Single sign-on demystified

Security considerations for developers and users

Lokesh Ramamoorthi, Dilip Sarkar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

A website of an entity (organization or enterprise) usually provides multiple services to its members. Once a user of the entity signs on for a service, she can access all services available to her. This is known as single sign-on (SSO). For the implementation of SSO, user authentication is separated, at least logically, from services. An identity provider (IDP) authenticates a user and a service provider (SP) delivers each service. Thus, a user has an active IDP session, and one active service session for each SP she is accessing. While SSO eases the life of users and system administrators, if SSO is not implemented carefully, a user may sign out from all services but still have an active IDP session, and users might not be aware of the existence of the active IDP sessions. In this work, we use state-transition diagrams to trace the steps during an SSO activity, and then show the states that a user's browser may maintain. We show that even after a user signs out or times out from all service sessions or the IDP server session, active sessions may exist that the user may be unaware of. This situation may happen because the implementer never thought of this possibility, or the user is unaware of such a possibility, or both. We propose some possible remedies to mitigate the undesirable information-security situations we have exposed.
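The abstract describes a layered session state (one IDP session plus one session per SP) and the failure mode in which signing out of every service leaves the IDP session alive. The following Python model is an added illustration of that state machine, not code from the paper (which works with state-transition diagrams). The session lifetimes, the service names "mail" and "files", and the two logout policies are constructed assumptions; `single_logout=False` is the naive implementation and `single_logout=True` is a remedy in the spirit of single logout, where a sign-out at either side is propagated to every session.

```python
# Added example, not from the paper: a toy model of the sessions a browser
# holds during SSO. Lifetimes and service names are constructed values.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IDP_LIFETIME = 480  # minutes an IDP session stays valid (constructed value)
SP_LIFETIME = 30    # minutes an SP session stays valid (constructed value)


@dataclass
class BrowserState:
    """Sessions the browser holds: one IDP session and one per service provider."""
    now: int = 0
    idp_expires: int = -1                                  # -1 means no IDP session
    sp_expires: Dict[str, int] = field(default_factory=dict)

    def idp_active(self) -> bool:
        return self.now < self.idp_expires

    def active_sps(self) -> Set[str]:
        return {sp for sp, exp in self.sp_expires.items() if self.now < exp}


class SSO:
    """single_logout=False is the naive implementation: each sign-out only ends
    the session it was issued to. single_logout=True propagates a sign-out from
    either side to the IDP session and every SP session."""

    def __init__(self, single_logout: bool):
        self.single_logout = single_logout

    def sign_on(self, b: BrowserState, sp: str) -> bool:
        """Establish (or silently reuse) the IDP session, then create the SP session.
        Returns True only when the user actually had to present credentials."""
        prompted = not b.idp_active()
        if prompted:
            b.idp_expires = b.now + IDP_LIFETIME       # IDP authenticates the user
        b.sp_expires[sp] = b.now + SP_LIFETIME         # SP issues its own session
        return prompted

    def sign_out_sp(self, b: BrowserState, sp: str) -> None:
        b.sp_expires.pop(sp, None)                     # ends only this SP session
        if self.single_logout:                         # SP-initiated single logout
            self.sign_out_idp(b)

    def sign_out_idp(self, b: BrowserState) -> None:
        b.idp_expires = -1
        if self.single_logout:                         # IDP tells every SP to end
            b.sp_expires.clear()


def lingering(b: BrowserState) -> dict:
    """What is still alive in the browser, which is what the user cannot see."""
    return {"idp": b.idp_active(), "sps": b.active_sps()}


def run(single_logout: bool, script: List[Tuple]) -> dict:
    """Replay a user script such as [("on", "mail"), ("wait", 31), ("off_sp", "mail")]
    and report the final lingering sessions plus how often credentials were asked."""
    sso, b, prompts = SSO(single_logout), BrowserState(), 0
    for step in script:
        op = step[0]
        if op == "on":
            prompts += sso.sign_on(b, step[1])
        elif op == "off_sp":
            sso.sign_out_sp(b, step[1])
        elif op == "off_idp":
            sso.sign_out_idp(b)
        elif op == "wait":
            b.now += step[1]
        else:
            raise ValueError(f"unknown step {op!r}")
    return {**lingering(b), "prompts": prompts}


if __name__ == "__main__":
    signs_out_everywhere = [("on", "mail"), ("on", "files"),
                            ("off_sp", "mail"), ("off_sp", "files")]
    print("naive:", run(False, signs_out_everywhere))   # IDP session still active
    print("SLO:  ", run(True, signs_out_everywhere))    # nothing left behind
    # SP session timed out while the IDP session is alive: re-entry needs no credentials
    print("timeout:", run(False, [("on", "mail"), ("wait", 31), ("on", "mail")]))
```

The `prompts` counter is the observable that matters to a user: in the naive model, after signing out of every service, a fresh visit to any SP is silently re-authenticated by the still-active IDP session, which is exactly the situation the abstract says users tend not to be aware of. A defensive check in a real deployment is the same in spirit: after the user's last service sign-out, verify whether a new SP login still completes without a credential prompt.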

Original language: English (US)
Title of host publication: Trends and Advances in Information Systems and Technologies
Editors: Luis Paulo Reis, Alvaro Rocha, Sandra Costanzo, Hojjat Adeli
Publisher: Springer Verlag
Pages: 185-196
Number of pages: 12
ISBN (Print): 9783319777115
DOIs: https://doi.org/10.1007/978-3-319-77712-2_18
State: Published - Jan 1 2018
Event: 6th World Conference on Information Systems and Technologies, WorldCIST 2018 - Naples, Italy
Duration: Mar 27 2018 to Mar 29 2018

Publication series

Name: Advances in Intelligent Systems and Computing
Volume: 746
ISSN (Print): 2194-5357

Other

Other: 6th World Conference on Information Systems and Technologies, WorldCIST 2018
Country: Italy
City: Naples
Period: 3/27/18 to 3/29/18

Fingerprint

Security of data
Authentication
Websites
Servers
Industry

Keywords

  • Authentication
  • Authorization
  • Identity provider
  • Security
  • Service provider
  • Single sign-on

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Computer Science(all)

Cite this

Ramamoorthi, L., & Sarkar, D. (2018). Single sign-on demystified: Security considerations for developers and users. In L. P. Reis, A. Rocha, S. Costanzo, & H. Adeli (Eds.), Trends and Advances in Information Systems and Technologies (pp. 185-196). (Advances in Intelligent Systems and Computing; Vol. 746). Springer Verlag. https://doi.org/10.1007/978-3-319-77712-2_18

@inproceedings{0c4267a377674afab01108f9b9dc108c,
title = "Single sign-on demystified: Security considerations for developers and users",
abstract = "A website of an entity (organization or enterprise) usually provides multiple services to its members. Once a user of the entity signs-on for a service, she can access all services available to her. This is known as single sign-on (SSO). For implementation of SSO, user authentication is separated, at least logically, from services. An identity provider (IDP) authenticates a user and a service provider (SP) delivers each service. Thus, a user has an active IDP session, and one active service session for each SP she is accessing. While SSO eases the life of users and system-administrators, if SSO not implemented carefully, a user may sign-out from all services but still may have an active IDP session, and users might not be aware of existence of the active IDP sessions. In this work, we use state-transition diagrams to trace the steps during a SSO activity, and then show the states that a user’s browser may maintain. We show that even after a user signs-out or timed-out from all service sessions or the IDP server session, active sessions may exist that the user maybe unaware of. This situation may happen because implementer never thought of this possibility or the user is unaware of such possibility or both. We propose some possible remedies to mitigate undesirable information-security situations we have exposed.",
keywords = "Authentication, Authorization, Identity provider, Security, Service provider, Single sign-on",
author = "Lokesh Ramamoorthi and Dilip Sarkar",
year = "2018",
month = "1",
day = "1",
doi = "10.1007/978-3-319-77712-2_18",
language = "English (US)",
isbn = "9783319777115",
series = "Advances in Intelligent Systems and Computing",
publisher = "Springer Verlag",
pages = "185--196",
editor = "Reis, {Luis Paulo} and Alvaro Rocha and Sandra Costanzo and Hojjat Adeli",
booktitle = "Trends and Advances in Information Systems and Technologies",
address = "Germany",
}

TY  - GEN
T1  - Single sign-on demystified
T2  - Security considerations for developers and users
AU  - Ramamoorthi, Lokesh
AU  - Sarkar, Dilip
PY  - 2018/1/1
Y1  - 2018/1/1
N2  - A website of an entity (organization or enterprise) usually provides multiple services to its members. Once a user of the entity signs-on for a service, she can access all services available to her. This is known as single sign-on (SSO). For implementation of SSO, user authentication is separated, at least logically, from services. An identity provider (IDP) authenticates a user and a service provider (SP) delivers each service. Thus, a user has an active IDP session, and one active service session for each SP she is accessing. While SSO eases the life of users and system-administrators, if SSO not implemented carefully, a user may sign-out from all services but still may have an active IDP session, and users might not be aware of existence of the active IDP sessions. In this work, we use state-transition diagrams to trace the steps during a SSO activity, and then show the states that a user’s browser may maintain. We show that even after a user signs-out or timed-out from all service sessions or the IDP server session, active sessions may exist that the user maybe unaware of. This situation may happen because implementer never thought of this possibility or the user is unaware of such possibility or both. We propose some possible remedies to mitigate undesirable information-security situations we have exposed.
AB  - A website of an entity (organization or enterprise) usually provides multiple services to its members. Once a user of the entity signs-on for a service, she can access all services available to her. This is known as single sign-on (SSO). For implementation of SSO, user authentication is separated, at least logically, from services. An identity provider (IDP) authenticates a user and a service provider (SP) delivers each service. Thus, a user has an active IDP session, and one active service session for each SP she is accessing. While SSO eases the life of users and system-administrators, if SSO not implemented carefully, a user may sign-out from all services but still may have an active IDP session, and users might not be aware of existence of the active IDP sessions. In this work, we use state-transition diagrams to trace the steps during a SSO activity, and then show the states that a user’s browser may maintain. We show that even after a user signs-out or timed-out from all service sessions or the IDP server session, active sessions may exist that the user maybe unaware of. This situation may happen because implementer never thought of this possibility or the user is unaware of such possibility or both. We propose some possible remedies to mitigate undesirable information-security situations we have exposed.
KW  - Authentication
KW  - Authorization
KW  - Identity provider
KW  - Security
KW  - Service provider
KW  - Single sign-on
UR  - http://www.scopus.com/inward/record.url?scp=85045304667&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85045304667&partnerID=8YFLogxK
U2  - 10.1007/978-3-319-77712-2_18
DO  - 10.1007/978-3-319-77712-2_18
M3  - Conference contribution
SN  - 9783319777115
T3  - Advances in Intelligent Systems and Computing
SP  - 185
EP  - 196
BT  - Trends and Advances in Information Systems and Technologies
A2  - Reis, Luis Paulo
A2  - Rocha, Alvaro
A2  - Costanzo, Sandra
A2  - Adeli, Hojjat
PB  - Springer Verlag
ER  -