to all of its resources. Portal solutions commonly implement some form of SSO identity management system, so that individually configured portlets or web parts may be coupled to disparate resources without requiring the user to provide multiple sets of log-on credentials at each log-on. The aggregate collection of all identities and related credentials is sometimes termed a metadirectory.
Because the metadirectory acts as an authentication proxy, it is itself a point of vulnerability, exploitable by anyone who gains access to the metadirectory server. Unless the chosen solution specifically prevents it, administrative or physical access to this service can allow an individual to associate his or her own credentials with the stored credentials of another user. Such an association grants unauthorized access to enterprise resources, and it is typically discovered only through a later review of access logs, a reactive rather than proactive security measure.
Password Synchronization
One other method used to improve authentication transparency involves the use of a service that synchronizes accounts and passwords across multiple authentication domains. Transparent password synchronization solutions accept a password change within one authentication boundary and replicate that change to all other associated accounts within other authentication boundaries. Provisioning password synchronization systems rely on a central location for password update or change, such as a secured website, and then apply the new changes to all registered accounts associated with the authenticated log-on used to conduct the change process.
Variation in password complexity, length, and other constraints between vendors can present difficulties for password synchronization systems, which must restrict password selection to values that satisfy the length, complexity, and other rules of every connected authentication system at once: the effective policy is the most restrictive combination of all of them.
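The following is an added example (not from the book or any vendor's product) of how a synchronization service can derive that most restrictive combined policy and check a candidate password against it; the policy fields, the three sample boundaries and the candidate passwords are constructed for illustration.

```python
from dataclasses import dataclass
import string

@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints one authentication boundary places on passwords (constructed)."""
    name: str
    min_length: int
    max_length: int
    require_digit: bool = False
    require_symbol: bool = False
    forbidden_chars: str = ""  # characters this boundary cannot store or accept

def combined_policy(policies):
    """Most restrictive value of each constraint across all boundaries, so a
    password accepted here is accepted by every synchronized account."""
    combined = PasswordPolicy(
        name="+".join(p.name for p in policies),
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        require_digit=any(p.require_digit for p in policies),
        require_symbol=any(p.require_symbol for p in policies),
        forbidden_chars="".join(sorted({c for p in policies for c in p.forbidden_chars})),
    )
    # Constraints can be mutually exclusive (one system demands 12 characters, a
    # legacy system stores at most 8); no single password can then be synchronized.
    if combined.min_length > combined.max_length:
        raise ValueError(f"incompatible lengths: min {combined.min_length} > max {combined.max_length}")
    return combined

def violations(candidate, policy):
    """Reasons the candidate fails the policy; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(candidate) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy.require_symbol and not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    bad = sorted(set(candidate) & set(policy.forbidden_chars))
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems

# Constructed sample boundaries: a directory service, a web portal and a legacy host.
DIRECTORY = PasswordPolicy("directory", 8, 64, require_digit=True)
PORTAL = PasswordPolicy("portal", 10, 128, require_symbol=True)
LEGACY = PasswordPolicy("legacy", 6, 14, forbidden_chars=" '\"\\")
```

A change request that passes `violations()` against the combined policy can be replicated to every boundary; one that fails should be rejected at the central change point rather than partially applied.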
Pluggable Authentication Modules
Some technologies, such as FreeBSD and OpenBSD, can consume authentication provided by lower-level components known as pluggable authentication modules (PAMs). Higher-level applications do not have to implement their own authentication solution, calling the exposed