[Owasp-leaders] Passing username in request header between apps as SSO feature
johanna curiel curiel
johanna.curiel at owasp.org
Sat Mar 14 20:51:00 UTC 2015
I have a question about a security issue I'm concerned about regarding SSO between applications.

Some security frameworks/apps that are used for authentication purposes (because either can handle security tokens) need to be integrated with a web application that has the final functionality and is being protected.

In order to integrate single sign-on, the username is passed as a request header parameter from this security framework application to the web application that has been secured using this mechanism.

I personally think that the web application accepting the request header parameter (username) should also enforce some form of validation that the request is coming from this secure authentication system.

I would like to hear your opinions on this matter and what the best approach is.
Hoping to get some answers
Johanna
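One concrete shape the validation Johanna describes can take, as an added example that is not part of the original post and not code from any particular SSO product: the authentication front end attaches a timestamp and an HMAC over the username to the forwarded request, and the web application accepts the username only if that HMAC verifies under a key shared with the front end. The header names, the shared-key scheme and the 300-second freshness window are assumptions made for the example; the `naive_user_from_headers` function is kept beside the verifying one only to show the difference between trusting the header as-is and checking its origin.

```python
"""Checking that an SSO username header really came from the authentication
front end.  Added illustration for the mailing-list thread, not code from the
post; header names and the shared-secret scheme are assumptions."""
import hashlib
import hmac
import time

# Header names are assumed for this example; the post does not name any.
USER_HDR = "X-SSO-User"
TS_HDR = "X-SSO-Timestamp"
SIG_HDR = "X-SSO-Signature"
MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamp


def naive_user_from_headers(headers):
    """The pattern described in the post: whatever username arrives in the
    header is taken at face value.  Any client that can reach the web app
    directly and set this header is treated as that user."""
    return headers.get(USER_HDR)


def _message(username, timestamp):
    # Bind the username and the timestamp together under one MAC.
    return f"{username}\n{timestamp}".encode()


def sign_sso_headers(username, shared_key, now=None):
    """Authentication front end side: produce the headers to forward.
    shared_key is a secret known only to the front end and the web app."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(shared_key, _message(username, ts), hashlib.sha256).hexdigest()
    return {USER_HDR: username, TS_HDR: ts, SIG_HDR: sig}


def verified_user_from_headers(headers, shared_key, now=None):
    """Web application side: return the username only if the headers carry a
    valid, fresh HMAC made with the shared key; otherwise return None."""
    username = headers.get(USER_HDR)
    ts = headers.get(TS_HDR)
    sig = headers.get(SIG_HDR)
    if not username or not ts or not sig:
        return None  # header set incomplete: not from the front end
    try:
        ts_int = int(ts)
    except ValueError:
        return None
    current = int(now if now is not None else time.time())
    if abs(current - ts_int) > MAX_SKEW_SECONDS:
        return None  # stale or badly skewed timestamp: treat as a replay
    expected = hmac.new(shared_key, _message(username, ts), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC.
    if not hmac.compare_digest(expected, sig):
        return None
    return username


if __name__ == "__main__":
    # Constructed demonstration values, not real credentials.
    key = b"constructed-shared-key"
    forwarded = sign_sso_headers("alice", key, now=1000)
    print(verified_user_from_headers(forwarded, key, now=1000))   # alice
    forged = {USER_HDR: "admin"}
    print(naive_user_from_headers(forged))                         # admin
    print(verified_user_from_headers(forged, key, now=1000))       # None
```

Two things the signature alone does not give you: the front end must strip any copy of these headers that arrives from the client before adding its own, and the web application should be reachable only through the front end (network restriction or mutual TLS), since the HMAC proves who produced the header but not that nothing else can reach the app. The timestamp only bounds replay to the window; a per-request nonce would be needed to rule it out entirely. A signed token (SAML assertion or JWT) from the front end is the same idea with a standardised format.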