|Professional Services||Second Signal||Presentations||Andrew's Blog||Support|
As I get ready to release NCT Simple Signon into the wild, I have some concern over allowing a sample agent to come with it that will log on virtually anyone under virtually any name if they know the syntax of the command.
Normally, you'd use this product as part of a planned security schema, and data passed to the signon agent would be encrypted and validated.
In fact, a full implementation of just such a schema is provided, along with a standards based encryption algorithm and an instruction document meant to be given to the owners of whatever site will be passing you user information.
For testing and demo purposes, however, it can be useful to have a "wide open" simple version to see how it works. If you leave it open, however, you're leaving your server wide open.
The best compromise I could come up with, is to create the agent but disable it in the code itself. Anyone who wants to enable it could simply comment out the one line and be running, but to do that they'd need high enough level access on the server to save agents which run with unrestricted access. Presumably, that means they're an administrator level person and able to make this decision. Here's what the warning looks like -- you tell me if you think its enough.
Please wait while your document is saved.