How to prevent security vulnerabilities in CA Single Sign On

CA Single Sign-On provides single sign-on, a property of access control across multiple related yet independent systems: a user with a single ID and password authenticates once and can seamlessly log in to every connected system.

Many organizations run a large number of web applications that support the business. Those applications must be secured so that not everyone can access them, and this is controlled by a mechanism that forces each user to log in to the application.

Cross-site scripting attacks and other security breaches can occur while launching any web application. CA Single Sign-On can prevent these attacks by using some of its out-of-the-box features.

Best practices in CA Single Sign-On to prevent security vulnerabilities:

1) CSSChecking: Set this parameter to Yes to avoid cross-site scripting attacks. When it is enabled, the characters listed in the BadCssChars parameter are blocked, and an error is thrown when any web application is launched with a URL containing these characters.
E.g.: BadCssChars: <,>,%22

2) UseHTTPOnlyCookies: When this parameter is set to Yes, the contents of the cookie cannot be read by any script. It instructs the web agent to set the HttpOnly attribute on the cookies it creates, which helps prevent sensitive information from being sent to an unauthorized user.
E.g.: UseHTTPOnlyCookies: yes

3) UseSecureCookies: Set this parameter to Yes to send the cookies to web servers only over a secure HTTPS connection. This increases security while cookies travel between web servers and browsers.
Default: No

4) UseSecureCPCookies: If this parameter is set to Yes, the cookie provider sends a cookie to an agent in another cookie domain that is also configured to use secure cookies.
Default: No

5) ValidTargetDomain: Defines the domains to which a credential collector is allowed to redirect users. The redirection is denied if the domain in the URL does not match one of the domains set in this parameter.
E.g.: ValidTargetDomain: abc.com,xyz.com

6) TransientIPCheck/PersistentIPCheck: To prevent a security breach by an unauthorized system, enable IP checking with transient or persistent cookies. When this parameter is enabled, the agent compares the IP address stored in the cookie from the last request against the IP address of the current request. If the IP addresses do not match, the agent denies the request.
• If you enable PersistentCookies, set PersistentIPCheck to yes.
• If you don’t enable PersistentCookies, set TransientIPCheck to yes.
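As an added example (not the article's or CA's own code), the following Python audit reads a local agent configuration file in Name="Value" form (the WebAgent.conf style is assumed) and reports which of the six settings above are not at their recommended values, applying the article's rule that the IP check must match the cookie type in use; the sample file is constructed, and treating subdomains as matching ValidTargetDomain is an assumption.

```python
# Recommended values from the article; a missing key is treated as "no".
EXPECTED = {
    "CSSChecking": "yes",
    "UseHTTPOnlyCookies": "yes",
    "UseSecureCookies": "yes",
    "UseSecureCPCookies": "yes",  # relevant for multi-cookie-domain deployments
}
def parse_agent_conf(text):
    """Parse Name="Value" lines; lines commented out with # are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in EXPECTED.items():
        if conf.get(key, "no").lower() != want:
            findings.append(f"{key} should be {want} (is {conf.get(key, 'unset')})")
    if not conf.get("ValidTargetDomain"):
        findings.append("ValidTargetDomain is empty: collector redirects are unrestricted")
    # The IP check must match the cookie type in use, per the article's rule.
    persistent = conf.get("PersistentCookies", "no").lower() == "yes"
    ip_key = "PersistentIPCheck" if persistent else "TransientIPCheck"
    if conf.get(ip_key, "no").lower() != "yes":
        findings.append(f"{ip_key} should be yes (PersistentCookies={'yes' if persistent else 'no'})")
    return findings

def redirect_allowed(target_host, conf):
    """ValidTargetDomain check; counting subdomains as a match is an assumption."""
    allowed = [d.strip().lower() for d in conf.get("ValidTargetDomain", "").split(",") if d.strip()]
    host = target_host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

SAMPLE_CONF = """# constructed sample, not a real deployment's file
CSSChecking="NO"
BadCssChars="<,>,%22"
UseHTTPOnlyCookies="YES"
#UseSecureCookies="YES"
PersistentCookies="NO"
TransientIPCheck="YES"
ValidTargetDomain="abc.com, xyz.com"
"""
if __name__ == "__main__": print(*audit(parse_agent_conf(SAMPLE_CONF)), sep="\n")
```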

Authored By - Umasankar Bonumaddi
TCS Cyber Security Practice
