SSO for webserver
Hi Kewin
I discovered that I was able to open a new window in the same browser and thereby bypass the initial APM logon when I was logged on. Please be aware that this hasn't anything to do with what the user Essouktani has been writing in my thread here - even though they may be caused by the same problem.
When they log on to the APM SSO form and are logged on, they are able to open another window in the same browser and then - if they know the URL - they can enter this and get to the logon screen of the webserver's application, which has been hidden by the SSO form. Thereby they can log on with an arbitrary user of their choice.
The SSO form is defined as SSO form Client initiated, where I make use of some forms sent by the webserver, and this looks as if it works well. The authentication mechanism used here is a simple form which is authenticated against an MS SQL Server's users: the user fills in username and password in a simple form, which is then authenticated against the SQL server's users.
I intercept this in the APM module and do an LDAP authentication against the DC in the domain instead, and afterwards use the username and password to do this authentication against the webserver for the user.
The idea here was that we would keep the application as it is (based on a 10 year old framework) and create an SSO form which would also give us the possibility to do token authentication against a RADIUS server instead. But if I cannot guarantee that the users are locked to the initial session created by the APM module, the concept has failed.
What can I do?
best regards /ti
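The gap described in the post is that the backend's own logon form stays reachable by URL from an APM-authenticated session. The following is an added example (not the poster's configuration and not F5 product code) that models the gate a reverse proxy would need in front of such a legacy form: the hidden logon endpoint is forwarded only for the proxy's own one-time SSO credential replay, and every other request to it from a session is denied and logged. The path, the session fields and the `sso_replay` marker are assumptions.

```python
"""Gate a legacy backend logon form behind an APM-style SSO session (added example).

Models the rule the post is missing: once APM has authenticated the user (LDAP against
the DC) and replayed the credentials into the backend form, no request from that session
may reach the backend logon form again, whatever window or URL the user uses.
"""
from dataclasses import dataclass
from typing import List, Optional

BACKEND_LOGIN_PATH = "/app/login.aspx"  # assumed path of the hidden legacy logon form
AUDIT: List[str] = []                   # constructed in-memory audit log for detection


@dataclass
class ApmSession:
    session_id: str
    ldap_user: str            # identity APM established against the domain controller
    sso_pending: bool = True  # True until the proxy has replayed the credentials once


@dataclass
class Request:
    method: str
    path: str
    session: Optional[ApmSession]
    sso_replay: bool = False  # assumed marker set only by the proxy's own SSO POST


@dataclass
class Decision:
    action: str  # "forward", "deny" or "redirect_to_apm"
    reason: str


def gate(req: Request) -> Decision:
    """Decide whether a request may be forwarded to the backend."""
    if req.session is None:
        return Decision("redirect_to_apm", "no APM session; authenticate at APM first")
    if req.path.lower() != BACKEND_LOGIN_PATH.lower():
        return Decision("forward", "ordinary application request")
    # Only the proxy's single credential replay may hit the backend logon form.
    if req.sso_replay and req.session.sso_pending and req.method == "POST":
        req.session.sso_pending = False
        return Decision("forward", f"SSO replay for {req.session.ldap_user}")
    # Anything else is a user reaching the hidden form directly: deny and record it.
    AUDIT.append(f"DENY session={req.session.session_id} user={req.session.ldap_user} "
                 f"{req.method} {req.path}")
    return Decision("deny", "direct access to backend logon form blocked")
```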