Collaborate Disseminate
CVE-2020-27838 describes that Keycloak has an open endpoint where it’s possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{client_id}
Through other discussions, … Continue reading Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
I’m working on configuring my suite of services (in different domains) so that they can all be accessed via Single Sign-On. I’m using AWS Cognito as a wrapper around a SAML Idp (Azure AD).
What I would like to figure out is: how can I make… Continue reading OAuth2 System Design for Single Sign-On | Auto-Detect Session?
As technology adoption has shifted to be employee-led, IT and security teams are contending with an ever-expanding SaaS attack surface. At the same time, they are often spread thin, meaning they need ways to quickly identify and prioritize the highest-… Continue reading Product showcase: How to track SaaS security best practices with Nudge Security
A new phishing campaign is using fake Okta single sign-on (SSO) pages for the Federal Communications Commission (FCC) and for various cryptocurrency platforms to target users and employees, Lookout researchers have discovered. The phishing campaign By … Continue reading Phishers target FCC, crypto holders via fake Okta SSO pages
I have an application that retrieves and publishes information in an API with GET and UPDATE methods. And this application is under the umbrella of a SSO federated environment.
How would it be possible to get access to this API passing the… Continue reading Access API using SSO with saml2 [closed]
In this Help Net Security interview, Phil Vachon, Head of Infrastructure in the Office of the CTO at Bloomberg, discusses the varying definitions of zero trust among security professionals and companies, emphasizing its broad design philosophy. Vachon … Continue reading Understanding zero-trust design philosophy and principles
We are integrating our application with SSO using Entra ID App Registrations and configuring OIDC.
When our application receives the ID token from Microsoft Entra, the iap and exp values seem invalid. This has been occurring for a few mon… Continue reading Entra ID issuing expired ID Tokens
I have a requirement to extend a quality assurance process in the customers CRM system so that when the user enters some data he or she is prompted to a screen with username and password and the already logged in user is again verified. Yo… Continue reading Verify user credentials via SAML (E-Signature)
I recently started using the Brave browser for a little more privacy.
However, I still don’t understand much about the risks surrounding SSO and cookies.
As an example, I am logged in to YouTube.com with my Google account. As an example, i… Continue reading What are the risks of SSO and logins in general in relation to privacy?
Of the 239 vulnerabilities, 33% (79 out of 239) were associated with authentication, authorization and access control (AAA) — foundational pillars of API security, according to Wallarm. Prioritizing AAA principles Open authentication (OAuth), single-si… Continue reading The new imperative in API security strategy