I'm curious if anyone has come across 'best practices' as to when applications should use CA SSO vs. ASP.NET's built-in security? Or possibly a hybrid of the two?
What are the pros and cons of each approach?
For logins using Windows credentials internally, we've developed our own IWA Auth Scheme such that, under various conditions, we can dynamically redirect to a forms-based login (for Firefox, etc.) if conditions are not valid for IWA to happen. We also perform the custom login to allow some computers to bypass IWA (plant computers, testers, etc.); and we never want users to see IWA's Basic Auth challenge that can occur. CA SSO has allowed us to be successful with these requirements. In short, our auth scheme can do one of the following dynamically -- and our users can 'choose': IWA-Preamble==>IWA or IWA-Preamble==>FCC
After we get control back from logins, we run post-login checks required by our legal team before a login is considered valid. Again, CA SSO is great for this type of flexibility. Not to mention getting 'layers of defense' for free, where the SiteMinder agent will deny an unauthorized user from being able to 'touch' application logic, provide session hijacking protection, etc.
That said, Microsoft's Passport/Hello brings new capabilities to the table as well. So...
At a high level, what are others doing to properly secure ASP.NET applications when SiteMinder is an option for these applications too?
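As an added illustration of the "hybrid" the question asks about (example code, not the poster's own scheme or a CA product sample), the ASP.NET Core middleware below accepts the identity the SiteMinder agent asserts in the SM_USER header only when the request arrived from an address configured as a trusted agent host, otherwise falls back to ASP.NET cookie/forms authentication, and runs a post-login check hook before the application logic is reached. The trusted-agent address, the `/legal/accept` path and the `PostLoginCheck` delegate are assumptions chosen for the example; the one security-relevant point it makes is that an identity header must never be trusted unless the request provably came through the agent, since any client can send `SM_USER` itself.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical hybrid: trust the SiteMinder-asserted identity (SM_USER) only
// when the request came from a known agent host; otherwise use ASP.NET's own
// cookie (forms) authentication. Register AFTER app.UseAuthentication().
public static class HybridAuth
{
    // Constructed placeholder: addresses of the reverse proxy / agent hosts
    // that are allowed to assert identity on behalf of the user.
    private static readonly HashSet<IPAddress> TrustedAgents = new()
    {
        IPAddress.Parse("10.0.0.5"),
    };

    // Assumed hook for the legal team's post-login checks; replace with the
    // real check (e.g. "user has accepted the current terms").
    public static Func<ClaimsPrincipal, bool> PostLoginCheck { get; set; } = _ => true;

    // Returns a principal for the agent-asserted user, or null when the header
    // must not be trusted (wrong source address or missing/empty header).
    public static ClaimsPrincipal? PrincipalFromAgent(IPAddress? remote, string? smUser)
    {
        if (remote is null || !TrustedAgents.Contains(remote))
            return null; // header arrived without the agent in front: ignore it
        if (string.IsNullOrWhiteSpace(smUser))
            return null;

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, smUser) },
            authenticationType: "SiteMinder");
        return new ClaimsPrincipal(identity);
    }

    public static IApplicationBuilder UseHybridAuth(this IApplicationBuilder app)
    {
        return app.Use(async (ctx, next) =>
        {
            string? smUser = ctx.Request.Headers["SM_USER"];
            var fromAgent = PrincipalFromAgent(ctx.Connection.RemoteIpAddress, smUser);

            if (fromAgent is not null)
            {
                // Layer 1: the agent already authenticated this user.
                ctx.User = fromAgent;
            }
            else if (!(ctx.User.Identity?.IsAuthenticated ?? false))
            {
                // Layer 2: no agent assertion and no ASP.NET auth cookie,
                // so send the browser to the forms login (no Basic challenge).
                await ctx.ChallengeAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                return;
            }

            // Post-login checks gate access regardless of which layer logged the user in.
            if (!PostLoginCheck(ctx.User))
            {
                ctx.Response.Redirect("/legal/accept"); // placeholder path
                return;
            }

            await next();
        });
    }
}
```

In a deployment where the agent fronts the application, the same check belongs at the network edge as well: the proxy or agent should strip any client-supplied `SM_USER` before setting its own, so the application-side address check is a second layer rather than the only one.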