Layer7 Access Management

Expand all | Collapse all

Current best practice for CA SSO - Angular SPAs

Jump to Best Answer
  • 1.  Current best practice for CA SSO - Angular SPAs

    Posted 05-25-2017 12:30 PM

    What is the current best practice for securing script (Like AngularJS) based applications with CA SSO? We have multiple Angular applications that need to be integrated with CA SSO, that make API calls on behalf of the user. Session cookies (set to HTTPONLY) do not seem to be a good fit for these technologies. What tools in the SSO toolbag work best in these situations?

     

    Thanks,

     

    Josh Coffman



  • 2.  Re: Current best practice for CA SSO - Angular SPAs
    Best Answer

    Posted 05-26-2017 11:43 PM

    You may already understand the difference between a typical request/response application versus SPAs.  If not this was a great reference for me - AngularJS Security: defend your Single Page Application 

     

    CA SSO 12.7 now supports OpenID Connect which allows the creation, passing and revoking of an access token (JWT).

     

    Angular-JWT is an interceptor similar as mod_auth_openidc that could be used. 

    I created a runbook for using mod_auth_openidc with CA SSO that may be of interest - CA SSO OpenID Connect Provider - Agentless SSO 

     

    Another approach would be to look at CA API Gateway (formerly Layer7) which secures REST services and is tightly integrated with CA SSO.  This is what we typically see customers doing.

     

    I have personal interest in protecting SPAs with CA SSO so I can certainly post further detail as I get further into my adventure.

     

    HTH



  • 3.  Re: Current best practice for CA SSO - Angular SPAs

    Posted 05-29-2017 06:52 PM

    In addition to what Jack posted there are several other things to keep in mind.

     

    If the cookie already exists in the browser, even if it is HTTPOnly it is still sent on requests within the same cookie domain. So while you may not be able to specifically access it, your API request will contain the cookie if it was already in the browser.

     

    Enhanced settings around dealing with web clients have been introduced that give you a range of options in dealing with those API calls and can be found here.

     

    There is also an excellent blog here that discusses some of the strategies we are using for customers with SPAs. You can find it here.