WebApp Sec mailing list archives

Re: Federated Authentication (without SAML)


From: Scovetta Labs <security () scovettalabs com>
Date: Sat, 17 Sep 2005 11:46:39 -0400

Gary,
 I've written some simple code to do the following:
1. User accesses site A, gets redirected to B.
2. B does NTLM authentication (any arbitrary method could be used).
3. B generates a "signature", consisting of: [username + T + MD5(username + T + S)]
4. User is redirected back to A with the signature
5. A decodes the signature, checks that the hash is valid.

Where T is an increasing number (just an integer), and S is a secret (password) known only to A and B. This method should be secure against replay and timing attacks, and you could always substitute a stronger hash algorithm like SHA-256 or 512.

Oh, and I encode the signature (xor) just to obscure it as well.

Hope that helps--

Mike

Gary Gwin wrote:

Given that SAML, Project Liberty, etc. are not yet supported by most companies, I'm curious what solutions you may have seen for the following use case:

User logs into web site A using forms with username and password authentication. Web site A has a link to a partner web site B, which also requires user authentication using forms authentication with username and password. The goal is to automatically authenticate the user to web site B. Web site B offers no additional services for any sort of identity assertion interchange between the two sites (but may be willing to deploy something "lightweight"). The username and password for a given user may or may not be equivalent on site A and B. To further complicate life, site B has a requirement that users must update their passwords every 30 days.

Gary
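The token scheme Mike describes above (username + T + hash(username + T + S), verified by site A) as an added worked example; this is not code from the thread. It assumes a ':' separator between the fields, that usernames contain no ':', a constructed shared secret, and an in-memory per-user record of the last accepted T (a real deployment with several front ends would keep that record in shared storage). The hash name is a parameter so the MD5 of the post and the SHA-256 substitution it mentions can both be exercised; the verifier rejects any T that is not strictly greater than the last one it accepted, which is the part that actually stops replay, and compares digests in constant time.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample secret shared only by site A and site B (assumption:
# in practice a long random value loaded from a secret store).
SHARED_SECRET = b"example-shared-secret-between-A-and-B"


def make_signature(username: str, counter: int, secret: bytes,
                   hash_name: str = "md5") -> str:
    """Site B's side: username + T + H(username + T + S).

    ':' is used as the field separator (an assumption; the post gives none),
    so usernames are assumed not to contain ':'.
    """
    digest = hashlib.new(hash_name,
                         f"{username}:{counter}".encode() + secret).hexdigest()
    return f"{username}:{counter}:{digest}"


class Verifier:
    """Site A's side: recompute the hash, compare in constant time, and
    refuse any counter that does not advance past the last accepted one.
    Without the counter check a captured token could be presented again."""

    def __init__(self, secret: bytes, hash_name: str = "md5"):
        self.secret = secret
        self.hash_name = hash_name
        # username -> highest T accepted so far (assumed in-memory store)
        self.last_counter: dict[str, int] = {}

    def verify(self, token: str) -> Optional[str]:
        """Return the authenticated username, or None if the token is
        malformed, forged, replayed or out of date."""
        parts = token.split(":")
        if len(parts) != 3:
            return None
        username, counter_str, digest = parts
        try:
            counter = int(counter_str)
        except ValueError:
            return None
        expected = hashlib.new(self.hash_name,
                               f"{username}:{counter}".encode() + self.secret).hexdigest()
        # Constant-time comparison so timing does not reveal matching prefixes.
        if not hmac.compare_digest(expected, digest):
            return None
        # Replay protection: T must strictly increase per user.
        if counter <= self.last_counter.get(username, -1):
            return None
        self.last_counter[username] = counter
        return username


if __name__ == "__main__":
    v = Verifier(SHARED_SECRET)
    tok = make_signature("alice", 1, SHARED_SECRET)
    print("first use :", v.verify(tok))   # alice
    print("replayed  :", v.verify(tok))   # None
```

Note that the token is only as strong as S: anyone who learns the shared secret can mint tokens for any username, and the xor "encoding" mentioned in the post adds no protection beyond obscurity. The counter record must be durable across restarts, or a token issued before the restart could be accepted again.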


