https://connect.hyland.com/t5/alfresco-archive/alfresco-4-1-external-sso-security/m-p/268824#M221954 <HTML><HEAD></HEAD><BODY><SPAN>I'm hoping someone here has an answer for me, I'm working on enabling the external authentication subsystem and had some questions about security.</SPAN><BR /><BR /><SPAN>It seems that once the system is enabled, all Alfresco needs for SSO is a header. If that Alfresco was outward facing, anyone with malicious intent, could simply insert add the Remote-User header with the value admin and have at the repository. Is there a way to ensure that the header was included from my authenticating app and not otherwise injected?</SPAN><BR /><BR /><SPAN>If not, would my next step be to write a custom authentication subsystem?</SPAN><BR /><BR /><SPAN>Thanks in advance.</SPAN></BODY></HTML> Fri, 18 Jan 2013 17:34:00 GMT mstein 2013-01-18T17:34:00Z https://connect.hyland.com/t5/alfresco-archive/alfresco-4-1-external-sso-security/m-p/268824#M221954 I'm hoping someone here has an answer for me, I'm working on enabling the external authentication subsystem and had some questions about security.It seems that once the system is enabled, all Alfresco needs for SSO is a header. If that Alfresco was outward facing, anyone with malicious intent, could Fri, 18 Jan 2013 17:34:00 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-4-1-external-sso-security/m-p/268824#M221954 mstein 2013-01-18T17:34:00Z https://connect.hyland.com/t5/alfresco-archive/alfresco-4-1-external-sso-security/m-p/268825#M221955 <HTML><HEAD></HEAD><BODY><SPAN>You need to make sure there is protection for your authentication tokens.&nbsp;&nbsp; So alfresco should probably be behind a firewall that rips off any malicious tokens.</SPAN></BODY></HTML> Fri, 18 Jan 2013 18:30:27 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-4-1-external-sso-security/m-p/268825#M221955 mrogers 2013-01-18T18:30:27Z