

Secure a Federated Environment


Protecting Federated Communication

Several mechanisms help secure transactions between federated partners, such as encrypting assertions and using SSL connections between partner sites.

When setting up a federated environment with CA SiteMinder® Federation Standalone, the following recommendations help protect your environment:

- Enforce the one-time use of an assertion.
- Secure connections across the federated environment, both between the relying party and the target application and for the initial authentication at the asserting party.
- Protect the federated network against cross-site scripting.

These topics are described in the sections that follow.

Enforcing the One Time Use of an Assertion

Reusing an assertion beyond its validity results in authentication decisions based on out-of-date identity information. To prevent reuse, CA SiteMinder® Federation Standalone can generate an assertion intended for one-time use, in compliance with the SAML 1.x and 2.0 specifications. The assertion contains elements that tell the relying party not to retain the assertion for future transactions, preventing problems associated with reusing an assertion.

If CA SiteMinder® Federation Standalone is acting as the asserting party (Producer/IdP), you can configure the one-time use of an assertion. For a SAML 1.x producer, select the Set DoNotCache Condition setting. For a SAML 2.0 IdP, select the Set OneTimeUse Condition setting. Both settings cause CA SiteMinder® Federation Standalone to insert into the assertion the elements that indicate the one-time use condition.

Note: Do not confuse the one-time use of an assertion with the single use policy for SAML 1.x and 2.0 HTTP-POST single sign-on. CA SiteMinder® Federation Standalone applies the single use policy when acting as the relying party, and only for POST transactions. The one-time use feature applies to both HTTP-Artifact and HTTP-POST.
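The following is an added example, not code from CA SiteMinder® Federation Standalone, showing what the one-time use condition looks like inside an assertion and how a relying party honours it. It detects the SAML 2.0 OneTimeUse element and the SAML 1.x DoNotCacheCondition element (the elements the Set OneTimeUse Condition and Set DoNotCache Condition settings cause the producer to emit), checks the NotBefore/NotOnOrAfter window, and refuses to retain or replay an assertion marked for one-time use. The assertion XML, IDs and issuer names are constructed for the example; the class and function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assertion namespaces defined by the SAML 1.x and SAML 2.0 specifications.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _conditions(root):
    """Return the <Conditions> element of a SAML 1.x or 2.0 assertion, or None."""
    for ns in (SAML2_NS, SAML1_NS):
        cond = root.find(f".//{{{ns}}}Conditions")
        if cond is not None:
            return cond
    return None


def one_time_use_requested(assertion_xml):
    """True if the asserting party marked the assertion for one-time use.

    SAML 2.0 signals this with <saml:OneTimeUse/> inside <saml:Conditions>;
    SAML 1.x uses <saml:DoNotCacheCondition/> in the same place.
    (Parse untrusted XML with defusedxml rather than xml.etree in production.)
    """
    cond = _conditions(ET.fromstring(assertion_xml))
    if cond is None:
        return False
    return (cond.find(f"{{{SAML2_NS}}}OneTimeUse") is not None
            or cond.find(f"{{{SAML1_NS}}}DoNotCacheCondition") is not None)


def _parse_time(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T00:00:00Z into an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def within_validity(root, now):
    """Check the NotBefore / NotOnOrAfter window on <Conditions>, if present."""
    cond = _conditions(root)
    if cond is None:
        return True
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not_before is not None and now < not_before:
        return False
    if not_on_or_after is not None and now >= not_on_or_after:
        return False
    return True


class RelyingPartyAssertionStore:
    """Hypothetical relying-party bookkeeping that honours the one-time-use condition.

    accept() returns (accepted, retained): whether the assertion is accepted for
    this transaction and whether it is kept for reuse within its validity window.
    """

    def __init__(self):
        self.reusable = {}       # assertion ID -> (xml, expiry), reusable until expiry
        self.consumed_once = {}  # assertion ID -> expiry, one-time assertions already used

    def accept(self, assertion_xml, now):
        root = ET.fromstring(assertion_xml)
        assertion_id = root.get("ID") or root.get("AssertionID")  # SAML 2.0 vs 1.x attribute
        if not within_validity(root, now):
            return (False, False)
        cond = _conditions(root)
        expiry = _parse_time(cond.get("NotOnOrAfter")) if cond is not None else None
        if one_time_use_requested(assertion_xml):
            if assertion_id in self.consumed_once:
                return (False, False)  # a one-time-use assertion presented a second time
            self.consumed_once[assertion_id] = expiry
            return (True, False)      # accepted, but never retained for later reuse
        self.reusable[assertion_id] = (assertion_xml, expiry)
        return (True, True)


# Constructed sample assertions (not real traffic); issuer and IDs are made up.
SAML2_ONE_TIME = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
    '<saml:OneTimeUse/></saml:Conditions></saml:Assertion>'
)
SAML2_REUSABLE = SAML2_ONE_TIME.replace('ID="_example-1"', 'ID="_example-2"').replace(
    "<saml:OneTimeUse/>", "")
SAML1_DO_NOT_CACHE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_example-3" MajorVersion="1" MinorVersion="1" '
    'Issuer="idp.example.test" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Conditions><saml:DoNotCacheCondition/></saml:Conditions></saml:Assertion>'
)

if __name__ == "__main__":
    store = RelyingPartyAssertionStore()
    now = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    print("one-time, first use: ", store.accept(SAML2_ONE_TIME, now))
    print("one-time, replayed:  ", store.accept(SAML2_ONE_TIME, now))
    print("reusable:            ", store.accept(SAML2_REUSABLE, now))
    print("SAML 1.x DoNotCache: ", store.accept(SAML1_DO_NOT_CACHE, now))
```

The point of the store is the split between "accepted" and "retained": a one-time-use assertion still authenticates the current transaction, but the relying party neither caches it nor accepts it again, whereas an assertion without the condition may be reused until NotOnOrAfter.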

Securing Connections Across the Federated Environment

Identity information sent between federated partners or a partner and an application is best protected when communication takes place over a secure connection.

Securing the Connection Between the Relying Party and the Target Application

It is important to secure data transmission from the relying party to the target application at the client site. Using a secure connection as the communication channel makes your environment less vulnerable to security attacks.

For example, an assertion can contain attributes that the relying party extracts and sends to the client application. The relying party can pass these attributes to the application using HTTP header variables or cookies. Attributes stored in headers or cookies can be overwritten at the client side, allowing a malicious user to impersonate other users. Using an SSL connection protects an environment from this type of security breach.

Protect against this vulnerability by setting the Enable Secure Cookies check box in the Deployment Settings of the Administrative UI. The Enable Secure Cookies setting instructs CA SiteMinder® Federation Standalone to generate cookies marked with the "secure" flag. This flag indicates that CA SiteMinder® Federation Standalone sends the cookie only over an SSL communication channel.

Securing the Initial Authentication at the CA SiteMinder® Federation Standalone Asserting Party

The initial authentication of a user at a CA SiteMinder® Federation Standalone asserting party presents a potential vulnerability. When a user first authenticates to establish a user session at the asserting party, a session ID cookie is written to the browser. If the cookie is sent over a non-SSL connection, an attacker can obtain the cookie and steal sensitive user information for impersonation or identity theft.

Protect against this vulnerability by setting the Enable Secure Cookies check box in the Deployment Settings of the Administrative UI. The Enable Secure Cookies setting instructs CA SiteMinder® Federation Standalone to generate cookies marked with the "secure" flag. This flag indicates that the browser passes the cookie only over an SSL connection, which increases security. In general, establishing SSL connections for all URLs is recommended.
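Both of the preceding sections rely on the same control, the Enable Secure Cookies setting, so one added example (not CA SiteMinder® Federation Standalone code) serves both: it audits the Set-Cookie headers of a response and reports any cookie that lacks the "secure" flag, and shows what the corrected header looks like. The cookie names and values are constructed for the example and the function names are hypothetical; the parsing uses Python's standard http.cookies module.

```python
from http.cookies import SimpleCookie


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (cookie name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies a response sets without the Secure flag.

    A browser sends such cookies over plain HTTP as well as SSL, which is the
    exposure the Enable Secure Cookies setting is meant to remove.
    """
    return [name for name, morsel in map(parse_set_cookie, set_cookie_headers)
            if not morsel["secure"]]


def add_secure_flag(header_value):
    """Rewrite a Set-Cookie value so the cookie carries the Secure flag."""
    _, morsel = parse_set_cookie(header_value)
    morsel["secure"] = True
    return morsel.OutputString()


# Constructed response headers (names and values are made up): the first cookie
# is what a deployment emits before the setting is enabled, the second after.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "FEDTRACE=xyz789; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("cookies without Secure:", cookies_missing_secure(SAMPLE_HEADERS))
    print("corrected header:      ", add_secure_flag(SAMPLE_HEADERS[0]))
```

Running the audit against a real deployment's responses is the quick way to confirm that the setting took effect on every cookie, not only the session cookie; the flag only helps when the site itself is served over SSL, since the browser will never send a Secure cookie on a plain HTTP request.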

Protecting a Federated Network Against Cross-Site Scripting

A Cross-Site Scripting (XSS) attack can occur when an application displays input text from a browser (typically, data from a POST or from query parameters on a URL) without filtering for characters that can form an executable script when displayed at the browser. Displaying these characters can lead to an unwanted script being executed in the browser.

CA SiteMinder® Federation Standalone provides several JSPs for use with federation functionality. These JSPs check characters in a request to be sure that unsafe information in the output stream is not displayed in the browser.

When CA SiteMinder® Federation Standalone receives a request, these JSPs scan the decoded values for cross-site scripting characters. The pages scan the request for the following characters:

Character   Description
<           left angle bracket
>           right angle bracket
'           single quotation mark
"           double quotation mark
%           percent sign
;           semi-colon
(           open (left) parenthesis
)           closed (right) parenthesis
&           ampersand
+           plus sign

Each CA SiteMinder® Federation Standalone-provided JSP contains a variable that defines the characters to scan. Modify these JSPs to expand the character set.
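The following is an added example, not one of the product's JSPs, that implements the same kind of check in Python: a single variable defines the character set (the table above), each request parameter is URL-decoded before it is scanned, and unsafe characters in a value destined for the output stream are replaced with numeric HTML entities. It also shows why scanning must happen on decoded values and how the set is extended, as the text says the JSPs allow. The query strings and parameter names are constructed; the function names are hypothetical.

```python
from urllib.parse import parse_qsl
import html

# One variable defines the characters to scan, mirroring the table above.
# Extend it (for example with the backtick) by passing a wider set to the scanners.
UNSAFE_CHARS = frozenset("<>'\"%;()&+")


def find_unsafe_chars(value, unsafe=UNSAFE_CHARS):
    """Return the sorted list of unsafe characters present in an already decoded value."""
    return sorted(set(value) & set(unsafe))


def scan_request(query_string, unsafe=UNSAFE_CHARS):
    """Decode each query parameter and report which ones contain unsafe characters.

    parse_qsl performs the URL decoding (%3C -> <, + -> space), so the scan sees
    the characters a browser would actually render, not their encoded forms.
    """
    findings = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        hits = find_unsafe_chars(value, unsafe)
        if hits:
            findings[name] = hits
    return findings


def escape_unsafe(value, unsafe=UNSAFE_CHARS):
    """Replace every unsafe character with a numeric entity so it renders as text.

    Used for values that must be echoed into a page; html.escape alone does not
    cover the full set the table lists (it leaves %, ;, (, ), + untouched).
    """
    return "".join(f"&#{ord(ch)};" if ch in unsafe else ch for ch in value)


# Constructed query strings: one carries an encoded script tag in RelayState,
# the other is a harmless search term that decodes to plain text.
SUSPICIOUS_QUERY = "RelayState=%3Cscript%3E&target=%2Fapp"
HARMLESS_QUERY = "q=hello+world"

if __name__ == "__main__":
    print("suspicious:", scan_request(SUSPICIOUS_QUERY))
    print("harmless:  ", scan_request(HARMLESS_QUERY))
    # Scanning the raw, undecoded string would only flag the percent sign.
    print("undecoded: ", find_unsafe_chars("%3Cscript%3E"))
    print("escaped:   ", escape_unsafe("<b>"))
    # Wider character set, as the JSP variable can be extended.
    print("extended:  ", scan_request("q=a%60b", unsafe=UNSAFE_CHARS | {"`"}))
    print("html.escape only:", html.escape("a;b(c)"))
```

Two details worth noting when adapting this: the percent sign is in the default set precisely so that a value which is still encoded (or double-encoded) is also flagged, and the scan runs once per decoded parameter rather than once on the raw query string, which is what the product text means by scanning "decoded values".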