Identity information sent between federated partners or a partner and an application is best protected when communication takes place over a secure connection.
Securing the Connection Between the Relying Party and the Target Application
Secure the transmission of data from the relying party to the target application at the client site. Using a secure connection as the communication channel makes your environment less vulnerable to security attacks.
For example, an assertion can contain attributes that the relying party extracts and sends to the client application. The relying party can pass these attributes to the application using HTTP header variables or cookies. Attributes stored in headers or cookies can be overwritten at the client side, allowing a malicious user to impersonate other users. Using an SSL connection protects an environment from this type of security breach.
As a best practice, protect against this vulnerability by setting the UseSecureCookies parameter in the appropriate Agent Configuration Object (ACO). The UseSecureCookies parameter instructs Federation Web Services to generate cookies marked with the "secure" flag. This flag indicates that the cookie is sent only over an SSL communication channel.
Note: The ACO to modify differs depending on the setup of your federation environment. If you deploy Federation Web Services on the same system as the Web Agent is installed, edit the ACO for the Web Agent. If you deploy Federation Web Services on a different system than the Web Agent, edit the unique ACO you created for Federation Web Services.
Securing the Initial Authentication at the SOA Security Manager Asserting Party
The initial authentication of a user at a SOA Security Manager asserting party presents a potential vulnerability. When a user first authenticates to establish a user session at the asserting party, a session ID cookie is written to the browser. If the cookie is sent over a non-SSL connection, an attacker can obtain the cookie and steal sensitive user information. The attacker can then use the information for impersonation or identity theft.
As a best practice, protect against this vulnerability by setting the Web Agent parameter UseSecureCookies, which you can modify in the Agent Configuration Object. The UseSecureCookies parameter instructs the Web Agent to generate cookies marked with the "secure" flag. This flag indicates that the browser passes the cookie only over an SSL connection, which increases security. In general, establishing SSL connections for all URLs is recommended.
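Both of the preceding sections come down to one verifiable property: every cookie that Federation Web Services or the Web Agent issues must carry the Secure attribute, so the browser never sends it over plain HTTP. The following Python script is an added example, not code from CA or from the SOA Security Manager documentation; it parses raw Set-Cookie header values (as captured from a test response or a debugging proxy) and reports cookies that lack the Secure flag, and, as a secondary check, the HttpOnly flag. The cookie names in the sample data are constructed placeholders and do not correspond to product cookie names.

```python
"""Audit captured Set-Cookie headers for the Secure (and HttpOnly) attributes.

Added example, not part of the SOA Security Manager documentation.
Input is a list of raw Set-Cookie header values; output is the list of
cookies that would be sent over a non-SSL connection.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    attributes: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value.

    Attribute names are matched case-insensitively, which is how browsers
    treat them; empty segments (e.g. a trailing ';') are ignored.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = [p for p in parts[1:] if p]
    lowered = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return CookieAudit(
        name=name,
        secure="secure" in lowered,
        httponly="httponly" in lowered,
        attributes=attrs,
    )


def find_insecure_cookies(headers: List[str]) -> List[str]:
    """Return the names of cookies issued without the Secure attribute."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


def audit_response(headers: List[str]) -> Dict[str, object]:
    """Summarize the audit over a captured list of Set-Cookie headers."""
    audits = [parse_set_cookie(h) for h in headers]
    return {
        "total": len(audits),
        "missing_secure": [c.name for c in audits if not c.secure],
        "missing_httponly": [c.name for c in audits if not c.httponly],
    }


# Constructed sample headers; cookie names are placeholders, not product names.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
    "ATTRCOOKIE=role%3Duser; Path=/; Domain=.example.com",
    "TRACKING=xyz; Path=/; Secure",
]

if __name__ == "__main__":
    report = audit_response(SAMPLE_HEADERS)
    for name in report["missing_secure"]:
        # A cookie without Secure means UseSecureCookies is not in effect
        # for the ACO that governs this response.
        print(f"WARNING: cookie {name!r} is not marked Secure")
    print(report)
```

Run the script against headers captured from the asserting party's login response and from the relying party's response to the target application: any name in missing_secure indicates that UseSecureCookies is not in effect in the ACO that governs that response.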
Copyright © 2011 CA. All rights reserved.