User Authentication Options

Three user authentication methods are available, so you can choose how trading partner users are authenticated:
  • No user authentication
  • Authenticate users locally
  • Authenticate users using Sterling External Authentication Server
Authenticating users with Sterling External Authentication Server is the most secure option. The user authentication methods are described below:

Authenticate Users With Sterling External Authentication Server (Recommended)

Select this option to authenticate users externally through Sterling External Authentication Server. The user credentials presented by the client are forwarded to Sterling External Authentication Server, which validates them. Examples of the validations Sterling External Authentication Server can perform include:
  • Binding to the user's entry in an LDAP directory with the presented credentials (an LDAP bind)
  • Validating the credentials through Tivoli Access Manager
  • Validating the credentials through a customer-written Java exit
Choose this option when your security policy requires any of the following:
  • Users are maintained in an application that is external to Secure Proxy
  • Users are validated against an authentication infrastructure you already have
  • The user mapping provided by Sterling External Authentication Server is used (refer to the Secure Proxy documentation library)
  • Multi-factor authentication is implemented, with the factors bound together in the LDAP infrastructure

Authenticate Users Locally

Select this option to authenticate users against the Secure Proxy local user store. You must then create and maintain the users in the Secure Proxy configuration. Choose this option when:
  • Users are to be stored and maintained in the Secure Proxy user store.
  • No external authentication infrastructure exists for Secure Proxy to interface with.

No User Authentication

Select this option if you do not want to validate trading partner credentials in the DMZ. If you select this method, we recommend that you enforce SSL client authentication so that at least one authentication factor is checked in the DMZ. With no user authentication, the user credentials can be passed through to the destination node in the internal network and validated there. Choose this option when your security policy requires one of the following:
  • Enforce single-factor authentication in the DMZ by authenticating the trading partner with SSL client authentication. Pass the user credentials to the Sterling B2B Integrator or Connect:Direct® application in the trusted zone so that it authenticates the user and can differentiate between the users accessing the system.
  • Use an SSL session break or IP break in the DMZ without authenticating the trading partner. Do not enforce SSL client authentication or authenticate the user. Pass the user credentials to the internal network so that Sterling B2B Integrator or Connect:Direct can differentiate between the users accessing the system. In this configuration nothing in the DMZ verifies who is connecting.
  • Implement a bulletin board type system, where user credentials are not important. This is not a typical implementation. Carefully evaluate your environment before using this configuration.
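The compensating control recommended above for the No User Authentication option, enforcing SSL client authentication so that the DMZ still checks one factor, as an added example in Go (not IBM code and not a Secure Proxy configuration): a loopback TLS listener that requires a client certificate chaining to a trusted partner CA, followed by three connection attempts, one with no certificate, one with a certificate issued by an unrelated CA, and one with a certificate issued by the partner CA. The CA and host names (partner-ca, rogue-ca, dmz-proxy), the partner identity partner-acme and the in-memory certificates are all assumptions made for the demonstration. The identity the listener echoes back is what a DMZ proxy would have in hand before forwarding the user credentials to the trusted-zone application.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not IBM Sterling Secure Proxy code: every certificate and name
// below (partner-ca, rogue-ca, dmz-proxy, partner-acme) is generated in memory.
// issue returns a certificate for cn: a self-signed CA when parent is nil, otherwise signed by parent.
func issue(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; use a random serial in production
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // lets the client verify the dmz-proxy server name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	issuer, issuerKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced one line above; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// dmzListener serves on loopback, admitting only peers whose certificate chains to trustedCAs (the
// one factor checked in the DMZ) and echoing the verified subject CN; returns address and stop func.
func dmzListener(serverCert tls.Certificate, trustedCAs *x509.CertPool) (string, func() error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // tls.NoClientCert would authenticate nobody in the DMZ
		ClientCAs:    trustedCAs,
	})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() { // ends when stop() closes the listener
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails for a missing or untrusted client certificate
				fmt.Fprint(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln.Addr().String(), ln.Close
}

// attempt dials the listener, offering certs (nil for an anonymous peer), and reports the DMZ's verdict.
func attempt(addr string, roots *x509.CertPool, certs []tls.Certificate) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: "dmz-proxy", Certificates: certs})
	if err != nil { // a TLS 1.2 server rejects inside the handshake
		return "rejected: " + err.Error()
	}
	defer conn.Close()
	buf := make([]byte, 128)
	n, err := conn.Read(buf)
	if err != nil { // a TLS 1.3 server rejects with an alert right after the handshake
		return "rejected: " + err.Error()
	}
	return "accepted as " + string(buf[:n])
}

// runScenarios builds a partner CA, an unrelated CA and the leaf certificates, then runs three client attempts.
func runScenarios() map[string]string {
	partnerCA := issue("partner-ca", x509.ExtKeyUsageAny, nil)
	rogueCA := issue("rogue-ca", x509.ExtKeyUsageAny, nil)
	server := issue("dmz-proxy", x509.ExtKeyUsageServerAuth, &partnerCA)
	partner := issue("partner-acme", x509.ExtKeyUsageClientAuth, &partnerCA)
	rogue := issue("partner-acme", x509.ExtKeyUsageClientAuth, &rogueCA) // same CN, wrong issuer: must be rejected
	roots := x509.NewCertPool()
	roots.AddCert(partnerCA.Leaf)
	addr, stop := dmzListener(server, roots)
	defer stop()
	return map[string]string{
		"no-cert":      attempt(addr, roots, nil),
		"untrusted-ca": attempt(addr, roots, []tls.Certificate{rogue}),
		"partner-cert": attempt(addr, roots, []tls.Certificate{partner}),
	}
}

func main() {
	fmt.Println(runScenarios())
}
```

Only the connection presenting a certificate from the partner CA is accepted, and its subject CN is the identity the DMZ established. The anonymous attempt and the one holding a certificate from the unrelated CA are both rejected during or immediately after the handshake (the Go client withholds a certificate whose issuer the server did not name, so both failures can surface as a "certificate required" alert). Changing ClientAuth to tls.NoClientCert reproduces the second bullet above: every connection is admitted and the DMZ has no identity for any of them.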