<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Book Antiqua";
        panose-1:2 4 6 2 5 3 5 3 3 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Mike,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I got a bit confused by the writeup, but I think you&#8217;re working
out how to use ESAPI to achieve SSO, right?&nbsp; That&#8217;s a bit different
than identity management, at least to me.&nbsp; Anyway, it&#8217;s a very
useful discussion since so many sites are really conglomerations of applications
these days.&nbsp; Rather than create yet another cookie-based SSO approach, I&#8217;d
really like to see us head towards a SAML, OpenID, or other Identity 2.0 type
solution.<o:p></o:p></span></p>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>--Jeff<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

</div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
esapi-user-bounces@lists.owasp.org [mailto:esapi-user-bounces@lists.owasp.org] <b>On
Behalf Of </b>Boberski, Michael [USA]<br>
<b>Sent:</b> Tuesday, January 19, 2010 11:48 AM<br>
<b>To:</b> ESAPI-Users<br>
<b>Subject:</b> Re: [Esapi-user] Exploring ESAPI identity management<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Here is a
picture of what I mean (if it doesn't make it, I'll post it and send the link).
Does it look right?</span><o:p></o:p></p>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<p class=MsoNormal><img width=698 height=450 id="_x0000_i1025"
src="cid:image001.jpg@01CA996B.1CC2F690"><o:p></o:p></p>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Mike&nbsp;B.</span><o:p></o:p></p>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div class=MsoNormal align=center style='text-align:center'>

<hr size=3 width="100%" align=center>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> esapi-user-bounces@lists.owasp.org
[mailto:esapi-user-bounces@lists.owasp.org] <b>On Behalf Of </b>Boberski,
Michael [USA]<br>
<b>Sent:</b> Tuesday, January 19, 2010 9:04 AM<br>
<b>To:</b> ESAPI-Users<br>
<b>Subject:</b> [Esapi-user] Exploring ESAPI identity management</span><o:p></o:p></p>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Hi,</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>I'm working
on a first&nbsp;language-independent ESAPI design spec, for authentication. It
will be posted for review and comment once there's at least something in each
of the sections.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>One
section/topic that I would like to try to explore a little bit before I put pen
to paper is &quot;identity management&quot; as described/defined in the current
draft of the ESAPI &quot;Establishing a Security API for Your Enterprise&quot;
book.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Let us say
that we have a single Java application that is using ESAPI user and
authentication controls. In this case, getCurrentUser&nbsp;and whatnot work
together to&nbsp;create a new user object after authentication,
regenerate&nbsp;the session identifier, and so on.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>How might
identity management using ESAPI be intended to work when one has an application
comprised of <em><span style='font-family:"Book Antiqua","serif"'>multiple</span></em>
servers integrated together, <em><span style='font-family:"Book Antiqua","serif"'>mixing
programming languages and solution stacks</span></em>?</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>E.g., let
us say we have a PHP application running on a LAMP solution stack and a
separate&nbsp;C# application running on a Windows solution stack (IIS), and now
we want to integrate the two: we want to be able to navigate between the two
separate web user interfaces, and log in and out correctly. How might identity
management work using ESAPI in this scenario? Assume that the ESAPI for PHP
user and authentication interfaces exist and are implemented in a similar
fashion to the Java version, and that the ESAPI for .NET user and
authentication interfaces do not exist, as IIS/Windows provides basically
equivalent functionality. How might the ESAPI for PHP user and authentication
reference implementation need to be modified? Would the ESAPI for .NET need
user and authentication implementations in this instance, e.g. to retrieve
session information produced by the PHP application?</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Thanks in
advance, and remember I publish what I work on when it comes to ESAPI, so your
help == helping the project and the user community. The end goal is to come up
with an explanation that says with ESAPI and some custom coding, one doesn't
need to go buy a commercial SSO web portal type product.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Thanks in
advance,</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Best,</span><o:p></o:p></p>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif"'>Mike&nbsp;B.</span><o:p></o:p></p>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

</div>

</body>

</html>