SDK exception handling in function SSODecodeToken

Document ID : KB000009139
Last Modified Date : 14/02/2018

A custom agent that decodes the SMSESSION cookie with SSODecodeToken, catches the exceptions raised for the different failure events, and then feeds those distinct events back to the client can leak information about the SMSESSION cookie.

Agent API decoding SMSESSION cookie using SSODecodeToken

Two problems:

- Client code can be secured by not passing back information on the different failure codes (use less specific messages).

- The SSO SDK bug in exception handling must be fixed.

The Agent SDK exception handling fix will be addressed in bug DE333103.
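The client-side part of the fix is the pattern below: an added example, not code from CA or from the Agent SDK. It uses a constructed stand-in for SSODecodeToken (a toy "user|expiry|mac" token, made-up exception classes and a made-up agent key) so it runs offline; the real SDK's names differ. The first handler returns a different message for each decode failure, which lets a caller tell a malformed cookie from a bad signature from a merely expired one; the hardened handler returns one status and one message for every failure and keeps the specific reason in the server-side log under a correlation id.

```python
"""Added example: generic client-facing errors for SMSESSION decode failures.
The decoder, exception classes, key and tokens are constructed for
illustration and are not the CA SSO Agent SDK API."""
import hashlib
import hmac
import logging
import uuid

log = logging.getLogger("sso.decode")

# Constructed exception hierarchy standing in for the SDK's failure events.
class TokenMalformed(Exception):
    pass

class TokenSignatureInvalid(Exception):
    pass

class TokenExpired(Exception):
    pass

# Constructed key; a real agent key is provisioned by the policy server.
_KEY = b"example-agent-key"


def _mac(user: str, expiry: int) -> str:
    return hmac.new(_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()


def make_token(user: str, expiry: int) -> str:
    """Constructed token format: 'user|expiry|hexmac'."""
    return f"{user}|{expiry}|{_mac(user, expiry)}"


def decode_token(token: str, now: int) -> dict:
    """Stand-in for SSODecodeToken: raises a distinct exception per failure."""
    parts = token.split("|")
    if len(parts) != 3:
        raise TokenMalformed(f"expected 3 fields, got {len(parts)}")
    user, expiry, mac = parts
    if not hmac.compare_digest(mac, _mac(user, int(expiry))):
        raise TokenSignatureInvalid("MAC mismatch")
    if int(expiry) < now:
        raise TokenExpired(f"expired at {expiry}")
    return {"user": user, "expiry": int(expiry)}


def leaky_handler(token: str, now: int) -> tuple:
    """BEFORE: each failure maps to its own message, so the response itself
    reveals which check the cookie failed."""
    try:
        session = decode_token(token, now)
    except TokenMalformed as e:
        return 400, f"malformed SMSESSION: {e}"
    except TokenSignatureInvalid as e:
        return 401, f"bad signature: {e}"
    except TokenExpired as e:
        return 401, f"session expired: {e}"
    return 200, f"hello {session['user']}"


GENERIC_FAILURE = "authentication failed"


def hardened_handler(token: str, now: int) -> tuple:
    """AFTER: one status and one message for every failure; the specific
    reason goes only to the server-side log, keyed by a correlation id."""
    try:
        session = decode_token(token, now)
    except (TokenMalformed, TokenSignatureInvalid, TokenExpired) as e:
        ref = uuid.uuid4().hex[:8]
        log.warning("decode failure ref=%s type=%s detail=%s",
                    ref, type(e).__name__, e)
        return 401, GENERIC_FAILURE
    return 200, f"hello {session['user']}"


if __name__ == "__main__":
    good = make_token("alice", 2000)
    tampered = good.replace("alice|", "bob|", 1)   # valid MAC for the wrong user
    for t in (good, "garbage", tampered, make_token("alice", 500)):
        print(leaky_handler(t, 1000), hardened_handler(t, 1000))
```

A valid cookie still succeeds through either handler; only the failure path changes. The log line carries the class of the exception so an operator can still distinguish decode errors from expired sessions when investigating a report, without that distinction being visible to the caller.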
Additional Information:

Additional steps that can be taken to enhance security even more:

- Use 'dynamic agent keys' to rotate the keys. Switching to 'dynamic agent keys' is seamless: there is no need for users to re-authenticate or for CA SSO to re-encrypt any data.

- Switch to FIPS mode (employs the AES cipher with a 128-bit key and HMAC-SHA256).