[thelist] Single Sign On Security

Matt Warden mwarden at gmail.com
Tue Mar 2 21:18:37 CST 2010

On Tue, Mar 2, 2010 at 9:30 PM, Bill Moseley <moseley at hank.org> wrote:
> Except in this case both sites need the same end-user's credentials --
> because the end-user can log into either site directly.  (Having both sites
> share the same credentials is the part I'm not thrilled about so I may see
> if I can get the specs changed.)

That defeats the purpose of single sign-on.

> That means there must be some backend API interaction between the third
> party site and mine, namely to create the account on my site.  It's that
> communication that I want to make sure is secure and authenticated.  I think
> SSL plus the third-party's password (shared secret, really) is enough.  See
> any security holes with that simple approach?

You *do* need to create a user record on your site that includes the
username. It should NOT include the password. You should defer to the
third party site for password authentication.

Matt Warden
Cincinnati, OH, USA

This email proudly and graciously contributes to entropy.
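As an added illustration (not code from either poster), here is a minimal sketch of the backend provisioning call Bill describes, done the way Matt recommends: the third-party site authenticates the request with the shared secret, and our side stores only the username plus which provider owns the password. The use of HMAC-SHA256 over the request body is an assumption (the thread only says "shared secret"), and all names and values are constructed.

```python
import hmac
import hashlib
import json
import time

# Constructed sample secret exchanged out-of-band between the third-party
# site and ours (hypothetical value, not from the thread). In practice it
# lives in a secrets store, never in source.
SHARED_SECRET = b"constructed-shared-secret-for-illustration"
MAX_SKEW_SECONDS = 300  # reject stale requests so a captured call cannot be replayed later


def canonical(payload: dict) -> bytes:
    """Serialise deterministically so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(secret: bytes, payload: dict) -> str:
    """Third-party side: authenticate the provisioning call with the shared secret.
    Assumption: HMAC-SHA256 over the body, carried over TLS as the thread proposes."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


def provision_user(secret: bytes, payload: dict, signature: str,
                   users: dict, now: float) -> bool:
    """Our side: verify the caller, then create a record holding the username only.
    Returns True if an account was created, False if the request was rejected."""
    expected = sign_request(secret, payload)
    # Constant-time comparison so a wrong MAC is not distinguishable byte by byte.
    if not hmac.compare_digest(expected, signature):
        return False
    if abs(now - payload.get("ts", 0)) > MAX_SKEW_SECONDS:
        return False
    username = payload["username"]
    if username in users:
        return False
    # No password field: password authentication is deferred to the third party.
    users[username] = {"username": username, "auth_provider": payload["provider"]}
    return True


def demo() -> dict:
    users = {}
    now = time.time()
    payload = {"username": "alice", "provider": "partner-site", "ts": int(now)}
    sig = sign_request(SHARED_SECRET, payload)
    created = provision_user(SHARED_SECRET, payload, sig, users, now)
    # A body altered in transit (different username) with the original MAC is refused.
    forged = dict(payload, username="mallory")
    forged_ok = provision_user(SHARED_SECRET, forged, sig, users, now)
    return {"created": created, "forged_accepted": forged_ok, "record": users["alice"]}
```

The timestamp check is the caveat Bill's "SSL plus shared secret" description leaves out: TLS protects the call in transit, but without freshness a legitimately signed request could be resubmitted.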
