wiki:SecurityTeam/PassingAuthenticationDetailsAcrossDomains

Version 1 (modified by pjkersha, 13 years ago)

--

Description

For a web browser client to NDG security, cookies are used to link the client to the user's session held on a Session Manager web service. This breaks when the user visits a site in another domain: the other site cannot see the NDG ID cookie that was set. This use case offers a possible solution.

Actors

  • Home Site Web Server
  • Home Site SessionMgr
  • External Site Web Server
  • External Site SessionMgr

Assumptions

Home and external sites must have NDG security infrastructure in place.

Triggers

User accesses data from an external site other than the one where they authenticated.

Outcome

User's identity is recognised by an NDG enabled site other than the one where they authenticated themselves.

Normal Course

  1. User visits an external NDG enabled site
  2. They access restricted data
  3. The external site requires their credentials
  4. It can’t see their NDG security cookie because this was set in another domain
  5. It prompts the user for the URL of their home site login page
  6. User selects URL and is redirected there over a secure connection
  7. Once redirected to the home site URL, the home site's server-side code can check for an existing NDG security cookie set in that domain.
  8. If one is set, parse the cookie and redirect back to the external site with the credentials as URI arguments.
  9. If no cookie is set, display the user login.
  10. User enters their credentials and the home site web server calls the SessionMgr to create a new session.
  11. The SessionMgr returns the cookie details to the home site web server so that the latter can set the cookie.
  12. The home site forwards the cookie details back to the external site over https as URI arguments.
  13. The external site web server receives the cookie details and can use these to set a new cookie in the external site's domain.
  14. User access to the data from the external site can proceed.
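The normal course above played out end to end, as an added example that is not NDG's own code: two functions model the external and home site web servers, a small class stands in for the SessionMgr, and `run_flow` drives the redirects. The hostnames, the cookie name and the `sessionid@host` cookie format are assumptions made for the example.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs
HOME_SITE = "home.example.org"      # constructed hostnames for this example
EXTERNAL_SITE = "data.example.com"
COOKIE_NAME = "ndg_id"              # assumed name of the NDG security cookie
class SessionMgr:
    """Stand-in for the NDG Session Manager web service, not the real service."""
    def __init__(self, users):
        self.users, self.sessions = users, {}
    def connect(self, username, password):
        """Step 10: create a session and return the cookie details (assumed format)."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return f"{sid}@{HOME_SITE}"

def external_site(cookies):
    """Steps 1-5: restricted data needs the NDG cookie; if absent, ask for the home site."""
    if COOKIE_NAME in cookies:
        return {"action": "serve_data"}
    return {"action": "prompt_home_url"}

def home_site(cookies, form, sessmgr):
    """Steps 7-12: reuse a home-domain cookie or log in, then redirect back over https."""
    cookie = cookies.get(COOKIE_NAME)
    if cookie is None:
        if form is None:
            return {"action": "show_login"}           # step 9
        cookie = sessmgr.connect(form["user"], form["password"])
    query = urlencode({COOKIE_NAME: cookie})
    return {"action": "redirect", "location": f"https://{EXTERNAL_SITE}/ndg_return?{query}"}

def external_site_return(url):
    """Step 13: read the cookie details from the URI arguments and set them in this domain."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != EXTERNAL_SITE:
        raise ValueError("cookie details must arrive over https at the external site")
    # the value now also sits in the URL, so it reaches browser history and server logs
    return {COOKIE_NAME: parse_qs(parts.query)[COOKIE_NAME][0]}

def run_flow(ext_cookies, home_cookies, form, sessmgr):
    """Drive the normal course; returns the cookie now set in the external domain, or None."""
    if external_site(ext_cookies)["action"] == "serve_data":
        return ext_cookies[COOKIE_NAME]
    step = home_site(home_cookies, form, sessmgr)   # step 6: user is sent to the home login URL
    if step["action"] == "show_login":
        return None
    new_cookies = external_site_return(step["location"])
    return new_cookies[COOKIE_NAME] if external_site(new_cookies)["action"] == "serve_data" else None
```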