Question

2
Replies
187
Views
Chunzhi_Hong Member since 2013 137 posts
PEGA
Posted: 5 years ago
Last activity: 5 years 3 months ago
Closed
Solved

How does PRPC prevent spoofing attack ?

With the PegaAcademy online course: Lead System Architect (7.1) > Security > Authenticating using SSO >

There are two lessons describing how to write an SSO authentication activity, however these lessons don't explain how PRPC prevent spoofing attack.

It sounds like anyone, who knows the "URL" returned by external access control system, could login to PRPC application.

Below is the excerpt from the online course.

How to Write a Single Sign-On Authentication Activity

In addition to establishing an operator, authentication activities can also do the following:

  • Verify a token passed through from an access control system used for single sign-on. Specifically, with respect to SSO, the credential information must be passed from the external system to PRPC. This is done either through the query string portion of the URL or with custom HTTP headers..

How to Setup Single Sign-On Token Security

Let’s explain token generation and verification, and then revisit our token security authentication activity.

The token is generated in the external access control system, and then verified in PRPC.

The external system takes a password, one that is also known to PRPC, and combines it with a query string and the timestamp, to make a single string.

A hash is generated from this string; this hash represents the token.

The external system passes the token, the query string, and sender time to PRPC using either the URL or custom headers, as discussed earlier.

PRPC then checks the Sender Time and ensures that the request is recent. If not, the verification fails. If it is considered recent, PRPC then continues and generates its own copy of the token, forming it.

The same way as the external application.

The Query String, the sender time, and its own copy of the password are combined, to create a single string.

A hash is generated from this, thus creating the token.

If the tokens match, the verification passes.

A PRPC “Application ID” instance plays a critical role in this process.

For clarity, Application ID instances are not the same as “Application” rules, which control the ruleset stack and other settings for the PRPC application you are developing.

“Application ID” data instances are specifically used for token verification. They store the password that is used, as well as the lag time, in seconds, that is considered acceptable for evaluating whether a request is considered recent.

Let’s look at an example URL that is generated by the external website to show how these values are passed to PRPC.

http://localhost:8080/prweb/SSOServlet?UserId=singlesignon%40samples.com&UserName=SSO+User&Email=singlesignon%40samples.com&DeptNumber=4321&From=SSOSampleAppID&pyActivity=&SenderTime=20141008022516&pw=5df2ff78d656114085c96f1a0bd2271d

The “From” parameter indicates the Application ID instance, “SenderTime” is the time that the token was created, and “pw” represents the token. Do not be confused by the fact that this parameter is called “pw”. It is not the password; it is the token, which, as discussed earlier, includes the password.

***Updated by moderator: Lochan to close post***
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

Security
Moderation Team has archived post
Share this page LinkedIn