2017 IEEE European Symposium on Security and Privacy (EuroS&P) 2017
DOI: 10.1109/eurosp.2017.32

SoK: Single Sign-On Security — An Evaluation of OpenID Connect

Cited by 41 publications (30 citation statements)
References 13 publications
“…It is an authentication mechanism [42], which allows users to access different systems through a single identification instance. In other words, single sign-on (SSO) is a concept to delegate the authentication of an end-user on a service provider (SP) to a third party, the so-called identity provider (IdP) [43]. The behavior proposed by single sign-on is shown in Figure 4.…”
Section: Knowledge Domain
Confidence: 99%
“…IdP Mix-Up Attacks. In two previously reported attacks [23], [38], the aim was to confuse the RP about the identity of the IdP. In both attacks, the user was tricked into using an honest IdP to authenticate to an honest RP, while the RP is made to believe that the user authenticated to the attacker.…”
Section: A. Attacks, Mitigations and Guidelines
Confidence: 99%
“…In OAuth, this configuration data is fixed and assumed to be "correct", greatly limiting the options of the attacker. See, for example, the variant [38] of the IdP Mix-up attack that only works in OIDC (mentioned in Section III-A). Different set of modes: Compared to OAuth, OIDC introduces the hybrid mode, but does not use the resource owner password credentials mode and the client credentials mode.…”
Section: E. Comparison to OAuth 2.0
Confidence: 99%
“…Thus the risks were mitigated by GIAC Enterprise. OpenID Connect, an OAuth-based SSO [4], was tested with well-known SSO protocol attacks, and its vulnerability was fixed using a better RFC draft. Thus it was proved that even though OpenID had proper countermeasures to most attacks, it still needed a bridge between implementation and specification, which is done by PrOfESSOS.…”
Section: Literature Review
Confidence: 99%