Questions tagged [federation]

48 questions
111 votes, 7 answers

What is the difference between Federated Login and Single Sign On?

What is the difference between Federated Login and Single Sign On authentication methods?
c card
45 votes, 5 answers

What are the downsides of BrowserID/Persona compared to OpenID/OAuth/Facebook?

Mozilla went live with a new service called BrowserID/Persona (announcement, background). It is intended to replace current single-sign-on solutions such as OpenID, OAuth and Facebook. One advantage is that a future integration into the browsers…
Hendrik Brummermann
40 votes, 2 answers

Role Based Authorization vs. Claim Based Authorization

What is the difference between "role based authorization" and "claim based authorization"? Under which circumstances would it be appropriate to implement each of these authorization models?
user960567
23 votes, 4 answers

How does using OpenID affect webapp security?

Using OpenID for authenticating users grows in popularity and, in fact, makes a webapp easier to use. But what are the security considerations one should bear in mind when deciding whether to implement an OpenID or not? Is it suitable for any kind…
rem
21 votes, 3 answers

What are the main advantages and disadvantages of WebID compared to BrowserID?

What are the main advantages and disadvantages of WebID compared to BrowserID? This question is inspired by this answer, which got a number of upvotes despite being very vague on the topic of that question. WebID is basically a fancy name for SSL…
Hendrik Brummermann
21 votes, 3 answers

Isn't OpenID with HTTP an issue?

Many OpenID-enabled sites default to HTTP identifiers, even if the OpenID provider supports HTTPS (such as myopenid.com). Does this pose a threat besides the identity being exposed? The second step of the OpenID authentication includes a verification…
Hendrik Brummermann
19 votes, 2 answers

Essential things to think about before outsourcing authentication with OpenID, OAuth, or SAML

It's clear that there is no consistent set of features among any of the popular authentication providers. Below is an attempt to aggregate the similarities and differences I've noticed, but I would appreciate your advice on what additional…
makerofthings7
16 votes, 4 answers

Are malicious relying parties able to abuse OpenID logins?

If I log on with OpenID to a website (crafted by attackers/hackers), I want to know how much damage they can do to me. Are they able to steal my contact info, name, etc. (assuming I'm using Gmail OpenID)?
Pacerier
12 votes, 1 answer

What encryption prevents the tampering of Windows Identity Foundation (WIF) FedAuth cookies?

It occurred to me that the WIF FedAuth cookies contain identity information that, if tampered with, could permit someone to assume the identity of another user. Fortunately, WIF does cryptographically authenticate the message, but I don't…
makerofthings7
12 votes, 2 answers

How does OpenID implement single sign-on?

I'm wondering which security model is behind OpenID. Is it anything like Kerberos?
user705414
9 votes, 2 answers

Storing third-party auth info securely

Suppose there's a multi-user web application that requires access to the user's mailbox (on a third-party service, like Gmail, etc.). This access needs to be persistent, which means we'd have to store the user's password, which creates a vulnerability point -…
StasM
9 votes, 1 answer

What were the specific security flaws with OAuth 1.0? How are they being addressed in 2.0?

I read an article documenting Twitter abruptly pulling its OAuth support back in April 2009. The article said it wouldn't specify the hole for security reasons, but mentioned "social engineering" is involved. I'm guessing that the hole is that a…
7 votes, 2 answers

How to safely store bearer tokens on server?

Imagine you're running a service that implements an OAuth 2.0 flow to allow your end users to log into 3rd party apps, and authorize those apps to consume your service's data through some API. Upon successfully authenticating a 3rd party app through…
derabbink
7 votes, 2 answers

What is the exact difference between SAMLp and WS-Trust?

They seem to be similar on the surface, but I'm not sure how deep the differences are. Can someone explain to me the difference between SAMLp and WS-Trust? ADFSv2 gives me a choice between these options and I'm not sure which to choose.
makerofthings7
7 votes, 2 answers

How does external authentication work?

For example, I can log in to stackexchange websites by logging in to external websites such as OpenID, Yahoo, etc. How does this work? How do the websites (SE and Yahoo!, for example) communicate? How does Yahoo! know that it's really stackexchange?…
Fitri