Firstly, is this configuration correct or are there any recommendations to improve it.
That sounds fine to me.
Secondly, we would now like to use Crowd as a centralised user management server for externally hosted applications and potentially Google Apps.
Aside from the custom development required to allow the externally hosted applications to "talk" to Crowd via the Crowd REST API, what is the best approach to exposing Crowd externally?
It seems that it simply a case of creating additional applications in Crowd for each externally host application and permitting access to the Crowd server/url from those locations.
We do our best to make Crowd safe to be exposed to the greater internet, but yes, since you already have a firewall set up to restrict access to it, you might as well continue to use to open up exceptions on a case by case basis.
As you mentioned, you will want to set up individual applications in Crowd for each externally hosted application so that applications don't have to their login credentials. It's probably also worth pointing out that Crowd's security model is "applications with valid credentials are trusted to not be malicious".
In other words, Crowd enforces the configured separation between applications (e.g. an application mapped to use one directory won't be able to use another directory mapped to a different application if that second directory isn't also mapped to the first application, as you'd expect), but poorly written or malicious applications can have a performance impact on each other. E.g. an application mapped to an LDAP directory can have a performance impact on another application mapped to a different LDAP directory by making excessive "authenticate this user" requests to Crowd (or a reasonable amount of requests when the LDAP directory is taking a long time to respond) because applications share a limited pool of LDAP connection threads and each user authentication requires an LDAP connection (the LDAP connections pool size is configurable in the Crowd admin settings, but hopefully this example serves to illustrate how an application could interfere with another).
Should I also consider removing the 'crowd' Context from the Application URL?
That's up to you. Since your users may interact with Crowd, it might make things easier for them if you can tell them "go to crowd.example.com" (if you were to also modify the port to 80) rather than "go to crowd.example.com:8443/crowd", but it shouldn't affect the functionality. (If you do change this, remember to also change the config in each app using Crowd!).
Are there any other configurations that should be considered to improve security or apply best practise?
Not off the top of my head, but I'm a developer on Crowd, and not a deployment expert :) You might want to engage a Crowd expert to review your particular setup; experts also regularly answer questions here, so you might get some more specific advice from them if you're lucky!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.