WorldCist'18 - 6th World Conference on Information Systems and Technologies

Single Sign-on Demystified: Security Considerations for Developers and Users

A website of an entity (organization or enterprise) usually provides multiple services to its members. Once a user of the entity signs on for a service, she can access all services available to her. This is known as single sign-on (SSO). For implementation of SSO, user authentication is separated, at least logically, from services. An identity provider (IDP) authenticates a user and a service provider (SP) delivers each service. Thus, a user has an active IDP session, and one active service session for each SP she is accessing. While SSO eases the life of users and system administrators, if SSO is not implemented carefully, a user may sign out from all services but may still have an active IDP session, and users might not be aware of the existence of the active IDP sessions. In this work, we use state-transition diagrams to trace the steps during an SSO activity, and then show the states that a user's browser may maintain. We show that even after a user signs out or is timed out from all service sessions or the IDP server session, active sessions may exist that the user may be unaware of. This situation may happen because the implementer never thought of this possibility, or the user is unaware of such a possibility, or both. We propose some possible remedies to mitigate the undesirable information-security situations we have exposed.

Lokesh Ramamoorthi
University of Miami
United States

Dilip Sarkar
University of Miami
United States
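
The session states described in the abstract can be traced with a small model. This is an added example, not the authors' state-transition diagrams or code; it assumes an implementation in which ending an SP session and ending the IDP session do not propagate to each other, and the service names `mail` and `files` are made up.

```python
from dataclasses import dataclass, field

@dataclass
class BrowserSessions:
    """Sessions one browser holds: one IDP session plus one per SP."""
    idp_active: bool = False
    sp_active: set = field(default_factory=set)

    def access(self, sp):
        """Visit a service; report how the service session was obtained."""
        if sp in self.sp_active:
            return "existing-sp-session"
        prompted = not self.idp_active
        self.idp_active = True          # IDP authenticates (or reuses its session)
        self.sp_active.add(sp)          # SP creates a service session
        return "credentials-prompt" if prompted else "silent-sso"

    def end_sp(self, sp):
        """Sign-out or timeout at one SP only; the IDP session is untouched."""
        self.sp_active.discard(sp)

    def end_idp(self):
        """Sign-out or timeout at the IDP only; SP sessions are untouched."""
        self.idp_active = False

    def residual(self):
        """Sessions still active, i.e. what a sign-out left behind."""
        left = ["idp"] if self.idp_active else []
        return left + sorted(f"sp:{s}" for s in self.sp_active)

def run_trace(events):
    """Apply (action, target) events; return access outcomes and residual sessions."""
    b, outcomes = BrowserSessions(), []
    for action, target in events:
        if action == "access":
            outcomes.append(b.access(target))
        elif action == "end_sp":
            b.end_sp(target)
        elif action == "end_idp":
            b.end_idp()
        else:
            raise ValueError(f"unknown action: {action}")
    return outcomes, b.residual()

# Constructed traces (assumed event names, made-up services).
SP_SIGNOUT_ONLY = [("access", "mail"), ("access", "files"),
                   ("end_sp", "mail"), ("end_sp", "files"), ("access", "mail")]
IDP_SIGNOUT_ONLY = [("access", "mail"), ("access", "files"), ("end_idp", None)]

if __name__ == "__main__":
    print(run_trace(SP_SIGNOUT_ONLY))
    print(run_trace(IDP_SIGNOUT_ONLY))
```

In the first trace the final `access` needs no credential prompt because the IDP session outlived every service sign-out; in the second, both service sessions outlive the IDP session.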
