[thelist] Single Sign On Security
Matt Warden
mwarden at gmail.com
Tue Mar 2 21:18:37 CST 2010
On Tue, Mar 2, 2010 at 9:30 PM, Bill Moseley <moseley at hank.org> wrote:

> Except in this case both sites need the same end-user's credentials --
> because the end-user can log into either site directly. (Having both sites
> share the same credentials is the part I'm not thrilled about so I may see
> if I can get the specs changed.)

That defeats the purpose of single sign-on.

> That means there must be some backend API interaction between the third
> party site and mine, namely to create the account on my site. It's that
> communication that I want to make sure is secure and authenticated. I think
> SSL plus the third-party's password (shared secret, really) is enough. See
> any security holes with that simple approach?

You *do* need to create a user record on your site that includes the
username. It should NOT include the password. You should defer to the
third party site for password authentication.
--
Matt Warden
Cincinnati, OH, USA
http://mattwarden.com
This email proudly and graciously contributes to entropy.
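The arrangement Matt describes, as an added example that is not part of the thread: the third-party site owns the passwords, the backend account-creation call is authenticated with the shared secret, and the relying site stores only a username and delegates the password check. The class names, the HMAC-over-JSON request format and the PBKDF2 parameters are assumptions chosen for the illustration; the thread itself specifies only "SSL plus a shared secret".

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


class IdentityProvider:
    """Constructed stand-in for the third-party site that owns the end-user
    credentials. It is the only component that ever sees or stores a password."""

    def __init__(self, provisioning_secret: bytes):
        self.provisioning_secret = provisioning_secret  # shared with the relying site
        self._credentials = {}  # username -> (salt, PBKDF2 digest)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._credentials[username] = (salt, digest)

    def verify_password(self, username: str, password: str) -> bool:
        record = self._credentials.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, digest)

    def provisioning_request(self, username: str):
        """Backend call asking the relying site to create an account. The body
        carries the username only and is authenticated with an HMAC under the
        shared secret (assumed format); transport confidentiality is left to TLS."""
        body = json.dumps({"username": username}, sort_keys=True).encode()
        signature = hmac.new(self.provisioning_secret, body, hashlib.sha256).hexdigest()
        return body, signature


@dataclass
class LocalUser:
    """Relying-site account record: a username and where it authenticates.
    There is deliberately no password field."""
    username: str
    auth_source: str = "third-party"


class RelyingSite:
    """Constructed stand-in for 'my site' in the thread."""

    def __init__(self, provisioning_secret: bytes, idp: IdentityProvider):
        self.provisioning_secret = provisioning_secret
        self.idp = idp
        self.users = {}  # username -> LocalUser

    def handle_provisioning(self, body: bytes, signature: str) -> bool:
        """Accept the account-creation call only if it carries a valid HMAC."""
        expected = hmac.new(self.provisioning_secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False  # unauthenticated caller: create nothing
        username = json.loads(body)["username"]
        self.users[username] = LocalUser(username)
        return True

    def login(self, username: str, password: str) -> bool:
        """The local record must exist, but the password check is delegated
        to the third party; this site never compares or stores a password."""
        if username not in self.users:
            return False
        return self.idp.verify_password(username, password)


if __name__ == "__main__":
    idp = IdentityProvider(b"example-shared-secret")  # constructed value
    idp.register("alice", "correct horse battery staple")
    site = RelyingSite(b"example-shared-secret", idp)
    body, sig = idp.provisioning_request("alice")
    print("provisioned:", site.handle_provisioning(body, sig))
    print("login ok:", site.login("alice", "correct horse battery staple"))
```

The HMAC binds the request body to the shared secret, so a caller that lacks it cannot create accounts even over an otherwise open channel; a production version would also include a timestamp or nonce in the signed body so a captured request cannot be replayed, and would keep the secret out of source code.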