[thelist] Single Sign On Security

Bill Moseley moseley at hank.org
Tue Mar 2 20:30:00 CST 2010

On Tue, Mar 2, 2010 at 5:23 PM, Matt Warden <mwarden at gmail.com> wrote:
> You actually do not need the user's password. You only need to be able
> to take the username and password supplied and submit that securely
> (encrypted) to the third party site for a yes/no verification, which
> you will have to trust. After challenging the third party site, you
> can discard the password submitted.

Except in this case both sites need the same end-user's credentials --
because the end-user can log into either site directly.  (Having both sites
share the same credentials is the part I'm not thrilled about so I may see
if I can get the specs changed.)

The use case I'm asking about is where the the end user creates their
account for my site and logs in all via the third-party site.  Then they are
redirected to my site bypassing the login page.

That means there must be some backend API interaction between the third
party site and mine, namely to create the account on my site.  It's that
communication that I want to make sure is secure and authenticated.  I think
SSL plus the third-party's password (shared secret, really) is enough.  See
any security holes with that simple approach?

Of course, if I send the third-party any data that is returned to me then I
need a way to make sure it has not been altered.

Might be worth looking into client certificates, perhaps, if for nothing
else reduce the social engineering threat of a shared secret.

Bill Moseley
moseley at hank.org

More information about the thelist mailing list