SVAuth: Self-verifying single-sign-on solutions
If your website needs SSO login, don't be overwhelmed by all kinds of libraries and protocol documents. Try SVAuth. It may save you tons of time and effort, and save your website from several types of security bugs!
Goal and status
Goal: To support all major web languages to integrate all major SSO services in the world.
- Supported programming languages include ASP.NET, PHP, and Python.
- Supported SSO solutions include Facebook, Microsoft, Microsoft Azure AD, Google, Yahoo, LinkedIn, Weibo, and CILogon (which supports nearly a thousand InCommon participants). The list will grow.
How to use
Welcome to join us! Email the contact below .
Privacy & Cookies
See [Microsoft Privacy Statement] (https://go.microsoft.com/fwlink/?LinkId=521839)
SVAuth uses a technique called self-verifying execution (SVX) to prove the fundamental security properties of SSO systems: an attacker cannot log in to an innocent user's account, and an innocent user cannot be forced to log in to an attacker's account. This technique would catch bugs in the core SSO logic that have occurred in other implementations, such as forgetting to verify the signature on an identity token or that the token is addressed to the current relying party. However, like other verification technologies, the verification is based on assumptions and has limitations, such as:
- It does not cover certain parts of the system, including message parsing, the implementation of crypto operations, and the website adapters;
- The verified properties do not cover some things that one may consider as "security related", such as privacy and freshness of credentials;
- The soundness of the SVX mechanism itself has not been rigorously proved starting from lower-level assumptions.
Because of these limitations, we do not guarantee the solution to be free of all security bugs.