Re: ADAM - SSO and provisioning considerations
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 5 Aug 2005 17:47:45 -0500
Yep, I'm agreeing with Al as well here.
Joe K.
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:O2vlmzgmFHA.3900@xxxxxxxxxxxxxxxxxxxxxxx
> Agreed, although I wonder what the implication would be if you used AD as
> the authentication store for the user and groups in SQL for the
> authorization?
> Is that possible with your product?
>
> I know a little while back I did some work with a company that wanted to
> install an OU, do LDAP bind's to AD for authentication, and used some
> middleware components to sit between. Wasn't elegant, but they were nice
> enough not to extend the schema so I was very willing to go along. It was
> an OU and a bunch of groups that they used to permit access to their
> resources. I bring this up as an example of how you *could* do this. They
> were porting that application from SunOne directories, so there were a few
> issues, but nothing unexpected.
>
> The above illustrates why you don't need ADAM. We didn't need ADAM
> because there was no need to proxy the directory or the authentication
> mechanism. Just the authorization portion of the transaction needed to be
> different. In there case, they saw no reason to put that into a separate
> DB. I don't see one here either.
>
> What your application does with the information it collects is up to you.
> Making it work with AD, ADAM, SunOne, OpenLDAP etc is all possible and
> would be fairly consistent with some extra effort. I don't think your
> clients are going to mind if you do that, as long as you don't require
> schema extensions. If you do, then some will be OK and some won't but for
> just about all it will increase the barrier to entry for your sales team
> and cause a weakness where your competition can get a toe-hold in your
> accounts.
>
> I think you're going down the wrong path if you think you're going to walk
> into an account and architect a SSO solution for their identity stores and
> the third-party applications they buy. You may be able to create an
> ecosystem that third-party vendors choose to plug-in to and use as many
> open protocols as possible, but you would be nutz if you think you can
> solve this problem for them and the customers. Really, you'd be nutz if
> you created this solution and didn't sell it as a solution in and of
> itself.
>
> I see nothing in your posts that indicate you cannot use just about any
> LDAP store for your identity store. In some you'll also get SSO like
> qualities. Like AD. ADAM buys you nothing but complexity that I can see
> as long as you don't need to modify the schema. If you do, it could offer
> an alternative to some.
>
> Al Mulnick -MVP Directory Services
>
.
- References:
- ADAM - SSO and provisioning considerations
- From: Rob Lewis
- Re: ADAM - SSO and provisioning considerations
- From: Al Mulnick
- Re: ADAM - SSO and provisioning considerations
- From: Rob Lewis
- Re: ADAM - SSO and provisioning considerations
- From: Al Mulnick
- Re: ADAM - SSO and provisioning considerations
- From: Rob Lewis
- Re: ADAM - SSO and provisioning considerations
- From: Joe Kaplan \(MVP - ADSI\)
- Re: ADAM - SSO and provisioning considerations
- From: Rob Lewis
- Re: ADAM - SSO and provisioning considerations
- From: Joe Kaplan \(MVP - ADSI\)
- Re: ADAM - SSO and provisioning considerations
- From: Al Mulnick
- ADAM - SSO and provisioning considerations
- Prev by Date: Re: Upgrading my domain to Windows 2003
- Next by Date: Re: cannot find AD snap-ins
- Previous by thread: Re: ADAM - SSO and provisioning considerations
- Next by thread: Script Logic
- Index(es):
Relevant Pages
|
