Show simple item record

| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | Knapskog, Svein Johan | nb_NO |
| dc.contributor.advisor | Øie, Øystein Sekse | nb_NO |
| dc.contributor.advisor | Tesdal, Nils | nb_NO |
| dc.contributor.author | Grimstad, Jo | nb_NO |
| dc.date.accessioned | 2014-12-19T14:13:56Z | |
| dc.date.available | 2014-12-19T14:13:56Z | |
| dc.date.created | 2010-10-14 | nb_NO |
| dc.date.issued | 2010 | nb_NO |
| dc.identifier | 356956 | nb_NO |
| dc.identifier | ntnudaim:5355 | nb_NO |
| dc.identifier.uri | http://hdl.handle.net/11250/262345 | |
| dc.description.abstract | Single Sign-On (SSO) is a solution where the authentication process is taken care of once by a third-party Web site rather than at each of the Web sites providing services to their users. This new way of separating user identities from the service-providing Web sites leads to different security requirements. As an approach towards assessing the security of Web applications utilizing SSO, this thesis investigates the concepts and functionality of OpenID, a decentralized authentication protocol. The assessment addresses vulnerabilities and threats related to SSO, using real Web applications as examples. Development of an OpenID-enabled Web application is a part of the security assessment. The thesis includes experimenting with various OpenID-enabled Web sites and Identity Providers (IdPs), and observing how they are affected by different kinds of Web security threats. The results of the thesis show how security weaknesses were discovered at two major IdPs by performing Clickjacking attacks. Also, the thesis outlines some attacks that are threatening the concept of SSO in general. | nb_NO |
| dc.language | eng | nb_NO |
| dc.publisher | Institutt for telematikk | nb_NO |
| dc.subject | ntnudaim:5355 | no_NO |
| dc.subject | SIE7 communication technology | no_NO |
| dc.subject | Telematics | no_NO |
| dc.title | Security in Single Sign-On Web Applications: An Assessment of the Security in and Between Web Applications Sharing a Common Single Sign-On User Session | nb_NO |
| dc.type | Master thesis | nb_NO |
| dc.source.pagenumber | 110 | nb_NO |
| dc.contributor.department | Norges teknisk-naturvitenskapelige universitet, Fakultet for informasjonsteknologi, matematikk og elektroteknikk, Institutt for telematikk | nb_NO |

