A Survey of Security Analysis in Federated Identity Management

  • Sean Simpson
  • Thomas Groß
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 498)


We conduct a systematic survey of security analysis in Federated Identity Management (FIM). We use a categorisation system based on the Malicious and Accidental Fault Tolerance framework (MAFTIA) to categorise security incidents in FIM. Once the incidents are categorised, we can paint a picture of the landscape of problems that have been studied in FIM. We outline the security incidents occurring across FIM protocols and present the solutions to them that others have proposed.


Keywords: FIM, Survey, Dependability, MAFTIA, Microsoft Passport, OAuth, OpenID, Facebook Connect, SAML, Liberty Alliance



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. Newcastle University, Newcastle upon Tyne, UK
