The outbound authentication module provides a method called setRedirectUrl() that allows you to redirect to a third party application. You can also pass parameters with the setUrlParameters() method. This performs an HTTP GET request and puts the parameters in the URL in full view. For example:
www.thirdpartyserver.com/application?userid=bob&role=student&section=Biology101
There are privacy concerns with sending sensitive information in full view, not to mention the security concern that students can modify the request. While the security concern can be addressed with a shared secret and a message authentication code, this does not cover the privacy concern.
One common "best practice" to solve this problem involves a two-step redirect. First, the outbound authentication module makes a secure (SSL) web service call to the third party server, passing the sensitive information. This web service call returns a unique request Id (i.e. a hash code) which can be passed in the HTTP GET redirect in full view without disclosing any sensitive data. For example:
www.thirdpartyserver.com/application?requestId=C5603726587076652AE95C6E281733B5
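Both approaches described above, written out as an added example (not code from the WebCT module or the article): a MAC-signed one-step redirect that only stops tampering, beside a two-step redirect in which the third party's web service hands back an opaque requestId. The endpoint name is taken from the article; the shared secret, the launch parameters and the ThirdPartyRegistry class standing in for the third party's web service are constructed for the example.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlencode, parse_qsl, urlsplit

BASE = "https://www.thirdpartyserver.com/application"  # endpoint named in the article
SHARED_SECRET = b"constructed-demo-secret"  # constructed; real value provisioned out of band
LAUNCH = {"userid": "bob", "role": "student", "section": "Biology101"}  # constructed launch data


def signed_redirect_url(params, secret=SHARED_SECRET):
    """One-step redirect with a MAC: parameters stay readable but cannot be altered."""
    canonical = urlencode(sorted(params.items()))  # fixed order so both sides MAC the same bytes
    mac = hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()
    return f"{BASE}?{canonical}&mac={mac}"


def verify_signed_url(url, secret=SHARED_SECRET):
    """Third party side: recompute the MAC over every parameter except 'mac' itself."""
    query = dict(parse_qsl(urlsplit(url).query))
    presented = query.pop("mac", "")
    expected = hmac.new(secret, urlencode(sorted(query.items())).encode(), hashlib.sha256).hexdigest()
    return query if hmac.compare_digest(presented, expected) else None


class ThirdPartyRegistry:
    """Constructed stand-in for the third party's web service in the two-step redirect."""

    def __init__(self, ttl_seconds=60):
        self._pending = {}
        self.ttl = ttl_seconds

    def register(self, params, now=None):
        """Step 1 (server to server over TLS): store the data, return an opaque request id."""
        now = time.time() if now is None else now
        request_id = secrets.token_hex(16)  # random, so the id itself reveals nothing
        self._pending[request_id] = (dict(params), now + self.ttl)
        return request_id

    def resolve(self, request_id, now=None):
        """Step 2: the browser arrives with requestId; release the data once, then forget it."""
        now = time.time() if now is None else now
        params, expires = self._pending.pop(request_id, (None, 0))
        return params if params is not None and now <= expires else None


def two_step_redirect_url(registry, params):
    """Only the opaque id appears in the URL the student can see and edit."""
    return f"{BASE}?{urlencode({'requestId': registry.register(params)})}"
```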
If a two-step redirect is not possible, other integrations simply obfuscate the passed parameters so that they are not human readable in the URL.
This article was originally authored by Scott Stanley on the WebCT DevNet.