Question

We have a custom Single Sign On requirement: once a user has logged in to a portal, they can go to another client's application and be signed in automatically with no messages.

I have looked at the DotNetOpenAuth OpenID provider, but I don't think it's quite right for this as it seems overly complex. There is a proposed solution from a client below, but I would like to know if it is secure, less or more so than, say, OpenID etc. If OpenID sounds like a better fit for this, please explain why and how to implement it properly (there are not many good examples; yes, I have searched; see a previous post that I got no help with: https://stackoverflow.com/questions/23311063/how-to-implement-a-soap-webservice-for-api-to-api-open-auth-2-provider)

The proposed solution is:

key:

  • Domain_Master (this is us)
  • Domain_Client (clients' applications, third parties, who need us to pass a logged-in user to them so they can log them in at their end)

SOAP messages over HTTPS.

Once a user is logged into Domain_Master they will click a link to Domain_Client with a secure token added to the URL. {token is encrypted and will contain a minimum of: timestamp, ClientID, and possibly a nonce}.

The Domain_Client will then, upon receiving a secure token, validate it with the Domain_Master web service using SOAP. The SOAP response will tell Domain_Client who the user is and will log them in to the Domain_Client application accordingly. So basically it's like a key to open a door.

The validity of the token (e.g. that it hasn't expired or already been used, etc.) will be checked by Domain_Master in the SOAP API; Domain_Client will simply collect the token passed in the URL and query it directly with the Domain_Master SOAP API.

Thanks


The solution

I cannot confirm if this method is more or less secure; however, my initial concern with the above method is that there is no validation of the token by Domain_Client. Without validation of this token, anything could be passed to Domain_Client and it would pass it straight to your web service at Domain_Master - this could lead to problems as it could provide an attack vector.

You could implement HMAC for validation of the token - http://www.piotrwalat.net/hmac-authentication-in-asp-net-web-api/

Hope this helps!
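The answer's point (Domain_Client should check the token itself before forwarding it to Domain_Master) can be shown with a small, self-contained example. This is an added example, not code from the question, the answer, or DotNetOpenAuth, and it is in Python rather than .NET so it runs stand-alone; the protocol is the same. It assumes a per-client secret shared out-of-band between Domain_Master and Domain_Client (a constructed demo value here), and it puts only what the question lists into the token (timestamp, ClientID, nonce), leaving the user identity to the SOAP lookup at Domain_Master. Domain_Client's local check covers the HMAC tag, the ClientID, the token age, and nonce replay, so forged or replayed URLs are dropped without ever reaching the Domain_Master web service. The names `issue_token` and `ClientTokenValidator` are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo secret. Each Domain_Client would get its own secret, shared
# out-of-band with Domain_Master; it never travels in the URL.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, secret: bytes, now: Optional[float] = None) -> str:
    """Domain_Master side: build the token appended to the link to Domain_Client.

    Payload = timestamp, ClientID, nonce (as in the question). The user identity
    stays at Domain_Master and is returned by the SOAP lookup, not placed in the URL.
    """
    ts = int(now if now is not None else time.time())
    payload = {"cid": client_id, "ts": ts, "nonce": secrets.token_hex(16)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(secret, body, hashlib.sha256).digest()  # HMAC-SHA256 over the payload
    return _b64url_encode(body) + "." + _b64url_encode(tag)


class ClientTokenValidator:
    """Domain_Client side: drop malformed, forged, stale or replayed tokens
    before spending a SOAP round-trip to Domain_Master on them."""

    def __init__(self, client_id: str, secret: bytes, max_age_s: int = 120, skew_s: int = 30):
        self.client_id = client_id
        self.secret = secret
        self.max_age_s = max_age_s   # token lifetime: SSO links should be short-lived
        self.skew_s = skew_s         # tolerated clock difference between the two domains
        self._seen = {}              # nonce -> time after which it can be forgotten

    def validate(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(now if now is not None else time.time())
        try:
            body_part, tag_part = token.split(".", 1)
            body = _b64url_decode(body_part)
            tag = _b64url_decode(tag_part)
        except (ValueError, TypeError):
            return False, "malformed"

        # Verify the tag first, in constant time, before parsing untrusted content.
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"

        try:
            payload = json.loads(body.decode("utf-8"))
            cid, ts, nonce = payload["cid"], int(payload["ts"]), str(payload["nonce"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed"

        if cid != self.client_id:
            return False, "client mismatch"       # token minted for a different client
        if ts > now + self.skew_s:
            return False, "timestamp in future"
        if now - ts > self.max_age_s:
            return False, "expired"

        self._purge(now)
        if nonce in self._seen:
            return False, "replay"                # single-use: the same link cannot log in twice
        self._seen[nonce] = ts + self.max_age_s + self.skew_s
        return True, "ok"

    def _purge(self, now: int) -> None:
        # Forget nonces that could no longer pass the age check anyway.
        for n in [n for n, until in self._seen.items() if until < now]:
            del self._seen[n]


if __name__ == "__main__":
    tok = issue_token("client-42", DEMO_SECRET)
    validator = ClientTokenValidator("client-42", DEMO_SECRET)
    print(validator.validate(tok))   # (True, 'ok'): only now query Domain_Master's SOAP API
    print(validator.validate(tok))   # (False, 'replay')
```

Only a token that passes `validate` is forwarded to the Domain_Master SOAP API, which remains the authority on who the user is and on whether the token was already consumed there; the local check just stops Domain_Client from relaying arbitrary URL input. Because the token rides in a URL, it can end up in browser history, proxy logs and Referer headers, which is why the lifetime is short and the nonce makes it single-use; HMAC gives integrity, not confidentiality, so if the payload must be hidden the question's encryption step is still needed on top.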

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow