SoK: Single Sign-On Security — An Evaluation of OpenID Connect

Mainka, Christian; Mladenov, Vladislav; Schwenk, Jörg; Wich, Tobias

doi:10.1109/eurosp.2017.32

Cited by 42 publications

(30 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is an authentication mechanism [42], which allows users to access different systems through a single identification instance. In other words, single sign-on (SSO) is a concept to delegate the authentication of an end-user on a service provider (SP) to a third party, the so-called identity provider (IdP) [43]. e behavior proposed by single sign-on is shown in Figure 4.…”

Section: Knowledge Domainmentioning

confidence: 99%

Towards the Construction of a User Unique Authentication Mechanism on LMS Platforms through Model-Driven Engineering (MDE)

Cubides

Gaona-García

Salcedo-Salgado

2019

Scientific Programming

View full text Add to dashboard Cite

In LOD, authentication is a key factor in the security dimension of linked data quality models. is is the case of (a) LMS that manages open educational resources (OERs), in training process, and (b) LMS integrated platforms, which also require authenticating users. Authentication tackles a range of problems such as users forgetting passwords and time consumption in repetitive logins in different applications. In the context of linked OERs that are developed in LMS, it is necessary to design guidelines in order to carry out the authentication process. is process authorizes access to different linked resources platforms. erefore, to provide abstraction methods for this authentication process, it is proposed to work with model-driven architecture (MDA) approach. is paper proposes a security abstraction model on LMS, based on MDA. e proposed metamodel seeks to provide a set of guidelines on how to carry out unified authentication, establishing a common dialogue among stakeholders. Conclusion and future work are proposed in order to generate authentication instances that allow access to resources managed in different platforms.

show abstract

Section: Knowledge Domainmentioning

confidence: 99%

Towards the Construction of a User Unique Authentication Mechanism on LMS Platforms through Model-Driven Engineering (MDE)

Cubides

Gaona-García

Salcedo-Salgado

2019

Scientific Programming

View full text Add to dashboard Cite

show abstract

“…IdP Mix-Up Attacks. In two previously reported attacks [23], [38], the aim was to confuse the RP about the identity of the IdP. In both attacks, the user was tricked into using an honest IdP to authenticate to an honest RP, while the RP is made to believe that the user authenticated to the attacker.…”

Section: A Attacks Mitigations and Guidelinesmentioning

confidence: 99%

“…In OAuth, this configuration data is fixed and assumed to be "correct", greatly limiting the options of the attacker. See, for example, the variant [38] of the IdP Mix-up attack that only works in OIDC (mentioned in Section III-A). Different set of modes: Compared to OAuth, OIDC introduces the hybrid mode, but does not use the resource owner password credentials mode and the client credentials mode.…”

Section: E Comparison To Oauth 20mentioning

confidence: 99%

“…None of these works establish security guarantees for the OIDC standard: In [36], the authors find implementation errors in deployments of Google Sign-In (which, as mentioned before, is based on OIDC). In [38], the authors describe a variant of the IdP Mix-Up attack (see Section III), highlight the possibility of SSRF attacks at RPs, and show some implementation-specific flaws.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Fett

Küsters

Schmitz

2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Abstract-Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.

show abstract

“…Thus the risks were mitigated by GIAC Enterprise. OpenId Connect an OAuth based SSO [4] was tested with wellknown SSO protocol attacks and its vulnerability was fixed using a better RFC draft. Thus it was proved that even though Open Id had proper countermeasures to most attacks it still needed a bridge between implementation and specification that is done by PrOfESSOS.…”

Section: Literature Reviewmentioning

confidence: 99%

Implementation of OpenIdconnect and OAuth 2.0 to create SSO for educational institutes

Sujanani¹,

Vinod²

2018

IJET

View full text Add to dashboard Cite

Increase in the number of users is directly proportional to the need of verifying them. This means that any user using any website or application has to be authenticated first; this leads to the creation of multiple credentials of one user. Now if these different websites or applications are connected or belong to one single organization like a college or school, a lot of redundancy of data is there. Along with this, each user has to remember a wide range of credentials for different applications/websites. So in this paper, we address the issue of redundancy and user related problems by introducing SSO using OpenId Connect in educational institutes. We aim to mark the difference between the traditional system and proposed login by testing it on a group of users.

show abstract

SoK: Single Sign-On Security — An Evaluation of OpenID Connect

Cited by 42 publications

References 13 publications

Towards the Construction of a User Unique Authentication Mechanism on LMS Platforms through Model-Driven Engineering (MDE)

Towards the Construction of a User Unique Authentication Mechanism on LMS Platforms through Model-Driven Engineering (MDE)

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Implementation of OpenIdconnect and OAuth 2.0 to create SSO for educational institutes

Contact Info

Product

Resources

About