When using Crowd for single sign-on (SSO), you can specify that the 'secure' flag is set on the SSO cookie. This will enforce a secured connection, such as SSL, for all SSO requests.
To specify the secure flag on the SSO cookie:
- Log in to the Crowd Administration Console.
- Click the 'Administration' tab in the top navigation bar.
- The 'General Options' screen will appear. Tick or untick the 'Secure SSO Cookie' checkbox as required:
  - Ticked — The 'secure' attribute will be included on the SSO cookie. A secured connection, such as SSL or TLS, is required for all SSO requests. Unsecured connections will be refused.
  - Not ticked — This is the default. The 'secure' attribute will not be included on the SSO cookie. This means that the SSO cookie may be transmitted over an unsecured connection.
- Click the 'Update' button.
Screenshot: Secure SSO Cookie in Crowd General Options
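
To confirm the checkbox took effect, inspect the `Set-Cookie` headers returned after an SSO login and check that the SSO cookie carries the `Secure` attribute. The following is an added example, not part of the original page or of Crowd itself; the cookie name `crowd.token_key` is an assumption and the sample headers are constructed.

```python
# Assumption: "crowd.token_key" is taken as the SSO cookie name; pass the
# name your deployment actually uses if it differs.
SSO_COOKIE = "crowd.token_key"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # attribute names are case-insensitive
    return name, value, attrs


def audit_sso_cookie(set_cookie_headers, cookie_name=SSO_COOKIE):
    """Return 'secure', 'insecure' or 'absent' for the named cookie.

    If the cookie is set more than once, one copy without Secure makes the
    result 'insecure', because that copy may be sent over plain HTTP.
    """
    seen = False
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        if "secure" not in attrs:
            return "insecure"
    return "secure" if seen else "absent"


# Constructed sample headers, not captured from a real server.
TICKED = [
    "JSESSIONID=ABC123; Path=/crowd; HttpOnly",
    "crowd.token_key=tok-demo; Path=/; Secure; HttpOnly",
]
NOT_TICKED = [
    # The cookie value "secure" must not be mistaken for the attribute.
    "crowd.token_key=secure; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("ticked", TICKED), ("not ticked", NOT_TICKED)):
        print(label, "->", audit_sso_cookie(headers))
```

Feed it the `Set-Cookie` values from a login response against your own Crowd instance; a result of `insecure` means the SSO cookie can still be sent over an unsecured connection.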