An international research team consisting of Tommaso Innocenti, Louis Jannett, Christian Mainka, Vladislav Mladenov and Engin Kirda has published the paper “Only as Strong as the Weakest Link: On the Security of Brokered Single Sign-On on the Web” and revealed critical vulnerabilities in Single Sign-On login procedures. The paper has been accepted for presentation at the IEEE Symposium on Security and Privacy 2025 in San Francisco, which will take place May 12-15, 2025.
What is Single Sign-On (SSO)?
Single Sign-On (SSO) is an authentication method that allows users to log in to different websites with just one login and password. Instead of having to register and remember a password for each service individually, the user logs in once and can then use several websites that accept this login. Well-known providers of such SSO services, so-called Identity Providers (IdPs), are large corporations such as Google, Apple and Facebook, which offer users the option of logging in to third-party websites via their accounts.
Brokered SSO: A New Level in the Authentication Process
In traditional SSO systems, there are three players: the user, the website and the Identity Provider (e.g. Google). The user initiates the login on the website, which then forwards it to the IdP, which handles the authentication and sends the login data back to the website.
In recent years, however, another approach has become established: Brokered SSO. Here, an additional actor, the so-called broker, is added to the process. This broker mediates between the website and the IdP and enables websites to access different IdPs. A broker can thus support several IdPs at the same time and simplifies the connection for website operators, as they only need one interface to the broker and do not have to maintain each IdP integration separately. Well-known brokers include Auth0 and Amazon Cognito.
Security Risks and Discovered Vulnerabilities
While Brokered SSO simplifies integration, it comes with significant security risks, as the research team has uncovered. As the broker is another actor between the IdP and the website, it becomes a potential weak point in the chain. The paper shows that brokered SSO is vulnerable to attacks in many cases, especially if the broker does not sufficiently secure the redirects. The researchers discovered several types of vulnerabilities:
- Redirect Vulnerabilities: The broker can cause incorrect redirects. An attacker could, for example, insert manipulated requests into the login process and thereby access sensitive data.
- Insufficient Access Rights: In some cases, the researchers were able to show that brokers gained access to user data without sufficient authorization. As a result, an attacker can gain unauthorized access to user accounts and data through the broker.
- Security Protocols and Practices: The team found that many brokers disregard security policies, leading to additional attack opportunities.
The research team investigated over 50 brokers and found critical vulnerabilities that jeopardize the security of logins to over 2,000 websites. These results show that the growing use of SSO services improves user-friendliness but at the same time places high demands on security.