"Securing SSO Authentication: Strategies to eliminate vulnerabilities", Oleh Oliushkevych.pdf
fwdays
31 slides
Jul 20, 2024
About This Presentation
We love developing applications, but sometimes we overlook critical security aspects, especially in authentication. This oversight can lead to serious consequences. In this session, we'll explore the vulnerabilities that arise when authentication methods are weak, particularly in large-scale applications. We'll highlight the importance of Single Sign-On (SSO) authentication in modern development, and explain how SSO components interact with each other, including Identity Providers (IdP) and Service Providers (SP). We'll compare standards like SAML, OpenID, and OAuth, and demonstrate practical implementation on .NET using third-party solutions for seamless integration. Understanding SAML request/response formats and decoding tools will be key. We'll also discuss real-world SAML configuration errors and vulnerabilities, and share best practices for securing SSO configurations, drawing on trusted sources like OWASP for guidance.
Size: 3.02 MB
Language: en
Slide Content
Agenda
The importance of secure authentication
Understanding SSO Authentication
Implementation of the SSO flow on .NET
SAML request/response
SAML configuration errors & vulnerabilities
Authentication vs. Authorization
Authentication: Who are you?
  Identity verification: confirms user identity
  Credential-based: uses passwords, biometrics, tokens
  Initial step: precedes authorization
Authorization: What are you allowed to do?
  Access control: manages resource permissions
  Permission-based: depends on roles, policies, access lists
  Post-authentication: follows identity verification
Why is the security of authentication methods so important?
Financial loss:
Sony PlayStation Network hack in 2011 resulted in a loss of $171 million
Cause: exploitation of weak network security and lack of two-factor authentication (2FA)
Reputation damage:
Target data breach in 2013 led to the compromise of personal and credit card information of approximately 40 million customers
Cause: compromised 3rd-party credentials
Legal consequences:
Uber data breach in 2017 led to lawsuits from affected users and shareholders seeking damages for privacy violations
Cause: lack of robust authentication mechanisms for access controls
Current types of authentication
Password-based authentication
  Pros: familiar to users, easy to implement
  Cons: vulnerable to password-related attacks
Multi-factor authentication (MFA), one-time password (OTP)
  Pros: additional layers of verification
  Cons: may increase user actions
Single Sign-On (SSO)
  Pros: reduces password fatigue
  Cons: central point of failure
Single Sign-On (SSO)
SSO: a centralized authentication method allowing users to access multiple applications with one set of credentials.
Benefits:
Enhanced user experience
Improved security
Simplified management
Compatibility
Scalability and flexibility
But what's the difference between SSO and OAuth?
SSO focuses on authentication, allowing users to log in once and access multiple applications.
OAuth focuses on authorization, enabling third-party applications to access user data stored on other services.
How does it work?
Common SSO protocols/standards
SAML (Security Assertion Markup Language)
XML-based protocol used for exchanging authentication and authorization data between parties, particularly between an Identity Provider (IdP) and a Service Provider (SP)
OIDC (OpenID Connect)
Authentication layer built on top of OAuth 2.0, allowing clients to verify user identity using JSON Web Tokens (JWT). Users can log in to multiple sites (Relying Parties) using a third-party service (Identity Provider, IdP)
SAML
SAML is an XML-based framework used for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP)
Role: facilitates secure and efficient SSO implementations in web applications; it is a widely adopted standard for enterprise applications
Let's elaborate on SAML
Integration into web app
Setup
Configure the Identity Provider (IdP) and Service Providers (SPs)
Define trust relationships between IdP and SPs
Implementation
Use SAML libraries and tools to integrate with web app
Ensure secure transmission and validation of SAML assertions
Implementation of the SAML SSO flow on .NET
Is there a built-in solution in .NET for handling SAML?
.NET Framework and .NET Core do not include built-in SAML handling libraries.
Direct support for SAML protocols is not integrated into the core .NET libraries.
For now: open-source libraries for SAML SSO handling
Sustainsys.Saml2
A popular open-source library for implementing SAML2 authentication in ASP.NET applications, compatible with both .NET Framework and .NET Core
Sustainsys/Saml2
ITfoxtec Identity SAML2
An open-source SAML2 library designed to be simple and flexible, compatible with both .NET Framework and .NET Core
ITfoxtec.Identity.Saml2
Commercial libraries for SSO handling
ComponentSpace SAML*
The most popular library providing full SAML 2.0 support for .NET applications
Complete SAML 2.0 implementation: covers all aspects of SAML authentication and authorization.
Extensive examples: sample code and detailed guides for easy integration.
Enterprise support: offers commercial support and services
*Price starts from $190/year
Integration using ComponentSpace: initiating the SP SSO flow
Integration using ComponentSpace: handling the SAML response
SSO login SAML Request
ID: Unique identifier for the request
Version: SAML version (typically "2.0")
IssueInstant: Timestamp indicating when the request was issued
Destination: URL of the IdP where the request is sent
AssertionConsumerServiceURL: URL where the IdP should send the SAML response
Issuer: Identifies the entity that generated the request (SP)
SSO login SAML Response
InResponseTo: ID of the corresponding authentication request
Status: Indicates the success or failure of the authentication request
StatusCode: Primary status code (e.g., Success, Requester, Responder)
Assertion: Contains the actual authentication statement
Signature: contains the digital signature information ensuring SAML assertion integrity
SignatureMethod: algorithm used for creating the signature
Reference URI: points to the ID of the signed data
DigestValue: the digest (hash) of the signed data, to ensure its integrity
SignatureValue: the actual digital signature value (base64)
KeyInfo: information about the key used for signing
X509Certificate: the actual certificate data (base64)
Subject: includes the user identifier
NameID: user's unique identifier
SubjectConfirmation: information to confirm the subject
Conditions: defines the validity period and restrictions
AudienceRestriction: limits the assertion's audience
AttributeStatement: contains user attributes
AuthnStatement: authentication information (timestamp, session)
AuthnContextClassRef: authentication method used (password, 2FA, etc.)
Debugging SAML req/res
SAML Message Decoder (Chrome Web Store)
This tool helps you to debug your SAML-based SSO/SLO implementations. It runs in the background, collecting SAML messages as they are sent and received by the browser.
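As an added example (Python, not from the slides and not ComponentSpace code), the following applies the HTTP-Redirect binding to a constructed AuthnRequest (raw DEFLATE, then base64, the transformation a browser-side SAML decoder reverses) and extracts the request fields listed above. The SP and IdP hosts are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Namespaces of the SAML 2.0 protocol and assertion schemas
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest for illustration; the SP and IdP hosts are placeholders, not real tenants.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_req-0001" Version="2.0" IssueInstant="2024-07-20T10:00:00Z"
  Destination="https://idp.example.test/sso"
  AssertionConsumerServiceURL="https://sp.example.test/saml/acs">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the ?SAMLRequest= value before URL-encoding)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    return base64.b64encode(compressor.compress(xml_text.encode()) + compressor.flush()).decode()


def decode_redirect(param: str) -> str:
    """Reverse of encode_redirect: what a browser-side SAML decoder shows you."""
    return zlib.decompress(base64.b64decode(param), -15).decode()


def summarize_request(xml_text: str) -> dict:
    """Extract the AuthnRequest fields listed in the slides (ID, Version, IssueInstant, ...)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest: %s" % root.tag)
    fields = ("ID", "Version", "IssueInstant", "Destination", "AssertionConsumerServiceURL")
    summary = {name: root.get(name) for name in fields}
    summary["Issuer"] = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return summary


if __name__ == "__main__":
    param = encode_redirect(AUTHN_REQUEST)
    print("SAMLRequest=" + param[:40] + "...")
    for key, value in summarize_request(decode_redirect(param)).items():
        print(f"{key}: {value}")
```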
SAML configuration. Errors and vulnerabilities
Poor SAML configuration example
Disabled validation of signatures on the SP side
Disabled encryption of assertion data
Lesson learned:
Always verify the signature of SAML assertions against the IdP's public key and use encryption for SAML assertion data.
Attackers can impersonate users and gain access to sensitive data and services.
See: "On Breaking SAML: Be Whoever You Want to Be" (USENIX Security 2012).
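Added example (Python, not from the slides): the checks an SP must run on a SAML Response before trusting it, covering the InResponseTo, Status, Destination, Issuer, Signature Reference, Conditions and AudienceRestriction fields described in the response walkthrough above, and catching the "disabled signature validation" misconfiguration just discussed. The response, entity IDs and the dummy SignatureValue are constructed; cryptographic verification of the signature against the IdP certificate is assumed to be done by an XML-DSig library and is not implemented here.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed SAML Response for illustration: hosts are placeholders and SignatureValue is a dummy.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp-1" InResponseTo="_req-0001" Destination="https://sp.example.test/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2024-07-20T10:00:05Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-07-20T10:00:00Z" NotOnOrAfter="2024-07-20T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):  # SAML timestamps are UTC xs:dateTime values with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, sp_entity_id, acs_url, idp_entity_id, request_id, now_utc):
    """Return the failed checks (empty list = acceptable). Cryptographic verification of
    SignatureValue against the IdP certificate is delegated to an XML-DSig library."""
    root = ET.fromstring(xml_text)
    failures = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        failures.append("StatusCode is not Success")
    if root.get("InResponseTo") != request_id:
        failures.append("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        failures.append("Destination is not this SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["Response carries no Assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != idp_entity_id:
        failures.append("Assertion Issuer is not the trusted IdP")
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        failures.append("Assertion is unsigned or its signature Reference does not cover it")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter"))):
        failures.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    audiences = [a.text.strip() for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        failures.append("AudienceRestriction does not include this SP")
    return failures
```

Any non-empty result means the response must be rejected; a replayed response (stale InResponseTo), an expired assertion, or an assertion whose ID is not the one the signature Reference covers are all reported.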
Best practices for secure SAML SSO configuration
Implement Robust Signature Validation
always validate SAML signatures using the IdP's public key
Use Strong Certificates
use strong cryptographic algorithms, securely manage and store private keys
Encrypt SAML Assertion Data
encrypt SAML assertions using strong encryption algorithms (e.g., AES-256)
ensure both the IdP and SP support and enforce encryption
Stay updated
On trusted sources:
OWASP SAML Security Cheat Sheet
OWASP Top 10
SANS Institute
NIST (National Institute of Standards and Technology)
CERT (Computer Emergency Response Team)
On up-to-date versions of libraries, frameworks and the OS
Summary
Always use secure authentication methods: make sure your application uses strong and safe ways for users to log in
Keep the balance of security and UX: protecting your application is important, but it should also be easy for users to access and use
Follow best practices for secure configuration: configure your application using industry best practices to enhance security. Regularly review and update your security settings to stay ahead of potential threats