New MJS Article: Extending a Legacy Platform - Providing a Minimalistic, Secure Single-Sign-On-Library

by Bernhard Göschlberger and Sebastian Göttfert

Despite decades of security research and authentication standards, there is still a vast number of systems with custom solutions and embedded user databases. Such systems are typically hard to integrate securely with others. We analysed an existing system of an organisation with approximately 12,000 sensitive user data records and uncovered severe vulnerabilities in their approach. We developed a minimal, secure single sign-on solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy-to-use Service Provider library. Therefore, this organisation is now able to integrate arbitrary web-based systems. Moreover, others can follow the proposed approach and tailor similar solutions at low cost.
This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“, edited by Stefan Schumacher and René Pfeiffer.

The article can be found in the Archive.