From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?

Abstract : Browser-based Single Sign-On (SSO) is replacing conventional solutions based on multiple, domain-specific credentials by offering an improved user experience: clients log on to their company system once and are then able to access all services offered by the company’s partners. By focusing on the emerging SAML standard, in this paper we show that the prototypical browser-based SSO use case suffers from an authentication flaw that allows a malicious service provider to hijack a client authentication attempt and force the latter to access a resource without its consent or intention. This may have serious consequences, as evidenced by a Cross-Site Scripting attack that we have identified in the SAML-based SSO for Google Apps: the attack allowed a malicious web server to impersonate a user on any Google application. We also describe solutions that can be used to mitigate and even solve the problem.
Type de document :
Communication dans un congrès
Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp.68-79, 2011, Future Challenges in Security and Privacy for Academia and Industry. 〈10.1007/978-3-642-21424-0_6〉
Liste complète des métadonnées

Littérature citée [14 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01567599
Contributeur : Hal Ifip <>
Soumis le : lundi 24 juillet 2017 - 10:40:19
Dernière modification le : lundi 24 juillet 2017 - 10:42:15

Fichier

978-3-642-21424-0_6_Chapter.pd...
Fichiers produits par l'(les) auteur(s)

Licence


Distributed under a Creative Commons Paternité 4.0 International License

Identifiants

Citation

Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuellar, Giancarlo Pellegrino, et al.. From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?. Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp.68-79, 2011, Future Challenges in Security and Privacy for Academia and Industry. 〈10.1007/978-3-642-21424-0_6〉. 〈hal-01567599〉

Partager

Métriques

Consultations de la notice

63

Téléchargements de fichiers

23