to find answers to elsewhere. Your help is appreciated.

1. Once the user is logged in to the machine, is the password
retrievable, or is it just ignored from that point onward?
2. How is the LDAP (or AD) system secured? If it requires a username/
password, do I have to prompt the user? Wouldn't this negate the
benefit of a SSO system? But if we don't require password, how is it
secured? Just by getting the logged on user from the OS?
 
Kirk,
1. Once the user is logged in to the machine, is the password
retrievable, or is it just ignored from that point onward?

What do you think? If this question were answered positively, there would be
a security patch the next day to make it impossible. A user password should
never be retrievable.
How is the LDAP (or AD) system secured?

Have a look at the principal class
http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsprincipal.aspx

Cor
 
Cor, I did not mean to insult anyone's intelligence here. I
appreciate your help.

So, SSO applications generally do not query the AD or LDAP system
directly, but instead just get user information through the Principal
class? Am I correct in thinking that a client then would be able to
use whatever system they want for SSO and our application would work,
since we would only be dependent on the Principal class?

This seems too simple. Are there any security concerns with this
method, other than the obvious case of a user leaving their computer
unlocked? Are there any other configuration issues or anything like
that which may need to be considered before deployment?
 
Cor, I did not mean to insult anyone's intelligence here. I
appreciate your help.

I think it's just Cor's writing style ... I don't think anyone took
offence :-)
So, SSO applications generally do not query the AD or LDAP system
directly, but instead just get user information through the Principal
class? Am I correct in thinking that a client then would be able to
use whatever system they want for SSO and our application would work,
since we would only be dependent on the Principal class?

You query the principal - but how you retrieve the principal is up to
you.

Windows will provide a default principal for the current login account.
This seems too simple. Are there any security concerns with this
method, other than the obvious case of a user leaving their computer
unlocked? Are there any other configuration issues or anything like
that which may need to be considered before deployment?

Most of this security is handled by .NET's CAS (Code Access Security):

http://msdn2.microsoft.com/en-us/library/930b76w0(VS.71).aspx

CAS is multilayered and there are several sets of permissions:

Enterprise (Active Directory Permissions)
Machine (Machine level security policies)
User (User level policies)
AppDomain (Current app)

When you're querying the principal in your application, you're really
handling AppDomain specific permission. So say you ignore the AppDomain
Security (no security at all) and attempt a "format c:\", if the user is
restricted, one of the levels of CAS will throw a security exception.

CAS is relatively secure - provided the policies are set correctly :-)
 
Here's a good article:

http://www.codeproject.com/dotnet/UB_CAS_NET.asp
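As an added illustration of the point above that Windows supplies a default principal for the logged-on account (editor's example, not code posted in this thread): the .NET 1.1 app asks the AppDomain for a WindowsPrincipal, verifies that the OS actually authenticated the user, and lets the directory decide access through group membership. The group name "DOMAIN\AppUsers" is a hypothetical placeholder.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Security.Permissions
Imports System.Threading

' Added example, not from the thread. "DOMAIN\AppUsers" is a hypothetical
' group name; substitute the client's real directory group.
Module SsoPrincipalDemo

    ' Expose the logged-on Windows user as Thread.CurrentPrincipal.
    ' No password is involved: the OS hands the process an access token,
    ' never the credential that produced it.
    Sub Main()
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

        Dim principal As WindowsPrincipal = _
            CType(Thread.CurrentPrincipal, WindowsPrincipal)
        Dim identity As WindowsIdentity = _
            CType(principal.Identity, WindowsIdentity)

        ' Refuse to continue unless the OS authenticated this user; an
        ' anonymous or guest token is not an SSO logon.
        If Not identity.IsAuthenticated OrElse identity.IsAnonymous _
           OrElse identity.IsGuest Then
            Console.WriteLine("Not an authenticated Windows logon; aborting.")
            Return
        End If

        Console.WriteLine("Logged-on user: " & identity.Name)
        ' Reports how the OS authenticated the token, e.g. Kerberos or NTLM.
        Console.WriteLine("Auth type:      " & identity.AuthenticationType)

        ' Authorization is decided by the directory (AD/LDAP group
        ' membership), so the client keeps control without the app
        ' ever talking to LDAP itself.
        If principal.IsInRole("DOMAIN\AppUsers") Then
            DoPrivilegedWork()
        Else
            Console.WriteLine("User is not in DOMAIN\AppUsers; access denied.")
        End If
    End Sub

    ' Declarative check: the runtime throws SecurityException before this
    ' body runs if the current principal is not in the required role.
    <PrincipalPermission(SecurityAction.Demand, Role:="DOMAIN\AppUsers")> _
    Sub DoPrivilegedWork()
        Console.WriteLine("Access granted to application features.")
    End Sub

End Module
```

Run it from an interactive domain logon; locking the workstation does not invalidate the token already held by the process, which is why the "unlocked computer" concern raised above is the real residual risk here.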
 