Crowd Data Center / CWD-3489

Modernizing the Single Sign-on Process Flow


Details

    • Type: Suggestion
    • Resolution: Duplicate
    • Component: REST

    Description

      As already discussed in our support request (CWDSUP-7916), we see possible security issues with the current implementation of SSO in Crowd.

      The Crowd REST API allows any application that can create session tokens to create these tokens without a password (POST to /session?validate-password=false). The consequence in an SSO environment is that any application authentication can be used to compromise all other applications. The application needs to know neither the token nor the password to retrieve the user token. As far as I know, that option is mainly for the "remember me" functionality. The parameter "validate-password=false" cannot be disabled, so we need to filter all requests with this parameter in our reverse proxy to block this feature.

      The real solution, from our point of view, is a login system where the web application doesn't need to know the credentials, because the authentication provider is the only one that creates the tokens.
      See the linked figure for details.
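The reverse-proxy workaround the reporter describes (filtering requests that carry the validate-password parameter), written out as an added example. This is not code from the issue, from Atlassian Crowd or from the reporter. It assumes Crowd is served under the /crowd context path and that the proxy can see the raw request target (path plus query string); the access-log parser and the sample log lines are constructed for illustration. The filter fails closed: a POST to the session-creation endpoint is rejected whenever validate-password is present with any value other than true, which also catches repeated and percent-encoded copies of the parameter.

```python
"""Proxy-style filter for Crowd's session-creation endpoint.

Added example, not code from Atlassian Crowd or from the issue reporter.
Assumptions (not stated in the issue): Crowd is mounted under /crowd, and
the proxy inspects the raw request target before forwarding.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Session creation in the Crowd REST API is POST /rest/usermanagement/<version>/session.
# The optional /crowd prefix is an assumed context path.
SESSION_PATH = re.compile(r"^(?:/crowd)?/rest/usermanagement/[^/]+/session/?$")

BLOCK_PARAM = "validate-password"


def should_block(method: str, request_target: str) -> bool:
    """Return True when the proxy must reject the request.

    Policy: a POST that creates a session is allowed only if validate-password
    is absent or every occurrence of it equals "true". Any other value
    (false, FALSE, 0, empty, ...) is treated as an attempt to mint a user token
    without the user's password. Matching the parameter name case-insensitively
    is stricter than Crowd itself needs to be; that is deliberate (fail closed).
    """
    if method.upper() != "POST":
        return False
    parts = urlsplit(request_target)
    if not SESSION_PATH.match(parts.path):
        return False
    # parse_qs percent-decodes names and values and keeps repeated keys,
    # so ?validate%2Dpassword=FALSE and ?...=true&...=false are both seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() != BLOCK_PARAM:
            continue
        if any(v.strip().lower() != "true" for v in values):
            return True
    return False


# Combined-log-format line: client, method, request target, status (constructed shape).
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_blocked_in_log(lines):
    """Replay proxy access-log lines through the policy.

    Returns (client, target) for every request the filter would have blocked,
    which is what you would run over historical logs to see whether anyone
    has already used validate-password=false against your Crowd instance.
    """
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if m and should_block(m["method"], m["target"]):
            hits.append((m["client"], m["target"]))
    return hits


# Constructed sample log lines for illustration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2019:13:55:36 +0000] "POST /crowd/rest/usermanagement/1/session HTTP/1.1" 201 412',
    '10.0.0.7 - - [10/Oct/2019:13:56:01 +0000] "POST /crowd/rest/usermanagement/1/session?validate-password=false HTTP/1.1" 201 410',
    '10.0.0.7 - - [10/Oct/2019:13:56:02 +0000] "POST /crowd/rest/usermanagement/1/session?validate-password=true&validate-password=false HTTP/1.1" 201 410',
    '10.0.0.9 - - [10/Oct/2019:13:57:14 +0000] "GET /crowd/rest/usermanagement/1/user?username=alice HTTP/1.1" 200 233',
    '10.0.0.9 - - [10/Oct/2019:13:57:20 +0000] "POST /crowd/rest/usermanagement/1/session?validate%2Dpassword=FALSE HTTP/1.1" 201 410',
]


if __name__ == "__main__":
    for client, target in find_blocked_in_log(SAMPLE_LOG):
        print(f"would block {client} -> {target}")
```

The same policy can be expressed directly in the proxy (for nginx, a regex test on $args inside the location for the session path), but keeping it as a function makes it easy to replay against past access logs. Note that blocking the parameter also breaks legitimate "remember me" callers, which is the trade-off the report accepts.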


             People

               Assignee: Unassigned
               Reporter: Gergely Kiss
               Votes: 0
               Watchers: 2
