Questions tagged [sso]
Single Sign-On is when a user can use the same set of authentication credentials to access multiple different services.
176 questions
-1 votes, 1 answer, 122 views
Understand the relationships between SSO, OAuth, OIDC, SAML, Okta
I'm getting confused by those terminologies and how they're related to each other. Many articles on the internet don't agree on a single view of whether those are categorized as protocols, standards or ...
1 vote, 1 answer, 204 views
How do you handle MFA during pentests?
Trying to test behind login pages with MFA or SSO is always a pain. Do you guys request bypass creds or use token capture? Curious what tools or workflows have worked best for you.
0 votes, 0 answers, 55 views
client-initiated single logout
I have implemented a Single-Sign-On infrastructure where I own both the OIDC provider and the clients (RPs).
My question is about the single-logout mechanism. At the moment, when a user requests a ...
23 votes, 4 answers, 7k views
A website asks you to enter a Microsoft/Google/Facebook password. How do you know it is safe?
A website prompts me to log in to my Microsoft Account. In order to perform my task, it requires me to enter that password.
How does the "average user" avoid giving all their login details ...
4 votes, 3 answers, 2k views
How secure is the "Remember me" feature in Keycloak?
I am using Keycloak 25 to protect several web applications in our company (OpenID Connect). There is the "Remember me" option in Keycloak, which can be enabled for the entire realm.
...
4 votes, 1 answer, 315 views
What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
Context
I've read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it's not clear to me why.
The recommended ...
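An added example, written for this page rather than taken from the question or any answer, showing in code what goes wrong when a relying party keys accounts on the `email` claim instead of the issuer-scoped `sub`. The claims are constructed: the Google issuer URL is real, but the `sub` values, addresses and the second issuer (`https://idp.social.example`, a hypothetical provider that does not verify mailboxes) are made up for illustration.

```python
"""Account lookup by (iss, sub) versus by email for OIDC logins.

Added example, not from the question or its answers. All claim values are
constructed; https://idp.social.example is a hypothetical second provider.
"""
from dataclasses import dataclass, field

GOOGLE_ISS = "https://accounts.google.com"

# Alice's real Google identity (constructed sub, made-up address).
ALICE_GOOGLE = {"iss": GOOGLE_ISS, "sub": "110248495921238986420",
                "email": "alice@example.com", "email_verified": True}

# Someone else asserting the same address via a provider that never
# verified it (hypothetical issuer; mixed case to show why we normalise).
SAME_EMAIL_OTHER_IDP = {"iss": "https://idp.social.example", "sub": "7",
                        "email": "Alice@example.com", "email_verified": False}

# The address recycled by a Workspace admin to a new hire: same issuer,
# verified address, but a different subject identifier.
NEWHIRE_GOOGLE = {"iss": GOOGLE_ISS, "sub": "223309876543210987654",
                  "email": "alice@example.com", "email_verified": True}


@dataclass
class User:
    user_id: int
    email: str
    identities: set = field(default_factory=set)  # linked (iss, sub) pairs


class Accounts:
    def __init__(self):
        self._by_identity = {}  # (iss, sub) -> User
        self._by_email = {}     # normalised email -> User
        self._next_id = 1

    def _link(self, user, claims):
        key = (claims["iss"], claims["sub"])
        user.identities.add(key)
        self._by_identity[key] = user

    def _create(self, claims):
        user = User(self._next_id, claims["email"].lower())
        self._next_id += 1
        self._link(user, claims)
        # first account to claim an address keeps it for email lookups
        self._by_email.setdefault(user.email, user)
        return user

    def login_by_email(self, claims):
        """Weak: any token carrying this address, from any trusted issuer
        and whether or not the issuer verified it, opens the account."""
        user = self._by_email.get(claims["email"].lower())
        return user or self._create(claims)

    def login_by_identity(self, claims):
        """Recommended: the subject identifier is stable per issuer and is
        never reassigned, so a recycled address cannot inherit the account."""
        user = self._by_identity.get((claims["iss"], claims["sub"]))
        return user or self._create(claims)

    def link_identity(self, user, claims):
        """Explicit linking of a second provider, to be called only from a
        session in which `user` has already authenticated."""
        if (claims["iss"], claims["sub"]) in self._by_identity:
            raise ValueError("identity already linked to an account")
        self._link(user, claims)


def compare():
    """For each strategy: does a different subject get Alice's account?"""
    results = {}
    for name in ("login_by_email", "login_by_identity"):
        acc = Accounts()
        alice = getattr(acc, name)(ALICE_GOOGLE)
        results[name] = {
            "unverified_same_email": getattr(acc, name)(SAME_EMAIL_OTHER_IDP) is alice,
            "recycled_address": getattr(acc, name)(NEWHIRE_GOOGLE) is alice,
            "alice_again": getattr(acc, name)(ALICE_GOOGLE) is alice,
        }
    return results


if __name__ == "__main__":
    for strategy, outcome in compare().items():
        print(strategy, outcome)
```

Note that the identity-keyed version deliberately does no automatic linking on a matching verified address: the recycled-address case above is exactly the one where `email_verified: true` is honest and still wrong. Linking a second provider goes through `link_identity` inside an already-authenticated session.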
1 vote, 2 answers, 473 views
Keycloak - SSO security best practices
I am using Keycloak as OIDC provider for several web applications. I have approximately 50 users and 5 applications. Some applications contain sensitive data and are used only by the company managers. ...
19 votes, 1 answer, 4k views
How are you supposed to trust SSO popups in desktop and mobile applications?
When I was investigating how to add SSO to a local application to log in to Google Drive, the standard approach seems to be to open a web view window, ask the user to log in while also opening a localhost ...
2 votes, 2 answers, 250 views
What's the point of users having to authorize their SSH keys and tokens they created themselves when SAML single sign-on is enabled on GitHub?
In GitHub's Enterprise Cloud docs it says:
To use an SSH key with an organization that uses SAML single sign-on (SSO), you must first authorize the key.
I understand that organization admins could ...
1 vote, 0 answers, 64 views
Leveraging MS SSO for teams tab secure?
I have an app I want to embed as a tab in MS Teams. Users may already have an account outside of Teams, and I typically use a magic login link to log users in. I want to know if I can leverage Teams ...
6 votes, 1 answer, 696 views
Is there a method of session revocation for SAML/Single Sign-on applications?
While running a red teaming exercise, we had taken over an account inside an organization's Identity Provider via social engineering attack (specifics of which aren't relevant to this question). Their ...
2 votes, 0 answers, 399 views
Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{...
2 votes, 0 answers, 337 views
Entra ID issuing expired ID Tokens
We are integrating our application with SSO using Entra ID App Registrations and configuring OIDC.
When our application receives the ID token from Microsoft Entra, the iat and exp values seem invalid. ...
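An added example, not from the question, of the time-claim checks a relying party should apply to an ID token's `iat`, `nbf` and `exp` before concluding the issuer is wrong, plus a small diagnostic for the two usual causes of "the values look invalid": verifier clock skew and NumericDate values interpreted in the wrong unit. The sample claims are constructed; the 300-second leeway is an assumption to be tuned per environment, and `now` is a parameter so the checks are reproducible.

```python
"""Time-claim validation for an OIDC ID token with a clock-skew allowance.

Added example, not from the question. Sample claims are constructed.
"""
import time

LEEWAY = 300  # seconds of issuer/verifier skew tolerated (assumption)

NOW = 1_700_000_000  # fixed "current time" for the constructed samples
GOOD = {"iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3540}
SKEWED = {"iat": NOW + 120, "nbf": NOW + 120, "exp": NOW + 3720}    # issuer 2 min ahead
EXPIRED = {"iat": NOW - 7200, "nbf": NOW - 7200, "exp": NOW - 3600}
MILLIS = {"iat": (NOW - 60) * 1000, "exp": (NOW + 3540) * 1000}      # ms, not s


def _numeric_date(value):
    """JWT NumericDate: seconds since the epoch, int or float (bool excluded)."""
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_time_claims(claims, now=None, leeway=LEEWAY):
    """Return (ok, reason). Rejects malformed, future-dated, not-yet-valid
    and expired tokens, allowing `leeway` seconds of clock difference."""
    now = time.time() if now is None else now
    for name in ("iat", "exp"):
        if name not in claims:
            return False, f"missing required claim {name}"
    for name in ("iat", "exp", "nbf"):
        if name in claims and not _numeric_date(claims[name]):
            return False, f"{name} is not a NumericDate (seconds since epoch)"
    iat, exp = claims["iat"], claims["exp"]
    if exp <= iat:
        return False, "exp is not after iat"
    if iat > now + leeway:
        return False, f"iat is {iat - now:.0f}s in the future (beyond {leeway}s leeway)"
    if "nbf" in claims and claims["nbf"] > now + leeway:
        return False, f"token not yet valid: nbf is {claims['nbf'] - now:.0f}s ahead"
    if exp + leeway <= now:
        return False, f"token expired {now - exp:.0f}s ago (beyond {leeway}s leeway)"
    return True, "ok"


def diagnose_time_claims(claims, now=None):
    """Hints for the common causes of time claims that 'look invalid'."""
    now = time.time() if now is None else now
    hints = []
    for name in ("iat", "exp", "nbf"):
        value = claims.get(name)
        # Epoch seconds in the 2020s are ~1.7e9; anything above 1e11 was
        # almost certainly produced or parsed as milliseconds.
        if _numeric_date(value) and value > 10**11:
            hints.append(f"{name}={value} looks like milliseconds, not seconds")
    iat = claims.get("iat")
    if _numeric_date(iat) and iat <= 10**11 and abs(iat - now) > 60:
        hints.append(f"iat differs from the local clock by {iat - now:+.0f}s; "
                     "check NTP on the verifier before blaming the issuer")
    return hints


if __name__ == "__main__":
    for label, claims in (("good", GOOD), ("skewed", SKEWED),
                          ("expired", EXPIRED), ("millis", MILLIS)):
        print(label, check_time_claims(claims, NOW), diagnose_time_claims(claims, NOW))
```

The skewed sample passes with the default leeway and fails with `leeway=0`, which is the behaviour to expect when a verifier with a drifting clock validates tokens strictly; the millisecond sample fails outright and the diagnostic names the unit problem.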
1 vote, 2 answers, 184 views
Verify user credentials via SAML (E-Signature)
I have a requirement to extend a quality assurance process in the customer's CRM system so that when the user enters some data he or she is prompted with a screen with username and password and the ...
1 vote, 0 answers, 167 views
What are the risks of SSO and logins in general in relation to privacy?
I recently started using the Brave browser for a little more privacy.
However, I still don't understand much about the risks surrounding SSO and cookies.
As an example, I am logged in to YouTube.com ...