WebApp Sec mailing list archives
Re: Federated Authentication (without SAML)
From: Scovetta Labs <security () scovettalabs com>
Date: Sat, 17 Sep 2005 11:46:39 -0400
Gary,

I've written some simple code to do the following:

1. User accesses site A, gets redirected to B.
2. B does NTLM authentication (any arbitrary method could be used).
3. B generates a "signature", consisting of: [username + T + MD5(username + T + S)]
4. User is redirected back to A with the signature.
5. A decodes the signature, checks that the hash is valid.

Where T is an increasing number (just an integer), and S is a secret (password) known only to A and B. This method should be secure against replay and timing attacks, and you could always substitute a stronger hash algorithm like SHA-256 or 512.

Oh, and I encode the signature (xor) just to obscure it as well.

Hope that helps

-- Mike

Gary Gwin wrote:
Given that SAML, Project Liberty, etc. are not yet supported by most companies, I'm curious what solutions you may have seen for the following use case:

User logs into web site A using forms with username and password authentication. Web site A has a link to a partner web site B, which also requires user authentication using forms authentication with username and password. The goal is to automatically authenticate the user to web site B. Web site B offers no additional services for any sort of identity assertion interchange between the two sites (but may be willing to deploy something "lightweight"). The username and password for a given user may or may not be equivalent on site A and B. To further complicate life, site B has a requirement that users must update their passwords every 30 days.

Gary
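The scheme in Mike's reply, written out as an added example (this is not code from the post or from its author): site B issues username + T + keyed-hash, and site A checks the hash and refuses any T that does not exceed the last T it accepted for that user. Assumptions made here and not in the post: HMAC-SHA256 stands in for the MD5(username + T + S) concatenation (the post itself invites a stronger hash), a "|" delimiter is used so that username and T parse unambiguously, the shared secret S is a constructed value, and the post's "xor to obscure" step is rendered as hex-encoded XOR with a fixed key.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed shared secret S; in the post it is known only to sites A and B
# and would be provisioned out of band.
SHARED_SECRET = b"constructed-shared-secret-S"
SEP = "|"  # assumption: delimiter so "ab" + T=12 and "ab1" + T=2 cannot collide


def _mac(username: str, t: int, secret: bytes) -> str:
    # The post hashes username + T + S with MD5; HMAC-SHA256 over the same
    # fields (keyed by S) is the keyed-hash form of that idea used here.
    msg = f"{username}{SEP}{t}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_signature(username: str, t: int, secret: bytes = SHARED_SECRET) -> str:
    """Site B: signature = username + T + H(username + T + S), as in the post."""
    if SEP in username:
        raise ValueError("username may not contain the delimiter")
    return SEP.join([username, str(t), _mac(username, t, secret)])


def xor_obscure(data: str, key: bytes) -> str:
    """The post's 'xor encode' step: reversible obfuscation, not encryption.
    Anyone holding the key (or guessing the plaintext layout) recovers it."""
    raw = data.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).hex()


def xor_reveal(hexdata: str, key: bytes) -> str:
    """Inverse of xor_obscure: XOR is its own inverse with the same key."""
    raw = bytes.fromhex(hexdata)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).decode()


class SiteAVerifier:
    """Site A: check the MAC, then require T to strictly increase per user
    so that a captured signature cannot be presented twice (replay defence)."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.last_t: Dict[str, int] = {}  # per-user high-water mark for T

    def verify(self, signature: str) -> Tuple[bool, str]:
        parts = signature.split(SEP)
        if len(parts) != 3 or not parts[1].isdigit():
            return False, "malformed"
        username, t_str, mac = parts
        t = int(t_str)
        expected = _mac(username, t, self.secret)
        # Constant-time comparison: a plain == would leak, via timing, how many
        # leading characters of a forged MAC were correct.
        if not hmac.compare_digest(expected, mac):
            return False, "bad-mac"
        if t <= self.last_t.get(username, 0):
            return False, "replay"
        self.last_t[username] = t
        return True, "ok"


if __name__ == "__main__":
    verifier = SiteAVerifier()
    token = make_signature("alice", 1)
    wire = xor_obscure(token, b"k3y")          # what travels in the redirect
    print(verifier.verify(xor_reveal(wire, b"k3y")))   # (True, 'ok')
    print(verifier.verify(xor_reveal(wire, b"k3y")))   # (False, 'replay')
```

Two points the code makes visible: the per-user last-T store is what gives the replay protection, so in a real deployment it must be persistent and shared across every front end of site A, and the XOR layer adds nothing to the security argument, which rests entirely on the secret S and the keyed hash.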
Current thread:
- Federated Authentication (without SAML) Gary Gwin (Sep 16)
- Re: Federated Authentication (without SAML) Scovetta Labs (Sep 17)
- Re: Federated Authentication (without SAML) Mamading Ceesay (Sep 17)