Abstract

Single Sign-On (SSO) is a mechanism that lets users access multiple services after a single authentication with an Identity Provider (IdP). OpenID Connect (OIDC), an authentication layer built on the OAuth 2.0 authorization framework, is widely deployed in Internet-based environments and has become the de facto standard for SSO. Because of its favorable usability and security, SSO is widely used by online authentication services. Nevertheless, the technology poses a serious risk when an IdP account is compromised: an attacker who hijacks the IdP account can access and control every Internet-based service associated with the victim's account. Furthermore, SSO technology does not provide efficient mechanisms to notify the relying services that the centralized IdP account has been compromised, or to revoke access from all services that share a login session with it. A mechanism that protects user accounts and revokes access in the case of a hijacked IdP account is therefore mandatory. In this paper, we discuss the authentication and authorization process of SSO, the OIDC protocol, and the IdP account compromise threat. We then perform a comparative analysis of four OIDC mechanisms that can serve as authentication revocation solutions for SSO systems: OIDC Session Management, OIDC Front-Channel Logout, OIDC Back-Channel Logout, and Single Sign-Off.

Keywords: Single sign-on; OpenID Connect; Access revocation; OIDC session management; OIDC back-channel logout; OIDC front-channel logout; Single sign-off
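The relying-party side of one of the four mechanisms named above, OIDC Back-Channel Logout, as an added example that is not code from the paper: the IdP posts a signed logout token to the service, and the service must validate it (signature, iss, aud, iat, the events claim, sub or sid, and the absence of nonce) before tearing down the matching local sessions. To run offline the token is HS256-signed with a shared key, which is an assumption for this example; a real IdP publishes an asymmetric key via its JWKS endpoint and the RP verifies RS256/ES256 against it. The issuer, client id, session list and key below are constructed sample values.

```python
"""RP-side validation of an OIDC Back-Channel Logout token (added example,
not the paper's code). HS256 with a shared key is used only so it runs offline."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Event type that the Back-Channel Logout spec requires as a key in "events".
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 logout token; plays the IdP's role in this example."""
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_logout_token(token: str, key: bytes, issuer: str, client_id: str,
                        now: Optional[float] = None, max_age: int = 300) -> dict:
    """Return validated claims or raise ValueError; mirrors the RP checks the spec lists."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat missing or outside acceptable window")
    if not claims.get("jti"):
        raise ValueError("jti missing")  # jti is what a replay cache keys on
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("not a back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("need sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce forbidden")  # prevents an ID token from being replayed as a logout
    return claims


def revoke_sessions(sessions: list, claims: dict) -> tuple:
    """Drop sessions named by the token: the one sid if given, else every session of sub.
    Returns (remaining_sessions, revoked_count)."""
    if "sid" in claims:
        keep = [s for s in sessions if s["sid"] != claims["sid"]]
    else:
        keep = [s for s in sessions if s["sub"] != claims["sub"]]
    return keep, len(sessions) - len(keep)


# Constructed sample data for the example (assumed values, not real deployments).
KEY = b"shared-secret-for-example-only"
ISSUER = "https://idp.example"
CLIENT_ID = "rp-app"
NOW = 1_700_000_000
SESSIONS = [
    {"sub": "user-123", "sid": "sess-1"},
    {"sub": "user-123", "sid": "sess-2"},
    {"sub": "user-999", "sid": "sess-3"},
]


def handle_logout(token: str, sessions: list = SESSIONS, now: float = NOW) -> tuple:
    """What the RP's back-channel logout endpoint does with one POSTed token."""
    claims = verify_logout_token(token, KEY, ISSUER, CLIENT_ID, now=now)
    return revoke_sessions(sessions, claims)


GOOD_TOKEN = sign_logout_token({
    "iss": ISSUER, "aud": CLIENT_ID, "iat": NOW - 5, "jti": "evt-1",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}}, "sub": "user-123", "sid": "sess-1",
}, KEY)

if __name__ == "__main__":
    remaining, revoked = handle_logout(GOOD_TOKEN)
    print(f"revoked {revoked} session(s); {len(remaining)} remain")
```

A token carrying only sub revokes every session of that user at the RP, which is the behaviour wanted after an IdP account takeover; a token carrying sid revokes just the one IdP session. Persisting seen jti values for the acceptance window is what stops a captured logout token from being replayed to log a user out at will.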
