How to mitigate AD+SSO vulnerability?

We recently upgraded one of our Gateways to 8.1.17, and successfully re-enabled SSO for our clients, but I was wondering if there is a possibility to be “safe” while using SSO.

SSO can be enabled for the Clients and for the Designer, but the article does not talk specifically about which is vulnerable.

So here I ask.

  1. Are both vulnerable?
  2. Is one “worse” than the other?
  3. Are we “safe” if only SSO for the Designer is disabled?
  4. How can I get a detailed description in order to reproduce within my organization?

Thanks!

Sorry to hijack your thread. But I am having issues re-enabling SSO and it seems that you got it going. I have added the line to the java additional parameters and restarted the service. But I still can’t enable SSO under the AD user source config. Is there something else I need to do?

Thanks.

No worries.

If you were following the instructions from the article, one thing that can be missed is that you’d need to replace the X in wrapper.java.additional.X=-Dignition.enableInsecureAdSso=true with a number, as explained here.

E.g. ignition.conf lines 69-73:

```
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
#wrapper.java.additional.3=-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:8000
wrapper.java.additional.4=-Dignition.enableInsecureAdSso=true
```
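A small audit script for the step above, added here as an example and not part of the thread or of Inductive Automation's tooling. It parses the `wrapper.java.additional.N=` lines of an ignition.conf, reports whether the insecure AD SSO override is currently active (so it can be tracked and removed once the proper fix is in place), and flags the two mistakes discussed in the thread: leaving the literal `X` placeholder in the key and reusing an index that is already taken. The flag name comes from the thread; the sample config text is constructed from the snippet above, and the assumption that the wrapper ignores a non-numeric index and applies only one value per index is mine.

```python
"""Audit helper for the wrapper.java.additional.* lines in ignition.conf.

Added example; not the forum poster's or Inductive Automation's code.
"""
import re
from typing import Dict, List, Tuple

# The flag quoted in the thread. Everything else in this file is an assumption.
INSECURE_SSO_FLAG = "-Dignition.enableInsecureAdSso=true"

# Matches "wrapper.java.additional.<index>=<value>"; the index is captured as
# text so that a leftover "X" placeholder can be detected rather than silently dropped.
KEY_RE = re.compile(r"^wrapper\.java\.additional\.([^=]+)=(.*)$")

# Constructed sample: the snippet posted in the thread (correct form).
SAMPLE_CORRECT = """\
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
#wrapper.java.additional.3=-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:8000
wrapper.java.additional.4=-Dignition.enableInsecureAdSso=true
"""

# Constructed sample: the common mistake, the X placeholder left in place.
SAMPLE_PLACEHOLDER = """\
wrapper.java.additional.1=-Ddata.dir=data
wrapper.java.additional.X=-Dignition.enableInsecureAdSso=true
"""


def parse_additional_params(conf_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({index: value} for active lines, [warnings]).

    Lines starting with '#' are commented out and skipped, as the wrapper does.
    A non-numeric index (e.g. the literal X) is reported and assumed to be
    ignored by the wrapper; a duplicate index is reported because only one
    value per index is assumed to take effect.
    """
    params: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        index, value = m.group(1).strip(), m.group(2).strip()
        if not index.isdigit():
            warnings.append(
                f"line {lineno}: index '{index}' is not a number; the placeholder "
                "must be replaced with an unused number (line assumed ignored)"
            )
            continue
        if index in params:
            warnings.append(
                f"line {lineno}: index {index} is already used; "
                "choose an unused number so both settings apply"
            )
        params[index] = value
    return params, warnings


def insecure_sso_enabled(conf_text: str) -> bool:
    """True when the insecure AD SSO override is active in this config."""
    params, _ = parse_additional_params(conf_text)
    return any(value == INSECURE_SSO_FLAG for value in params.values())


def audit(conf_text: str) -> List[str]:
    """Human-readable findings: warnings first, then the SSO override status."""
    _, findings = parse_additional_params(conf_text)
    if insecure_sso_enabled(conf_text):
        findings.append(
            "insecure AD SSO override is ACTIVE; track it and remove it "
            "once the vulnerability is otherwise addressed"
        )
    else:
        findings.append("insecure AD SSO override is not active")
    return findings


if __name__ == "__main__":
    import sys

    # Audit a real file if given, otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {"SAMPLE_CORRECT": SAMPLE_CORRECT, "SAMPLE_PLACEHOLDER": SAMPLE_PLACEHOLDER}
    for name, text in sources.items():
        print(f"== {name}")
        for finding in audit(text):
            print("  -", finding)
```

Run it with the path to the Gateway's ignition.conf to get the findings for that file; with no argument it audits the two constructed samples, which is enough to see the difference between a correctly numbered line and the leftover placeholder.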