[Owasp-austin] Question to the app security smartypants (plural)

Ernest Mueller Ernest.Mueller at ni.com
Fri Nov 2 14:04:31 EDT 2007


Cool - yeah, I'd looked into SAML, just wante dto get the group's take on
if that's how people are actually doing it (something getting declared a
standards body standard and actual adoption being largely unrelated).  It
kinda bypasses the issue of transferring any customer daata to the partner
though.

E
______________________
UN-altered REPRODUCTION and DISSEMINATION of
this IMPORTANT information is ENCOURAGED.



                                                                           
             <[email protected]                                             
             Dell.com>                                                     
             Sent by:                                                   To 
             owasp-austin-boun         <Ernest.Mueller at ni.com>,            
             ces at lists.owasp.o         <owasp-austin at lists.owasp.org>      
             rg                                                         cc 
                                                                           
                                                                   Subject 
             11/02/2007 08:07          Re: [Owasp-austin] Question to the  
             AM                        app security smartypants (plural)   
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Hi Ernest,

Just a few thoughts to get the conversation started:

You might look into this article on SAML 2.0
(http://en.wikipedia.org/wiki/SAML) for some ideas.

You might also want to consider different ways to handle the various
affiliated sites, depending on the level of security your users require,
and
taking into account the level of trust you place in those affiliated sites.


For example, you're going to be a lot more careful if the transactions
might
involve payment data, but handing off just for the sake of some
personalization at the next site would demand a lot less.

-Mike

-----Original Message-----
From: owasp-austin-bounces at lists.owasp.org
[mailto:owasp-austin-bounces at lists.owasp.org] On Behalf Of Ernest Mueller
Sent: Thursday, November 01, 2007 3:34 PM
To: owasp-austin
Subject: [Owasp-austin] Question to the app security smartypants (plural)


I thought I'd use this list for a little discussion to get people's juices
flowing!

So, question.  I have a Web site that needs to integrate its custom login
procedures with various ASPs - in other words, we have a Web site login.
As we "outsource" parts of our Web site, we want users to be able to log in
and go to site sections really hosted on ASPs and be "logged in".

What's the "industry standard" secure ways of doing this?  I have
programmers talking about all kinds of crazy solutions; spoofing setting of
cookies, puting junk in URLs, etc.  I'm not sure what the canonical
solution is...

   Assume that the site and the ASP have different but fairly-standard
   login schemes (set a cookie, etc.)
   Assume that it could be the first time the ASP's heard of the user; the
   site doesn't pump all its user data to each partner proactively (meaning
   some data transfer needs to take place at the time).

Thoughts?

Thanks,
Ernest
______________________
UN-altered REPRODUCTION and DISSEMINATION of
this IMPORTANT information is ENCOURAGED.

_______________________________________________
Owasp-austin mailing list
Owasp-austin at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-austin
(See attached file: smime.p7s)
_______________________________________________
Owasp-austin mailing list
Owasp-austin at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-austin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/octet-stream
Size: 3092 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-austin/attachments/20071102/5d66c03b/attachment.obj 


More information about the Owasp-austin mailing list