Microsoft’s Study on Social Single Sign-On Protocols

March 27th, 2012 / Product and Technology

Several of our customers have asked whether Microsoft’s recent report on single sign-on flaws should make them worry about single sign-on in general.

Microsoft’s research paper focuses on the single sign-on protocols Facebook Connect, OpenID and Google ID. These are all social single sign-on systems whose primary objective is to provide convenience to the user rather than very strong security. As an example, when Facebook Connect was first announced, it was positioned as an easy way for third-party sites to tap into Facebook’s social graph. Once you are signed into Facebook, sites like Yelp can use your active Facebook session to extract your name and photo, as well as make it easy to post your own reviews on your Facebook wall.

Social single sign-on solves a different problem than enterprise single sign-on, which is designed with security as the number one priority. Security Assertion Markup Language (SAML) is the standards-based enterprise single sign-on protocol used by leading SaaS applications like Google Apps, Salesforce and WebEx. SAML relies on digital signatures to ensure message integrity and authentication. OneLogin’s SAML implementation uses 2,048-bit keys, which are considered to be impossible to break with the processing power available today and well into the future.

It can be hard for most people to grasp just how strong a 2,048-bit key is, so here is a video that visualizes how long it would take to crack a 2,048-bit key using a modern desktop computer.

    http://www.digicert.com/TimeTravel

If you want to understand the math behind the video, check out the details here.

    http://www.digicert.com/TimeTravel/math.htm

The math itself behind SAML is very strong, and when vulnerabilities in enterprise single sign-on are found, they are related to a vendor’s implementation of the protocol and how it is integrated with the rest of their service. For example, a vendor may allow users to sign in with a password even when SAML is turned on, which could be viewed as a way of circumventing the multi-factor authentication enforced by the identity provider.
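To make the password-fallback point concrete, here is an added illustration (not OneLogin’s code) of a service provider’s login gate: the weak setting that leaves a password path open beside SAML is shown next to the hardened one, and a small audit pass finds logins that went around the identity provider. The policy fields, the `LoginAttempt` shape and the sample attempts are all assumed for the example.

```python
from dataclasses import dataclass

@dataclass
class OrgPolicy:
    saml_enabled: bool
    # Hypothetical vendor setting: True keeps a password login path open even
    # though SAML is turned on, which is the bypass the post describes.
    allow_password_when_saml: bool

@dataclass
class LoginAttempt:
    user: str
    method: str                    # "password" or "saml"
    assertion_valid: bool = False  # result of the SP's signature/conditions check

def authorize(policy: OrgPolicy, attempt: LoginAttempt):
    """Decide whether the service provider accepts this login.
    Returns (allowed, reason)."""
    if attempt.method == "saml":
        # Only a signed, valid assertion from the IdP gets through.
        return (attempt.assertion_valid,
                "saml assertion" if attempt.assertion_valid else "invalid assertion")
    if attempt.method == "password":
        if not policy.saml_enabled:
            return True, "password (SAML not enabled for this org)"
        if policy.allow_password_when_saml:
            # Weak: the IdP (and any MFA it enforces) is never consulted.
            return True, "password fallback (bypasses IdP MFA)"
        return False, "password login disabled: SAML is enforced"
    return False, "unknown method"

def audit_bypasses(policy: OrgPolicy, attempts):
    """Detection helper: users who signed in with a password while SAML was
    enabled for the org. A hardened policy should yield an empty list."""
    return [a.user for a in attempts
            if a.method == "password" and policy.saml_enabled
            and authorize(policy, a)[0]]

# Constructed sample: the weak configuration next to the corrected one.
WEAK = OrgPolicy(saml_enabled=True, allow_password_when_saml=True)
HARDENED = OrgPolicy(saml_enabled=True, allow_password_when_saml=False)
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "password"),
    LoginAttempt("bob", "saml", assertion_valid=True),
    LoginAttempt("carol", "saml", assertion_valid=False),
]
```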

About the Author

Thomas Pedersen, founder and CEO of OneLogin, has more than 15 years of experience in building and selling carrier-grade billing systems for phone companies, initially at Cisco-backed Digiquant in Denmark and later at Intec Telecom Systems in the US. After having helped Zendesk grow to 5,000 customers as VP Business Development, he is now laser-focused on making OneLogin the most widely deployed identity management solution in the cloud.