38C3 Community Stages

OMG WTF SSO - A beginner's guide to SSO (mis)configuration
2024-12-30 , Stage HUFF
Language: English

A couple years ago I knew basically nothing about Single Sign-On but now I'm talking at 38c3 about it! Come find out how you too can go from beginner to the question-asker who protects your hackerspace/company/etc. from bad SSO implementations.


Single Sign-On (SSO) is sold as a way to
• centralize managing your organization’s users,
• make life easier for your colleagues, and
• enforce consistent security standards.
But SSO protocols are just ways for an identity provider to share information about an authenticated identity with another service. Me having a way to tell my vendor “yeah, that’s Bob” doesn’t tell me what the vendor does with this information, or if the vendor always asks me who’s coming in the door.
A bad SSO implementation can make you think you’re safer, while hiding all the new and fun things that have gone wrong.
To get the most out of implementing SSO, I need to know what I’m trying to accomplish and what steps I need to follow to get there. To illustrate why SSO needs to be set up carefully, for each of the things you need to do right, I’ll give you some fun examples of creative ways you and your vendor can do this wrong. We all learn from failure, right???
I’m sharing this info because this year I got deeply involved in the SSO setup for several vendors at work. It turns out that I’m good at asking weird questions, and it’s an extremely valuable thing to do. If you know how things should be, then you know where they could be broken, and you can ask your vendors (and your colleagues!) “weird questions” before an adversary does.

Question asker, tinkerer, hacker, language learner, I love being a beginner. There are no stupid questions, only mean answers.