SSO: It’s the SAML SAML Situation (With Apologies to Mötley Crüe)

Presented at BruCON 0x07 (2015), Oct. 8, 2015, 4:30 p.m. (60 minutes).

It's 2015 and single sign-on systems have been around for over 15 years now. Despite the years of opportunity, SSO is still really hard to do with any level of effectiveness. The advent of federation systems has, if anything, made things even harder. Sure, there are standards like SAML which are supposed to help, but SAML options are like Tanenbaum's line about standards: there are so many to choose from. Basically no two SAML implementations ever work out of the box, and they often require significant engineering efforts to address. On the other hand, OAuth does better on that front, but it's not actually an SSO system, and versions 2.0 and 3.0 are actually less secure than the first version. I'll talk about the assorted ways that SSO works and doesn't work, and how fundamental features like Single Log Out are generally not available. I'll close out with some thoughts on future directions and how we might be able to make things better.


Presenters:

  • David Mortman
    David Mortman has been doing Information Security for over 20 years. He is currently Chief Security Architect and Distinguished Engineer at Dell Software, as well as a Contributing Analyst at Securosis. Most recently, he was the Director of Security and Operations at C3. Previously, Mortman was the CISO at Siebel Systems and the Manager of Global Security at Network Associates. He speaks regularly at BruCON, DEF CON, RSA and other conferences. Additionally, he blogs at [emergentchaos.com](http://emergentchaos.com), [newschoolsecurity.com](http://newschoolsecurity.com) and [securosis.com](http://securosis.com). He sits on a variety of advisory boards, including Qualys, Lookout and Kenna Security. He holds a B.S. in Chemistry from the University of Chicago.
