Collaborate Disseminate
I have implemented a Single-Sign-On infrastructure where I own both the OIDC provider and the clients(RPs).
My question is about the single-logout mechanism. at the moment when a user requests a logout from one of the clients, the client f… Continue reading client-initiated single logout
Up first, go check your machines for the rsync version, and your servers for an exposed rsync instance. While there are some security fixes for clients in release 3.4.0, the …read more Continue reading This Week in Security: Rsync, SSO, and Pentesting Mushrooms
I’m member of an association that uses Microsoft Office 365. I’m not an administrator.
Now I’m creating a small web application and this is hosted totally independent of our association (diffent hosting, different domain name).
The intenti… Continue reading Integrate Office365 login but allow only users from one specific organisation [migrated]
A website prompts me to log in to my Microsoft Account. In order to perform my task, it requires me to enter that password.
How does the "average user" avoid giving all their login details to a malicious website? What would you… Continue reading A website asks you to enter a Microsoft/Google/Facebook password. How do you know it is safe?
Cross-IdP impersonation – a technique that enables attackers to hijack the single sign-on (SSO) process to gain unauthorized access to downstream software-as-a-service (SaaS) applications without compromising a company’s primary identity pr… Continue reading Cross-IdP impersonation bypasses SSO protections
In this Help Net Security interview, Brian Pontarelli, CEO at FusionAuth, discusses the evolving authentication challenges posed by the rise of hybrid and remote workforces. He advocates for zero trust strategies, including MFA and behavioral biometric… Continue reading How hybrid workforces are reshaping authentication strategies
In this Help Net Security interview, Omer Cohen, Chief Security Officer at Descope, discusses the impact of identity federation on organizational security and user experience. He explains how this approach streamlines credential management and enhances… Continue reading Reducing credential complexity with identity federation
I am using Keycloak 25 to protect several web applications in our company (Open ID Connect). There is the "Remember me" option in Keycloak, which can be enabled for the entire realm.
Currently, I have this option disabled, which … Continue reading How secure is the "Remember me" feature in Keycloak?
Context
I’ve read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it’s not clear to me why.
The recommended approach seems to be using aud and sub claims … Continue reading What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
I am using Keycloak as OIDC provider for several web applications. I have approximately 50 users and 5 applications. Some applications contain sensitive data and are used only by the company managers. Other applications are not so critical… Continue reading Keycloak – SSO security best practices