Specify if the server should enforce HTTPS. This option is enabled by default and recommended.

In some cases, you may need your SSO server to be served insecurely over HTTP, for example when it sits behind Cloudflare or your own reverse proxy and you have no choice but to use the flexible connection type. In that situation, you may consider switching to HTTP to suit your requirements, at your own risk.

Security Configuration

Enable or disable CORS (Cross-Origin Resource Sharing) on API calls.

Don't enable this unless you are sure of what you are doing. It may allow SSOfy APIs to be called from web browsers.

Enabling CORS on Web allows the SSO server to accept requests from other domains, which can be useful in certain scenarios, such as embedding the SSO in an iframe (not recommended).

SSOfy uses the "Sign and Verify" technique to secure communications between the API client and the server and to ensure that each request originated from the authorized source.

Requests to the SSOfy server must contain the Signature attribute in the request headers.

However, there are situations in which you may need to disable signature verification, particularly for testing and debugging purposes.

Make sure to reactivate the verification once you've finished your testing.

Choose the engine that will be used to deliver the captcha security challenge. SSOfy supports both the popular reCAPTCHA and hCaptcha.

Additionally, SSOfy offers a self-rendered captcha engine dubbed Simple captcha, which generates a classic illustration of a combination of numbers and letters. Some people may find this more clear and familiar for their application.

To increase security, you can restrict the allowed referrer domains to those provided in the list, which blocks access and redirections coming from unknown domains.

Assume your SSO server is at sso.example.com and you regularly initiate login operations from example.com. website.x impersonates your login button and refers users to sso.example.com. The process should be blocked here since the referrer (website.x) is not trustworthy.
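The scenario above can be expressed as an allowlist check on the `Referer` header. The following is an added example, not SSOfy's own code: the function names, the `allow_subdomains` option, and the choice to reject a missing or unparseable referrer are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist, using the domains from the scenario above.
ALLOWED_REFERRERS = {"example.com", "sso.example.com"}


def referrer_host(referer_header):
    """Return the normalized host of a Referer value, or None if unusable."""
    if not referer_header:
        return None
    try:
        parts = urlsplit(referer_header.strip())
        host = parts.hostname  # excludes userinfo and port, already lowercased
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")  # "example.com." and "example.com" are the same host


def is_allowed_referrer(referer_header, allowed=ALLOWED_REFERRERS,
                        allow_subdomains=False):
    """Compare the parsed host with the allowlist; never substring-match the URL."""
    host = referrer_host(referer_header)
    if host is None:
        return False  # assumption: no usable referrer is treated as untrusted
    for domain in allowed:
        if host == domain:
            return True
        # The leading dot keeps "notexample.com" from matching "example.com".
        if allow_subdomains and host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample Referer values, including look-alike URLs.
    samples = [
        "https://example.com/pricing",
        "https://website.x/fake-login",
        "https://example.com.website.x/",
        "https://example.com@website.x/",
        "https://website.x/?next=https://example.com/",
    ]
    for value in samples:
        print(value, "->", "allow" if is_allowed_referrer(value) else "block")
```

Browsers can omit the `Referer` header depending on the referring page's Referrer-Policy, so a strict check like this one also blocks those requests.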

SSOfy is by Cubelet Ltd.
Copyright © 2024 Cubelet Ltd. All rights reserved.