Single Sign-on System Research Articles

Implementasi Single Sign-On Menggunakan Protokol Openid Connect (OIDC) Pada Virtual Private Server (VPS)

Single Sign-On (SSO) is an authentication method that allows users to access multiple website services using one account and one login process. OpenID Connect (OIDC) is a protocol based on OAuth 2.0 and provides user identity information through JWT (JSON Web Token) tokens. Virtual Private Server (VPS) is a service that can be configured according to user needs. Internet users have many accounts needed to access various online services such as email, social media, online shopping, and many more. Each online service usually has a different username and password. Users often find it difficult to remember each password needed. In addition, using the same password on each online service is also not recommended because it can increase security risks. Based on this problem, an SSO system is needed that is useful for helping users in logging in. The SSO system will be tested with two Dummy Students and Dummy Elearning clients using Black Box Testing with the Equivalence Partitioning technique. From the test results, it was obtained that the SSO system showed that 83% of the test scenarios were successfully carried out

An Implementation of a Web-based Application with Personalized Learning Path and Seamless Single Sign-On for Self-paced Learning

<p>Abstract—Innovation is what enables humans to thrive.<br />History will repeat itself without innovation, and humanity’s<br />history is far from ideal. One thing humans do have is the choice<br />of a bright future. It is up to us, the future leaders, to earn and<br />achieve this future. This is why education is so important.<br />Education brings more innovations and wisdom to the world. As<br />prospective leaders, it is a must to do whatever it takes to make<br />education more accessible, enjoyable, exciting, and engaging,<br />allowing students to feel the joy of learning as we do. Our<br />research explores methods for the system design of an e-learning<br />platform, focusing on integrating personalized learning path<br />management and the seamless Single Sign-On authentication<br />system. This paper contributes to the advancement of the field<br />of educational technology by proposing a solution aimed at<br />revolutionizing the learning experience. By proposing<br />personalized learning paths and the integration of a seamless<br />Single Sign-On (SSO) system, this paper addresses the critical<br />challenges surrounding conventional educational approaches</p>

Attribute-based Single Sign-On: Secure, Private, and Efficient

A Single Sign-On (SSO) system allows users to access different remote services while authenticating only once. SSO can greatly improve the usability and security of online activities by dispensing with the need to securely remember or store tens or hundreds of authentication secrets. On the downside, today's SSO providers can track users' online behavior, and collect personal data that service providers want to see asserted before letting a user access their resources. In this work, we propose a new policy-based Single Sign-On service, i.e., a system that produces access tokens that are conditioned on the user's attributes fulfilling a specified policy. Our solution is based on multi-party computation and threshold cryptography, and generates access tokens of standardized format. The central idea is to distribute the role of the SSO provider among several entities, in order to shield user attributes and access patterns from each individual entity. We provide a formal security model and analysis in the Universal Composability framework, against proactive adversaries. Our implementation and benchmarking show the practicality of our system for many real-world use cases.

Single Sign On Using Keycloak Integrated Public Key Infrastructure for User Authentication In Indonesia’s Electronic Based Government System

The government in carrying out its function as a public administration servant is regulated in law of the Republic of Indonesia number 25/2009 on public services. In this regulated about electronic government (e-government), many individuals use various web applications that require users to authenticate themselves to access each application. Many entities require various web- based applications for operational activities. This makes centralized access management for web-based applications very much needed. Currently, access management is often implemented using Single Sign On (SSO) with password authentication method. Security considerations arise against the use of passwords. This is because passwords have a vulnerability to brute forcing using a password list, and human nature often uses repeated or uncomplicated passwords. There is an alternative authentication method, namely Mutual TLS which utilizes Public Key Infrastructure (PKI). Users authenticate with X.509 digital certificates, so the authentication factor becomes something you have. This research aims to implement an integrated PKI SSO system and RBAC access automation. The approach of this project is research, design, implementation, and testing. The entire system is built with open-source software and implemented on a cloud infrastructure. The system has three subsystems, namely registration, login and RBAC access automation. All subsystems are tested according to the specified flow. The test results show that the registration subsystem has been successfully carried out as evidenced by the success of filling in personal data, approval flow, and downloading of certificates. The login subsystem was also successfully implemented, as evidenced by the existence of mTLS authentication with certificate validation. In testing the RBAC access automation subsystem, it is shown that the script created can perform access checks and access remediation if needed.

Implementasi Single Sign-On Menggunakan Google Identity, REST dan OAuth 2.0 Berbasis Scrum

Single Sign-On (SSO) is a technology that can support user convenience in accessing a system. By using SSO, a user only needs to authenticate once to get access to a system. OAuth 2.0 is one of the protocols that can be implemented on the SSO system. Currently, many Application Service Providers (ASP) support the OAuth 2.0 protocol thus providing convenience in the development of a more standard SSO system. Google Identity is one of the services provided by Google that can be used to build SSO systems using the OAuth 2.0 protocol. Application of the request and response methods provided by the protocol specification OAuth 2.0 and Representational State Transfer (REST) architecture of the system implementation can also make SSO systems more secure. In its implementation, the use of an agile system development methodology with the Scrum framework is used to increase speed and flexibility. The results of this research show that the use of Google Identity, REST, and OAuth 2.0 can provide easy user access, guarantee access validity, accelerate client-server data exchange and simplify the SSO implementation process.

EL PASSO: Efficient and Lightweight Privacy-preserving Single Sign On

Abstract Anonymous credentials are a solid foundation for privacy-preserving Single Sign-On (SSO). They enable unlinkable authentication across domains and allow users to prove their identity without revealing more than necessary. Unfortunately, anonymous credentials schemes remain difficult to use and complex to deploy. They require installation and use of complex software at the user side, suffer from poor performance, and do not support security features that are now common, such as two-factor authentication, secret recovery, or support for multiple devices. In contrast, Open ID Connect (OIDC), the de facto standard for SSO is widely deployed and used despite its lack of concern for users’ privacy. We present EL PASSO, a privacy-preserving SSO system based on anonymous credentials that does not trade security for usability, and can be incrementally deployed at scale alongside Open ID Connect with no significant changes to end-user operations. EL PASSO client-side operations leverage a WebAssembly module that can be downloaded on the fly and cached by users’ browsers, requiring no prior software installation or specific hardware. We develop automated procedures for managing cryptographic material, supporting multi-device support, secret recovery, and privacy-preserving two-factor authentication using only the built-in features of common Web browsers. Our implementation using PS Signatures achieves 39x to 180x lower computational cost than previous anonymous credentials schemes, similar or lower sign-on latency than Open ID Connect and is amenable for use on mobile devices.

The Authentication Landscape in 2019: One Does Not Simply Walk into Order

ABSTRACT Over the last decade, access authentication has rapidly evolved. An overview of various e-resource access management types, including Internet Protocol (IP) authentication, referring and embedded URLS, barcode patterns, and user accounts with publishers, shows that though IP authentication has dominated the authentication landscape, it creates many security problems and does not offer a pleasant user experience. The standardization of single sign-on solutions as formulated by the National Information Standards Organization’s (NISO) initiative, Resource Access for the 21st Century (RA21), and continued by the Seamless Access Coalition since June 2019, seeks to improve both the discovery experience and security protocols. Two case studies, one from the University of North Carolina, Charlotte and the other from Eastern Carolina University, explore the benefits, pitfalls, and practical realities of moving from an IP authentication system, EZproxy, to a single sign-on system, OpenAthens.

Business Process Analysis and Academic Information System Audit of Helpdesk Application using Genetic Algorithms a Process Mining Approach

The purpose of making an Academic Information System is to support the process of academic activities effectively and efficiently. Telkom University is an institution that already has an Academic Information System called Integrated Academic Information System or I-Gracias. I-Gracias uses a single sign-on system which means one user for all applications. The Helpdesk application is one application that supports this institution. The Helpdesk application has 4 categories of complaints, namely Serial Number License, Website / Subdomain, Academic I-Gracias, and Non-Academic I-Gracias. With the various complaints categories in the Helpdesk application, Helpdesk application actually promises time with the same service standards, its 3 days for a maximum by filling in the same format in each category. The time is considered not enough to describe the process of handling the services of the Helpdesk application. Therefore, to find out the student activities in the Helpdesk application, a modeling process is carried out to find activities that have the longest time. To find out the time of each activity by the user, an audit process is to find out activities that have the longest time by the process mining approach to obtain modeling. Identification of the modeling process using process mining approach by utilizing the event log on i-Gracias. This modeling process uses a genetic algorithm because it is considered capable of making business process modeling accurately. After obtaining a process model, an audit is carried out by analyzing the bottleneck for each activity. The results show that the resulting process model is good with fitness values, precision and structure are 0.9994142, 0.7653061 and 1 respectively. Modeling in performance analysis shows the bottleneck in two activities, Input Ticket and See Ticket Progress. Bottlenecks show that business processes in the Helpdesk application has problems in resolving complaints through academic information systems.

A Longitudinal Study of Unauthorized Access Attempts on Information Systems: The Role of Opportunity Contexts

This study investigates employee behavior of unauthorized access attempts on information systems (IS) applications in a financial institution and examines how opportunity contexts facilitate such behavior. By contextualizing multilevel criminal opportunity theory, we develop a model that considers both employee- and department-level opportunity contexts. At the employee level, we hypothesize that the scope and data value of the applications that an employee has legitimately accessed, together with the time when and location where the employee initiates access, affect the likelihood of the employee making unauthorized access attempts. At the department level, we hypothesize that department size moderates the impact of employee-level contextual variables on the likelihood of an employee making unauthorized attempts. To test these hypotheses, we collected six months of access log data from an enterprise single sign-on system of a financial institution. We find the hypothesized main effects of all employee-level contextual variables and department size are supported. In addition, department size reinforces the effects of data value, off-hour access, off-site access, and their interaction term, except for that of scope, on the outcome variable. Robustness analyses indicate that the proposed model does not align with those employees who might not know the systems well enough or who might make honest mistakes. We also discuss the theoretical and practical implications of the study.

1st INCF Workshop on Cyberinfrastructure for Neuroinformatics

The goal of a global computational infrastructure for neuroscience is becoming increasingly important as data sharing and integration grows in importance and data sets and analysis grow in scale and complexity. The scale of the problem makes it intractable to solve at once, and smaller scale solutions have appeared to address subsets of the problem in subdomains of neuroscience. This makes any effort to reach an integrative solution more important; indeed, it is vital that we address this now to align and coordinate efforts. The purpose of this workshop was to discuss high-level requirements and technical needs for a global neuroinformatics infrastructure and to set down a road map for its implementation. Although an agenda was proposed for initial structure to the workshop, it provided only loose guidance in which ideas could flow freely: high-level requirements were discussed both in general and in the context of the Digital Atlasing Program’s efforts, and existing solutions to the general problem (iRODS, dCACHE, EUDAT) were presented. It was agreed to move ahead with an infrastructure for data publication and sharing that supports searching and discovery, working across institutions and subfields. User authentication and authorization must be supported, preferably using a single sign-on system. Ultimately it should be as easy to use as a user’s familiar personal machine, and support existing solutions (databases and infrastructures). While the system is distributed as much as possible, the INCF can provide technical coordination. The proposed road map for actual development is broken into two parts: building the foundation of the system and iteratively building functionality on top of that. Setting up the foundation will require securing node resources, ensuring connections between nodes, and setting up management systems, including testing and monitoring environments. Once this is in place, a basic services stack will be built on top of the basic infrastructure to support cataloging, discovery, analysis, automatic metadata extraction, and visualization, and use cases will be developed to validate the system, and maintenance will be addressed, including monitoring, auditing, governance model.

ANALISA KECEPATAN TRANSFER DATA PADA PERANCAGAN HOTSPOT SEDERHANA DENGAN SYSTEM SINGLE SIGN-ON DI PERKANTORAN

Permasalahan perkantoran dalam pemanfatan teknologi wireless telah banyak digunakan namun terkadang tanpa memperhitungkan besar dan banyaknya user sehingga tidak mangkus. Untuk penggunaan perkantoran kecil dapat digunakan sistem jaringan wireless sederhana. Sebagian besar kantor telah menerapkan layanan hotspot tetapi layanan hotspot yang diterapkan dengan system lama yaitu penggunaan satu account untuk semua orang yang mengakses jaringan internet kantor. Single sign-on adalah sistem layanan hotspot yang menerapkan satu account untuk satu user, masing-masing user mendapatkan username dan password yang berbeda. Metode yang digunakan pada penelitian ini adalah studi pustaka, analisa kebutuhan, perancangan, implementasi, pengujian dan analisa kecepatan transfer data. Pembuatan layanan hotspot dengan sistem single sign-on dibutuhkan mikrotik , dan access point yang terhubung dengan perangkat jaringan yang terdpat pada kantor. Konfigurasi dilakukan dengan menggunakan aplikasi winbox. Perancangan system dilanjutkan dengan dilakukan pengujian dengan analisa terhadap kecepatan transfer data (throughput) terhadap upload data menggunakan tools wireshark. Hasil yang didapatkan dari penelitan ini adalah layanan hotspot dengan system single sign-on dan diketahui kecepatan transfer data jenis file word lebih besar dibandingkan tipe file PDF dan PPT.
 Kata kunci : hotspot, mikrotik, throughput, dan single sign-on.

Analisa Kecepatan Transfer Data Pada Perancangan Hotspot Sederhana Dengan System Single Sign On Di Perkantoran

The problems office in the utilization of wireless technology has widely used but sometimes without take into the number of users, so it is not mangkus. The networking system for small office can be use wireless simple system. Most of the office has applied hotspot but that is old system, one account for all people using internet access. Single sign-on is a system services of hotspot, this system verifying an account for each user so people have different and username dan a password. The methodology used is literature review, analysis, design, implementation, testing and analysis of the data transfer rate. The hotspot with a single sign-on system using mikrotik, and access point, the connected with networking devices in the office. Winbox tools is used to configuration. Testing with the user had been connected to the hotspot system single sign on. Methods of test to user login on the system single sign-on is the black box texting. Testing the speed of data transfer is used staff user and guest user who uploaded three types of files to the drive with diffrent bandwidth. Then the network sniffing is used tools wireshark. The results from this study is simple hotspot service with single sign-on system for office and from the analysis of the data transfer rate was known the data transfer rate on the staff user and guest user to the three types of file is a type of word files greater than PDF and PPT.

Identity Authentication Research and Design in Single Sign-on System

The core problem of the single sign-on (SSO) is a identity authentication problem between different systems. Early single sign-on system way of solving this problem is to use static password login, Static password uses trival and security is not high. The article on enterprise portal puts forward the design scheme of the dynamic password authentication in the unified information platform among each system, This paper presents the design schemes of client for the single sign on system, achieves the unified login problem of different accounts and password of the different systems, and realizes the coordination and unification of the system in dynamic session management mechanism.

A privacy-enhanced access log management mechanism in SSO systems from nominative signatures

In online services, a service provider (SP) manages access logs containing customers' buying histories. Therefore, user's information is revealed from the exposed logs if each customer can be linked. In fact, such information exposure has occurred due to the popularisation of online services. To cope with this problem, SPs may only have to delete access logs, but then no illegitimate users will be traced from the logs. In this paper, we propose a log management mechanism of solving problems. Specifically, we consider single sign on (SSO) systems, since plural access logs might be connected by one account. We construct our privacy-enhanced access log management mechanism based on the Wang-Wang-Susilo SSO system (TrustCom, 2013) which applies the Schuldt-Hanaoka nominative signature scheme (ACNS, 2011). Finally, we estimte the efficiency of the proposed system, computation time is at most just over 80 milliseconds on a PC, which seems sufficiently practical.

Implementation of a single sign-on system between practice, research and learning systems.

Multiple specialized electronic medical systems are utilized in the health enterprise. Each of these systems has their own user management, authentication and authorization process, which makes it a complex web for navigation and use without a coherent process workflow. Users often have to remember multiple passwords, login/logout between systems that disrupt their clinical workflow. Challenges exist in managing permissions for various cadres of health care providers. This case report describes our experience of implementing a single sign-on system, used between an electronic medical records system and a learning management system at a large academic institution with an informatics department responsible for student education and a medical school affiliated with a hospital system caring for patients and conducting research. At our institution, we use OpenMRS for research registry tracking of interventional radiology patients as well as to provide access to medical records to students studying health informatics. To provide authentication across different users of the system with different permissions, we developed a Central Authentication Service (CAS) module for OpenMRS, released under the Mozilla Public License and deployed it for single sign-on across the academic enterprise. The module has been in implementation since August 2015 to present, and we assessed usability of the registry and education system before and after implementation of the CAS module. 54 students and 3 researchers were interviewed. The module authenticates users with appropriate privileges in the medical records system, providing secure access with minimal disruption to their workflow. No passwords requests were sent and users reported ease of use, with streamlined workflow. The project demonstrates that enterprise-wide single sign-on systems should be used in healthcare to reduce complexity like "password hell", improve usability and user navigation. We plan to extend this to work with other systems used in the health care enterprise.

Lowering the barriers for online cross-media usage: Scenarios for a Belgian single sign-on solution

The digitization has led to an ecosystem in which an online media portal has become an essential extension of traditional media and users are enabled to consume news and entertainment via different platforms. These evolutions pose some challenges for the media companies in terms of shifting business models, but they also bring them new possibilities in managing their relations with users. An important first step here is to identify the online users and turn anonymous users into registered ones. Today, however, there is a myriad of logins and passwords one needs when surfing the web, which can make the management of these logins a challenge for users. The Belgian media industry seeks to deal with this challenge by introducing a collaborative nation-wide single sign-on (SSO) system across their digital platforms, called Media ID. This paper provides four scenarios describing the potential outcomes in terms of user adoption and hence market potential of the integration of a SSO service into a regional media system. The scenarios are built upon focus group interviews with media users and in-depth interviews with the stakeholders from the involved media companies. They describe to what extent the innovative service can influence user’s online media consumption behaviour but also to what extent the media companies can implement it, two factors that mutually shape each other. In the discussion of the scenarios, requirements to ensure the broad applicability of a SSO service by both media users and media organizations are identified.

ANALISIS DAN IMPLEMENTASI MIKROTIK ROUTER BOARD RB450G UNTUK MANAJEMEN JARINGAN (STUDI KASUS : BADAN PENGKAJIAN DAN PENERAPAN TEKNOLOGI SUB BALAI BESAR TEKNOLOGI ENERGI (B2TE-BPPT) SERPONG)

The importance of a management of the network in B2TE and optimize use of existing network devices. During this time, the network system that is running can’t be managed properly. There are still problems, especially related to topology, traffic network system, bandwidth, access rights, and the login process. On the basis of these, carried out an analysis and implementation of development using Network Development Live Cycle (NDLC) with activity analysis, design, prototype simulation, implementation, monitoring, and management. Development method is applied to solve problems that occur. Data collection methods used are the methods of observation and interviews with the B2TE and do a similar study. To resolve issues related to topology, topology implemented using the router board. For traffic network system, load balancing system implemented by the method of Per Connection Classifier (PCC). Queue tree with Hierarcial Token Bucket (HTB) method and Per Connection Queue (PCQ) and hotspot system is applied to solve problems related to bandwidth and permissions. Single sign-on system (SSO) with Open LDAP and RADIUS functioned to minimize the use of username and password during the login process. From the test results of the implemented system, the selection router board it is appropriate to handle the problem topology. Load balancing with the PCC method, queue tree with HTB and PCQ methods and systems hotspot capable of answering traffic problems on the issue of network systems, bandwidth, and permissions. While the system SSO is capable of handling problems login process. For further development, it is expected that the system has been running for bandwidth management rule can be added to separate the local and international bandwidth. Then, for security, made ​​the policy in terms of access to the IP address and port. In terms of permissions, can be applied to the scheduling of access to certain sites. For the development of SSO, can be applied SSO system that can access multiple applications. DOI: 10.15408/ess.v4i1.1960

Single Sign-On Research and Expansion Based On CAS

With the new application systems integrated with existing systems, many problems have arisen, such as system integration difficultly and audit function loss. Hence, Single Sign-on has become an important solution for popular enter- prise business integration at present. According to the research and exploration of SSO system which is based on Yale- CAS authentication protocol, this paper introduced the integration of application systems using user-mapping with making the least amount of modifications. In addition, this paper has provided a complete security audit function for the single sign-on system, so a more comprehensive system security can be provided.

Logout in single sign-on systems: Problems and solutions

Web single sign-on (SSO) systems enable users to authenticate themselves to multiple online services with one authentication credential and mechanism offered by an identity provider. The topic is widely studied and many solutions exist. However, logging out of a service using SSO has received less attention. While previous studies note that users want single logout when using SSO, most of the existing services do not offer it, and the identity providers do not even keep track of the open sessions. This article describes challenges related to logout in federated identity management and analyzes unexpected behavior in logout situations. The examples are from the Shibboleth SSO system. Based on the analysis, we give guidelines for implementing reliable logout and describe a polling-based solution for creating a system-wide logout mechanisms that only requires minor changes to the existing code and does not burden the identity provider excessively. In addition to the system-wide logout, our solution gives users the option to log out of only one service. A usability test was conducted to evaluate the solution. The results show that the users liked the ability to choose between the two logout options, but they did not understand the words used to describe them. Another observation was that a majority of the users do not log out of the services at all; they just close the browser window, which should be taken into account in the design of web SSO systems.

A Secure Dynamic Identity based Single Sign-On Authentication Protocol

In the current Internet world, most of the Internet services are based on the single server model and use the password identity authentication to provide application service for the users, this means that the user must enter the identity and password, before his/her wants to login in the application service server. It is extremely hard for user to remember the different ID and password, so the single sign-on (SSO) system has been proposed to solve this problem. There many Authentication protocol proposed for the SSO system. In this paper, we first introduced the SSO system and expounded the importance of the authentication protocol in the SSO system. Then we researched on some authentication protocols which can be used in the SSO system, but there are some serious secure problems in their schemes. So we propose a secure dynamic identify based Single Sign-On authentication protocol using smart card. Our protocol can resist several kinds of attacks, such as replay attack, impersonation attack, stolen smart card attack, leak-of-verifier attack and can provide user's anonymity. In our proposed protocol, it removes the aforementioned weaknesses of their protocols and only uses the one-way hash functions and XOR operations which make the protocol very effectively. Index Terms—Single sign-on, Authentication, Dynamic identity, Smart card, Password