Single Sign On Research Papers

Browser-based Single Sign-On (SSO) is replacing conventional solutions based on multiple, domain-specific credentials by offering an improved user experience: clients log on to their company system once and are then able to access all services offered by the company’s partners. By focusing on the emerging SAML standard, in this paper we show that the prototypical browser-based SSO use case suffers from an authentication flaw that allows a malicious service provider to hijack a client authentication attempt and force the latter to access a resource without its consent or intention. This may have serious consequences, as evidenced by a Cross-Site Scripting attack that we have identified in the SAML-based SSO for Google Apps: the attack allowed a malicious web server to impersonate a user on any Google application. We also describe solutions that can be used to mitigate and even solve the problem.

OAuth 2.0 is an authorization protocol for the Web. Popular social networks such as Facebook, Google and Twitter build their APIs on the OAuth protocol to improve the user experience of SSO and social sharing. It is an open standard for authorization that gives third-party applications a process for obtaining users' resources on resource servers without sharing the users' login credentials. Single sign-on (SSO) is an identification method that allows websites to rely on other, trusted sites to confirm users. OAuth 2.0 is broadly used in SSO services because of its simple implementation and its compatibility with a diversity of third-party applications. It has been proved secure by different formal methods, but some vulnerabilities have been revealed in practice. In this paper, we describe a general approach to improve the security of OAuth-based SSO services for packaged web apps. The paper proposes a modified method for executing the OAuth flow from such applications with the help of Single sign-on (SSO), which manages the life cycle of these applications.

The trend in businesses is moving towards a single browser tool on portable devices to access cloud applications, which increases portability but at the same time introduces security vulnerabilities. This has resulted in the need for several layers of password authentication for access to cloud applications. Single Sign-On (SSO) is a tool for access control across multiple software systems. This research explores the effects and implications of SSO solutions on cloud applications. We utilize a new framework of different attributes, developed by acquiring IT experts' opinions through extensive interviews, to elaborate significant strategic parameters in the workplace. The framework was further tested using data collected from a sample of 400+ users in the UAE.

Abstract. A single sign-on (SSO) application is a login authentication system that allows a user to access multiple systems with a single account. With an SSO system, a user of the application system needs to authenticate only once to log in to all services contained in the application system. Text-based login authentication in existing SSO systems has weaknesses, one of which is password theft by keylogger applications. The SSO system application designed in this work adds authentication using images. The image used is secured with a steganography technique based on the Least Significant Bit method.

In the networked economy, strategic partnerships and collaboration are an important way to develop and maintain competitive advantages. At the same time, enterprises also need to reduce costs, increase revenues and seize new business opportunities. This requires enterprises to enable convenient and secure business interactions with internal and external stakeholders, and to create relationships in which the electronic identities used to access

Cloud computing is a relatively new concept, so it is unsurprising that information security, data protection, network security and privacy concerns still need to be addressed fully. The cloud allows clients to avoid hardware and software investments, gain flexibility, cooperate with others, and take advantage of sophisticated services. However, security is a big problem for cloud clients, especially access control: client profile management and access to the services provided by the public cloud environment. In this article we propose an authentication model for the cloud based on the Kerberos V5 protocol to provide single sign-on and to protect the access control system against DDoS attacks. This model can help by filtering out unauthorized access and by reducing the burden on the cloud, in computation and memory usage, of authentication checks for each client. It acts as a trusted third party between cloud servers and clients to allow secure access to cloud services. In this paper we first review related work on cloud access control security issues and attacks, and then, in the next section, discuss the proposed architecture.

The advances in pervasive, ubiquitous and context-aware applications bring new challenges and opportunities for new authentication systems and protocols. Nowadays mobile devices have features that enable richer interaction models, providing pervasive and ubiquitous multi-factor authentication mechanisms that can be combined in a context-aware and multi-factor authentication environment. State-of-art single sign-on systems and authentication protocols are not well suited for a

The term "grid" in the Virtual Observatory context has mainly been used to indicate a set of interoperable services. This is rather different from the approach other scientific communities are taking, which is mainly based on using the grid for computational tasks. Within this framework, it appears extremely important to interconnect the Virtual Observatory and the computational grid infrastructures. Harmonisation of the Virtual Observatory infrastructure and user tools with the developments being carried out within the various national and European grid projects is an important goal to achieve. We present the point of view followed in the framework of the EuroVO Data Centre Alliance project, which we will propose to the International Virtual Observatory Alliance as a successful example of interoperability.

ABSTRACT Technology in the field of computer networks is developing rapidly to improve the convenience and efficiency of sharing resources over the Internet, and an essential aspect of this is the authentication system. This must be balanced with good security to minimize the risk of attack, because the data sent during login are the user's credentials. With the many network applications that exist, a reliable and secure authentication system is needed that lets a user access several network applications with a single authentication, which is more efficient. Single Sign-On is a system that makes it possible to access several services in a network with one user account by centralizing the authentication process. This study compares two network protocols, Lightweight Directory Access Protocol (LDAP) and Remote Authentication Dial-In User Service (RADIUS). User passwords are hashed with SHA256 and the authentication web application uses the HTTPS protocol. The test results between LDAP and RADIUS show a difference in CPU usage of 0.22% and in RAM usage of 25.65 kB, a difference in throughput of 12.0 req/sec and in response time of 0.37 sec. Stress load testing showed a significant difference of 894.45 milliseconds. When sniffing, only the hash value was obtained, because the original password value has already been converted on the client side. When performing a dictionary attack, the attack was unsuccessful because the password is stored in the database as a 32-bit hash value (SHA256).

Abstract. This research discusses the implementation of the Single Sign On (SSO) method. SSO is a technology that allows network users to access applications with just one user account: with a single login, a user can access several applications without having to log in to each one. To combine several applications, a site or web portal is required. With this web portal, each user needs to have only one username and password. The goal of this implementation is to produce a user management information system application that can integrate the webmail, information system (simas), e-learning, hotspot and Active Directory services, so that students, lecturers and staff do not need to log in to each of these IT services separately, and so that administrators can easily manage users, such as creating users or resetting user passwords.

Abstract: This paper provides information about the use of single sign-on in Sakai, an open-source learning management system specialized for higher education and widely used around the world. The study draws on a literature review and on the author's experience with Sakai. In this context, the integration of single sign-on into the Sakai learning management system and the details of that integration are presented. In addition, the author shares experiences of integrating student accounts held in Microsoft Active Directory into the Sakai system using the LDAP service.

PAPI is a system for providing access control to restricted information resources across the Internet. It intends to keep authentication an issue local to the organization the user belongs to, while leaving information providers full control over the resources they offer. The authentication mechanisms are designed to be as flexible as possible, allowing each organization to use its own authentication scheme, preserving user privacy, and offering information providers enough data for statistics. Moreover, the access control mechanisms are transparent to the user and compatible with the most commonly employed Web browsers (i.e., Netscape/MSIE/Mozilla/Lynx), with any HTTP-based Java application solution, and with any operating system. This solution is being successfully used in different research organizations in Spain and Europe as an access control system for restricted resources in a transparent, single sign-on way. It allows mobile and external users to access resources that are internal to organizations, contributing to remote participation in experiment results and inter-institutional resource collaboration.

Federation in identity management has emerged as a key concept for reducing complexity in the companies and offering an improved user experience when accessing services. In this sense, the process of trust establishment is fundamental to allow rapid and seamless interaction between different trust domains. However, the problem of establishing identity federations in dynamic and open environments that form part

Abstract. The learning management system (LMS) is the most popular e-learning system; it normally provides course-centered management and is rather weak at learner-centered management. The LMS normally does not manage school registers and imported ...

1. EXECUTIVE SUMMARY In this paper, we present the status of identity management systems and e-learning standards across Europe, in order to promote the mobility and the sharing of contents and services in higher education institutions. With new requirements for authentication, authorization and identity management for Web applications, most higher education institutions implement several solutions to address these issues. At

... Jim Basney National Center for Supercomputing Applications, University of Illinois jbasney@ncsa.uiuc.edu ... and the contribution of our own open source WS-Trust [2] implementation • Interoperability, as shown through the successful interaction of our .NET and Java clients with ...

This paper describes the design and implementation of GridCertLib, a Java library leveraging a Shibboleth-based authentication infrastructure and the SLCS online certificate signing service, to provide short-lived X.509 certificates and Grid proxies. The main use case envisioned for GridCertLib, is to provide seamless and secure access to Grid/X.509 certificates and proxies in web applications and portals: when a user logs

Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security (or the lack thereof) making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user without their awareness. Existing client-side protection mechanisms do not fully mitigate the problem or have a degrading effect on the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions: first, a thorough traffic analysis on real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done using specific

The UNICORE grid technology provides a seamless, secure and intuitive access to distributed grid resources such as computational or storage related resources. In addition, its extensible character through application-specific plug-ins and its enhancements developed in various European-funded projects leads to the UNICORE technology that is used in daily production at many supercomputer centers and research facilities world-wide today. In this

In this paper, we present an Open Grid Services Architecture (OGSA)-based decentralized allocation enforcement system, developed with an emphasis on a consistent data model and easy integration into existing scheduling and workload management software at six independent high-performance computing centers forming a Grid known as SweGrid. The Swedish National Allocations Committee (SNAC) allocates resource quotas at these centers to research projects requiring substantial computer time. Our system, the SweGrid Accounting System (SGAS), addresses the need for soft real-time allocation enforcement on SweGrid for cross-domain job submission. The SGAS framework is based on state-of-the-art Web and Grid services technologies. The openness and ubiquity of Web services, combined with the fine-grained resource control and cross-organizational security models of Grid services, proved to be a perfect match for the SweGrid needs. Extensibility and customizability of policy implementations for the...