LW-SSO security warnings
The following security warnings apply to the LW-SSO configuration:
- Confidential initString parameter in LW-SSO
  LW-SSO uses symmetric encryption to create and validate an LW-SSO token. The initString parameter in the configuration initializes the secret key: one application creates a token, and every application that uses the same initString value can validate it. Because of this:
  - You cannot use LW-SSO without setting the initString parameter.
  - The initString parameter is confidential information and must be treated as such when it is published, transported, and stored.
  - The initString is to be shared only between applications that are integrated with each other through LW-SSO.
  - The initString parameter value must be at least 12 characters long.
- Enable LW-SSO only if it is specifically required
  Otherwise, leave it disabled.
- Level of authentication security
  The application that uses the weakest authentication framework and issues an LW-SSO token that is trusted by the other integrated applications sets the level of authentication security for all of them. We recommend that only applications that use strong, secure authentication frameworks issue LW-SSO tokens.
- Symmetric encryption implications
  LW-SSO uses symmetric cryptography to issue and validate LW-SSO tokens. Therefore any application that uses LW-SSO can issue a token that is trusted by every other application sharing the same initString parameter value. This risk matters when an application that shares the initString value resides in, or is accessible from, an untrusted location.
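To make the two preceding warnings concrete, the following is an added Python illustration; it is not LW-SSO code and does not reproduce LW-SSO's real token format, cipher or API. A shared initString is turned into a key, and HMAC-SHA256 stands in for the symmetric scheme; the names issue_token and validate_token and the initString values are hypothetical and constructed for the example. It shows that a token minted by one holder of initString is accepted by every other holder, that a holder in an untrusted location can mint a token for any user that the others cannot distinguish from a legitimate one, that a different initString or a modified claim set is rejected, and that an initString shorter than 12 characters is refused.

```python
"""Hypothetical model of a shared-secret SSO token (added illustration; not
LW-SSO's real token format, cipher or API).  HMAC-SHA256 stands in for the
symmetric scheme so the trust property in the warnings can be exercised
offline: whoever knows initString is a trusted token issuer."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MIN_INIT_STRING_LEN = 12  # minimum initString length stated on the page


def derive_key(init_string: str) -> bytes:
    """Turn initString into the shared symmetric key (hypothetical KDF step);
    reject values shorter than the documented minimum."""
    if len(init_string) < MIN_INIT_STRING_LEN:
        raise ValueError(
            f"initString must be at least {MIN_INIT_STRING_LEN} characters")
    return hashlib.sha256(init_string.encode("utf-8")).digest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(init_string: str, user: str, issuer: str, ttl: int = 300,
                now: Optional[float] = None) -> str:
    """Mint a token: base64url(claims) '.' base64url(HMAC(key, claims)).
    Any application that holds initString can do this."""
    key = derive_key(init_string)
    now = time.time() if now is None else now
    claims = {"user": user, "issuer": issuer, "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate_token(init_string: str, token: str,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag verifies under this initString and the
    token is unexpired, else None.  The validator learns only that the issuer
    knew initString; it cannot tell which application minted the token."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(derive_key(init_string), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def demo() -> dict:
    """Exercise the situations the warnings describe, with constructed values."""
    shared = "correct-horse-battery-staple"  # constructed initString of the trust group
    other = "some-other-initString-value"    # constructed initString of an outside app
    t0 = 1_700_000_000.0

    # AppA issues a token; AppB, configured with the same initString, accepts it.
    token = issue_token(shared, "alice", "AppA", now=t0)
    accepted_by_appb = validate_token(shared, token, now=t0 + 10)

    # An application with a different initString rejects the same token.
    rejected_by_outsider = validate_token(other, token, now=t0 + 10)

    # A weakly authenticated or exposed application that merely knows
    # initString can mint an "admin" token that AppB cannot distinguish from
    # a legitimate one: the weakest issuer sets the security level for all.
    forged = issue_token(shared, "admin", "WeakApp", now=t0)
    forged_accepted = validate_token(shared, forged, now=t0 + 10)

    # Without initString, changing the claims breaks the tag.
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["user"] = "admin"
    tampered = _b64(json.dumps(claims, sort_keys=True).encode("utf-8")) + "." + tag_b64
    tampered_result = validate_token(shared, tampered, now=t0 + 10)

    # Expiry is enforced, and a too-short initString is refused outright.
    expired = validate_token(shared, token, now=t0 + 301)
    try:
        issue_token("short", "alice", "AppA", now=t0)
        short_rejected = False
    except ValueError:
        short_rejected = True

    return {
        "accepted_by_appb": accepted_by_appb,
        "rejected_by_outsider": rejected_by_outsider,
        "forged_accepted": forged_accepted,
        "tampered": tampered_result,
        "expired": expired,
        "short_init_string_rejected": short_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged token in demo() is the point of both warnings: the validator cannot tell WeakApp's token from AppA's, so an initString that reaches a weakly authenticated or network-exposed application gives that application the authority to log anyone in to every other application in the group.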
- User mapping (Synchronization)
  The LW-SSO framework does not ensure user mapping between the integrated applications, so each integrated application must enforce user mapping itself. We recommend that the same user registry (such as LDAP/AD) be shared by all integrated applications.
  Failure to map users may cause security breaches and incorrect application behavior. For example, the same user name may belong to different real users in different applications.
  In addition, when a user logs on to an application (AppA) and then accesses a second application (AppB) that uses container or application authentication, the missing mapping forces the user to log on to AppB manually and enter a user name. If the user enters a different user name than was used for AppA, the two sessions carry different identities: when the user then accesses a third application (AppC) from AppA or from AppB, the access is made under the user name used for AppA or for AppB, respectively.
- Identity Manager
  When Identity Manager is used for authentication, all of its unprotected resources must be configured as nonsecureURLs settings in the LW-SSO configuration file.
- LW-SSO Demo mode
  LW-SSO Demo mode restrictions are as follows:
  - Use only for demonstration purposes.
  - Use only in networks where security is not a requirement.
  - Must not be used in production. Do not combine Demo mode with production mode in any way.