Single sign-on - Right design for SiteMinder
I have to give recommendations on the architecture for SSO using SiteMinder. We have a few J2EE applications. These J2EE applications are designed to work when the HTTP headers have the information after authentication by the SSO provider. We have kept our applications SSO-provider agnostic. That means we rely on the headers from the SSO provider. This worked with the RSA SSO provider.
Now there is an architecture proposed with SiteMinder. The way the request flows is:
SiteMinder IIS -> Apache reverse proxy -> Tomcat application -> backend applications.
To break it down, we have:
a) SiteMinder IIS (public-facing site)
b) Apache reverse proxy (routing)
c) Tomcat application (for routing, logic for site access based on time)
d) Backend applications
The reason for bringing in the new architecture is that the end applications have code for site access. The site can have downtime, controlled by a property file.
I find this architecture wrong. I do not understand why the Apache reverse proxy is required. We can still go with a simple architecture flow: a) SiteMinder IIS doing the routing -> backend applications (accessing a common service to check whether the site can be accessed or not).
Am I missing something?
The Apache reverse proxy makes it easier to load balance between multiple IIS instances. As far as I know, to do something similar on IIS you need to use the ARR (Application Request Routing) module, which won't be optimised to work with Tomcat etc.
However, SiteMinder on IIS seems to be an added overhead in this architecture. The Apache reverse proxy supports SiteMinder agents. Why don't you push for setting up the SiteMinder agent on the Apache proxy and remove IIS from the picture? I can think of the following benefits:
- Remove 1 layer from the architecture
- Remove a network hop
- Clean stack. Apache + Tomcat is standard in enterprises while IIS + Apache + Tomcat isn't.
Hope this helps.
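The common site-access check the question describes (downtime controlled by a property file, applied to requests that carry the SSO provider's headers), as an added example that is not code from either post; it also handles a downtime window that wraps past midnight. The class name, the property keys `site.downtime.start`, `site.downtime.end` and `sso.user.header`, and the sample values are assumptions; `SM_USER` is the user header a SiteMinder agent sets by default.

```java
import java.io.StringReader;
import java.time.LocalTime;
import java.util.Map;
import java.util.Properties;

// Added example: hypothetical shared site-access check; all property keys are assumptions.
public class SiteAccessGate {
    private final LocalTime downStart, downEnd; // null when no downtime is configured
    private final String userHeader;            // header the SSO agent populates

    public SiteAccessGate(Properties p) {
        String s = p.getProperty("site.downtime.start"), e = p.getProperty("site.downtime.end");
        if ((s == null) != (e == null))
            throw new IllegalArgumentException("downtime needs both start and end");
        downStart = s == null ? null : LocalTime.parse(s.trim()); // malformed time throws: fail at startup
        downEnd = e == null ? null : LocalTime.parse(e.trim());
        userHeader = p.getProperty("sso.user.header", "SM_USER"); // stays SSO-provider agnostic
    }

    // True when 'now' falls inside the downtime window [start, end); the window may wrap past midnight.
    boolean isDown(LocalTime now) {
        if (downStart == null || downStart.equals(downEnd)) return false;
        return downStart.isBefore(downEnd)
            ? !now.isBefore(downStart) && now.isBefore(downEnd)
            : !now.isBefore(downStart) || now.isBefore(downEnd);
    }

    // HTTP status the routing layer should answer with for this request.
    public int decide(Map<String, String> headers, LocalTime now) {
        if (isDown(now)) return 503;                           // site closed by configuration
        String user = headers.get(userHeader);
        if (user == null || user.trim().isEmpty()) return 401; // no identity from the SSO agent
        return 200;
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        // Constructed sample property file: nightly downtime from 23:00 to 01:30
        p.load(new StringReader("site.downtime.start=23:00\nsite.downtime.end=01:30\nsso.user.header=SM_USER\n"));
        SiteAccessGate gate = new SiteAccessGate(p);
        Map<String, String> authed = Map.of("SM_USER", "jdoe"); // constructed request headers
        System.out.println(gate.decide(authed, LocalTime.of(0, 15)));   // inside the wrapped window
        System.out.println(gate.decide(authed, LocalTime.of(12, 0)));   // open, identity present
        System.out.println(gate.decide(Map.of(), LocalTime.of(12, 0))); // open, no SSO header
    }
}
```

In a servlet filter the map lookup becomes `request.getHeader(...)`, which is case-insensitive. The header check is only meaningful when the application can be reached solely through the agent-protected proxy, since a client that reaches Tomcat directly can set the header itself.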