CA Tuesday Tip: Get your password services under control with SiteMinder

Discussion created by jeff.tchang on Sep 29, 2011

Get your password services under control with SiteMinder

Password services is a general term for a set of use cases involving a user's password. The most common use cases are when a user forgets their password or wants to change their password. In SiteMinder these two cases are referred to as Forgotten Password and Change Password respectively.

User password recovery is not new. It is one of the most heavily used features of any web application, and it is also the first service a potential attacker targets. Any weakness in a web application's password recovery process is commonly exploited to gain deeper access into the system.

The problem is that every web application today seems to roll its own. Newer web frameworks, such as Rails and Django, give you some of these services built in. However, there is still a plethora of other web apps that go the custom route.

SiteMinder's Advanced Password Services (APS) module can be a great help in this regard. It is a highly mature module that provides a variety of password-related services. The module provides a battle-hardened CGI that web applications redirect to if a user forgets their password. It is also highly customizable.

For example, we can customize how a user is verified before a password is reset. Arbitrary methods such as a token, custom security questions, or RADIUS authentication are all viable. Newer methods, such as sending out a custom SMS code, can easily be built on top of the existing framework.

What APS gives you is a way to unify your organization's password policies and password-reset methods in one place. The alternative is to code this in house for each web app and make sure that everyone is following the same standard. I can't imagine doing this for more than a handful of apps. The chances someone introduces a bug are just too high. APS password services also give you the ability to set password policies such as password length, reuse, and complexity on an LDAP-filtered basis (users in different subtrees have different password policies applied to them).

Custom logging, e-mail notifications, and dictionary checks are also supported.
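To make the per-subtree policy idea concrete, here is an added illustration (not APS code or configuration, and not APS's filter syntax): a small policy evaluator that selects a policy by the user's LDAP DN suffix and checks length, complexity, dictionary words and reuse against a password history. The policies, DNs and word list are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample data: each policy applies to users whose DN falls under
# a given LDAP subtree. APS expresses this with an LDAP filter; matching on
# the DN suffix is an assumption of this example, not APS behaviour.
@dataclass
class PasswordPolicy:
    subtree: str              # DN suffix this policy applies to
    min_length: int
    history_depth: int        # how many previous passwords may not be reused
    require_classes: int      # out of: lower, upper, digit, symbol
    dictionary: set = field(default_factory=set)

POLICIES = [
    PasswordPolicy("ou=admins,dc=example,dc=com", 14, 10, 4, {"password", "siteminder"}),
    PasswordPolicy("dc=example,dc=com", 8, 5, 3, {"password"}),
]

def policy_for(user_dn: str) -> PasswordPolicy:
    """Pick the most specific (longest) subtree policy that contains the user's DN."""
    matches = [p for p in POLICIES if user_dn.lower().endswith(p.subtree.lower())]
    if not matches:
        raise LookupError(f"no password policy covers {user_dn}")
    return max(matches, key=lambda p: len(p.subtree))

def _digest(password: str) -> str:
    # The constructed history store keeps only digests; a real credential
    # store would use a salted, slow password hash instead of plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()

def check_new_password(user_dn: str, new_pw: str, history: list[str]) -> list[str]:
    """Return the policy violations for new_pw (an empty list means it is acceptable)."""
    p = policy_for(user_dn)
    problems = []
    if len(new_pw) < p.min_length:
        problems.append(f"shorter than {p.min_length} characters")
    classes = sum(bool(re.search(rx, new_pw))
                  for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < p.require_classes:
        problems.append(f"needs {p.require_classes} character classes, has {classes}")
    if any(word in new_pw.lower() for word in p.dictionary):
        problems.append("contains a dictionary word")
    if _digest(new_pw) in history[-p.history_depth:]:
        problems.append(f"reused within last {p.history_depth} passwords")
    return problems
```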

One downside is that APS can be complex to configure. However, this is easily mitigated by the extensive documentation. APS is an add-on to SiteMinder and works with R6 as well as R12.

-Jeff Tchang