SSO Implementation
Peter Schober
peter.schober at univie.ac.at
Mon Nov 5 04:20:17 EST 2012
* Raz's <gajula.rajashekhar at gmail.com> [2012-11-05 03:13]:
> Finally we have succeeded in our requirement of implementing SAML on our
> site.... now we are going to implement it on our production servers so
> kindly share your valuable suggestions to avoid security breaches /
> necessary things to do before implementing SAML on production servers.
I don't think it's possible to give a short, complete and universally
applicable answer to this. The documentation has this to offer:
https://wiki.shibboleth.net/confluence/display/SHIB2/Productionalization
Managing log files often is neglected.
Having SSL with trustworthy (for your constituency) certificates on
all endpoints should go without saying.
Have a look at
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions
as there are a few tunables regarding the session, e.g. inactivity
timeout, probably setting handlerSSL="true" and cookieProps="https".
checkAddress="true" would help but often needs to remain disabled for
reasons stated in the documentation.
Keeping the software, libraries, server, application and OS current
and patched should come as no surprise.
If in doubt ask your local CSO/CISO ;)
-peter
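An added illustration of the session tunables named above, as the `<Sessions>` element of a Shibboleth SP `shibboleth2.xml` might look before and after hardening. This is example configuration written for this page, not Peter's or the Shibboleth project's own; the timeout values, entityID and child elements are placeholders, and the attribute names are the SP's documented ones.

```xml
<!-- Excerpt of shibboleth2.xml: only <Sessions> is shown. Child elements
     (<SSO>, <Logout>, <Handler>) are elided and unchanged. -->

<!-- BEFORE: settings commonly carried over from a test deployment.
     handlerSSL="false" lets the /Shibboleth.sso/* handlers (including the
     assertion consumer) be reached over plain HTTP, and cookieProps="http"
     issues the session cookie without the Secure flag. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="false" cookieProps="http">
  <!-- children unchanged -->
</Sessions>

<!-- AFTER: handlers only over TLS, session cookie marked Secure (the SP's
     "https" preset also adds HttpOnly), and a shorter inactivity timeout.
     lifetime = absolute session lifetime in seconds (placeholder: 8 hours);
     timeout  = inactivity timeout in seconds (placeholder: 30 minutes).
     checkAddress is left "false" on purpose: binding the session to the
     client IP breaks users behind changing proxies/NAT, which is why the
     message above says it often has to stay disabled. -->
<Sessions lifetime="28800" timeout="1800" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">
  <!-- children unchanged -->
</Sessions>
```

After changing these attributes, confirm the result with a browser: the session cookie (`_shibsession_*`) should carry the Secure flag, and `http://` requests to `/Shibboleth.sso/Session` should be refused rather than served.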