While I am a fresher when it comes to ECM, I can surely say that I have learned a lot from Laurence Hart. Most recently, he blogged on the notion of Single Sign-on, SAML and Authentication in Documentum, which I think has been useful but needs further analysis...
James' most important statement is this: Security, in order to be done correctly, requires server APIs which run in the address space of Documentum itself. He is correct. All Documentum sessions are created at the server.
The very first thing one needs to know is whether the DFC APIs talk to Documentum itself over SSL or in clear text. I have never found any documentation on installing an SSL certificate in Documentum. If there is a way, please share; otherwise I think security professionals may conclude that any form of credential exchange over an insecure channel is simply insecure.
Though I wouldn’t attempt implementing SAML until D6 to leverage the more advanced capabilities of DFS, I could create a Web Application, or customize the authentication in an existing Documentum Web Application to work with SAML.
Do we know if D6 actually supports SAML? I only read from Craig Randall a mention of WS-Security. WS-Security support doesn't equal SAML support. Besides, in order for SAML to work, you should have some notion of certificates somewhere within the Documentum product, which I can't find.
A more secure, and thus more involved, manner would be passing the processing of the SAML request to the server from the Web Application. This would require a modification to the current authentication process, quite similar to how SSO is implemented in Documentum.
Absolutely: the most secure way of supporting SAML would be for Documentum itself to support SAML natively, rather than relying on anything in the DFC.
Bex has been railing against SAML and has made some very good points. The biggest is that SAML is not really needed within an Enterprise that uses one single authentication source, like Active Directory. If all your users come from the same LDAP source, you can use an SSO product to leverage the users' initial authentication and not worry about SAML.
I agree and disagree with Bex for different reasons. I agree in that if your ECM system has a great architecture and stores content without storing users, then it is a lot cleaner. However, if your favorite ECM system made the mistake of storing users, then something else is required. It is generally a good strategy to support binding to Active Directory. Another fatal mistake that I have seen products make is assuming that an enterprise has only one Active Directory forest, so they cannot traverse multiple forests. There are a variety of reasons security folks will segment users into different forests, and products need to work in this world.
Documentum provides integration with the SiteMinder SSO product. Other SSO products can be integrated as well, with differing degrees of effort.
Integration is a somewhat overloaded word. Are you saying that it can use SiteMinder for authentication? SiteMinder also provides the ability to support Authorization. I haven't run across documentation that demonstrates how Documentum can delegate Authorization to SiteMinder. While the industry standard way of supporting this is XACML, if their product allows for it even in a non-proprietary way, then that is good news.
When external partners need to access multiple systems within your architecture, SAML becomes a necessity. Before that, it is a matter of convenience. If SAML is supported out of the box, it can make life easier.
Here is where I hope that Craig Randall will chime in and provide a definitive answer. Too many folks have been busy speculating when there is no reason to.
Translation: I don't expect vendors to support SAML until multiple, loud customers make it a requirement. They'll point to their integration with SSO products for this requirement.
I know of several loud customers that have asked many of their vendors, even outside of ECM, to embrace SAML, and the message wasn't received. In fact, I know of several loud customers that talked to several vendors all at once, and it still didn't happen. Don't believe that everyone is willing to listen simply because customers ask...