I haven't tested against an SSO for a few years, but the last one I looked at was Siteminder, and I found out that if developers mixed http and https across applications it was possible to capture the session details from an http request and replay them to access other resources on the same or other applications. This may have been fixed; I haven't looked at it recently.
Zate

On Thu, Mar 24, 2011 at 9:13 AM, Todd Haverkos <[email protected]> wrote:
> Alex Manchester <[email protected]> writes:
>
> > I have been tasked with researching potential Compliancy concerns regarding
> > implementing a single sign-on solution.
> > The majority of the information has been relatively positive such as
> > providing centralized user and log management.
> > Other than ensuring the security and minimum strength requirements of the
> > master password, are there other concerns anybody else has faced with
> > implementing or researching an SSO solution.
>
> One issue I've seen in single sign ons in large organizations is that
> just about anyone can stand up an internal web server that looks to
> hook into the single sign on API and herds of users (who are used to
> providing that one magical credential) are happy to type it in just
> about anywhere.
>
> Without some sort of one time password integrated, this can make
> single sign on tantamount to an authentication monoculture with its
> attendant weaknesses.
>
> I have no silver bullet here other than foisting unpopular 2-factor
> auth on people (insert joke about RSA's current woes here), but it's a
> risk to be aware of at least. The benefits of SSO still generally
> outweigh warts like this.
>
> --
> Todd Haverkos, LPT MsCompE
> http://haverkos.com/
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
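A defender-side check for the mixed http/https problem Zate describes, added here as an example (not code from the thread or from any SSO vendor): it parses Set-Cookie headers from an inventory of SSO-protected applications, flags session cookies that lack the Secure/HttpOnly attributes or are issued over plaintext http, and lists cookie domains whose session cookie is set by apps reached over both schemes. The application URLs and cookie values are constructed; SMSESSION is SiteMinder's session cookie name, the other names are common framework defaults.

```python
from urllib.parse import urlsplit

# Session cookie names to watch: SMSESSION (SiteMinder) plus common framework defaults.
SESSION_COOKIE_NAMES = {"smsession", "jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value}), attribute keys lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookies(url, set_cookie_headers):
    """Report session cookies that were issued over, or that a browser would replay over, plaintext http."""
    scheme = urlsplit(url).scheme.lower()
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if scheme != "https":
            findings.append(f"{name}: issued over {scheme}, already exposed on the wire")
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, browser will send it to any http URL on the domain")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly attribute, readable by page script")
    return findings


def mixed_scheme_cookie_domains(apps):
    """Return cookie domains whose session cookie is set by applications reached over both http and https."""
    schemes = {}
    for url, headers in apps.items():
        parts = urlsplit(url)
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if name.lower() in SESSION_COOKIE_NAMES:
                domain = attrs.get("domain", parts.hostname).lower().lstrip(".")
                schemes.setdefault(domain, set()).add(parts.scheme.lower())
    return sorted(d for d, s in schemes.items() if {"http", "https"} <= s)


# Constructed sample inventory: two apps on the same SSO cookie domain, one of them still served over http.
SAMPLE_APPS = {
    "https://portal.example.internal/home": ["SMSESSION=abc123; Path=/; Domain=.example.internal"],
    "http://portal.example.internal/reports": ["SMSESSION=abc123; Path=/; Domain=.example.internal"],
    "https://hr.example.internal/": ["SMSESSION=abc123; Path=/; Domain=.example.internal; Secure; HttpOnly"],
}

if __name__ == "__main__":
    for url, headers in SAMPLE_APPS.items():
        for finding in audit_session_cookies(url, headers):
            print(url, "->", finding)
    print("cookie domains mixing http and https:", mixed_scheme_cookie_domains(SAMPLE_APPS))
```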
