
Are there security issues around controlled cross site sharing behind SSO?

Çağlar Arlı


Very simply we have a ton of websites at our company behind SSO.

I am having a hard time figuring out what security issues there are if we open cross-site sharing between these sites, but I wanted to get a broader view. This is really a result of browser updates around cross-site sharing in iframes in Chrome and IE a few months back. With those security features disabled at the browser level (yes, we will not have users do that), iframing within our sites works fine.

Let me give you context of the specific problem:

  1. example.com - main site
  2. subdomain1.example.com - a subdomain (we have a ton)
  3. subdomain2.example.com - another sub
  4. example.login.com - SSO server we authenticate to
  5. example.cms.com - random vendor that uses our SSO

So right now, as long as the servers in 1, 2, and 3 allow cross-site sharing, iframes work... as long as your cookie/token is already active. If it is not active, then it just errors out trying to connect to example.login.com.

We are discussing changing the CORS/sharing settings on the login server, and others brought up possible security issues. I just don't see how there are issues with clickjacking or anything else when we control all of the sites ourselves. Am I missing something here? Are there security issues with sharing between controlled tenants? Let me know if I need to provide any more info.