[Owasp-leaders] Passing username in request header between apps as SSO feature

Venkatesh Jagannathan venki at owasp.org
Sun Mar 15 05:04:09 UTC 2015


For federating, normally auth tokens are passed instead of username. The
typical protocol used is mainly SAML. This protocol has an authenticated
token that would be validated by the receiving application.

Thanks & Regards,
~Venki
On 15-Mar-2015 2:22 am, "johanna curiel curiel" <johanna.curiel at owasp.org>
wrote:

> I have a question about a security issue I'm concerned about regarding SSO
> between applications.
>
> Some security frameworks/apps that are used for authentication purposes
> (because either can handle security tokens) need to be integrated
> with a web application that has the final functionality and is being
> protected.
>
> In order to integrate single sign-on, the username is passed as a request
> header parameter from this security framework application to the web
> application that has been secured using this mechanism.
>
> I personally think that the web application accepting the request header
> parameter (username) should also enforce some form of validation that the
> request is coming from this secure authentication system.
>
> I would like to hear your opinions on this matter and what the best
> approach is.
>
> Hoping to get some answers.
>
> Johanna
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
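The contrast between the design Johanna describes (a bare username in a request header) and the authenticated token Venki recommends, as an added example that is not from either poster: the weak version trusts whatever `X-Remote-User` says, while the hardened version accepts a username only from an assertion the authentication gateway has MAC-signed and time-stamped. The header names, the shared secret and the HMAC-based assertion format are assumptions standing in for a full SAML assertion.

```python
import hmac
import hashlib
import time

# Constructed values for this example: a secret shared only between the
# authentication gateway and the protected web application (assumption).
SHARED_SECRET = b"constructed-shared-secret-for-example-only"
MAX_AGE_SECONDS = 300  # how long an assertion stays valid


def authenticate_weak(headers):
    """The design from the question: trust a bare username header.
    Anything that can reach the app can set this header, so the value
    proves nothing about who actually authenticated the user."""
    return headers.get("X-Remote-User")


def mint_assertion(username, issued_at, secret=SHARED_SECRET):
    """Gateway side: bind username and timestamp to an HMAC so the receiving
    application can check origin and freshness (a stand-in for the signed
    assertion a SAML flow would carry)."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    payload = f"{username}|{issued_at}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def authenticate_hardened(headers, now=None, secret=SHARED_SECRET):
    """Application side: return the username only from a valid, fresh
    assertion; return None on any failure (missing, malformed, forged, stale)."""
    assertion = headers.get("X-Auth-Assertion")
    if not assertion:
        return None
    try:
        username, issued_at, tag = assertion.rsplit("|", 2)
        issued_at = int(issued_at)
    except ValueError:
        return None  # malformed assertion
    payload = f"{username}|{issued_at}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time MAC check
        return None
    now = time.time() if now is None else now
    if not (0 <= now - issued_at <= MAX_AGE_SECONDS):  # stale or future-dated
        return None
    return username
```

A forged `X-Remote-User` header is accepted by `authenticate_weak` but ignored by `authenticate_hardened`, and editing the username inside a genuine assertion invalidates its MAC.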