The vouch-for token
To achieve cross-domain single signon, some user identity information must be transmitted between servers. This sensitive information is handled using a redirect that includes the identity information encrypted as part of the URL. This encrypted data is called a vouch-for token.
- The token contains the vouch-for success or failure status, the user's identity (if successful), the fully qualified name of the server that created the token, the e-community identity, and a creation time value.
- The holder of a valid vouch-for token can use this token to establish a session (and set of credentials) with a server without explicitly authenticating to that server.
- The token is encrypted using a shared triple-DES secret key so that its authenticity can be verified.
- Encrypted token information is not stored on the browser.
- The token is passed only once. The receiving server uses this information to build user credentials in its own cache. The server uses these credentials for future requests by that user during the same session.
- The token has a lifetime (timeout) value that is set in the WebSEAL configuration file. This value can be very short (seconds) to reduce the risk of a replay attack.
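The following Python is an added example of how a receiving server can apply the checks listed above (authenticity, lifetime, single use, success status); it is not WebSEAL code. It assumes an HMAC-SHA256 seal in place of the page's shared triple-DES key, a constructed shared secret, and invented field names.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret; stands in for the e-community shared key on the page.
SHARED_KEY = b"constructed-shared-secret-not-from-the-page"
TOKEN_LIFETIME_SECONDS = 30  # short lifetime, as the page recommends, to limit replay

def create_vouch_for_token(status, user_id, server_fqdn, ecommunity, now, key=SHARED_KEY):
    """Build a token carrying the fields the page lists and seal it with an HMAC.
    HMAC-SHA256 is an assumption of this example, not the page's triple-DES scheme."""
    payload = {
        "status": status,
        "user": user_id if status == "success" else None,
        "server": server_fqdn,          # fully qualified name of the issuing server
        "ecommunity": ecommunity,       # e-community identity
        "created": int(now),            # creation time (seconds since epoch)
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

class VouchForVerifier:
    """Receiving-server side: verifies a token once, then relies on its own credential cache."""
    def __init__(self, key=SHARED_KEY, lifetime=TOKEN_LIFETIME_SECONDS):
        self.key, self.lifetime = key, lifetime
        self.redeemed = set()  # tags already used; enforces "the token is passed only once"

    def verify(self, token, now):
        """Return (payload, reason); payload is None unless reason is 'ok'."""
        try:
            body, tag = token.split(".")
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # authenticity check first
            return None, "bad seal"
        payload = json.loads(base64.urlsafe_b64decode(body))
        age = now - payload["created"]
        if age < 0 or age > self.lifetime:           # outside the configured lifetime
            return None, "expired"
        if tag in self.redeemed:                      # already used to build a session
            return None, "replay"
        if payload["status"] != "success":            # vouch-for failure carried in the token
            return None, "vouch-for failed"
        self.redeemed.add(tag)
        return payload, "ok"
```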