[Owasp-leaders] Passing username in request header between apps as SSO feature

Timur 'x' Khrotko (owasp) timur at owasp.org
Sun Mar 15 11:33:00 UTC 2015


For authenticating your services you can also use good old Kerberos:
https://en.wikipedia.org/wiki/Kerberos_%28protocol%29
 On Mar 15, 2015 6:05 AM, "Venkatesh Jagannathan" <venki at owasp.org> wrote:

> For federating, normally auth tokens are passed instead of username. The
> typical protocol used is mainly SAML. This protocol has an authenticated
> token that would be validated by the receiving application.
>
> Thanks & Regards,
> ~Venki
> On 15-Mar-2015 2:22 am, "johanna curiel curiel" <johanna.curiel at owasp.org>
> wrote:
>
>> I have a question about a security issue I'm concerned about regarding SSO
>> between applications.
>>
>> Some security frameworks/apps that are used for authentication purposes
>> (because either can handle security tokens) need to be integrated
>> with a web application that has the final functionality and is being
>> protected.
>>
>> In order to integrate single sign on, the username is passed as a request
>> header parameter from this security framework application to the web
>> application that has been secured using this mechanism.
>>
>> I personally think that the web application accepting the request header
>> parameter (username) should also enforce some form of validation that the
>> request is coming from this secure authentication system.
>>
>> I would like to hear your opinions on this matter and what is the best
>> approach
>>
>> Hoping to get some answers
>>
>> Johanna
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>

-- 
This message may contain confidential information - you should handle it 
accordingly.
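The validation Johanna asks about, as an added illustration that is not part of the thread: the application accepts the `X-Authenticated-User` header only when it carries a fresh HMAC computed with a secret shared with the authentication front-end. Header names, the secret and the time window are assumptions for the example.

```python
import hmac
import hashlib
import time

# Constructed example: a secret known only to the authentication front-end
# and the protected application (assumed; not from the thread).
SHARED_SECRET = b"example-shared-secret-rotate-me"
MAX_SKEW_SECONDS = 300


def insecure_user_from_headers(headers):
    """The pattern described in the thread: trust the header as-is.
    Anyone who can reach the application directly can set this header."""
    return headers.get("X-Authenticated-User")


def sign_user_header(username, issued_at, secret=SHARED_SECRET):
    """Front-end side: bind the username to a timestamp with an HMAC."""
    msg = f"{username}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verified_user_from_headers(headers, now=None, secret=SHARED_SECRET):
    """Application side: return the username only if the accompanying
    signature is valid for that username and timestamp, and the timestamp
    is within the allowed skew. Returns None on any failure."""
    username = headers.get("X-Authenticated-User")
    issued_at = headers.get("X-Auth-Issued-At")
    sig = headers.get("X-Auth-Signature")
    if not (username and issued_at and sig):
        return None
    try:
        issued = int(issued_at)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if abs(now - issued) > MAX_SKEW_SECONDS:
        return None  # stale header, rejected
    expected = sign_user_header(username, issued, secret)
    if not hmac.compare_digest(expected, sig):
        return None  # tampered username/timestamp or wrong secret
    return username
```

Network-level restrictions (the application accepting connections only from the front-end) complement this check rather than replace it; a per-request nonce would additionally prevent reuse of a valid header inside the skew window.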