[Owasp-leaders] Passing username in request header between apps as SSO feature

johanna curiel curiel johanna.curiel at owasp.org
Sat Mar 14 20:51:00 UTC 2015


I have a question about a security issue I'm concerned about regarding SSO
between applications.

Some security frameworks/apps that are used for authentication purposes
(because they can handle security tokens) need to be integrated
with a web application that has the final functionality and is being
protected.

In order to integrate single sign-on, the username is passed as a request
header parameter from this security framework application to the web
application that has been secured using this mechanism.

I personally think that the web application accepting the request header
parameter (username) should also enforce some form of validation that the
request is coming from this secure authentication system.

I would like to hear your opinions on this matter and what the best
approach is.

Hoping to get some answers

Johanna
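As an added example (not part of Johanna's post, nor code from any OWASP project), here is one way the receiving web application can enforce the check she describes: instead of trusting a bare username header, the authentication front end signs the username together with an issue time using a secret shared only with the protected application, and the application verifies that HMAC before accepting the identity. The header names, the secret value, the 60-second freshness window and the sample usernames are all assumptions made for this illustration.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Secret shared only by the authentication front end and the protected app.
# Constructed placeholder for this example; a real deployment provisions it
# out of band and rotates it.
SHARED_SECRET = b"example-shared-secret-replace-me"

# How long (seconds) a signed header is accepted after it was issued. Assumed
# value; it limits how long a captured header stays usable.
MAX_AGE_SECONDS = 60


def _message(username: str, issued_at: int) -> bytes:
    # Bind the username to its issue time so the signature covers both.
    return f"{issued_at}:{username}".encode("utf-8")


def make_sso_headers(username: str, secret: bytes = SHARED_SECRET,
                     now: Optional[int] = None) -> Dict[str, str]:
    """Headers the authentication front end attaches to the forwarded request."""
    issued_at = int(time.time()) if now is None else now
    sig = hmac.new(secret, _message(username, issued_at), hashlib.sha256).hexdigest()
    return {
        "X-SSO-User": username,            # assumed header name
        "X-SSO-Issued-At": str(issued_at),  # assumed header name
        "X-SSO-Signature": sig,             # assumed header name
    }


def verify_sso_headers(headers: Dict[str, str], secret: bytes = SHARED_SECRET,
                       now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated username, or None if the headers cannot be trusted."""
    username = headers.get("X-SSO-User")
    issued_raw = headers.get("X-SSO-Issued-At")
    signature = headers.get("X-SSO-Signature")
    if not username or not issued_raw or not signature:
        # A username header with no proof of origin is rejected outright.
        return None
    try:
        issued_at = int(issued_raw)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    # Reject stale headers and headers dated in the future.
    if not (0 <= current - issued_at <= MAX_AGE_SECONDS):
        return None
    expected = hmac.new(secret, _message(username, issued_at), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the
    # signature matched.
    if not hmac.compare_digest(expected, signature):
        return None
    return username


if __name__ == "__main__":
    # Constructed demonstration: a properly signed request is accepted,
    # a bare username header and a tampered username are not.
    signed = make_sso_headers("alice", now=1000)
    print("signed   ->", verify_sso_headers(signed, now=1010))
    print("unsigned ->", verify_sso_headers({"X-SSO-User": "alice"}, now=1010))
    tampered = dict(signed, **{"X-SSO-User": "bob"})
    print("tampered ->", verify_sso_headers(tampered, now=1010))
    print("stale    ->", verify_sso_headers(signed, now=1000 + MAX_AGE_SECONDS + 1))
```

The signature only proves the header was produced by a holder of the shared secret; it still needs to be paired with the usual deployment controls, namely that the protected application is reachable only through the authentication front end and that any `X-SSO-*` headers arriving from a client are stripped at the edge before the front end adds its own. Adding a per-request nonce on top of the timestamp would close the remaining replay window inside `MAX_AGE_SECONDS`.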

