Questions tagged [sso]

Single Sign-On is when a user can use the same set of authentication credentials to access multiple different services.

2 votes
0 answers
39 views

What's the point of users having to authorize their SSH keys and tokens they created themselves when SAML single sign-on is enabled on GitHub?

In GitHub's Enterprise Cloud docs it says: To use an SSH key with an organization that uses SAML single sign-on (SSO), you must first authorize the key. I understand that organization admins could ...
user1042840
1 vote
0 answers
28 views

Leveraging MS SSO for teams tab secure?

I have an app I want to embed as a tab in MS Teams. Users may already have an account outside of Teams and I typically use a magic login link to log users in. I want to know if I can leverage Teams ...
user25622659
6 votes
1 answer
78 views

Is there a method of session revocation for SAML/Single Sign-on applications?

While running a red teaming exercise, we had taken over an account inside an organization's Identity Provider via a social engineering attack (specifics of which aren't relevant to this question). Their ...
Al Longley
2 votes
0 answers
185 views

Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)

CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below: /auth/realms/{realm}/clients-registrations/default/{...
Marcus • 21
0 votes
0 answers
58 views

OAuth2 System Design for Single Sign-On | Auto-Detect Session?

I'm working on configuring my suite of services (in different domains) so that they can all be accessed via Single Sign-On. I'm using AWS Cognito as a wrapper around a SAML Idp (Azure AD). What I ...
Ryan Pierce Williams
2 votes
0 answers
138 views

Entra ID issuing expired ID Tokens

We are integrating our application with SSO using Entra ID App Registrations and configuring OIDC. When our application receives the ID token from Microsoft Entra, the iap and exp values seem invalid. ...
Brian Swanson
1 vote
2 answers
124 views

Verify user credentials via SAML (E-Signature)

I have a requirement to extend a quality assurance process in the customer's CRM system so that when the user enters some data he or she is prompted to a screen with username and password and the ...
Jakub Zvonek
1 vote
0 answers
108 views

What are the risks of SSO and logins in general in relation to privacy?

I recently started using the Brave browser for a little more privacy. However, I still don't understand much about the risks surrounding SSO and cookies. As an example, I am logged in to YouTube.com ...
EchtFettigerKeks
1 vote
1 answer
287 views

Oracle Kerberos authentication on Linux host with SSSD

I have Linux servers which are members of an AD domain, running the SSSD daemon. SSSD is "Kerberized" and I also want to use Kerberos for Oracle db authentication. NOTE: this is not purely about ...
ibre5041
1 vote
1 answer
158 views

How to delegate SAML2 authentication between Service Providers (SPs)?

We have an existing SP called S1 that authenticates to multiple Idps. We have another service called S2, I want S2 to delegate authentication to S1 then to Idp, then back and notify S2 when ...
Marconi • 111
0 votes
1 answer
98 views

How to store ClientID and ClientSecret in a K8 Env

I am trying to integrate our service with SSO. I have generated the ClientID and ClientSecret. Is it a good security practice to store the ClientID and ClientSecret as a configmap? If not, what are the ...
warrior-oo7
1 vote
0 answers
155 views

SSO Using API based login (not through UI redirection)

We have 3 different applications which have the same top level domain: a.example.com, b.example.com, example.com. We have a login mechanism where the user provides a username + password and logs in. ...
gaurav5430
0 votes
1 answer
680 views

SAML Authentication Across multiple Service providers

I am in the process of building an integration between 2 service providers (SP). I have set up my own Identity Provider, KeyCloak. What I am trying to achieve is as follows: A user signs into SP1 using ...
dingo • 101
1 vote
2 answers
126 views

Security/Liability Concerns with Sign-In-Provider Account Merging

Assume my solution offers 5 identity providers that users can choose from: Apple, Facebook, Github, Google, Microsoft. These providers all take user identity very seriously. Is there any legitimate ...
user65023
1 vote
0 answers
108 views

SSO and/or JWT: make sure web app's endpoints are protected

Let's say I'm building a web application (let's focus on the backend side) that is B2C. Users should be able to register with my application, using an SSO provider like Google or Facebook. Once they're ...
Rififi • 157