Tuesday, August 07, 2007


Single Sign-On, SAML, and Authentication in Documentum

While I am a fresher when it comes to ECM, I can surely say that I have learned a lot from Laurence Hart. Most recently, he blogged on the notion of Single Signon, SAML and Authentication in Documentum of which I think has been useful but needs further analysis...

The very first thing one needs to know is whether the DFC APIs talk to Documentum itself using SSL or is it clear-text? I never found any documentation of putting an SSL certificate in Documentum. If there is a way, please share, otherwise I think security professionals may think that any form of credential exchange over an insecure channel is simply insecure.

Do we know if D6 actually supports SAML? I only read from Craig Randall mention of WS-Security. WS-Security support doesn't equal SAML. Besides, in order for SAML to work, you should have some notion of certificates somewhere within the Documentum product which I can't find.

Absolutely, the most secure way of supporting SAML would be for Documentum to support SAML and not have it use anything in the DFC.

I agree and disagree with Bex for different reasons. I agree in that if your ECM system has a great architecture and stores contents while not storing users, then it is a lot cleaner. However if your favorite ECM system made the mistake of storing users then something else is required. It is generally a good strategy to support binding to Active Directory. Another fatal mistake that I have seen products do is that they assume that an enterprise only has one Active Directory Forest and can't traverse multiples. There are a variety of reasons security folks will segment users into different forests and products need to work in this world.

Integration is a somewhat overloaded word. Are you saying that it can use Siteminder for authentication? SiteMinder also provides the ability to support Authorization as well. I haven't ran across Documentation that demonstrates how Documentum can delegate Authorization to Siteminder. While the industry standard way for supporting this is XACML, if their product allows for it even in a non-proprietary way, then that is good news.

Here is where I hope that Craig Randall will chime in and provide a definite answer. Too many folks have been busy speculating when there is no reason to.

I know of several loud customers that have many of their vendors even outside of ECM to embrace SAML and the message wasn't received. In fact, I know of several loud customers that talked to several vendors all at once and it still didn't happen. Don't believe that everyone is willing to listen simply because customers ask...

<< Home
| | View blog reactions

This page is powered by Blogger. Isn't yours?