Single Sign-On Demystified: Security Considerations for Developers and Users

  • Conference paper

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 746))

Abstract

A website of an entity (an organization or enterprise) usually provides multiple services to its members. Once a user of the entity signs on for one service, she can access all services available to her. This is known as single sign-on (SSO). To implement SSO, user authentication is separated, at least logically, from the services: an identity provider (IDP) authenticates the user, and a service provider (SP) delivers each service. Thus, a user has one active IDP session and one active service session for each SP she is accessing. While SSO eases the life of users and system administrators, if SSO is not implemented carefully, a user may sign out from all services but still have an active IDP session, and users might not be aware that such active IDP sessions exist. In this work, we use state-transition diagrams to trace the steps of an SSO activity and then show the states that a user's browser may maintain. We show that even after a user signs out of, or times out from, all service sessions or the IDP server session, active sessions may exist that the user may be unaware of. This situation can arise because the implementer never considered this possibility, or the user is unaware of it, or both. We propose some possible remedies to mitigate the undesirable information-security situations we have exposed.
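To make the abstract's observation concrete, here is a small model of the browser-side session state it describes: one IDP session plus one service session per SP. It is an added example, not code from the paper or from any real IDP or SP product; the service names ("mail", "calendar"), the lifetimes `IDP_TTL` and `SP_TTL`, and the `single_logout` remedy are assumptions chosen for illustration. The three scenario functions show the two leftover-session cases the abstract names (the IDP session surviving a sign-out from every SP, and service sessions surviving an IDP timeout) and a logout that is propagated to every party, which leaves nothing behind.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed example, not the paper's code: a minimal model of the session
# state a browser holds during SSO. Lifetimes below are assumed values.
IDP_TTL = 8 * 3600      # assumed IDP session lifetime in seconds
SP_TTL = 30 * 60        # assumed service session lifetime in seconds


@dataclass
class Session:
    expires_at: float    # absolute timestamp; dead once now >= expires_at


@dataclass
class SsoState:
    """One IDP session plus one service session per SP the user has visited."""
    idp: Optional[Session] = None
    sp: Dict[str, Session] = field(default_factory=dict)

    def sign_in_idp(self, now: float) -> None:
        self.idp = Session(now + IDP_TTL)

    def access_sp(self, name: str, now: float) -> None:
        """Visiting an SP: it defers to the IDP, which must hold a live session."""
        self.expire(now)
        if self.idp is None:
            raise PermissionError("no active IDP session; user must sign in again")
        self.sp[name] = Session(now + SP_TTL)

    def sign_out_sp(self, name: str) -> None:
        """Local logout at one SP: only that service session is cleared."""
        self.sp.pop(name, None)

    def expire(self, now: float) -> None:
        """Drop every session whose lifetime has elapsed."""
        if self.idp is not None and now >= self.idp.expires_at:
            self.idp = None
        self.sp = {n: s for n, s in self.sp.items() if now < s.expires_at}

    def active(self, now: float) -> Set[str]:
        """Names of the sessions still alive at time `now`."""
        self.expire(now)
        names = set(self.sp)
        if self.idp is not None:
            names.add("IDP")
        return names


def single_logout(state: SsoState) -> None:
    """Remedy (assumed): a logout at any SP is propagated to every SP and the IDP."""
    state.sp.clear()
    state.idp = None


def scenario_sp_logout_only() -> Set[str]:
    """User signs out of every service but never of the IDP."""
    st = SsoState()
    st.sign_in_idp(now=0)
    st.access_sp("mail", now=1)
    st.access_sp("calendar", now=2)
    st.sign_out_sp("mail")
    st.sign_out_sp("calendar")
    return st.active(now=3)             # -> {"IDP"}: a session the user is unaware of


def scenario_idp_timeout() -> Set[str]:
    """IDP session times out while service sessions are still within their lifetime."""
    st = SsoState()
    st.sign_in_idp(now=0)
    # the user visits the SPs shortly before IDP expiry, so their sessions are fresh
    st.access_sp("mail", now=IDP_TTL - 60)
    st.access_sp("calendar", now=IDP_TTL - 30)
    return st.active(now=IDP_TTL + 1)   # -> {"mail", "calendar"}: IDP gone, services live


def scenario_single_logout() -> Set[str]:
    """Same sign-in as above, but the logout is propagated to every party."""
    st = SsoState()
    st.sign_in_idp(now=0)
    st.access_sp("mail", now=1)
    st.access_sp("calendar", now=2)
    single_logout(st)
    return st.active(now=3)             # -> set(): nothing left behind


if __name__ == "__main__":
    print("after signing out of every SP:", scenario_sp_logout_only())
    print("after IDP timeout:            ", scenario_idp_timeout())
    print("after single logout:          ", scenario_single_logout())
```

The model keeps time as an explicit parameter so each scenario is deterministic; the point to take from it is that local logout and per-session timeouts act on one session at a time, so any session the user cannot see (here the IDP session, or service sessions after the IDP has expired) stays live until something propagates the logout.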

Author information

Corresponding author: Lokesh Ramamoorthi.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Ramamoorthi, L., Sarkar, D. (2018). Single Sign-On Demystified: Security Considerations for Developers and Users. In: Rocha, Á., Adeli, H., Reis, L., Costanzo, S. (eds) Trends and Advances in Information Systems and Technologies. WorldCIST'18 2018. Advances in Intelligent Systems and Computing, vol 746. Springer, Cham. https://doi.org/10.1007/978-3-319-77712-2_18

  • DOI: https://doi.org/10.1007/978-3-319-77712-2_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-77711-5

  • Online ISBN: 978-3-319-77712-2

  • eBook Packages: Engineering (R0)
