I initially highlighted this shortcoming in #1943110: Need to address interoperability for SSO with other atlassian tools (Crowd Console, Confluence, etc.), but have not been able to follow up on it much. The issue is that the module currently does not pay any attention to "validation factors" when authenticating a user, and only checks that the user's SSO token is active in Crowd. In some respects this could be considered a good thing, as it reduces a common failure point (validation can be tricky for situations that involve proxies, etc.), but I figure it's still worth getting this documented for security purposes.

When a user comes into the site with an SSO token _crowd_process_sso() kicks in which checks to see if just the token itself is active (via crowd_rest_client::crowd_is_logged_in()), and if it is active, it continues to fetch the user's details in Crowd (via crowd_rest_client::user_get()) and then processes a local login. Currently crowd_rest_client::crowd_is_logged_in() does not do any true "validation" on the token, meaning the user's IP address is not tested, etc.

At some point, adding proper validation should be considered as a feature addition... even if it's just a configurable one (such that we can still run the current process for simple applications that don't require IP validation, etc.).

Comments

rjacobs

Status: Active » Postponed

To address this we would probably need to add a new REST service method (something like crowd_rest_client::crowd_validate_user()) that uses a POST /session/{token} request to Crowd (see: https://developer.atlassian.com/display/CROWDDEV/Crowd+REST+Resources) and calculates/posts the needed validation factors.

This is not an urgent requirement for our case, so I'm personally not sure if/when I'd be able to look into this. If anyone else wants to investigate this a bit, that would certainly be appreciated as well.

rjacobs

Title: Support validation factors (specifically IP address) during authentication. » Check validation factors (specifically IP address) during authentication.

Tweak title.

  • Commit 5ebecf6 on 7.x-2.x by rjacobs:
    Issue #1986258 by rjacobs: Check validation factors during SSO...
rjacobs

Issue summary: View changes
Status: Postponed » Fixed

I went ahead with a commit on this, following the basic plan I outlined in #1.

Instead of using a method that only checks if a token is active (crowd_service::crowd_is_logged_in()), we now have a method that tests if the token is both active and valid for the current user/IP (crowd_service::validate_session()). This new method has simply been swapped-in everywhere the old method was used, though I've kept the old method in the interface just in case someone out there was also calling it programmatically.

Given that this new behavior is a bit more "restrictive", I thought about making it configurable such that a Drupal admin can decide which method to use for starting SSO-triggered sessions. However, my current thought is that the new behavior (fully validate a session) should really be the native behavior of our integration. It should really be up to the Crowd server to decide how strict to be about the validation, not each app. In this regard, if someone wants to ensure that IP validation is not part of the SSO authentication process, they can configure the Crowd server to ignore the IP validation factor (even though Drupal will now be sending this validation factor all the time).
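The plan sketched in comment #1 (POST /session/{token} carrying validation factors) and the validate_session() behaviour described in the commit comment above, written out as an added illustration. This is not the crowd module's own code and not the committed validate_session(); it assumes Drupal 7 (drupal_http_request(), ip_address(), drupal_json_encode()/drupal_json_decode(), watchdog()) and the Crowd usermanagement REST resource POST /rest/usermanagement/1/session/{token} authenticated with the application name and password. The function names prefixed example_, the base URL, application name and password are placeholders.

```php
<?php
/**
 * Added example (not the crowd module's code): validate a Crowd SSO token
 * together with the remote_address validation factor, instead of only
 * asking whether the token is active.
 *
 * Assumes Drupal 7 and the Crowd REST usermanagement API:
 *   POST {base}/rest/usermanagement/1/session/{token}
 * with a JSON body of validation factors. Crowd answers 200 with the session
 * only when the token is active AND every supplied factor matches what was
 * recorded when the session was created; otherwise a non-200 status.
 */

/**
 * Builds the JSON body Crowd expects for session validation.
 *
 * @param string $remote_address
 *   The client IP as Drupal sees it. ip_address() honours the
 *   reverse_proxy / reverse_proxy_addresses settings, so behind a trusted
 *   proxy it yields the real client IP rather than the proxy's address,
 *   which is exactly the case where IP validation usually breaks.
 *
 * @return string
 *   JSON-encoded validation factors.
 */
function example_crowd_validation_factors($remote_address) {
  return drupal_json_encode(array(
    'validationFactors' => array(
      array('name' => 'remote_address', 'value' => $remote_address),
    ),
  ));
}

/**
 * Validates a Crowd SSO token for the current request's client.
 *
 * @param string $base_url
 *   Crowd base URL, e.g. https://crowd.example.invalid/crowd (placeholder).
 * @param string $app_name
 *   Application name registered in Crowd (placeholder).
 * @param string $app_password
 *   Application password registered in Crowd (placeholder).
 * @param string $token
 *   The SSO token taken from the Crowd cookie.
 *
 * @return array|false
 *   The decoded session object on success; FALSE when the token is inactive,
 *   the validation factors do not match, or the request failed.
 */
function example_crowd_validate_session($base_url, $app_name, $app_password, $token) {
  // The token is part of the path, so keep it URL-safe.
  $url = rtrim($base_url, '/') . '/rest/usermanagement/1/session/' . rawurlencode($token);

  $response = drupal_http_request($url, array(
    'method' => 'POST',
    'headers' => array(
      'Content-Type' => 'application/json',
      'Accept' => 'application/json',
      'Authorization' => 'Basic ' . base64_encode($app_name . ':' . $app_password),
    ),
    'data' => example_crowd_validation_factors(ip_address()),
    'timeout' => 5,
  ));

  // Transport errors are treated the same as a failed validation: the code
  // never falls back to the weaker "is the token active" check on error.
  if (!isset($response->code) || (int) $response->code !== 200) {
    watchdog('crowd', 'Crowd session validation failed (HTTP @code): @error', array(
      '@code' => isset($response->code) ? $response->code : 'n/a',
      '@error' => isset($response->error) ? $response->error : '',
    ), WATCHDOG_WARNING);
    return FALSE;
  }

  $session = drupal_json_decode($response->data);
  return is_array($session) ? $session : FALSE;
}

/**
 * Sketch of where this sits in the SSO flow: only a validated session leads
 * to fetching the user and starting a local login.
 */
function example_crowd_process_sso($base_url, $app_name, $app_password, $token) {
  $session = example_crowd_validate_session($base_url, $app_name, $app_password, $token);
  if ($session === FALSE) {
    return FALSE;
  }
  // A real implementation would now call the user lookup (the module's
  // user_get()) and log the Drupal user in; omitted here.
  return $session;
}
```

Two points follow from the comment above. First, because the client always sends remote_address, a deployment that cannot make the IP stable (a pool of egress proxies, mobile clients) should disable the remote_address validation factor on the Crowd server side rather than weaken the client, which keeps the decision in one place for every application. Second, the value sent must be the IP Drupal derives after reverse-proxy handling; if Drupal is not told about its proxy, every request validates against the proxy's address and the check silently degrades to "does the proxy match", which is the proxy pitfall the issue summary alludes to.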

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.