If your website needs SSO login, don't be overwhelmed by all kinds of libraries and protocol documents. Try SVAuth. It may save you tons of time and effort, and save your website from several types of security bugs!
Goal: To support all major web languages to integrate all major SSO services in the world.
Status:
- Supported programming languages include ASP.NET, PHP, and Python.
- Supported SSO solutions include Facebook, Microsoft, Microsoft Azure AD, Google, Yahoo, LinkedIn, Weibo, and CILogon (which supports nearly a thousand InCommon participants). The list will grow.
See the instruction. If you want a little more details, here is a short paper. Also, welcome to email us if you decide to use SVAuth. We can help.
Matt McCutchen, Phuong Cao, and Shuo Chen.
Welcome to join us! Email the contact below .
See [Microsoft Privacy Statement] (https://go.microsoft.com/fwlink/?LinkId=521839)
SVAuth uses a technique called self-verifying execution (SVX) to prove the fundamental security properties of SSO systems: an attacker cannot log in to an innocent user's account, and an innocent user cannot be forced to log in to an attacker's account. This technique would catch bugs in the core SSO logic that have occurred in other implementations, such as forgetting to verify the signature on an identity token or that the token is addressed to the current relying party. However, like other verification technologies, the verification is based on assumptions and has limitations, such as:
- It does not cover certain parts of the system, including message parsing, the implementation of crypto operations, and the website adapters;
- The verified properties do not cover some things that one may consider as "security related", such as privacy and freshness of credentials;
- The soundness of the SVX mechanism itself has not been rigorously proved starting from lower-level assumptions.
Because of these limitations, we do not guarantee the solution to be free of all security bugs.