Hi all,
I have a doubt about a Single Sign-On environment.
What: consider I have 3 applications in Single Sign-On: a.ca.com, b.ca.com and c.ca.com.
So when user A logs in to a.ca.com, he is authenticated and authorized for the application, and he gets the a.ca.com cookie along with a's application session and the SM session.
OK, so now A tries to access b.ca.com, and he has the a.ca.com cookie and the SM session, which is valid (assuming). So the flow will be like this: the web agent will check whether the resource is protected or not, and if it is protected, as the user has a valid session, he will be given the green flag, so he is authenticated and authorized because he has a valid session.
So my doubt is: what if another malicious user somehow grabs A's session and .ca.com cookie from his client machine and uses that for logging into c.ca.com and steals his important data?
How will the policy server decide whether it is user A or some other user?
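As an added illustration of the question above (this is not SiteMinder's code; the cookie format, the `fp` binding field and the function names are assumptions for a simplified model), a policy-server-style check that accepts a valid signed session cookie but flags the same cookie when it is presented from a different client:

```python
# Added example: a simplified model of an SSO policy server that issues a
# signed session cookie shared across *.ca.com and checks it on every request.
# NOT SiteMinder code; cookie layout, field names and key are assumptions.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # constructed value; real deployments use a managed key


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def _fingerprint(client_ip: str, user_agent: str) -> str:
    # Client attributes the server can observe; bound into the cookie at issue time.
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def issue_session(user: str, client_ip: str, user_agent: str, ttl: int = 3600, now=None) -> str:
    """Issue an SMSESSION-like cookie of the form base64(payload).hmac.
    The payload carries the user, an expiry and a client fingerprint."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "exp": now + ttl,
                          "fp": _fingerprint(client_ip, user_agent)}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_session(cookie: str, client_ip: str, user_agent: str, now=None):
    """Return (ok, reason, user). A plain signature-and-expiry check would accept
    a copied cookie; the fingerprint comparison is what separates the cases."""
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return False, "malformed", None
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad_signature", None
    data = json.loads(payload)
    if now > data["exp"]:
        return False, "expired", None
    if not hmac.compare_digest(_fingerprint(client_ip, user_agent), data["fp"]):
        # Genuine, unexpired cookie from a different client: deny and log for SOC review.
        return False, "client_mismatch", data["user"]
    return True, "ok", data["user"]
```

Binding to the source IP misfires behind NAT, proxies and mobile networks, so in practice it is paired with short session lifetimes and re-authentication for sensitive actions rather than used alone.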