Artifacts: "Only as Strong as the Weakest Link": On the Security of Brokered Single Sign-On on the Web

User Collection Public

1 Item

Last Updated: 2024-10-02

Single Sign-On (SSO) is an authentication process that allows users to access multiple services with a single set of login credentials. Although SSO improves the user
experience, it poses challenges to developers to implement complex authentication protocols securely. External services, called brokers, simplify the integration of SSO.

In this paper, we shed light on the emerging brokered SSO ecosystem, focusing on the security of the newly introduced actor, the broker. We systematically evaluate the landscape of brokered SSO, uncovering significant blind spots in previous research. Our study reveals that 25% of the websites with SSO integrate brokers for authentication, an area that has not been covered by any previous research.

Through our comprehensive security evaluation, we identify three categories of threats associated with brokered SSO: (1) insufficient validation of redirect chains enabling injection attacks, (2) unauthorized data access enabling account takeovers, and (3) violations of security best current practices.

We expose vulnerabilities in over 50 brokers, compromising the security of more than 2k websites. These findings represent only a lower bound of a critical situation, underscoring the urgent need for improved security measures and protocols to safeguard the integrity of brokered SSO systems.

Collection Details

Total items: 1
Size: unknown
Resource type: Dataset

Works In Collection (1)

1. Identity Broker Analysis

Description:: Single Sign-On (SSO) is an authentication process that allows users to access multiple services with a single set of login credentials. Although SSO improves the user experience, it poses challenges to developers to implement complex authentication protocols securely. External services, called brokers, simplify the integration of SSO. In this paper, we shed light on the emerging brokered SSO ecosystem, focusing on the security of the newly introduced actor, the broker. We systematically evaluate the landscape of brokered SSO, uncovering significant blind spots in previous research. Our study reveals that 25% of the websites with SSO integrate brokers for authentication, an area that has not been covered by any previous research. Through our comprehensive security evaluation, we identify three categories of threats associated with brokered SSO: (1) insufficient validation of redirect chains enabling injection attacks, (2) unauthorized data access enabling account takeovers, and (3) violations of security best current practices. We expose vulnerabilities in over 50 brokers, compromising the security of more than 2k websites. These findings represent only a lower bound of a critical situation, underscoring the urgent need for improved security measures and protocols to safeguard the integrity of brokered SSO systems.
Keyword:: Single Sign-On and Identity Broker
Subject:: IT Security, Single Sign-On, Authorization and Authentication, and Identity Brokers
Depositor:: Louis Jannett
Owner:: Publication Manager
Publisher:
Language:: English
Date Uploaded:: 2024-10-02
Date Modified:: 2024-10-08
License:: MIT License
Resource Type:: Dataset