Security is a difficult area to say something very specific about - but I would also be concerned to have SDI connected directly to the public internet.
But you could probably put a proxy upfront (ISVA or Apache/IBM HTTPServer) to ensure only validated traffic is coming across. But again this basically is against the beauty of SDI and will basically point to build a "real" web server solution.
I have played around with the SDI HTTP Server connector and it is funny thing to work with and very useful for building SDI functionality - that said I would recommend keeping it away from any uncontrolled domain - also simply because the way it works it is easy to make some stupid error in authentication/aythorization as you code that yourself....
But SDI is IMHO the best integration tool I ever worked with and I love tinkering around with it - so happy SDIing ;-)
HTH
------------------------------
Franz Wolfhagen
WW IAM Solution Engineer - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------
Original Message:
Sent: Mon April 17, 2023 03:42 PM
From: Christopher Williams
Subject: SDI - Using HTTP Server Connector on open Internet
We are considering options on how to provide custom tools to our clients. IBM Security Directory Integrator (SDI) is a very versatile tool. We are considering developing a tool which runs on SDI and leverages its HTTP Server Connector. Clients would be able to leverage this tool built on SDI over the open internet.
I wondering if the community is aware of any use cases out there were teams have done something similar. Our security architects are aware of the versatility of SDI and are concerned that if this tool were compromised, an attacker could get access to SDI and it's full suite of capabilities.
------------------------------
Christopher Williams
------------------------------