Identity Federation and SSO
Pitfalls to avoid during the development of a Web/Cloud application

Why should authentication and access control not be handled by Web applications themselves?

When developing a Web application, any design error in authentication handling may allow the authentication
mechanism to be bypassed.

Recently, a well-known Web application was found to have a security flaw. The application was secured by robust two-factor
authentication. Unfortunately, this strong authentication could be bypassed through the web APIs exposed to its mobile apps.

New design patterns allow Web and mobile applications to be developed seamlessly, using web APIs that expose the same features to both worlds. Authentication and access control must be correctly adapted and managed for every channel, and no security shortcut must be possible on any of them.

  • You need to keep track of every security-related modification
  • You have to develop new services quickly while ensuring the security of the whole application
  • As your application evolves, you need to integrate new authentication means

Only highly skilled developers can work within all these constraints, and even they may introduce weaknesses.

A Web Access Manager integrates dynamic authentication management and dynamic authorization management while protecting and hiding the protected Web application's resources. The security level of web access then depends on a single component: the WAM. Web applications are protected without security shortcuts, even as new services are developed and deployed.
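The two points above (web APIs shared by browser and mobile clients, and a single component deciding web access) can be illustrated with a small central enforcement point. The following Python is an added example written for this page, not Evidian's code or the WAM's API: the route names, resource identifiers, session values and the "password" / "mfa" authentication levels are all constructed for the illustration. Its one idea is that the required authentication level is attached to the backend resource, and the same `enforce()` function is applied whichever channel the request came through, so a mobile API route cannot reach a resource with weaker authentication than the browser route to that same resource.

```python
"""Central enforcement of the authentication level across channels.

Added illustration (not Evidian's or any product's code): one policy
enforcement point that applies the same authentication requirement to a
backend resource whether it is reached through the browser UI or through the
web API used by mobile apps. Names, paths and levels are constructed.
"""
from dataclasses import dataclass

# Ordered authentication strength: a session that only presented a password
# ranks below one that also completed a second factor.
AUTH_LEVELS = {"anonymous": 0, "password": 1, "mfa": 2}

# Policy is keyed by the backend resource, never by the URL a client used,
# so every channel inherits the same requirement for the same action.
RESOURCE_POLICY = {
    "account:read": "password",
    "account:transfer": "mfa",
    "account:change-email": "mfa",
}

# Channel-specific routes (constructed) that resolve to shared resources.
ROUTES = {
    ("web", "/account"): "account:read",
    ("web", "/account/transfer"): "account:transfer",
    ("mobile", "/api/v1/account"): "account:read",
    ("mobile", "/api/v1/transfer"): "account:transfer",
}


@dataclass(frozen=True)
class Session:
    user: str
    auth_level: str  # one of the keys of AUTH_LEVELS


class AccessDenied(Exception):
    pass


def resolve_resource(channel: str, path: str) -> str:
    """Map a (channel, path) pair to a backend resource; unknown routes are denied."""
    try:
        return ROUTES[(channel, path)]
    except KeyError:
        raise AccessDenied(f"unknown route {channel} {path}") from None


def enforce(session: Session, resource: str) -> bool:
    """The single enforcement point: the session's achieved level must reach
    the level the resource requires. A resource with no policy is denied."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        raise AccessDenied(f"no policy defined for {resource}")
    if AUTH_LEVELS[session.auth_level] < AUTH_LEVELS[required]:
        raise AccessDenied(
            f"{resource} requires {required}, session only has {session.auth_level}"
        )
    return True


def handle_request(channel: str, path: str, session: Session) -> str:
    """Every channel goes through resolve_resource() and enforce(); no
    handler gets to decide on its own whether authentication was strong enough."""
    resource = resolve_resource(channel, path)
    enforce(session, resource)
    return f"OK {session.user} -> {resource}"


def is_allowed(channel: str, path: str, session: Session) -> bool:
    try:
        handle_request(channel, path, session)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    password_only = Session("alice", "password")
    with_mfa = Session("alice", "mfa")
    for channel, path in ROUTES:
        for s in (password_only, with_mfa):
            print(channel, path, s.auth_level, is_allowed(channel, path, s))
```

Run as a script, the loop shows that the transfer action is refused for a password-only session on both the browser route and the mobile API route, and accepted only once the session carries the "mfa" level; the read action is allowed on both channels with either session. The design choice to check is that `RESOURCE_POLICY` and `enforce()` live in one place: adding a new mobile route only adds an entry to `ROUTES`, and it automatically picks up the policy of the resource it maps to.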

Discover Evidian WAM


White Paper - Web Access Authentication for Apps