Q: An SSO token is a master key to get access to multiple systems/applications with a "single" login. Therefore, it is very important to protect the master key from theft, spoofing, or forgery. What are the typical methods to protect an SSO token from various threats?

A Invalidate the SSO token on server-side for subsequent use after the user logs off from any of the SSO-enabled applications/systems, that is, after Single Sign-Off.
B Digitally sign the SSO token to protect against man-in-the- middle manipulations, and encrypt the token with a time-variant encryption key/algorithm. Exchange the token over SSL.
C If the SSO token is being exchanged using an HTTP cookie, set the "HttpOnly" attribute of the cookie to prevent cookie access via client-side Javascript.
D All the above options

Answer: D

Explanation:

Correct option:
All the above options

Explanation:
To protect an SSO token from theft, spoofing, or forgery, multiple methods are typically employed:

Invalidate the SSO token on server-side after logout: This ensures that the token cannot be used for subsequent authentication once the user logs off, preventing unauthorized access.
Digitally sign and encrypt the token: Digital signing helps protect the token against man-in-the-middle (MITM) attacks by ensuring its integrity, while encryption adds an additional layer of protection, especially by using time-variant encryption that changes over time.
Set the "HttpOnly" attribute for cookies: This prevents client-side JavaScript from accessing the token stored in cookies, reducing the risk of cross-site scripting (XSS) attacks.

All of these methods collectively help ensure the security of the SSO token.

‹ Previous Next ›

Write your comment