#StackBounty: #html #sso #cors #iframe #crossdomain Are there security issues around controlled cross site sharing behind SSO?

Bounty: 100

Very simply we have a ton of websites at our company behind SSO.

I am having a hard time figuring out what security issues there are if we open cross-site sharing between these sites but wanted to get a broader view. This is really a result of browser updates around cross site sharing in iframes in chrome and IE a few months back. With those security features disabled at the browser level (yes we will not have users do that) iframing within our sites work fine.

Let me give you context of the specific problem:

  1. example.com – main site
  2. subdomain1.example.com – subdomain we have a ton
  3. subdomain2.example.com – another sub
  4. example.login.com – SSO server we authenticate to
  5. example.cms.com – random vendor that uses our SSO

So right now as long as the servers in 1, 2, and 3 allow cross site sharing iframes work… as long as your cookie/token is already active. If it is not active then it just errors out trying to connect to example.login.com.

We are discussing changing the CORS/sharing settings on the login server and others brought up possible security issues. I just don’t see how there are issues with clickjacking or anything else when we control all of the sites ourselves. Am I missing something here? Are there security issues with sharing between controlled tenets? Let me know if I need to provide anymore info.

Get this bounty!!!

#StackBounty: #authentication #oauth2 #sso #saml #federation App-to-app or service-to-service authentication using federated login

Bounty: 100

I have an application Foo that exposes a web-based portal as well as a REST API service via HTTPS.

When a human user connects to the app Foo to use its web-based portal, the human user is first redirected to an OAuth2-based login page. Once the human user is authenticated, they are redirected back to app Foo and now the human user can access the portal. The actual identity of the human user is maintained in an active directory. The OAuth2 identity provider uses AD to validate the user’s identity. All of this sounds okay so far.

Now I have an app Bar which needs to connect to Foo and send REST API requests to it. So the app Bar is the client here. The app Bar’s identity (credentials) will once again be maintained in active directory behind the scenes. It will be a user account meant to be used exclusively by app Bar only. Once properly configured and setup, the app Bar should be able to authenticate to app Foo without human intervention. Can this be achieved using a federated authentication mechanism like OAuth2 or SAML?

What I am worried about is that as a human user, whenever I have tried to authenticate to a website that uses OAuth2 or SAML, it redirects me to another identity provider’s URL, where I need to enter my credentials. This is not exactly very convenient for automation when an app like Bar needs to authenticate itself to app Foo?

What are the available options here that allow us to implement app-to-app authentication without requiring human intervention, yet be convenient to implement, and also uses federated login?

Get this bounty!!!