Collaborate Disseminate
Cross-IdP impersonation – a technique that enables attackers to hijack the single sign-on (SSO) process to gain unauthorized access to downstream software-as-a-service (SaaS) applications without compromising a company’s primary identity pr… Continue reading Cross-IdP impersonation bypasses SSO protections
In this Help Net Security interview, Brian Pontarelli, CEO at FusionAuth, discusses the evolving authentication challenges posed by the rise of hybrid and remote workforces. He advocates for zero trust strategies, including MFA and behavioral biometric… Continue reading How hybrid workforces are reshaping authentication strategies
In this Help Net Security interview, Omer Cohen, Chief Security Officer at Descope, discusses the impact of identity federation on organizational security and user experience. He explains how this approach streamlines credential management and enhances… Continue reading Reducing credential complexity with identity federation
I am using Keycloak 25 to protect several web applications in our company (Open ID Connect). There is the "Remember me" option in Keycloak, which can be enabled for the entire realm.
Currently, I have this option disabled, which … Continue reading How secure is the "Remember me" feature in Keycloak?
Context
I’ve read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it’s not clear to me why.
The recommended approach seems to be using aud and sub claims … Continue reading What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
I am using Keycloak as OIDC provider for several web applications. I have approximately 50 users and 5 applications. Some applications contain sensitive data and are used only by the company managers. Other applications are not so critical… Continue reading Keycloak – SSO security best practices
When I was investigating how to add SSO to a local application to login to google drive, the standard approach seems to be to open a web view window, ask user to log in while also opening a localhost webserver which will be pinged with the… Continue reading How are you supposed to trust SSO popups in desktop and mobile applications?
GitHub patches a trio of security defects in the GitHub Enterprise Server product and recommends urgent patching for corporate users.
The post Critical Authentication Flaw Haunts GitHub Enterprise Server appeared first on SecurityWeek.
Continue reading Critical Authentication Flaw Haunts GitHub Enterprise Server
In this Help Net Security interview, David Cottingham, President at rf IDEAS, discusses the key benefits organizations can expect when implementing passkeys. Cottingham addresses the misconceptions surrounding the adoption of passkeys, particularly in … Continue reading How passkeys eliminate password management headaches
In GitHub’s Enterprise Cloud docs it says:
To use an SSH key with an organization that uses SAML single sign-on (SSO), you must first authorize the key.
I understand that organization admins could have the power to invalidate individual … Continue reading What’s the point of users having to authorize their SSH keys and tokens they created themselves when SAML single sign-on is enabled on GitHub?