I’d like to know if it is possible to have a secure single sign-on across two webservices of which 1 is more secure than the other. To be more specific, less secure would be vbulletin forum and the more secure one a webservice, where real money is earned, withdrawn etc. For the sake of convenience for the users I would like to implement a secure single sign-on, but looking at the vbulletin’s security track record, especially xss vulnerabilities, even sql injection, then I’m not sure if sso will be a viable option if it would degrades security of the more secure service.
Share
It may be permissible to use a high-assurance credential to authenticate to a low-assurance system provided that long-term shared authentication secrets are not revealed to the low-assurance system (see, e.g., NIST Special Publication 800-63, Level-2 and above). This generally requires an assertion (e.g., SAML) from the Credential Service Provider to the Relying Party. The CSP, which is trusted, accepts the credential and asserts its authenticity, and possibly other attributes associated with the Subscriber, to the relying party (the application), which is not trusted. Since secret tokens associated with the credential (e.g., a password) are never sent to the relying party, a breach in that service would not provide an attacker with useful knowledge to attack the high-assurance system. There are a number of industry standards, such as OpenID and OATH, for credential federation in this manner.