LW-SSO security warnings

The following security warnings apply to the LW-SSO configuration:

  • Confidential initString parameter in LW-SSO

    LW-SSO uses symmetric cryptography to create and validate LW-SSO tokens. The initString parameter in the configuration is used to initialize the secret key: one application creates a token, and every application configured with the same initString value can validate it.

    • You cannot use LW-SSO without setting the initString parameter.

    • The initString parameter is confidential information and must be treated as such in terms of publishing, transporting, and persistency.

    • The initString is to be shared only between applications that are integrated with each other using LW-SSO.

    • The initString parameter value must be at least 12 characters long.

  • Enable LW-SSO only if it is specifically required

    Otherwise, leave it disabled.

  • Level of authentication security

    The application that uses the weakest authentication framework and issues an LW-SSO token trusted by the other integrated applications determines the level of authentication security for all of them: a token issued after a weak logon is accepted everywhere the initString is shared. We recommend that only applications using strong and secure authentication frameworks issue LW-SSO tokens.

  • Symmetric encryption implications

    LW-SSO uses symmetric cryptography to issue and validate LW-SSO tokens. Therefore, any application that holds the initString value can issue a token that is trusted by all other applications sharing that value, and a receiving application cannot distinguish such a token from one issued after a genuine logon, because the same key is used to create and to validate. This risk is relevant if an application that shares the initString value either resides in, or is accessible from, an untrusted location.
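    The following Python script is an added example written for this page; it is not LW-SSO code and does not reproduce the real LW-SSO token format. It models the two warnings above with a hypothetical HMAC-SHA256 token whose key is derived from initString, and walks through what that implies: two applications sharing initString accept each other's tokens, an application with a different initString rejects them, tampered and stale tokens are rejected, the 12-character minimum is enforced, and, the point of the symmetric-encryption warning, any party holding initString can mint a token for any user that the other applications accept. The initString values, application names and the derive_key function are constructed for the example.

```python
"""Illustrative model of the LW-SSO trust relationship (added example).

Not the LW-SSO implementation or its token format. Assumes a token of the
form base64url(payload) "." base64url(HMAC-SHA256(key, payload)), with the
key derived from initString by hashing (hypothetical derivation).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MIN_INITSTRING_LEN = 12  # minimum length stated in the warnings above


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _clock(now: Optional[float]) -> float:
    return time.time() if now is None else now


def derive_key(init_string: str) -> bytes:
    """Turn initString into the shared symmetric key (hypothetical derivation)."""
    if len(init_string) < MIN_INITSTRING_LEN:
        raise ValueError("initString must be at least 12 characters long")
    return hashlib.sha256(init_string.encode("utf-8")).digest()


class LwSsoApp:
    """One integrated application. Every app configured with the same
    initString derives the same key, so each can both issue and validate."""

    def __init__(self, name: str, init_string: str, ttl_seconds: int = 600):
        self.name = name
        self.key = derive_key(init_string)
        self.ttl = ttl_seconds

    def issue_token(self, user: str, now: Optional[float] = None) -> str:
        claims = {"user": user, "issuer": self.name, "iat": int(_clock(now))}
        payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)

    def validate_token(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if the MAC verifies under our key and the token is
        fresh, else None. Nothing here can check *which* app really issued the
        token: possession of the shared key is the whole trust decision."""
        try:
            payload_b64, mac_b64 = token.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
        if not isinstance(claims.get("iat"), int):
            return None
        if _clock(now) - claims["iat"] > self.ttl:
            return None
        return claims


def demo() -> dict:
    """Walk through the trust relationships; returns a dict of outcomes."""
    shared = "s3cr3t-initString-for-AppA-and-AppB"   # constructed sample value
    app_a = LwSsoApp("AppA", shared)
    app_b = LwSsoApp("AppB", shared)
    outsider = LwSsoApp("AppC", "unrelated-initString")  # separate trust domain
    t0 = 1_700_000_000

    token = app_a.issue_token("alice", now=t0)
    _, mac_b64 = token.split(".")
    # Same MAC, different payload: the user name was edited after issuance.
    tampered = _b64(b'{"user":"admin","issuer":"AppA","iat":1700000000}') + "." + mac_b64

    results = {
        "b_trusts_a": app_b.validate_token(token, now=t0 + 10) is not None,
        "outsider_rejects": outsider.validate_token(token, now=t0 + 10) is None,
        "tampered_rejected": app_b.validate_token(tampered, now=t0 + 10) is None,
        "expired_rejected": app_b.validate_token(token, now=t0 + 601) is None,
    }
    # Symmetric-encryption implication: any holder of initString, such as a
    # compromised or weakly authenticating peer, can mint a token for any user
    # that AppB accepts, and AppB cannot tell it apart from a genuine AppA token.
    rogue = LwSsoApp("compromised-host", shared)
    forged = rogue.issue_token("admin", now=t0)
    results["forged_accepted_by_b"] = app_b.validate_token(forged, now=t0 + 10)["user"] == "admin"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

    The last result is the one the warning is about: the validating side has no way to reject the forged token, so the only defences are keeping initString confidential, sharing it only with trusted and strongly authenticating applications, and not enabling LW-SSO where it is not needed.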

  • User mapping (Synchronization)

    The LW-SSO framework does not ensure user mapping between the integrated applications. Therefore, the integrated applications must enforce user mapping themselves. We recommend that the same user registry (such as LDAP/AD) be shared among all integrated applications.

    Failure to map users may cause security breaches and negative application behavior. For example, the same user name may be assigned to different real users in different applications.

    In addition, when a user logs on to an application (AppA) and then accesses a second application (AppB) that uses container or application authentication, a missing user mapping forces the user to log on to AppB manually and enter a user name. If the user enters a different user name than was used to log on to AppA, then a third application (AppC) accessed from AppA or AppB is accessed under the user name used for AppA or AppB, respectively, so the same person is known by two different identities across the integrated applications.

  • Identity Manager

    When the Identity Manager is used for authentication, all of its unprotected resources must be listed in the nonsecureURLs setting of the LW-SSO configuration file.

  • LW-SSO Demo mode

    LW-SSO Demo mode restrictions are as follows:

    • Use only for demonstration purposes

    • Use only in unsecured networks

    • Must not be used in production. Demo mode must not be combined with production mode in any way.