Advertisement

Single Sign-on Implementation: Leveraging Browser Storage for Handling Tabbed Browsing Sign-outs

  • Lokesh RamamoorthiEmail author
  • Dilip Sarkar
Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 152)

Abstract

Organizations provide multiple web-based services to its users. To manage easy provisioning and deprovisioning of users, they offer single sign-on (SSO) service as an access control mechanism. To access any SSO service, users need to remember only one set of credentials. These credentials are managed by organization’s identity and access management system (IAM). The identity provider (IDP) is the federated identity management platform to authenticate users, for service providers (SPs), to access and use the services. Users may access the services provided by organization via web browsers. Modern web browsers provide a feature called tabbed browsing, where tabs are widgets within the browser window, so that the users can stay organized when browsing multiple Web sites. In this paper, we analyzed how SSO works in a tabbed browsing environment. Our analysis shows that, in some scenarios, a user may not sign out from some services that he or she was using. This situation may lead to information security attacks. Also, we propose a solution that can be implemented on the browser to ensure a safe sign-out process.

Keywords

Information security Access control Federated identity management Authentication Authorization Identity provider Service provider Browser security 

References

  1. 1.
    Hardt, D.: The OAuth 2.0 authorization framework, RFC 6749. Internet Engineering Task Force (2012). https://tools.ietf.org/html/rfc6749
  2. 2.
    Kemp, J., Cantor, S., Mishra, P., Philpott, R., Maler, E.: Assertions and protocols for the OASIS security assertion markup language (SAML) v2.0. OASIS (2015). http://saml.xml.org/saml-specifications
  3. 3.
    Ramamoorthi, L., Sarkar, D.: Single sign-on demystified: security considerations for developers and users. In: Rocha, Á., Adeli, H., Reis, L.P., Costanzo, S. (eds.) Trends and Advances in Information Systems and Technologies, pp. 185–196. Springer International Publishing, Cham (2018)CrossRefGoogle Scholar
  4. 4.
    Dubroy, P., Balakrishnan, R.: A study of tabbed browsing among Mozilla Firefox users. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’10, pp. 673–682. ACM, New York, NY, USA (2010)Google Scholar
  5. 5.
    Mozilla developer network - web storage API. https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
  6. 6.
    W3c docs - web cryptography API (2017). https://www.w3.org/TR/WebCryptoAPI/
  7. 7.
    Sun, S.T., Pospisil, E., Muslukhov, I., Dindar, N., Hawkey, K., Beznosov, K.: What makes users refuse web single sign-on?: An empirical investigation of openid. In: Proceedings of the Seventh Symposium on Usable Privacy and Security, SOUPS ’11, pp. 4:1–4:20. ACM, New York, NY, USA (2011)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  1. 1.University of MiamiCoral GablesUSA

Personalised recommendations