Collaborate Disseminate
So it’s unclear how much more security needs to happen at the ACS point.
I can see that the IDP signs a signature that involves a certificate and private key.
The SP can verify the signature with the copy of the certificate it holds. Is th… Continue reading SSO SAML2: validating/verifying the SAMLResponse at the ACS
The requirement: have a user, existing in an IDP, be automatically authenticated on a Resource server. IDP app can then provide web view for resource server user.
OAuth 2.0 Approach:
IDP nudges resource server saying they want a user to b… Continue reading OAuth 2.0: programmatically authenticate Resource Server user after Authorization Code grant
Very simply we have a ton of websites at our company behind SSO.
I am having a hard time figuring out what security issues there are if we open cross-site sharing between these sites but wanted to get a broader view. This is really a res… Continue reading Are there security issues around controlled cross site sharing behind SSO?
I have three domains but the same code base (Domain X, Domain Y, Domain Z) and
Accounts website A
If a user tries to sign in accounts from domain X, I wanted to SSO in the other two domains (Browser Scenario: third party cookies blocked)…. Continue reading Cookie set from a server to a client with different domain(via XHR), but not recognized by Client domain
Is normal that a web site which uses OpenID as SSO sends all the cookie without samesite header?
Is this required in order to make OpenID work correctly?
I run an instance of a log aggregation product in the cloud, installed on a VM. I’ve strictly configured it’s networking settings, internal firewall, internal port redirection, strong admin password, valid HTTPS certificate, etc. The web i… Continue reading Verifying the security of SAML SSO
So, I know how public-private key encryption works. I understand how/why certificates are required. I understand how a SSO flow (IdP initiated) works. But, I do not understand how the three of them happen together. I am confused about what… Continue reading How does encryption, certificates in an end to end SSO flow?
I’m in need of an authentication & authorization service that can manage our app’s pool of users. I stumbled upon Keycloak and have been checking it for the past few days, but I’m wondering why Keycloak doesn’t provide an API for a cli… Continue reading Why doesn’t Keycloak allow user sign-up and sign-in through a client?
i have used SSO for many years and never experience this behavior.
Using URL https://example.html i have successfully passed authentication through Single SignOn page.
Clicked on logout link, which redirects me to custom.aspx page where a… Continue reading SSO logout / logon unusual behavior [closed]
I work for a company where we give customer (hundreds/thousands of users) access to 2 sites. One owned by a 3rd party SaaS and one owned by us. Customers spend alot of time registering for both sites and we also spend alot of time removing… Continue reading OAuth2, SAML, OpenID connect – Which one to use for my scenario?