[Owasp-leaders] Passing username in request header between apps as SSO feature

Jim Manico jim.manico at owasp.org
Sat Mar 14 21:01:43 UTC 2015


 > In order to integrate single sign on, the username is passed as a 
request header parameter from this Security framework application to the 
Web application that has been secured using this mechanism

Normally this kind of federation is the job of a standard like SAML or 
even OAuth.

You can allow one app to act on your behalf for a second app via an 
OAuth "Authorization code" grant type.

You also have SAML federation. Suppose GE was a customer of my app, 
JimForce.com, but GE wanted to handle authentication and did not want to 
use my website's login mechanism. So GE and JimForce could set up a SAML 
relationship, and folks for JimForce who worked at GE would *log in via 
GE* and be redirected to JimForce with proper security characteristics 
based on cryptography, not sharing tokens or credentials.

Both of these standards avoid passing passwords to the third party you 
are trying to authorize or authenticate. Passing usernames and passwords 
between systems for this purpose seems like a bad idea overall.

Aloha,
Jim



On 3/14/15 10:51 AM, johanna curiel curiel wrote:
> I have a question about a security issue I'm concerned about, regarding 
> SSO between applications.
>
> Some security frameworks/apps that are used for authentication 
> purposes (because they can handle security tokens) need to be 
> integrated with a web application that has the final functionality 
> and is being protected.
>
> In order to integrate single sign-on, the username is passed as a 
> request header parameter from this security framework application to 
> the web application that has been secured using this mechanism.
>
> I personally think that the web application accepting the request 
> header parameter (username) should also enforce some form of 
> validation that the request is coming from this secure authentication 
> system.
>
> I would like to hear your opinions on this matter and what is the best 
> approach
>
> Hoping to get some answers
>
> Johanna
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
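The two designs discussed in this thread, side by side, as an added example (this is not code from the thread or from any OWASP project): the header-trusting pattern Johanna describes, beside a version in which the authentication front-end cryptographically binds the username to an issuer, an audience and a short expiry before handing it over, which is the structure a SAML assertion or an OAuth/OIDC token gives you. The header name `X-Remote-User`, the shared HMAC key, and the issuer/audience strings are assumptions made for the example; a real deployment would use an established SAML or OIDC library and keys from a secret store rather than a hand-rolled assertion format.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values: the header name, the shared key and the
# issuer/audience names are assumptions for this example, not values
# taken from the thread.
HEADER = "X-Remote-User"
SHARED_KEY = b"example-shared-secret-rotate-me"  # would live in a secret store
ISSUER = "security-framework"
AUDIENCE = "web-app"
MAX_AGE = 300  # seconds an assertion remains valid


def trust_header_username(headers: dict) -> Optional[str]:
    """The pattern the question is about: the protected app believes
    whatever username the request header carries. Anyone who can reach
    the app directly, bypassing the front-end, can claim any identity."""
    return headers.get(HEADER)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(username: str, key: bytes, now: Optional[int] = None) -> str:
    """Front-end side: bind the username to issuer, audience and lifetime,
    then authenticate the whole claim set with HMAC-SHA256. This mirrors
    what a signed SAML assertion or JWT does, reduced to a shared-key MAC."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": username,
              "iat": now, "exp": now + MAX_AGE}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_assertion(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Protected-app side: accept a username only if the assertion was made
    by the holder of the key, is addressed to this app, and has not expired.
    Returns the username on success and None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64, or non-JSON body
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")


def demo() -> dict:
    """Run a spoofed direct request against both designs, then a legitimate
    flow, a tampered assertion and a replayed (expired) one."""
    now = 1_700_000_000
    spoofed = {HEADER: "admin"}  # attacker sends this straight to the app

    weak_result = trust_header_username(spoofed)            # spoof accepted
    hardened_spoof = verify_assertion(spoofed[HEADER], SHARED_KEY, now)

    token = issue_assertion("johanna", SHARED_KEY, now)      # legitimate flow
    legit = verify_assertion(token, SHARED_KEY, now)

    body, tag = token.split(".")                             # change sub, keep tag
    claims = json.loads(_unb64(body))
    claims["sub"] = "admin"
    tampered = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag
    tampered_result = verify_assertion(tampered, SHARED_KEY, now)

    expired_result = verify_assertion(token, SHARED_KEY, now + MAX_AGE + 1)

    return {"weak": weak_result, "hardened_spoof": hardened_spoof,
            "legit": legit, "tampered": tampered_result,
            "expired": expired_result}


if __name__ == "__main__":
    print(demo())
```

The example uses a shared symmetric key for brevity; SAML and OIDC use asymmetric signatures, so the protected app only needs the identity provider's public key and cannot itself mint assertions. The audience and expiry checks are the part people most often leave out when they do build this by hand: without them an assertion issued for one app can be replayed against another, or replayed indefinitely.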
