SSO should be more secure

Avatar
  • updated
  • Completed
The SSO mechanism works great -- but it's horribly insecure if the user is on a public WiFi.  It looks like I can set it to HTTPS but the user has to ignore the SSL cert error.

I also think the token should only work once. Or at least that could be an option.  I guess I could accomplish this with a very short expiration date but expiring after user would provide a little more security.

Pinned replies
Avatar
Sergey Stukov co-founder
  • Answer
  • Completed
Please tell us is this feature is critical to start UE evaluation for your company?

1) We able to add option like (expires after first use)
2) Also we consider about making special link for SSL-secured SSO authorization
with following workflow 

and then we will auth and redirect user to your private forum
that placed under http://
Avatar
Sergey Stukov co-founder
  • PINNED
Hello Michael,

We add HTTPS support


Some examples:


For link to your forum:

http://fynydd.userecho.com/forum/4894-general/


You must provide following link:

https://userecho.com/forum/4894-general/?sso_token=your_token


Try and don't hesitate to contact us


PS: Our widget also support SSO + HTTPS now

Avatar
Sergey Stukov co-founder
  • Answer
  • Completed
Please tell us is this feature is critical to start UE evaluation for your company?

1) We able to add option like (expires after first use)
2) Also we consider about making special link for SSL-secured SSO authorization
with following workflow 

and then we will auth and redirect user to your private forum
that placed under http://
Avatar
Sergey Stukov co-founder
  • PINNED
Hello Michael,

We add HTTPS support


Some examples:


For link to your forum:

http://fynydd.userecho.com/forum/4894-general/


You must provide following link:

https://userecho.com/forum/4894-general/?sso_token=your_token


Try and don't hesitate to contact us


PS: Our widget also support SSO + HTTPS now

Avatar
Sergey Stukov co-founder
We planned to add this options, will report here as it's will be ready
Avatar
ronmichael
Sergey, having one of those options available is critical for me.  Option #2 sounds best.  If it was available within the next 30 days or so I'd be able to recommend UserEcho as a solution for my client.

Option #1 would still be "nice to have" but not critical if option #2 was available.