Questions tagged [single-sign-on]

Single Sign On (SSO) is the process of authenticating once against a single system to gain access to multiple (often unrelated) systems.

SSO is not to be confused with shared authentication systems such as Facebook Connect or OpenID, which require you to enter the password for one account once on each site where you use it in order to gain access.

49 questions

111 votes, 7 answers

What is the difference between Federated Login and Single Sign On?

What is the difference between Federated Login and Single Sign On authentication methods?
c card

39 votes, 2 answers

How do universities and schools securely sync passwords between multiple services?

I'm a student, and it seems every school or university I have been to has one password that you set for your user account for logging in to university services, which is also then synced to external services the university uses, such as Blackboard,…
darkniss

6 votes, 3 answers

Should I disable TLS 1.0 and TLS 1.1 support on my web servers?

Currently, my web server supports TLS 1.0, TLS 1.1 and TLS 1.2. One of our single sign-on clients will move to TLS 1.2 on 1st April 2020. Can I remove TLS 1.0 and TLS 1.1 now? Or do I need to wait till this client moves to TLS 1.2, and only then can we…
Avery Lam

6 votes, 2 answers

Is there any security difference between login via iFrame, Pop-up, or redirect?

There seem to be a number of techniques to authenticate a person on the web. Most commonly there are: JavaScript pop-ups (Google, Firefox Persona, Disqus, etc.), HTTP redirects (OAuth, Facebook), and iframes with sandboxing set as needed. Question: Is…
makerofthings7

5 votes, 0 answers

Poor Man's OAuth Grant - Review

A 3rd party company has requested that we implement single sign-on with them using the below approach. I'm familiar with OAuth grants and OIDC flows but this seems rather odd to me. The user has already logged into my application when this flow…
fml

5 votes, 1 answer

Is the idea of Single Sign-On (SSO) a flawed concept without Two-Factor Authentication (2FA)?

Before this gets flagged as a duplicate, I'm not asking a question about the disadvantages of single sign-on, I'm asking if the initial concept is flawed to begin with without enforcing two-factor authentication. Let me explain what I mean: 1. The…
Hawkeye

5 votes, 2 answers

Is "sign in with Facebook", "sign in with Google", etc. bad for security?

Is "sign in with Facebook", "sign in with Google", etc. bad for security? A hacker only needs to compromise your Facebook/Google/Yahoo/etc. account, and they'll have access to all of your other accounts that are connected to your Google or Facebook…
clickbait

4 votes, 0 answers

What are appropriate measures to only allow logins from a given trusted OpenID-Provider?

I have a bunch of applications where users need to log in. Not everyone can be a user; each user has to be approved by an admin. The authentication should be an SSO solution, where user accounts are created and managed in a central…
Jost

4 votes, 2 answers

Examples of Federated Identity Management, Third Party Identity Services and Single Sign-On

I am studying the domain of Identity and Access Management in CISSP, and I came across the three terms Federated Identity Management (FIM), Third Party Identity Services (3PIS) and Single Sign-On (SSO). After some reading, including What is the…

4 votes, 2 answers

Encrypting data and SSO

I provide a service in which users can store data, files, etc. in an encrypted form. The service that I have built has two applications for the user's password with which they log in to my service: 1) authentication and 2) the password is used as the…

4 votes, 1 answer

How can I be sure if a webview in a desktop app shows the real web page?

When installing Postman (on Mac), you can log on using your Google account. For this, the logon view from Google is shown in a window (a kind of WebView, I assume). How can I be sure this is the real thing and the developers did not just build an…
Wim Deblauwe

4 votes, 3 answers

How does Single Sign On limit phishing risk?

I was reading this article about SSO benefits and this sentence intrigues me: Can reduce phishing – Phishing, a fraudulent process where victims are tricked into giving away sensitive user information, increasing security for you and your…
storm

2 votes, 0 answers

Low-resolution account enumeration with Office365

I am interested in the intersection of account enumeration and single sign-on. Often, there will be SSO-only and non-SSO users alongside each other in an application, and in terms of improved usability the SSO users will need to be redirected to…
Spongeboy

2 votes, 1 answer

How does the browser know the Windows logged-in user ID or Kerberos TGT?

My organization uses SSO for its applications, i.e. once a user logs into his Windows 10 workstation, he accesses his web applications without logging in. I was informed that the web applications use NetIQ Identity Manager (IdP) and Kerberos in the…

2 votes, 1 answer

Is providing authentication data for other web applications insecure?

I started to work at a company whose software engineers tried to reinvent everything. They did not use (or know) industry standards, and for authentication they use their custom solution. Their "solution" seems very insecure to me, but I cannot…
Ahmet Arslan