SoK: Single Sign-On Security — An Evaluation of OpenID Connect

Christian Mainka, Vladislav Mladenov, Jörg Schwenk, Tobias Wich
2017 IEEE European Symposium on Security and Privacy (EuroS&P)
OpenID Connect is the OAuth 2.0-based replacement for OpenID 2.0 (OpenID) and one of the most important Single Sign-On (SSO) protocols used for delegated authentication. It is used by companies like Amazon, Google, Microsoft, and PayPal. In this paper, we systematically analyze well-known attacks on SSO protocols and adapt these on OpenID Connect. Additionally, we introduce two novel attacks on OpenID Connect, Identity Provider Confusion and Malicious Endpoints Attack, abusing flaws in the current…
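The Identity Provider Confusion attack named in the abstract is the OpenID Connect form of the OAuth 2.0 mix-up problem that the IETF mix-up mitigation draft listed among the references addresses: a relying party that starts a login at one provider but accepts an authorization response that actually came from another will redeem the resulting code (or trust the resulting ID token) at the wrong provider. The Python below is an added example, not code from the paper or from any implementation it evaluates; the issuer URLs, token endpoints, client identifier, session store and the simulated responses are all constructed for illustration. It binds each `state` to the issuer the login was started with and, as the draft proposes, refuses a response whose `iss` parameter (and, where an ID token is present, its `iss` and `aud` claims) does not match that issuer.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed provider metadata for this example: issuer -> token endpoint.
PROVIDERS = {
    "https://honest.example": "https://honest.example/token",
    "https://attacker.example": "https://attacker.example/token",
}


class MixUpRejected(Exception):
    """The authorization response does not belong to the issuer this login was started with."""


@dataclass
class RelyingParty:
    client_id: str
    check_issuer: bool = True                    # False reproduces the vulnerable client
    pending: dict = field(default_factory=dict)  # state -> issuer the flow was started with

    def start_login(self, issuer: str) -> str:
        """Create a fresh state value and bind it to the issuer the user selected."""
        if issuer not in PROVIDERS:
            raise ValueError(f"unknown issuer {issuer}")
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def token_endpoint_for_callback(self, params: dict, id_token_claims: Optional[dict] = None) -> str:
        """Validate the authorization response; return the token endpoint the code may be sent to."""
        expected_iss = self.pending.pop(params.get("state"), None)
        if expected_iss is None:
            raise MixUpRejected("unknown or replayed state")
        if self.check_issuer:
            # Mix-up mitigation: the response must name the issuer we started the flow with.
            iss = params.get("iss")
            if iss != expected_iss:
                raise MixUpRejected(f"started with {expected_iss}, response claims {iss!r}")
            if "client_id" in params and params["client_id"] != self.client_id:
                raise MixUpRejected("response was issued to a different client")
            if id_token_claims is not None:
                # Hybrid/implicit flows: the ID token must agree with the bound issuer and be for us.
                if id_token_claims.get("iss") != expected_iss:
                    raise MixUpRejected("ID token issuer does not match the bound issuer")
                aud = id_token_claims.get("aud")
                if aud != self.client_id and not (isinstance(aud, list) and self.client_id in aud):
                    raise MixUpRejected("ID token audience does not include this client")
        return PROVIDERS[expected_iss]


def run_login(check_issuer: bool, started_with: str, responding_issuer: str) -> str:
    """Simulate one login and return the token endpoint the relying party would redeem the code at.

    In the mix-up case the user started the flow at the attacker's provider, which forwarded the
    browser (carrying the relying party's own state) to the honest provider; the honest provider
    then answers the relying party's redirect URI with a genuine code.
    """
    rp = RelyingParty(client_id="rp-client", check_issuer=check_issuer)
    state = rp.start_login(started_with)
    # Constructed authorization response as the honest or attacker provider would send it.
    response = {"code": "code-from-" + responding_issuer, "state": state, "iss": responding_issuer}
    return rp.token_endpoint_for_callback(response)
```

With `check_issuer=False` the client looks up the state, finds the attacker's issuer, and hands the honest provider's code to `https://attacker.example/token`; with the check enabled the same response is refused, while a login that started and finished at the honest provider still succeeds. The check is deliberately strict: a provider that does not yet send `iss` in its authorization response is rejected as well, which is the safe default for a client that is registered at more than one provider.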
8 Citations
34 References
Publications referenced by this paper.
Showing 1-10 of 34 references

Yuchen Zhou and David Evans. Automated testing of web applications for single sign-on vulnerabilities. USENIX Security Symposium, 2014. (Highly influential)

M. Jones and J. Bradley. OAuth 2.0 Mix-Up Mitigation. IETF Internet-Draft, January 2016. (Highly influential)

Scott Cantor and Rod Widdowson. Identity Provider Discovery Service Protocol and Profile. OASIS SSTC, March 2008. URL: download.php/28049/sstc-saml-idp-discovery-cs-01 (Highly influential)

Dominic Scheirlinck and Scott Geary. CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110. 2016.
