Posted by BPuhl on April 4, 2008
In the AD world, we love our password policies. We want them to be complex, and change frequently, and long, and never reused. In fact, for years, one of the biggest complaints has been that we’ve only been allowed to have ONE password policy for the domain (HORROR!). Fortunately, the uber-geeks in the AD product group have brought us into the light with Fine-Grained Password Policy (HURRAY!) in Windows Server 2008.
So that’s the AD world.
Let’s step just a bit to the left though, away from the directory servers, over into the web farm. Ok…fine…take three steps left…then two steps forward into the next row of racks… now walk down the aisle… there, see that one…the one with the ADFS label on it. Ok…good.
“Have I got a deal for you!”
There are two doors, and behind each one lies a possible solution to your “authenticating business partners in the DMZ” problem:
Behind door #1 – You can keep your directory, your provisioning system, and your custom password policies. Issue a shiny-new identity for each of the business partners, and empower those users to change their passwords in your directory to keep their access.
Behind door #2 – Toss out that directory and provisioning system, and build in federation. The users will use the usernames/passwords that get them access to their own company’s “stuff” (the company being your business partner), and now they can use those same accounts to access your resources.
Of course there’s a catch (there’s always a catch):
If you pick door #2, you don’t get to see what your partners’ password policies are. For all you know – and you might find out – they could REQUIRE that their users maintain at least 4-character passwords that never expire. Or maybe not; you just don’t know.
If you pick door #1, then you’ve got “strong access”, but you have no way of knowing when that user got fired or quit their company. In other words, no “de-provisioning”. So the access may be secure, but the person holding it may now be “secure and malicious”, which doesn’t help much.
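If you do end up behind door #1, the de-provisioning gap is at least measurable. The PowerShell below is an added example, not code from the original post; it assumes the ActiveDirectory module (which ships with Windows Server 2008 R2 and the matching RSAT, not the 2008 release discussed above), that the partner identities you issued live in a single OU, and a 60-day idle threshold. The OU path, the threshold, and the report-only default are all assumptions for illustration.

```powershell
# Added example, not part of the original post.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) and
# that "door #1" partner identities are provisioned into one OU. The OU path,
# threshold and dry-run default are assumptions for illustration.
Import-Module ActiveDirectory

$PartnerOU    = 'OU=Partners,DC=contoso,DC=com'   # assumed: where partner accounts live
$InactiveDays = 60                                # assumed: keep well above 14, see note below
$Apply        = $false                            # $true actually disables; default is report only

# LastLogonDate is derived from lastLogonTimestamp, which DCs only rewrite when the
# stored value is more than ~14 days old (msDS-LogonTimeSyncInterval). A threshold
# near or below that window would flag people who logged on last week.

function Get-StalePartnerAccount {
    param([string]$SearchBase, [int]$Days)

    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties LastLogonDate, whenCreated, PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        # An account that has never logged on has no LastLogonDate; measure it from
        # creation so an identity that was issued and then abandoned is still caught.
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        if ($lastSeen -lt $cutoff) {
            # Which password policy actually applies (an FGPP or the domain default).
            # Reported only to make the point: policy alone never retires the account.
            $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_ -ErrorAction SilentlyContinue
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                LastSeen             = $lastSeen
                DaysIdle             = [int]((Get-Date) - $lastSeen).TotalDays
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordPolicy       = if ($fgpp) { $fgpp.Name } else { 'Default Domain Policy' }
                DistinguishedName    = $_.DistinguishedName
            }
        }
    }
}

$stale = Get-StalePartnerAccount -SearchBase $PartnerOU -Days $InactiveDays
$stale | Format-Table SamAccountName, DaysIdle, PasswordNeverExpires, PasswordPolicy -AutoSize

foreach ($acct in $stale) {
    if ($Apply) {
        # Disable rather than delete: keeps the SID, group memberships and audit trail
        # intact in case the partner says the person is still employed.
        Disable-ADAccount -Identity $acct.DistinguishedName
        Set-ADUser -Identity $acct.DistinguishedName `
                   -Description ('Disabled {0:yyyy-MM-dd}: no logon for {1} days' -f (Get-Date), $acct.DaysIdle)
    } else {
        Write-Host ('[dry run] would disable {0} ({1} days idle)' -f $acct.SamAccountName, $acct.DaysIdle)
    }
}
```

Run it in report mode first and send the list to the partner contact for attestation before flipping `$Apply`. Note what the sweep does and does not give you: it catches an identity that has gone quiet, but someone who left on Friday and still remembers the password is invisible to it for the full threshold window. That gap is exactly what federation closes, since the partner disabling the account in their own directory is what ends access to yours.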
This is the common argument that I seem to have with AD people when talking about ADFS. They compare something new (ADFS) with something they know (AD), and the result is often a fear of losing control. So it’s not surprising, but is a bit frustrating, that almost everyone still picks door #1.
If you have this conversation a few dozen times, using this (and other) blog posts as fodder for your thoughts, then you’ll likely come to the same conclusion we have: de-provisioning trumps password policy.
I want the authentication of YOUR users accessing MY data to be as credible as the authentication of YOUR users accessing YOUR data.