Re: ADAM - SSO and provisioning considerations
Hi Al,

Thanks for the info. Actually, the main reason (that I know of) for
vendors not choosing AD as their authentication store has to do with
the working environment. It's the case where PCs are in public areas
and are left logged on all the time. The user who walks up to the
machine needs to tell the application who he is in order to access his
data. For whatever reason (lazy users...), in those environments, the
user feels that it's too cumbersome to log in and out of Windows.
They'd rather just launch the desired app, identify themselves, do the
work, quit and walk away. Of course, if they launch more than one app,
that's when the SSO issue arises.

I did get some clarity about the non-WIA case: as it turns out, we can
expect some level of integration with the 3rd party. In other words,
that app will launch our app, so it can pass the username or SID on the
command line and assume the user was already authenticated. Then we
just need to access our authorization data for that user.

BTW, the other reason I was given to use ADAM is to simplify our
architectural design, since if we need to support talking to different
data stores (AD, LDAP, SAM, etc.), it makes sense to have our apps talk
to ADAM as a "universal" authenticator, and let ADAM deal with the rest
of the world. What I don't know is whether that's practical, or even
realistic. I'm guessing it probably is. Basically, my app needs to
bind to ADAM, passing credentials if they were supplied. If not, it
passes null credentials, binding as the domain user. Correct? The
trick appears to be getting the identity info into ADAM at the time a
user is provisioned, and telling ADAM where to go to authenticate.

FWIW, I should say that I've gotten ADAM set up on XP, gone through the
step-by-step and gotten bindProxy to work. At this point, I'm just
trying to work out a few top-level details before we go to design
review.

- Rob
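The two bind paths Rob describes (credentials supplied at the app prompt, or none supplied so the caller's Windows context is used), followed by the authorization lookup, as an added example in C# with System.DirectoryServices. This is not code from the original thread; the ADAM host name and the users partition DN are hypothetical.

```csharp
using System;
using System.DirectoryServices;

// Added example, not from the original post. Assumes an ADAM instance
// reachable at adam.example.local:636 (hypothetical) whose partition
// "OU=Users,DC=app,DC=local" (hypothetical) holds userProxy objects
// created at provisioning time with the AD user's objectSid.
public static class AdamAuth
{
    const string AdamHost = "adam.example.local:636";   // hypothetical
    const string UsersDn  = "OU=Users,DC=app,DC=local"; // hypothetical

    // Case 1: the user typed a name and password into the app. A simple
    // bind against the userProxy DN makes ADAM redirect the password check
    // to AD (bind redirection). ADAM rejects a simple bind to a proxy over
    // an unencrypted connection by default, so the bind goes over LDAPS.
    public static DirectoryEntry BindWithCredentials(string user, string password)
    {
        string proxyDn = "CN=" + EscapeDnValue(user) + "," + UsersDn;
        return new DirectoryEntry("LDAP://" + AdamHost + "/" + UsersDn,
            proxyDn, password, AuthenticationTypes.SecureSocketsLayer);
    }

    // Case 2: no credentials supplied. Bind with the calling process's own
    // Windows security context (Negotiate). A user name handed over on the
    // command line by another app only tells us who to look up; the bind
    // itself still uses the authenticated Windows identity.
    public static DirectoryEntry BindAsCurrentUser()
    {
        return new DirectoryEntry("LDAP://" + AdamHost + "/" + UsersDn,
            null, null, AuthenticationTypes.Secure);
    }

    // Authorization data: the ADAM groups the proxy object belongs to.
    // The cn is escaped before it goes into the filter (LDAP filter injection).
    public static string[] LookupGroups(DirectoryEntry root, string user)
    {
        var searcher = new DirectorySearcher(root);
        searcher.Filter = "(&(objectClass=userProxy)(cn=" + EscapeFilterValue(user) + "))";
        searcher.PropertiesToLoad.Add("memberOf");
        SearchResult result = searcher.FindOne();
        if (result == null) return new string[0];
        var groups = new string[result.Properties["memberOf"].Count];
        result.Properties["memberOf"].CopyTo(groups, 0);
        return groups;
    }

    static string EscapeFilterValue(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
         .Replace(")", "\\29").Replace("\0", "\\00");

    static string EscapeDnValue(string v) =>
        v.Replace("\\", "\\\\").Replace(",", "\\,").Replace("+", "\\+")
         .Replace("\"", "\\\"").Replace("<", "\\<").Replace(">", "\\>")
         .Replace(";", "\\;").Replace("=", "\\=");
}
```

A failed bind surfaces as a COMException on first use of the DirectoryEntry (for example when the DirectorySearcher runs), so the caller should treat that, not a null return, as the authentication failure.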
