Changes between Version 1 and Version 2 of SecurityTeam/PassingAuthenticationDetailsAcrossDomains


Timestamp:
03/07/06 10:33:50 (13 years ago)
Author:
pjkersha
Comment:

--

  • SecurityTeam/PassingAuthenticationDetailsAcrossDomains

    v1 v2  
    1 Description 
     1== Description == 
    22For a web browser client to NDG security cookies are used to link the client to the user’s session held on a Session Manager web service.  This breaks where the user visits a site in another domain.  The other site can’t see the NDG ID cookie that was set.  This use case offers a possible solution. 
    3 Actors 
    4 •       Home Site Web Server 
    5 •       Home Site SessionMgr 
    6 •       External Site Web Server 
    7 •       External Site SessionMgr 
    8 Assumptions 
     3 
     4== Actors == 
     5 * Home Site Web Server 
     6 * Home Site !SessionMgr 
     7 * External Site Web Server 
     8 * External Site !SessionMgr 
     9 
     10== Assumptions == 
    911Home and external sites must have NDG security infrastructure in place. 
    10 Triggers 
     12 
     13== Triggers == 
    1114User accesses data from an external site other than the one where they authenticated. 
    12 Outcome 
     15 
     16== Outcome == 
    1317User’s identity is recognised by an NDG enabled site other than the one where they authenticated themselves. 
    1418Normal Course  
    1519 
    16  1.     User visits an external NDG enabled site 
    17  1.     They access restricted data 
    18  1.     The external site requires their credentials 
    19  1.     It can’t see their NDG security cookie because this was set in another domain 
    20  1.     It prompts the user for the URL of their home site login page 
    21  1.     User selects URL and is redirected there over a secure connection 
    22  1.     Once redirected to the home site URL, it is possible for the home site server side code to check for an existing NDG security cookie set there. 
    23  1.     If set, parse the cookie and redirect back credentials as URI arguments. 
    24  1.     If no cookie set, display user login. 
    25  1.     User enters their credentials and the home site web server calls the SessionMgr to create a new session. 
    26  1.     The SessionMgr returns the cookie details to the home site web server so that the latter can set the cookie. 
    27  1.     The home site forwards the cookie details back to the external site over https as URI arguments. 
    28  1.     The external site web server receives the cookie details and can use these to set a new cookie in the external sites domain. 
    29  1.     User access to the data from the external site can proceed. 
     20 1. User visits an external NDG enabled site 
     21 1. They access restricted data 
     22 1. The external site requires their credentials 
     23 1. It can’t see their NDG security cookie because this was set in another domain 
     24 1. It prompts the user for the URL of their home site login page 
     25 1. User selects URL and is redirected there over a secure connection 
     26 1. Once redirected to the home site URL, it is possible for the home site server side code to check for an existing NDG security cookie set there. 
     27 1. If set, parse the cookie and redirect back credentials as URI arguments. 
     28 1. If no cookie set, display user login. 
     29 1. User enters their credentials and the home site web server calls the !SessionMgr to create a new session. 
     30 1. The !SessionMgr returns the cookie details to the home site web server so that the latter can set the cookie. 
     31 1. The home site forwards the cookie details back to the external site over https as URI arguments. 
     32 1. The external site web server receives the cookie details and can use these to set a new cookie in the external sites domain. 
     33 1. User access to the data from the external site can proceed.
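
Review bot: "Normal Course" (v1 line 14, v2 line 18) is the only section title left as plain text while Description, Actors, Assumptions, Triggers and Outcome all became `== ... ==` headings, so it should read `== Normal Course ==`. The rewritten list also carries over "external sites domain" in v2 line 32, which should be "external site's domain". Separately, v2 lines 27 and 31 keep the wording that credentials and cookie details are returned "as URI arguments"; values placed in a URI are recorded in browser history, web server logs and Referer headers even when the transport is https, so the use case should state how those values are protected (for example by making them short-lived or single-use) or list this as an open issue.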