Question

Max Toedtemeier (FrenchyMaxwell)
Computershare

Posted: 20 Nov 2019 14:02 EST
Last activity: 20 Nov 2019 14:02 EST
Closed

Passing credentials to Pega Authentication via formdata instead of querystring.

We currently use a redirect via one of our other applications to log in to Pega via SSO using login credentials in querystring. For example:
https://companypega.net/prweb/SSOServlet/<sessionhash>/!STANDARD?UserId=12345&UserName=Bob+User&Email=Bob.User@company.com&From=SSOApp&SenderTime=20191001043429&Env=QA&pw=<pwhash>

This was brought up as a security finding during one of our recent audits. We are researching how to move the data from querystring to formdata.

Has anyone attempted this? My tests have shown that Pega does accept formdata parameters but doesn't seem to map them to anything on the clipboard on temporary pages. I am trying to find any other spot where this might be stored.

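An added example, not part of the original post and not Pega code: the sending application's side of the change the question describes, where the redirect URL is replaced by an auto-submitting form so the same parameters travel in the POST body instead of the query string. The host name, placeholder values and function names are assumptions, and it does not cover how the receiving Pega authentication reads posted fields, which is the open question in the post.

```python
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed sample in the shape of the URL in the post; the host, session
# segment and values are placeholders, not real data.
SAMPLE_URL = (
    "https://pega.example.invalid/prweb/SSOServlet/SESSION_PLACEHOLDER/!STANDARD"
    "?UserId=12345&UserName=Bob+User&Email=Bob.User%40example.invalid"
    "&From=SSOApp&SenderTime=20191001043429&Env=QA&pw=PWHASH_PLACEHOLDER"
)

# Headers for the hand-off page, so the page holding the values is not
# cached and the follow-on request carries no Referer.
HANDOFF_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",
    "Referrer-Policy": "no-referrer",
}


def split_sso_url(url):
    """Return (action URL without query string, [(name, value), ...])."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("SSO hand-off must use https")
    fields = parse_qsl(parts.query, keep_blank_values=True)
    action = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return action, fields


def build_post_handoff(url):
    """Build an auto-submitting form that POSTs the former query parameters."""
    action, fields = split_sso_url(url)
    # Escape every name and value: they end up inside HTML attributes.
    inputs = "\n".join(
        '    <input type="hidden" name="{}" value="{}">'.format(
            html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields
    )
    return (
        '<!doctype html>\n<html><body onload="document.forms[0].submit()">\n'
        '  <form method="post" action="{}">\n{}\n'
        '    <noscript><button type="submit">Continue</button></noscript>\n'
        '  </form>\n</body></html>\n'
    ).format(html.escape(action, quote=True), inputs)
```

With this hand-off the values no longer appear in the request line, so they stay out of web server access logs, browser history and Referer headers; they are still visible to the browser, so the signed or hashed parameters must remain unforgeable on their own.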