After about a decade of testing people's web applications, SiteMinder has definitely emerged as the standard third-party tool for SSO.
Many years ago, it seemed like people were fairly evenly split between Siteminder and another one (I think it was called GetAccess, but the fact that I can barely remember it is probably an indication of its current popularity).
Siteminder is a good solution (and I've probably tested about ~150 web applications over the years that are using it).
It's caused my attack plan to go from "Let's see how fundamentally broken this company's home-grown SSO solution is" to "Oh good, they use Siteminder. Let's see what areas they haven't implemented it properly in."
That's an important distinction, and the bulk of issues I've found with Siteminder over the years have all been in identifying specific pages or transactions which aren't properly using the SMSESSION. I found a forehead-slapping issue recently where there was one page that wasn't properly validating the SMSESSION (it was just checking to see that it existed). That page happened to be the "reset password" page, and it was possible through a series of redirects to modify anyone's password to whatever you wanted, even if you didn't have a valid account on the system.
And that's kind of the problem, which is that even using someone else's SSO mechanism (which, again, Siteminder is as good as any one I've seen over the years), if you've screwed up the implementation for any transaction or on any page, you're still screwed.
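The reset-password failure described above boils down to two mistakes: the page only checked that an SMSESSION cookie was present rather than validating it, and it took the target account from the request instead of from the authenticated identity. The following is an added example, not code from the post or from SiteMinder; `validate_smsession` and the `VALID_SESSIONS` table are a constructed stand-in for the agent/policy-server lookup a real deployment would perform.

```python
from dataclasses import dataclass, field

# Constructed fixture standing in for the policy server: maps valid
# SMSESSION token values to the authenticated principal. Hypothetical.
VALID_SESSIONS = {"tok-alice-1": "alice"}


@dataclass
class Request:
    cookies: dict
    form: dict


@dataclass
class PasswordStore:
    passwords: dict = field(default_factory=lambda: {"alice": "old", "bob": "old"})


def weak_reset_password(req: Request, store: PasswordStore) -> str:
    """Vulnerable pattern: only checks that an SMSESSION cookie exists."""
    if "SMSESSION" not in req.cookies:
        return "denied"
    # Target account is taken straight from the form, so any value works.
    store.passwords[req.form["user"]] = req.form["new_password"]
    return "ok"


def validate_smsession(token):
    """Hypothetical validation hook: returns the principal, or None if the
    token is missing, forged or expired (a real agent asks the policy server)."""
    if token is None:
        return None
    return VALID_SESSIONS.get(token)


def safe_reset_password(req: Request, store: PasswordStore) -> str:
    """Hardened pattern: validate the token, then bind the target account
    to the validated principal rather than to anything in the request."""
    principal = validate_smsession(req.cookies.get("SMSESSION"))
    if principal is None:
        return "denied"
    store.passwords[principal] = req.form["new_password"]
    return "ok"
```

The weak handler accepts a garbage cookie and resets whichever account the form names; the hardened one rejects it, and even with a valid session it can only change the password of the session's own principal.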