PaulDotCom mailing list archives

Re: Single Sign-On Compliancy


From: Zate <zate75 () gmail com>
Date: Thu, 24 Mar 2011 20:38:43 -0400

I haven't tested against an SSO for a few years, but the last one I looked at
was Siteminder, and I found out that if developers mixed http and https across
applications it was possible to capture the session details from an http
request and replay them to access other resources on the same or other
applications.  This may have been fixed; I haven't looked at it recently.

Zate


On Thu, Mar 24, 2011 at 9:13 AM, Todd Haverkos <infosec () haverkos com> wrote:

Alex Manchester <amanchester () gmail com> writes:

I have been tasked with researching potential compliance concerns
regarding implementing a single sign-on solution.
The majority of the information has been relatively positive, such as
providing centralized user and log management.
Other than ensuring the security and minimum strength requirements of the
master password, are there other concerns anybody else has faced with
implementing or researching an SSO solution?

One issue I've seen in single sign-ons in large organizations is that
just about anyone can stand up an internal web server that looks to
hook into the single sign-on API, and herds of users (who are used to
providing that one magical credential) are happy to type it in just
about anywhere.

Without some sort of one-time password integrated, this can make
single sign-on tantamount to an authentication monoculture with its
attendant weaknesses.

I have no silver bullet here other than foisting unpopular 2-factor
auth on people (insert joke about RSA's current woes here), but it's a
risk to be aware of at least.  The benefits of SSO still generally
outweigh warts like this.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
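The weakness Zate describes comes down to an SSO session cookie that the browser is willing to send over plain http. The following audit script is an added example, not code from the thread or from any SSO product: it parses Set-Cookie headers from constructed sample responses and flags session-looking cookies that are set over http or lack the Secure/HttpOnly attributes. The cookie-name hints (including SiteMinder's SMSESSION) are assumptions you would adjust for your own products.

```python
# Added example (not from the thread): audit Set-Cookie headers for the
# mixed http/https weakness described above. Cookie names and sample
# responses are constructed for illustration.
from http import cookies
from urllib.parse import urlsplit

# Substrings that commonly mark SSO or session cookies (assumption; extend
# per product, e.g. SiteMinder uses SMSESSION).
SESSION_COOKIE_HINTS = ("smsession", "sessionid", "sso", "token")


def audit_set_cookie(response_url, set_cookie_header):
    """Return a list of findings for one Set-Cookie header.

    A session cookie without the Secure attribute is sent by the browser on
    any plain-http request to a matching host, so a single http page on the
    same domain exposes the whole SSO session in transit.
    """
    findings = []
    jar = cookies.SimpleCookie()
    jar.load(set_cookie_header)
    scheme = urlsplit(response_url).scheme.lower()
    for name, morsel in jar.items():
        if not any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # not a session cookie by our naming heuristic
        if scheme != "https":
            findings.append(f"{name}: set over {scheme}, exposed in transit")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure; browser will send it over http")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    return findings


def audit_responses(responses):
    """responses: iterable of (url, set_cookie_header). Returns {url: findings}."""
    return {url: audit_set_cookie(url, header) for url, header in responses}


SAMPLE_RESPONSES = [  # constructed, not captured traffic
    ("https://app1.example.test/login", "SMSESSION=abc123; Path=/; Domain=.example.test"),
    ("http://app2.example.test/home", "JSESSIONID=def456; Path=/app2"),
    ("https://app3.example.test/login",
     "SMSESSION=ghi789; Path=/; Domain=.example.test; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for url, findings in audit_responses(SAMPLE_RESPONSES).items():
        print(url, findings or ["ok"])
```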

