Difference between TAM 5.1 and TAM 6? - tivoli-identity-manager

I'm working with both TAM 5.1 and TAM 6.
But I couldn't find any difference between these two versions, except for the two-step login in TAM 6.
Can you tell me what the basic difference is between these two versions, TAM 5.1 and TAM 6?
Thanks

Apologies if my answer is obvious, but have you referred to the release info?
Link here - TAM 6 Release notes
Now I haven't worked with 5.1 but apparently there are some major differences. I've listed a few below.
Base
64 bit support for some windows, RHEL and SUSE OSes.
WebSEAL
EAI support
Maintaining session state using HTTP headers
Multidomain AD user Id support in SPNEGO
LTPA V2 support
Junction throttling
IPV6, VirtualHost junctions
Session management support via SMS for multiple WebSEAL instances
It's similar for the TAM plugin used in web servers if you don't like WebSEAL.
P.S. In the next version, i.e. TAM 6.1, if I recall correctly, it allows you to add the HttpOnly flag to the cookie, which is a critical security feature that TAM 6.0 lacks.
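Whether a proxy like WebSEAL actually sets HttpOnly (and Secure) on its session cookie is something you can check from the outside, independently of the product version. The following is an added example, not code from the answer above or from TAM: it parses Set-Cookie headers and reports cookies that lack either flag. The headers are constructed; PD-S-SESSION-ID is WebSEAL's default session cookie name, while the cookie values and the app_pref cookie are made up.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags.

Added example, not part of the original answer or of the TAM product.
The sample headers are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: headers as a reverse proxy such as WebSEAL might return.
# PD-S-SESSION-ID is WebSEAL's default session cookie name; values are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: PD-S-SESSION-ID=1_2_0_abcdef; Path=/; Secure",
    "Set-Cookie: PD-S-SESSION-ID=1_2_0_abcdef; Path=/; Secure; HttpOnly",
    "Set-Cookie: app_pref=dark; Path=/app",
    "Content-Type: text/html",
]

# Attribute keys are matched case-insensitively; these are the display names.
FLAG_NAMES = {"httponly": "HttpOnly", "secure": "Secure"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into its name, value and attribute map.

    Flag attributes without a value (HttpOnly, Secure) map to True;
    valued attributes (Path=/, Domain=...) keep their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per Set-Cookie header missing HttpOnly or Secure."""
    findings = []
    for header in headers:
        hname, _, hval = header.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        missing = [flag for flag in FLAG_NAMES if flag not in cookie["attrs"]]
        if missing:
            names = ", ".join(FLAG_NAMES[m] for m in missing)
            findings.append(f"{cookie['name']}: missing {names}")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

Run against the headers of a real response (for example captured with curl -D), the first finding is exactly the TAM 6.0 situation the answer describes: a session cookie that is Secure but readable from script because HttpOnly is absent.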

Related

From windows authentication to token based authentication, keeping .net framework 4.6 and active directory in use

My enterprise application is developed in .NET Framework 4.5 and is using Windows authentication. In that case, as we all understand, it is the underlying AD (Active Directory) that authenticates the user.
I have to replace Windows authentication with token-based authentication, keeping the .NET Framework 4.6 and AD (Active Directory). I guess OAuth is a possible solution; could you please share some thoughts on other possible solutions and on how I could get started?
HISTORY
It was common some years ago for apps to be developed for a corporate intranet, in which case Windows Authentication was a good solution. When token based authentication came along the benefits typically were:
Extend reach so that apps could be used over the internet
Support cross-domain scenarios, e.g. APIs in a different domain
Support multiple authentication methods / policies depending on user location and device type
Write less security code and make new security features available to multiple apps
IMPLEMENTATION
An OAuth migration is a major architectural change and needs to be managed in terms of costs and benefits, though once done your apps will be quite cutting edge. Here is how Windows Authentication typically works in an OAuth 2.0 / OpenID Connect world, which requires a more complex setup:
Your UI redirects to a Cloud Authorization Server (AS), such as Azure Access Control
The AS redirects to an identity provider - such as an on-premises ADFS (Active Directory Federation Services) - that is configured to use Windows authentication
When in the corporate intranet the user is automatically signed in and ADFS posts tokens to the AS
The AS posts different tokens to your UI
Your UI calls the API with the AS token and the API validates it
GETTING STARTED
If you decide that the effort is worthwhile then there are two parts to the job. Note that your application code will only ever interact with the AS and doesn't need to know or care about the authentication method:
Infrastructure migration
Updating the code in your UIs and APIs
If it helps, my blog and code samples are designed to help people deal with some of the challenges of OAuth tech. Maybe have a look at my first tutorial to get set up.
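The last step of the flow above, "the API validates it", is where most of the security of the design sits, so here it is spelled out as an added example (not code from the answer above or from the author's blog samples). Assumptions: the access token is a JWT; the issuer, audience and secret are hypothetical; and HS256 with a shared secret is used only so the block runs stand-alone, since a real Authorization Server signs with an asymmetric key and the API verifies against the AS's published public keys. The checks that matter are the same either way: pin the algorithm, verify the signature before trusting any claim, then check issuer, audience and the time window.

```python
"""API-side validation of an access token issued by an Authorization Server.

Added example, not part of the original answer. HS256 with a shared secret
is used purely to keep the example self-contained; a production API would
verify an RS256/ES256 signature against the AS's public keys.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-shared-secret"     # constructed; never hard-code a real one
ISSUER = "https://as.example.com"     # hypothetical Authorization Server
AUDIENCE = "api://orders"             # hypothetical identifier of this API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the AS: build an HS256 JWT so the validator has input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Return the claims if signature, issuer, audience and time window pass.

    Raises ValueError naming the first failed check. `now` is injectable so
    the checks can be exercised without depending on the wall clock.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never let the token's own header choose the verifier
    # (this is what defeats alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    # Only now are the claims trustworthy enough to read.
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    t = int(time.time())
    tok = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "jdoe", "exp": t + 300})
    print(validate_token(tok)["sub"])
```

The audience check is the one most often left out when people first move from Windows authentication: without it, any valid token the AS issued for some other API of yours is accepted by this one.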

Apache 2 - LDAP/eDirectory(Novell) Automatic Login / Authentication

So I've been tasked to develop some enterprise web applications, but our users hate logging in to every site. After our users authenticate to eDirectory, is it possible to provide a Single Sign-On feature for them? I know it's possible to do with AD, but I was wondering if anyone has actually done it with Novell.
Currently, I'm testing out solutions on WAMP (Apache 2.2). I was looking into mod_auth_sspi but I'm not sure if it will work with Novell.
The typical issue with these setups is how you are going to pass credentials from the browser to the web application. You can set up Kerberos on eDirectory, which should work similarly to Microsoft Active Directory, using GSSAPI, which is vendor independent.
You may need to make some changes to browser settings to make any of these work seamlessly.
However, SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types and, AFAIK, will not work easily with eDirectory or browsers other than IE.
If possible, look into an Access Manager product that will be (at least nearly) seamless. Most will allow any(?) web-based application to utilize SSO in one form or another.
-jim

Spring Security Single Sign On in Windows Environment

I have a feeling I've stumbled into a technical black hole. There have been many questions and not many (recent) answers out there.
Short summary:
I have a Windows environment operating with a domain controller and Active Directory implementation (soon to be operating with Quest's Authentication Services). I have a series of Spring-based web applications I want to deploy to this environment and we need them to operate seamlessly with Single Sign-On using the domain credentials.
It looked like the answer was this:
http://blog.springsource.org/2009/09/28/spring-security-kerberos/
I was informed by some of the local AD admins, though, that ktpass was an unsafe (principals and keys stored in a plain-text file) and outdated solution. Given that the blog linked above is 3 years old, it was tough to argue.
Then I came across this:
http://forum.springsource.org/showthread.php?134465-JDK-7-0-and-Spnego-Extension-don-t-work!
Posted just a week or so ago, it looks like recent efforts to integrate SPNEGO extensions have shown that it's incompatible with JDK 7 and no longer supported!
It seems like this would be a common thing for people to want to do. I'm surprised that with a framework as widespread as Spring that there's not a simple way to achieve this. Is there another approach I haven't found in the documentation?
Thanks for any insights or suggestions.
Check out WAFFLE.
WAFFLE is a native Windows Authentication Framework consisting of two C# and Java libraries that perform functions related to Windows authentication, supporting Negotiate, NTLM and Kerberos. Waffle also includes libraries that enable drop-in Windows Single Sign On for popular Java web servers, when running on Windows.
It has a tutorial for using it with Spring Security.

Simple php framework to support multi-tenancy

I am looking for a PHP-based framework which is ready to go with the following features:
1. Simple dashboard with login/logout
2. Multiple DBs, with each DB representing a client
3. Simple registration support
Just the basic framework.
Use case:
I download it from GitHub and deploy it on the server - assume the server is all configured with DNS and so on.
I create a user through registration - a new DB is created and a tenant folder is created on the server.
I can then access
tenant1.stckoveawesm.com
tenant2.stckoveawesm.com
each connecting to a different DB. Assume *.stckoveawesm.com is mapped to the server I am hosting the framework on.
I know CodeIgniter, Zend and Symfony support this. I'm looking for a library/framework which is ready to go: a shell of code which can just do the trick with minimal config.
I finally managed to get something done using the Laravel framework, and it is hosted on GitHub for folks to help and improve. Anyone who wants to pitch in and help, fork it and let me know so I can collaborate.
https://github.com/sseshachala/laravel-multi-tenant
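The use case above hangs the whole tenant selection off the request's hostname, and the Host header is chosen by the client, so the one piece of this design that deserves care is turning "tenant1.stckoveawesm.com" into a database and a folder without ever building those names from unvalidated input. The following is an added example, not code from the linked laravel-multi-tenant repository: it uses the base domain from the question, a constructed tenant registry standing in for the master database, and accepts only a syntactically valid DNS label that is actually registered.

```python
"""Resolve the tenant from the Host header without trusting it.

Added example, not from the laravel-multi-tenant repository. BASE_DOMAIN is
taken from the question; TENANT_REGISTRY is a constructed stand-in for the
master database that records which tenants exist.
"""
import re
from typing import Optional, Tuple

BASE_DOMAIN = "stckoveawesm.com"

# Constructed registry: DB name and folder come from here, never from the Host
# string itself, so a hostile hostname can only ever fail to match.
TENANT_REGISTRY = {
    "tenant1": {"db": "tenant_tenant1", "folder": "/srv/tenants/tenant1"},
    "tenant2": {"db": "tenant_tenant2", "folder": "/srv/tenants/tenant2"},
}

# One DNS label: letters, digits, hyphens; no dots, slashes, spaces or "..".
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def tenant_from_host(host: str) -> Optional[Tuple[str, dict]]:
    """Return (label, config) for a registered tenant, or None.

    None covers every hostile or odd case: a foreign domain, a suffix trick
    such as tenant1.stckoveawesm.com.attacker.net, a nested label, the bare
    base domain, or a well-formed label that is simply not registered.
    """
    host = host.strip().lower()
    host = host.split(":", 1)[0]      # drop any :port
    host = host.rstrip(".")           # drop a trailing FQDN dot
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if not _LABEL.match(label):
        return None
    config = TENANT_REGISTRY.get(label)
    if config is None:
        return None
    return label, config


def db_name_for_host(host: str) -> Optional[str]:
    """Convenience: the database to connect to for this request, if any."""
    resolved = tenant_from_host(host)
    return None if resolved is None else resolved[1]["db"]


if __name__ == "__main__":
    for h in ("tenant1.stckoveawesm.com", "tenant1.stckoveawesm.com.attacker.net"):
        print(h, "->", db_name_for_host(h))
```

Because the DB name and folder are looked up rather than derived, the registration step in the use case ("a new DB is created and a tenant folder is created") is also the only place a new label needs validating, with the same regex, before it becomes part of a CREATE DATABASE statement or a filesystem path.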

Running ibm websphere like setup on Apache Tomcat or some open server

Is there a way to mimic IBM WebSphere on an open app server? There are functions we use, IBM's j_security_check and their LTPA token cookie. That should be all we need to get a functioning IBM-like server. Would those be available from an open server, or even an open version of IBM WebSphere?
The usage of j_security_check is defined in the Servlet Specification, so any Java Web Container is compatible with that.
On the other hand, the LTPA token is an IBM technology that's only used by IBM products, so you need to find another way to implement single sign-on. As @Manglu said, that's more of a container concern that shouldn't have any impact on your application.
Some SSO solutions are described in https://stackoverflow.com/questions/173704/which-sso-framework-to-use
I am not sure what you mean by an open version. If you are looking at free versions of WAS, you should look at the WAS Developers Edition:
http://www-01.ibm.com/software/webservers/appserv/developer/
If your production environment is WAS, then I would suggest you use this:
Deploy your applications with complete fidelity to a WAS production environment, rendering development to production migration a non-issue
How are you using the LTPA token in your application? This should typically be under the hood and you don't necessarily need to be using that in your application. I would be interested in hearing what you do with the LTPA token in your application!
HTH
Manglu
I'm wondering if you're looking for something open, or something smaller. If you're already using WebSphere, but are looking for something smaller/lighter that still supports LTPA tokens, you might want to check out the new Liberty profile in WebSphere Application Server 8.5 (which was just announced). You can get the low-down and download versions to play with from http://wasdev.net
(disclaimer: I worked on it, I am biased)
