Monday, January 30, 2006

Secure Single Sign On

How to perform Single Sign On from website to website in a secure manner?

There have been many requests recently to review different Single Sign On approaches for handing a user from website 1 to website 2. The approaches have all been different and rarely end up in the form originally requested, but I wanted some thoughts on other options for solving the SSO problem. (Website 1 and website 2 are completely separate companies with no financial ties.)

1. Website 1 renders a hidden form that is posted to website 2. The hidden field carries a string, encrypted with the DES cipher, containing the userid and a timestamp; website 2 accepts the string for 5 minutes after that timestamp.

I don't like a lot of things about this method. First and foremost, use a cipher that cannot be broken in a couple of hours: single DES has only a 56-bit key and has already been brute-forced with purpose-built hardware. I recommended at least RC4 at the time, but I would prefer AES (RC4 has known keystream biases, so AES is the safer choice). Just as important, encryption alone gives no integrity: unless the string also carries a MAC (or uses an authenticated mode), website 2 cannot tell a tampered token from a genuine one. Hidden fields are the security by obscurity of the middle ages. A hidden field is not hidden and can be modified very easily by the end user, who can then submit guessed or altered strings to website 2 indefinitely, since there is no account on that end to lock out. And because the only freshness check is a 5-minute timestamp, anyone who captures the string can replay it within that window unless website 2 also remembers a per-token nonce.

I think a better approach is a server-side redirect over a dedicated VPN: the user's browser is redirected to website 2 carrying only an opaque, one-time reference, and website 2 resolves that reference to the userid over the VPN, server to server. Both sides can verify the exchange is coming from and going to the correct systems, because the VPN endpoints (or mutual TLS) authenticate the peers. The end user never has a chance to see or modify the encrypted string, and an external attacker could not mount a brute-force attack against website 2 without first authenticating to website 1.
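The two designs above, as an added example that is not code from the original post: a hardened version of the hidden-form token (MAC instead of bare encryption, audience, 5-minute lifetime, nonce with a replay cache on the website 2 side) and the back-channel handoff, where the browser carries only a one-time artifact that website 2 resolves server to server. The shared key, the hostname `website2.example`, and the in-memory stores are all assumptions; a real deployment would keep the key in a secret store and the replay and artifact caches in something shared across web nodes.

```python
"""Added example, not from the original post: two SSO handoff designs.

Hypothetical assumptions: an HMAC key shared out of band between the two
sites, a 5-minute token lifetime (the post's window), and in-memory dicts
standing in for website 2's replay cache and website 1's artifact store.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SHARED_KEY = b"hypothetical-key-shared-out-of-band"  # assumed, not a real key
LIFETIME = 300                 # seconds; the post's 5-minute window
AUDIENCE = "website2.example"  # assumed hostname of the receiving site


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# ---- Method 1, hardened: a front-channel token the user carries ----------
def mint_token(userid: str, now: float, key: bytes = SHARED_KEY) -> str:
    """Website 1 side: userid + timestamp + nonce + audience, then an HMAC.
    The MAC is what stops the user editing the hidden field; the nonce is
    what lets website 2 reject a replay inside the 5-minute window."""
    body = {"sub": userid, "iat": int(now),
            "nonce": secrets.token_hex(16), "aud": AUDIENCE}
    payload = _b64(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


class TokenVerifier:
    """Website 2 side. seen_nonces is the replay cache (in memory here)."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces = {}  # nonce -> time first accepted

    def verify(self, token: str, now: float) -> Optional[str]:
        """Return the userid on success, None on any failure."""
        try:
            payload, tag = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered, forged, or minted with another key
        try:
            body = json.loads(_unb64(payload))
        except (ValueError, UnicodeDecodeError):
            return None
        if body.get("aud") != AUDIENCE:
            return None  # token minted for some other relying site
        if not (0 <= now - body["iat"] <= LIFETIME):
            return None  # expired, or timestamp from the future
        # drop nonces older than the window, then reject a repeat inside it
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= LIFETIME}
        if body["nonce"] in self.seen_nonces:
            return None  # replay
        self.seen_nonces[body["nonce"]] = int(now)
        return body["sub"]


# ---- Method 2: back-channel handoff via a one-time artifact --------------
class ArtifactStore:
    """Website 1 side. The browser is redirected to website 2 carrying only an
    opaque artifact; website 2 resolves it over the authenticated
    server-to-server link (the post's VPN). The token never transits the
    browser, and each artifact resolves exactly once."""

    def __init__(self):
        self._pending = {}  # artifact -> (token, issue time)

    def issue(self, userid: str, now: float) -> str:
        artifact = secrets.token_urlsafe(32)
        self._pending[artifact] = (mint_token(userid, now), now)
        return artifact

    def resolve(self, artifact: str, now: float) -> Optional[str]:
        """Called by website 2 over the back channel; one-shot."""
        entry = self._pending.pop(artifact, None)
        if entry is None or now - entry[1] > LIFETIME:
            return None
        return entry[0]
```

Even in the artifact design the resolved token is still verified on website 2 with the same checks, so a compromised artifact store or a mis-routed back-channel request cannot inject an identity for another site or an expired one.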

I would like thoughts on this and other methods that people have used.

1 comment:

Anonymous said...

It might be worth looking at the Liberty Alliance's Federated Identity project. www.projectliberty.org