Having built a number of systems for a medium-large enterprise, I often chose to build on solutions from "enterprise" vendors because they had the best answers to these questions:

- will it integrate easily with our existing LDAP database of users and groups?
- can it authenticate users using our existing Kerberos infrastructure, via SPNEGO, HTTP Negotiate, or whatever is appropriate?
- were authentication and authorization more than afterthoughts in its design? Is authorization fine grained enough?
- can non-technical users administer it without bugging me all the time?
- if it needs to talk to the outside internet (updates, plugins, whatever), can I make it do so through a Kerberos/Negotiate authenticating HTTP proxy that MITMs everything? Will its outbound requests leak sensitive internal information (Referrer headers, internal host names, etc.)?
- can I get a license for perpetual use, with source code? (If the vendor goes bankrupt, at least I still have the source)