[Owasp-austin] Question to the app security smartypants (plural)

Thad Smith thadsmith at mail.com
Sun Nov 4 11:57:09 EST 2007


Ernest,

Implementing SAML authentication assumes that the user's identity can be
mapped to an existing user in the remote service provider's repository. This
can be a 1:1 mapping or a 1:many mapping using a system account. Since you may
or may not have the user in the remote repository, you would have to map to a
system account to implement SAML. But if the remote application needs the
user's information, using system accounts probably isn't possible.

One approach could be to build a custom application that sends all of the
user's information in a secure manner to the remote application on logon.
This could be done using signed/encrypted cookies that the remote
application would have to consume or the authenticating application (aka
identity provider) would have to make a backend call to insert the user's
information in the remote application if it's not already there. Either of
these solutions is going to impact the performance of your system.

A better approach is to use an identity management system to synchronize
users' identities with the remote systems they need access to before they try
to access them. This will free you up to implement single sign-on using
SAML or using an access management/SSO appliance that can authenticate the
user to the remote application using its native authentication mechanism
(for instance form-based authentication, BA authentication or Kerberos).

Let me know if you have any questions.

Regards,

Thad Smith
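The signed-cookie handoff Thad describes above (the identity provider hands the user's attributes to the remote application at logon, which consumes and verifies them) as an added example that is not part of the original thread. It assumes a shared HMAC secret provisioned out of band, that the cookie travels only over TLS (so only signing is shown, not the encryption half), and an in-memory replay cache; all names and values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed shared secret for this example; in practice it is provisioned
# out of band between the identity provider and the partner application.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_TTL_SECONDS = 60   # short lifetime: the token is consumed once, at logon
_seen_jti: set = set()   # replay cache; a real deployment shares this across nodes
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_handoff_token(user: dict, audience: str, secret: bytes = SHARED_SECRET,
                        now: Optional[float] = None) -> str:
    """Identity-provider side: bind the user's attributes to one partner (aud),
    a short expiry (exp) and a one-time id (jti), then sign with HMAC-SHA256."""
    now = time.time() if now is None else now
    claims = {"sub": user["id"], "attrs": user, "aud": audience, "iat": int(now),
              "exp": int(now) + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(16)}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)

def verify_handoff_token(token: str, expected_audience: str,
                         secret: bytes = SHARED_SECRET,
                         now: Optional[float] = None) -> Optional[dict]:
    """Partner-application side: verify the signature before trusting any field,
    then audience, expiry and replay. Returns the claims, or None on any failure."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None                      # forged or tampered
        claims = json.loads(_b64d(body))
        if claims["aud"] != expected_audience or now >= claims["exp"]:
            return None                      # wrong partner, or expired
        if claims["jti"] in _seen_jti:
            return None                      # replayed
        _seen_jti.add(claims["jti"])
        return claims
    except (ValueError, KeyError, TypeError):
        return None                          # malformed token
```

The audience check is what stops a token minted for one partner from being presented to another, and the one-time jti is what makes the cookie a logon handoff rather than a reusable credential.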

-----Original Message-----
From: owasp-austin-bounces at lists.owasp.org
[mailto:owasp-austin-bounces at lists.owasp.org] On Behalf Of Ernest Mueller
Sent: Friday, November 02, 2007 1:05 PM
To: Michael_Craigue at Dell.com
Cc: owasp-austin-bounces at lists.owasp.org; owasp-austin at lists.owasp.org
Subject: Re: [Owasp-austin] Question to the app security smartypants
(plural)

Cool - yeah, I'd looked into SAML, just wanted to get the group's take on if
that's how people are actually doing it (something getting declared a
standards body standard and actual adoption being largely unrelated).  It
kinda bypasses the issue of transferring any customer data to the partner
though.

E
______________________
UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT information is
ENCOURAGED.


-----Original Message-----
From: Michael_Craigue at Dell.com
Sent by: owasp-austin-bounces at lists.owasp.org
Sent: 11/02/2007 08:07 AM
To: Ernest.Mueller at ni.com; owasp-austin at lists.owasp.org
Subject: Re: [Owasp-austin] Question to the app security smartypants (plural)

Hi Ernest,

Just a few thoughts to get the conversation started:

You might look into this article on SAML 2.0
(http://en.wikipedia.org/wiki/SAML) for some ideas.

You might also want to consider different ways to handle the various
affiliated sites, depending on the level of security your users require, and
taking into account the level of trust you place in those affiliated sites.
For example, you're going to be a lot more careful if the transactions might
involve payment data, but handing off just for the sake of some
personalization at the next site would demand a lot less.

-Mike

-----Original Message-----
From: owasp-austin-bounces at lists.owasp.org
[mailto:owasp-austin-bounces at lists.owasp.org] On Behalf Of Ernest Mueller
Sent: Thursday, November 01, 2007 3:34 PM
To: owasp-austin
Subject: [Owasp-austin] Question to the app security smartypants (plural)


I thought I'd use this list for a little discussion to get people's juices
flowing!

So, question.  I have a Web site that needs to integrate its custom login
procedures with various ASPs - in other words, we have a Web site login.
As we "outsource" parts of our Web site, we want users to be able to log in
and go to site sections really hosted on ASPs and be "logged in".

What's the "industry standard" secure ways of doing this?  I have
programmers talking about all kinds of crazy solutions; spoofing setting of
cookies, putting junk in URLs, etc.  I'm not sure what the canonical solution
is...

   Assume that the site and the ASP have different but fairly-standard
   login schemes (set a cookie, etc.)
   Assume that it could be the first time the ASP's heard of the user; the
   site doesn't pump all its user data to each partner proactively (meaning
   some data transfer needs to take place at the time).

Thoughts?

Thanks,
Ernest
______________________
UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT information is
ENCOURAGED.

_______________________________________________
Owasp-austin mailing list
Owasp-austin at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-austin
(See attached file: smime.p7s)