Knowledge (XXG)

Single sign-on

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

True single sign-on allows the user to log in once and access services without re-entering authentication factors.

It should not be confused with same-sign on (Directory Server Authentication), often accomplished by using the Lightweight Directory Access Protocol (LDAP) and LDAP databases stored on (directory) servers.

A simple version of single sign-on can be achieved over IP networks using cookies, but only if the sites share a common DNS parent domain.

For clarity, a distinction is made between Directory Server Authentication (same-sign on) and single sign-on: Directory Server Authentication refers to systems requiring authentication for each application but using the same credentials from a directory server, whereas single sign-on refers to systems where a single authentication provides access to multiple applications by passing the authentication token seamlessly to configured applications.

Conversely, single sign-off or single log-out (SLO) is the property whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on must internally store the credentials used for initial authentication and translate them to the credentials required for the different mechanisms.

Other shared authentication schemes, such as OpenID and OpenID Connect, offer other services that may require users to make choices during a sign-on to a resource, but can be configured for single sign-on if those other services (such as user consent) are disabled. An increasing number of federated social logons, like Facebook Connect, do require the user to enter consent choices upon first registration with a new resource, and so are not always single sign-on in the strictest sense.

Benefits

Benefits of using single sign-on include:
- Mitigate risk for access to third-party sites ("federated authentication") because user passwords are not stored or managed externally
- Reduce password fatigue from different username and password combinations
- Reduce time spent re-entering passwords for the same identity
- Reduce IT costs due to a lower number of IT help desk calls about passwords
- Simpler administration. SSO-related tasks are performed transparently as part of normal maintenance, using the same tools that are used for other administrative tasks.
- Better administrative control. All network management information is stored in a single repository. This means that there is a single, authoritative listing of each user's rights and privileges. This allows the administrator to change a user's privileges and know that the results will propagate network-wide.
- Improved user productivity. Users are no longer bogged down by multiple logons, nor are they required to remember multiple passwords in order to access network resources. This is also a benefit to help desk personnel, who need to field fewer requests for forgotten passwords.
- Better network security. Eliminating multiple passwords also reduces a common source of security breaches: users writing down their passwords. Finally, because of the consolidation of network management information, the administrator can know with certainty that when a user's account is disabled, the account is fully disabled.
- Consolidation of heterogeneous networks. By joining disparate networks, administrative efforts can be consolidated, ensuring that administrative best practices and corporate security policies are being consistently enforced.

Criticism

The term reduced sign-on (RSO) has been used by some to reflect the fact that single sign-on is impractical in addressing the need for different levels of secure access in the enterprise, and as such more than one authentication server may be necessary.

As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle"), it increases the negative impact in case the credentials are available to other people and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.

Single sign-on also increases dependence on highly available authentication systems; a loss of their availability can result in denial of access to all systems unified under the SSO. SSO can be configured with session failover capabilities in order to maintain system operation. Nonetheless, the risk of system failure may make single sign-on undesirable for systems to which access must be guaranteed at all times, such as security or plant-floor systems.

Furthermore, the use of single-sign-on techniques utilizing social networking services such as Facebook may render third-party websites unusable within libraries, schools, or workplaces that block social media sites for productivity reasons. It can also cause difficulties in countries with active censorship regimes, such as China and its "Golden Shield Project", where the third-party website may not be actively censored, but is effectively blocked if a user's social login is blocked.

Security

In March 2012, a research paper reported an extensive study on the security of social login mechanisms. The authors found 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, Janrain, Freelancer, FarmVille, and Sears.com. Because the researchers informed ID providers and relying party websites prior to public announcement of the discovery of the flaws, the vulnerabilities were corrected, and there have been no security breaches reported.

In May 2014, a vulnerability named Covert Redirect was disclosed. It was first reported as "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID" by its discoverer Wang Jing, a mathematics PhD student at Nanyang Technological University, Singapore. In fact, almost all single sign-on protocols are affected. Covert Redirect takes advantage of third-party clients susceptible to an XSS or open redirect.

In December 2020, flaws in federated authentication systems were discovered to have been utilized by attackers during the 2020 United States federal government data breach.

Due to how single sign-on works (the browser sends a request to the logged-in website to get an SSO token and then presents that token to the logged-out website), the token travels in the request rather than in a cookie, so it cannot be protected with the HttpOnly cookie flag; it can therefore be stolen by an attacker if there is an XSS vulnerability on the logged-out website, enabling session hijacking. Another security issue is that if the session used for SSO is stolen (which, unlike the SSO token, can be protected with the HttpOnly cookie flag), the attacker can access all the websites that are using the SSO system.
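The Covert Redirect mechanism above, modelled end to end as an added example (not part of the original article and not the code of any identity provider): an authorization server that accepts any redirect_uri on the registered client's origin lets an attacker route the implicit-flow token through an open redirector on the legitimate client's site, and because browsers carry the URL fragment across a 3xx hop, the token lands on the attacker's host. Exact-match validation of a pre-registered redirect_uri stops it. The client id, hostnames, the /redirect endpoint and the token value are all constructed for illustration.

```python
"""Covert Redirect: loose redirect_uri validation + an open redirector on the
client's site + browser fragment preservation = access token leaked.
Added example; constructed client id, hosts and token, not any real IdP's code."""
from urllib.parse import parse_qs, urlsplit

# Constructed registration of one OAuth client at the authorization server.
REGISTERED_REDIRECTS = {"client-123": {"https://app.example.com/oauth/callback"}}


def loose_origin_match(client_id, redirect_uri):
    """Weak validator: any URI on the registered scheme+host is accepted."""
    req = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        reg = urlsplit(registered)
        if (req.scheme, req.netloc) == (reg.scheme, reg.netloc):
            return True
    return False


def exact_match(client_id, redirect_uri):
    """Hardened validator: absolute https URL, no fragment, byte-for-byte registered."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorization_response(redirect_uri, access_token):
    """Implicit-flow success response: the token is placed in the URL fragment."""
    return f"{redirect_uri}#access_token={access_token}&token_type=bearer"


def client_open_redirector(url):
    """Constructed model of the flaw on the client's own site: /redirect?url=X
    answers 302 with Location: X without validating X."""
    parts = urlsplit(url)
    if parts.netloc == "app.example.com" and parts.path == "/redirect":
        return parse_qs(parts.query).get("url", [None])[0]
    return None


def browser_follow(url, hops=0):
    """Browser behaviour Covert Redirect relies on: when a 3xx Location carries no
    fragment of its own, the fragment of the current URL is kept on the new URL."""
    target = client_open_redirector(url)
    if target is None or hops > 5:
        return url
    fragment = urlsplit(url).fragment
    if fragment and not urlsplit(target).fragment:
        target = f"{target}#{fragment}"
    return browser_follow(target, hops + 1)


def run_flow(validator, client_id, redirect_uri, access_token="tok-constructed"):
    """Returns (decision, host that finally received the response, token leaked?)."""
    if not validator(client_id, redirect_uri):
        return ("rejected", None, False)
    final = urlsplit(browser_follow(authorization_response(redirect_uri, access_token)))
    return ("issued", final.netloc, f"access_token={access_token}" in final.fragment)


ATTACK_URI = "https://app.example.com/redirect?url=https://evil.example/collect"
LEGIT_URI = "https://app.example.com/oauth/callback"

if __name__ == "__main__":
    for name, validator in (("loose", loose_origin_match), ("exact", exact_match)):
        print(name, run_flow(validator, "client-123", ATTACK_URI))
```

The open redirector is on the legitimate client's domain, which is exactly why origin-level matching is not enough: the authorization server has no way to know which paths on that host are safe, so the only robust rule is equality with a registered URI. The same model applies to the authorization-code flow whenever the redirector forwards the query string.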
Privacy

As originally implemented in Kerberos and SAML, single sign-on did not give users any choices about releasing their personal information to each new resource that the user visited. This worked well enough within a single enterprise, like MIT where Kerberos was invented, or major corporations where all of the resources were internal sites. However, as federated services like Active Directory Federation Services proliferated, the user's private information was sent out to affiliated sites not under control of the enterprise that collected the data from the user. Since privacy regulations are now tightening with legislation like the GDPR, newer methods like OpenID Connect have started to become more attractive; for example MIT, the originator of Kerberos, now supports OpenID Connect.

Email address

Single sign-on in theory can work without revealing identifying information such as email addresses to the relying party (credential consumer), but many credential providers do not allow users to configure what information is passed on to the credential consumer. As of 2019, Google and Facebook sign-in do not require users to share email addresses with the credential consumer. "Sign in with Apple", introduced in iOS 13, allows a user to request a unique relay email address each time the user signs up for a new service, thus reducing the likelihood of account linking by the credential consumer.

Common configurations

Kerberos-based

- Initial sign-on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT).
- Additional software applications requiring authentication, such as email clients, wikis, and revision-control systems, use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mail server, wiki server, etc. without prompting the user to re-enter credentials.

Windows environment: Windows login fetches the TGT. Active Directory-aware applications fetch service tickets, so the user is not prompted to re-authenticate.

Unix/Linux environment: Login via Kerberos PAM modules fetches the TGT. Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so the user is not prompted to re-authenticate.
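The Kerberos-based configuration above (one sign-on yields a TGT; the TGT, not the password, then buys a service ticket per application), as an added example that is not part of the original article and is not MIT Kerberos or any vendor's code. The realm EXAMPLE.ORG, the principals, the password and the ticket lifetimes are constructed; the sealing primitive is HMAC-SHA256 used as a PRF in counter mode with an HMAC tag (encrypt-then-MAC), standing in for Kerberos' AES encryption types, which the standard library does not provide.

```python
"""Kerberos-style SSO in miniature: one password prompt yields a ticket-granting
ticket (TGT); service tickets for mail, wiki and version control are then bought
with the TGT, and the password is never asked for again.
Added example, not MIT Kerberos or any vendor's code.  Realm, principals, passwords
and lifetimes are constructed.  Tickets are sealed with HMAC-SHA256 as a PRF in
counter mode plus an HMAC tag (encrypt-then-MAC), standing in for the AES enctypes."""
import hashlib, hmac, json, os, time


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password, principal):   # string-to-key: the long-term key, never stored as a password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _fresh(auth, client):               # authenticator names the ticket's client, within 5 minutes
    return auth["client"] == client and abs(auth["ts"] - time.time()) <= 300


class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) of one realm."""
    def __init__(self, realm):
        self.keys = {f"krbtgt/{realm}": os.urandom(32)}     # the KDC database
        self.tgs_key = self.keys[f"krbtgt/{realm}"]

    def register(self, principal, password):
        self.keys[principal] = derive_key(password, principal)

    def as_exchange(self, client):
        """AS-REQ/AS-REP: a TGT only the TGS can read, plus a session key for the client."""
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session.hex(), "exp": time.time() + 36000})
        return seal(self.keys[client], {"key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex, auth_hex, service):
        """TGS-REQ/TGS-REP: the TGT plus a fresh authenticator buys a service ticket."""
        tgt = unseal(self.tgs_key, bytes.fromhex(tgt_hex))
        session = bytes.fromhex(tgt["key"])
        if tgt["exp"] < time.time() or not _fresh(unseal(session, bytes.fromhex(auth_hex)), tgt["client"]):
            raise PermissionError("TGT expired or authenticator rejected")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "service": service,
                                           "key": svc_key.hex(), "exp": time.time() + 3600})
        return seal(session, {"ticket": ticket.hex(), "key": svc_key.hex()})


class Client:
    def __init__(self, principal, kdc):
        self.principal, self.kdc, self.password_prompts, self.cache = principal, kdc, 0, {}

    def login(self, password):
        """The one interactive sign-on; a wrong password cannot unseal the AS-REP."""
        self.password_prompts += 1
        rep = unseal(derive_key(password, self.principal), self.kdc.as_exchange(self.principal))
        self.tgt, self.tgt_key = rep["tgt"], bytes.fromhex(rep["key"])

    def ap_req(self, service):           # ticket + authenticator; the credential cache avoids repeat TGS trips
        if service not in self.cache:
            auth = seal(self.tgt_key, {"client": self.principal, "ts": time.time()}).hex()
            rep = unseal(self.tgt_key, self.kdc.tgs_exchange(self.tgt, auth, service))
            self.cache[service] = (rep["ticket"], bytes.fromhex(rep["key"]))
        ticket, key = self.cache[service]
        return ticket, seal(key, {"client": self.principal, "ts": time.time()}).hex()


class Service:
    def __init__(self, principal, kdc):
        self.principal, self.key = principal, kdc.keys[principal]   # its keytab entry

    def accept(self, ticket_hex, auth_hex):
        """AP-REQ check: ticket opens with our key, is for us and unexpired, authenticator fresh."""
        t = unseal(self.key, bytes.fromhex(ticket_hex))
        if t["service"] != self.principal or t["exp"] < time.time():
            raise PermissionError("ticket not valid for this service")
        if not _fresh(unseal(bytes.fromhex(t["key"]), bytes.fromhex(auth_hex)), t["client"]):
            raise PermissionError("authenticator rejected")
        return t["client"]


SERVICES = ("imap/mail.example.org", "HTTP/wiki.example.org", "svn/vcs.example.org")
PASSWORD = "correct horse battery staple"                    # constructed


def build_realm():
    kdc = KDC("EXAMPLE.ORG")
    kdc.register("alice", PASSWORD)
    for svc in SERVICES:
        kdc.register(svc, os.urandom(16).hex())              # service keys, as held in a keytab
    return kdc


def sso_demo():
    """Returns (password prompts the user saw, identity each service authenticated)."""
    kdc = build_realm()
    alice = Client("alice", kdc)
    alice.login(PASSWORD)
    return alice.password_prompts, [Service(s, kdc).accept(*alice.ap_req(s)) for s in SERVICES]
```

The two properties worth checking are that `password_prompts` stays at one across three services, and that a ticket sealed for the mail server is useless at the wiki server: the wiki's key fails the integrity check, so the service never sees the ticket's contents. Replacing the sealing with a real AEAD (e.g. AES-GCM from the cryptography package) changes nothing in the exchange.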
Smart-card-based

Initial sign-on prompts the user for the smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart-card-based single sign-on can either use certificates or passwords stored on the smart card.

Integrated Windows Authentication

Integrated Windows Authentication is a term associated with Microsoft products and refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is most commonly used to refer to the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer. Cross-platform Active Directory integration vendors have extended the Integrated Windows Authentication paradigm to Unix (including Mac) and Linux systems.

Security Assertion Markup Language

Security Assertion Markup Language (SAML) is an XML-based method for exchanging user security information between a SAML identity provider and a SAML service provider. SAML 2.0 supports W3C XML encryption and service-provider-initiated web browser single sign-on exchanges. A user wielding a user agent (usually a web browser) is called the subject in SAML-based single sign-on. The user requests a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the user, issues an authentication request to a SAML identity provider through the user agent. The identity provider is the one that provides the user credentials. The service provider trusts the user information from the identity provider to provide access to its services or resources.
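The service-provider side of the SP-initiated exchange just described, as an added example that is not part of the original article and not the code of any SAML library: the SP builds the AuthnRequest for the HTTP-Redirect binding, remembers its ID, and then checks the identity provider's Response (Destination, Status, Issuer, validity window, Audience, SubjectConfirmationData, InResponseTo) before trusting the NameID in it. Entity IDs, URLs, the NameID and the clock are constructed. XML-Signature verification must precede all of these checks and needs an XML-DSig library (xmlsec, signxml); it is represented here by the `signature_verified` flag the caller passes in.

```python
"""SP side of SAML 2.0 SP-initiated web browser SSO: AuthnRequest out, Response checked.
Added example; constructed entity IDs, URLs, NameID and clock; signature verification
is assumed done by an XML-DSig library and reported via signature_verified."""
import base64, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP = {"entity_id": "https://sp.example.com/metadata", "acs_url": "https://sp.example.com/saml/acs",
      "idp_entity_id": "https://idp.example.org/metadata", "idp_sso_url": "https://idp.example.org/sso"}
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)       # fixed clock for the demo


class SamlError(Exception): pass


def _ts(value):
    if not value:
        raise SamlError("missing timestamp attribute")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_authn_request(sp, outstanding, now):
    """Return (request_id, redirect_url); the ID is kept so the Response can be matched."""
    rid = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{rid}" '
           f'Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" Destination="{sp["idp_sso_url"]}" '
           f'AssertionConsumerServiceURL="{sp["acs_url"]}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{sp["entity_id"]}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)            # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    outstanding[rid] = now
    return rid, f'{sp["idp_sso_url"]}?SAMLRequest={quote(base64.b64encode(deflated).decode(), safe="")}'


def validate_response(xml_bytes, sp, outstanding, now, signature_verified):
    """Checks the IdP's signature alone does not give you; returns the NameID or raises."""
    if not signature_verified:
        raise SamlError("XML signature not verified")
    root = ET.fromstring(xml_bytes)                            # production: parse with defusedxml
    if root.tag != f'{{{NS["samlp"]}}}Response' or root.get("Destination") != sp["acs_url"]:
        raise SamlError("not a Response addressed to our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != sp["idp_entity_id"]:
            raise SamlError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise SamlError("assertion outside its validity window")
    if sp["entity_id"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"] or now >= _ts(scd.get("NotOnOrAfter")):
        raise SamlError("bad SubjectConfirmationData")
    rid = scd.get("InResponseTo")
    if rid != root.get("InResponseTo") or outstanding.pop(rid, None) is None:
        raise SamlError("InResponseTo matches no outstanding request (replay?)")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlError("no NameID")
    return name_id.text


def constructed_idp_response(sp, request_id, not_before, not_on_or_after, audience=None):
    """What a hypothetical IdP would POST to the ACS, minus the ds:Signature element."""
    audience = audience or sp["entity_id"]
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0"
    IssueInstant="{not_before}" Destination="{sp["acs_url"]}" InResponseTo="{request_id}">
  <saml:Issuer>{sp["idp_entity_id"]}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{sp["idp_entity_id"]}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{sp["acs_url"]}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''.encode()


def demo():
    """One round: request, valid Response accepted, the same Response replayed and refused."""
    outstanding = {}
    rid, _url = build_authn_request(SP, outstanding, NOW)
    resp = constructed_idp_response(SP, rid, "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z")
    user = validate_response(resp, SP, outstanding, NOW, signature_verified=True)
    try:
        validate_response(resp, SP, outstanding, NOW, signature_verified=True)
        return user, "replay accepted"
    except SamlError as err:
        return user, str(err)
```

The request ID is consumed only when a Response passes every check, so a second submission of the same Response is refused as a replay while a failed one does not burn the ID. Production code should additionally tolerate a small clock skew on the NotBefore/NotOnOrAfter comparisons and must run the signature check on the exact bytes it later parses, not on a re-serialised copy.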
Emerging configurations

Mobile devices as access credentials

A newer variation of single-sign-on authentication has been developed using mobile devices as access credentials. Users' mobile devices can be used to automatically log them onto multiple systems, such as building-access-control systems and computer systems, through the use of authentication methods which include OpenID Connect and SAML, in conjunction with an X.509 (ITU-T) cryptographic certificate used to identify the mobile device to an access server.

A mobile device is "something you have", as opposed to a password, which is "something you know", or biometrics (fingerprint, retinal scan, facial recognition, etc.), which is "something you are". Security experts recommend using at least two out of these three factors (multi-factor authentication) for best protection.

See also

- Account pre-hijacking
- Central Authentication Service
- Identity management
- Identity management systems
- List of single sign-on implementations
- Password manager
- Security Assertion Markup Language
- Usability of web authentication systems

References

- "What's the Difference b/w SSO (Single Sign On) & LDAP?". JumpCloud. 2019-05-14. Retrieved 2020-10-27.
- "SSO and LDAP Authentication". Authenticationworld.com. Archived from the original on 2014-05-23. Retrieved 2014-05-23.
- "OpenID versus Single-Sign-On Server". alleged.org.uk. 2007-08-13. Retrieved 2014-05-23.
- "OpenID Connect Provider - OpenID Connect Single Sign-On (SSO) - OIDC OAuth Authentication". OneLogin.
- "Single sign-on and federated authentication". kb.iu.edu.
- "Benefits of SSO". University of Guelph. Retrieved 2014-05-23.
- "Single Sign On Authentication". Authenticationworld.com. Archived from the original on 2014-03-15. Retrieved 2013-05-28.
- "Sun GlassFish Enterprise Server v2.1.1 High Availability Administration Guide". Oracle.com. Retrieved 2013-05-28.
- Laurenson, Lydia (3 May 2014). "The Censorship Effect". TechCrunch. Archived from the original on August 7, 2020. Retrieved 27 February 2015.
- Chester, Ken (12 August 2013). "Censorship, external authentication, and other social media lessons from China's Great Firewall". Tech in Asia. Archived from the original on March 26, 2014. Retrieved 9 March 2016.
- Wang, Rui; Chen, Shuo; Wang, XiaoFeng (2012). "Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services". 2012 IEEE Symposium on Security and Privacy. pp. 365–379. doi:10.1109/SP.2012.30. ISBN 978-1-4673-1244-8. S2CID 1679661.
- "OpenID: Vulnerability report, Data confusion". OpenID Foundation, March 14, 2012.
- "Facebook, Google Users Threatened by New Security Flaw". Tom's Guide. 2 May 2014. Retrieved 11 November 2014.
- "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID". Tetraph. 1 May 2014. Retrieved 10 November 2014.
- "Math student detects OAuth, OpenID security vulnerability". Tech Xplore. 3 May 2014. Retrieved 10 November 2014.
- "Facebook, Google Users Threatened by New Security Flaw". Yahoo. 2 May 2014. Retrieved 10 November 2014.
- "Covert Redirect Flaw in OAuth is Not the Next Heartbleed". Symantec. 3 May 2014. Retrieved 10 November 2014.
- "VMware Flaw a Vector in SolarWinds Breach?". Krebs on Security. 19 December 2020.
- Kovacs, Eduard (15 December 2020). "Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank". Security Week. Retrieved 19 December 2020.
- "What Is Session Hijacking?". 22 August 2019.
- "OpenID Connect Authorization". MIT IST.
- Goode, Lauren (2019-06-15). "App Makers Are Mixed on 'Sign In With Apple'". Wired. ISSN 1059-1028. Retrieved 2019-06-15.
- Armando, Alessandro; Carbone, Roberto; Compagna, Luca; Cuéllar, Jorge; Pellegrino, Giancarlo; Sorniotti, Alessandro (2013-03-01). "An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations". Computers & Security. 33: 41–58. doi:10.1016/j.cose.2012.08.007.
- "MicroStrategy's office of the future includes mobile identity and cybersecurity". The Washington Post. 2014-04-14. Retrieved 2014-03-30.

External links

- Single sign-on intro with diagrams

Categories: Password authentication, Federated identity, Computer access control

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
