
Background:

I want to integrate SSO between my existing application and my client's application, and the client's IDP does not support the SAML or OAuth standards.

Problem Statement:

I'm looking for a custom solution where, if any client application simply opens a link to my application, my application must be able to recognise that user/client and automatically log them in.

I've done extensive research before asking this question in this forum.

My findings so far:

These are the custom techniques I have found so far that I could use to auto-login into my system:

  • JWT token
  • Certificate
  • Simple encryption using a secret key token, i.e. AES, RSA

Are there any other custom secure options available?

And what option one should choose in this kind of situation?

Deepak
  • Do you use a unique domain and HTTPS? -> Just a cookie with a sessionId. Multiple domains? --> See [this](https://stackoverflow.com/questions/11434866/automatic-cookie-single-sign-on-on-multiple-domains-like-google/37405389?noredirect=1#comment97083513_37405389) and [this](https://stackoverflow.com/questions/33723033/single-sign-on-flow-using-jwt-for-cross-domain-authentication) – pedrofb Mar 15 '19 at 16:58
  • Yes, there are unique domains with HTTPS. – Deepak Mar 15 '19 at 17:30
  • Then you can use a shared authentication cookie between domains. Probably JWT is better for your scenario than an opaque session ID, because each app can verify it independently without maintaining a session. The IDP will set this cookie when the authentication is performed – pedrofb Mar 15 '19 at 17:57
  • My application built on REST based api and angular at client side so cookie can't be used. – Deepak Mar 16 '19 at 05:18
  • A cookie can be used perfectly by an Angular application (it does not have to be `httponly`). Alternatively you can also use `localStorage`, but the essence of operation is the same. Oauth2, OIDC or saml web clients usually use a cookie to maintain the user connected. – pedrofb Mar 16 '19 at 08:38
  • Agree that an Angular application can also use a cookie because ultimately it's running in the browser. But in my case I have to implement custom SSO, and the other application would simply generate an encrypted token for the user and send it to my application; my application would then verify and authenticate that token and allow the user seamless login after successful authentication. The question is how I would ensure that the token came from the client only? Might a man-in-the-middle attack be possible? – Deepak Mar 16 '19 at 14:36
  • The token must be signed using a shared or asymmetric key (signed with private key / verified with public) – pedrofb Mar 16 '19 at 17:34
  • Yes, That we can use but what about the digital certificate? that certificate would auto-expire and renew at client application through some of our exposed services. I think this would make encryption more secure than sharing a secret key. Any thought? – Deepak Mar 17 '19 at 03:36
  • I do not understand your scenario. If the other application is going to send you an authentication token, why do you need to add client certificates? – pedrofb Mar 18 '19 at 09:20
  • Authentication token must be encrypted using some secret key and that key must be present in my application so that I would decrypt the same, the certificate is another option which can be used for client verification. – Deepak Mar 18 '19 at 15:23
  • SAML and OIDC do not need a cookie --- so no hassle with 'cookie spec' – Bernhard Thalmayr Mar 18 '19 at 15:53
  • The first decision you have to make is whether you want to rely on a (internet) standards based technology or a proprietary one. – Bernhard Thalmayr Mar 18 '19 at 15:54
  • I've decided that I will go for certificate with public key encryption technique. https://stackoverflow.com/questions/55255036/how-to-create-a-self-signed-certificate-in-dotnet – Deepak Mar 20 '19 at 06:56
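As an added example (not from the question or its comments), here is the signed login-token hand-off that the comments converge on, implemented in Python with a shared HMAC secret so it runs on the standard library alone; the secret, audience and user IDs are constructed sample values. The receiver checks signature, audience, lifetime and a one-time `jti` nonce, which is what stops a captured token from being replayed; in the asymmetric variant the client signs with its private key and only the two sign/verify lines change.

```python
import base64, hashlib, hmac, json, secrets, time

# Shared secret agreed out of band between the client app and ours (constructed sample value).
SHARED_SECRET = b"constructed-demo-secret-rotate-me"
EXPECTED_AUDIENCE = "my-app"   # constructed: the name our application expects in "aud"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, secret=SHARED_SECRET, now=None, ttl=60):
    """Client side: build a short-lived, single-use, signed login token."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "aud": EXPECTED_AUDIENCE, "iat": now, "exp": now + ttl,
              "jti": secrets.token_urlsafe(16)}   # jti = random nonce so the receiver can reject replays
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

class TokenVerifier:
    """Our side: verify signature, audience and lifetime, and reject a jti seen before."""
    def __init__(self, secret=SHARED_SECRET, audience=EXPECTED_AUDIENCE, skew=30):
        self.secret, self.audience, self.skew = secret, audience, skew
        self.seen = {}   # jti -> exp; in production a shared store with the same TTL

    def verify(self, token, now=None):
        now = int(time.time() if now is None else now)
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:
            raise ValueError("malformed token")
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time compare, before trusting any claim
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims.get("aud") != self.audience:
            raise ValueError("token issued for another application")
        if not (claims.get("iat", 0) - self.skew <= now < claims.get("exp", 0)):
            raise ValueError("token expired or not yet valid")
        self.seen = {j: e for j, e in self.seen.items() if e > now}   # forget nonces of expired tokens
        if claims.get("jti") in self.seen:
            raise ValueError("replayed token")
        self.seen[claims["jti"]] = claims["exp"]
        return claims
```

With a shared secret, our application could itself mint tokens that pass `verify`, so it cannot prove to a third party which side issued one; if that matters, the client should sign with a private key (RSA/ECDSA) and we verify with its certificate's public key.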

0 Answers