My customer has an ActiveDirectory server and a work server, both without SSO. Employees use their ActiveDirectory account to connect to the work server. They change passwords every month.

My app connects to the work server. My app can use SSO, or can let users set a password manually.

For some reason my customer does not want to implement SSO, but their employees are fed up with manually changing their password every month.

QUESTION: Can I do anything about it?
I believe it would not be secure for my app to somehow get the changed passwords from ActiveDirectory or otherwise connect to the work server without knowing the new passwords, and without SSO. Might it be able to work securely using hashes maybe?

(If that matters, the work server is Alfresco)

Nicolas Raoul
  • I am confused. How does your app authenticate to the "work server"? Does it pass on user credentials or use its own account? What is the reason given by the customer for not using SSO? Could it be that they want people to have different access when going through your app? – billc.cn Sep 20 '16 at 14:06
  • My app authenticates with the username/password to the work server. In turn, the work server checks against ActiveDirectory. The customer apparently has obscure (financial?) reasons for not implementing SSO despite my strong recommendations. One Windows account uses one work server account, so that's not their reason for not using SSO. – Nicolas Raoul Sep 21 '16 at 02:54

1 Answer

Your application should be able to use ADFS or LDAP to send authentication questions to the AD, without your application having to know anything about the users and their passwords. You'd essentially use the AD as a directory server.

Jenny D
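
The approach in the answer above, delegating the password check to the directory with an LDAP simple bind, sketched as an added example (not code from the answer or from Alfresco). The host name, UPN suffix, account-name pattern and the `fake_bind` stand-in are assumptions made up for illustration; `ldaps_bind` uses the third-party `ldap3` package.

```python
import re
import ssl

# Hypothetical values for illustration; not taken from the question.
AD_HOST = "dc01.corp.example"
UPN_SUFFIX = "corp.example"
_ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def ldaps_bind(upn, password):
    """Real check: simple bind to AD over LDAPS (needs the ldap3 package)."""
    from ldap3 import Server, Connection, Tls, SIMPLE
    # Validate the server certificate so the password only goes to the real DC.
    tls = Tls(validate=ssl.CERT_REQUIRED)
    server = Server(AD_HOST, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=upn, password=password, authentication=SIMPLE)
    try:
        return conn.bind()
    finally:
        conn.unbind()


def authenticate(username, password, bind=ldaps_bind):
    """Return True only if the directory accepts the credentials.

    The password is passed straight to the bind and never stored, so a
    monthly password change needs no update on the application side.
    """
    # An empty password turns a simple bind into an "unauthenticated" bind,
    # which some directory servers accept as a successful (anonymous) bind,
    # so reject it before contacting the directory.
    if not password:
        return False
    # Restrict the account name so user input cannot alter the bind identity.
    if not _ACCOUNT_RE.fullmatch(username or ""):
        return False
    return bool(bind(f"{username}@{UPN_SUFFIX}", password))


def fake_bind(upn, password):
    """Constructed stand-in for a directory, so the logic runs offline."""
    if password == "":
        return True  # mimics a server that accepts unauthenticated binds
    return (upn, password) == ("alice@corp.example", "Sept-2016-pw")
```

Calling `authenticate("alice", "Sept-2016-pw", bind=fake_bind)` exercises the checks without a directory; leave `bind` at its default to perform the real LDAPS bind.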