#sso

For #SSO, consider using OIDC instead. A lot of SSO is now centralized through identity brokers like Okta, Ping, Auth0, Azure, Zitadel, KeyCloak, etc. These tend to have first-class support for OIDC. So there's a good chance that whatever service you are using SAML with also supports OIDC. If they don't, they should! Send them this thread. 🧵

I became a maintainer of a popular #SAML library for Node.js, "node-saml", which in turn uses "xml-crypto", which in turn is based on XML signatures.

If you are still using SAML for #SSO, be aware there has been a string of SAML vulnerabilities related to the fundamentals of how it works and there are likely to be more. You are advised to use OIDC instead.

In this thread, I'll discuss some of the weaknesses in SAML that have come up repeatedly. 🧵

🔐 One login to rule them all.

The more tools a company uses, the more passwords employees juggle. Over 65% reuse passwords, creating serious security risks.

That’s why Single Sign-On is essential for modern teams. And with the latest Zammad 6.5 release, it’s now even more powerful: 🎉 OpenID Connect is officially supported!

We’ve created a practical blog post on what #SSO is, how it works in Zammad, and how to set it up:
👉 zammad.com/en/blog/secure-yor-

I'm sure there is a simple, totally obvious reason (no trusted central authority problem?) but it seems kind of strange to me that the #Fediverse doesn't allow me to truly use a single login across services via some kind of #FIDO compliant magic, considering that almost everyone is an #infosec person and/or developer. Admittedly, I haven't thought about this too deeply. Also, where's passkey support? #saml #sso

So if I want to host a number of different services (Tandoor, Discourse, Lemmy, GtS) and offer #SelfHosted #SSO, so that I can create a single account for each user and enable or disable specific sites/apps for them, what are my options for that?

No information that could screw with anyone's life will ever be on these sites so I'm not looking for, you know, NSA-busting cryptography or anything. Just a single go-to spot for user management.

It is my considered opinion that all software meant for self-hosting should offer built-in authentication.

I wanted to self host a spreadsheet software and, three days later, find myself configuring an OIDC IdP. This is not something I want to be doing.

Okay, authentik is up! Took a while, I was fighting against flux and the helm release because it deployed with the wrong StorageClass (I forgot to have that configuration ready before release.) Helm wasn't able to modify the PVC because they're immutable, updating the release has to wait for the initial release to succeed (which it won't) or timeout and flux is quiet on the reasons for all of this unless you know where to look 😔 lots of learning was had though!

Anyway, admin and personal user accounts created, MFA enabled. Got my first application integrated too! (actual budget)

What next? The world is my oyster... Probably gitea or semaphore. I'm hesitant to integrate services like jellyfin before I have more users onboarded and this gives me an opportunity to experiment with other edge cases like other providers and service accounts and such

Companies very much like to do this with their employees, since they can deactivate all access centrally in one place ( #SSO ).

Do we also want someone to be able to pull the plug on us at one central point in our private lives?

Lessons learned along the way: for signing and encrypting #SAML metadata, people usually don't use Letsencrypt certificates, because of the frequent rotations and the lack of automation options on the side of communication partners. Yesterday I thought, oh well, for this short test it'll do. And then I spent a long time hunting for the error and realized that Letsencrypt now generates EC keys instead of RSA, which the #Shibboleth SP can't sign with. #til #sso #singlesignon

sso.tax/

Was shown this website by our IT manager today during an #InfoSec chat. I always thought single-sign on was a bullshit gated additional cost but seeing the price hike for some of these services is absolutely disgraceful.

Would like to see a list of services that offer SSO for free or on their basic service, too.

The SSO Wall of Shame: A list of vendors that treat single sign-on as a luxury feature, not a core security requirement.

Tomorrow at the Chemnitzer Linux-Tage: answers to the most important questions about Keycloak, MFA and high availability

Single sign-on (#SSO) with Keycloak makes access to web applications easier, but how does it stay highly available?

Tomorrow at 14:00 our colleague @smeyer will answer the most frequently asked questions about #Keycloak, #MFA, high availability and connecting multiple identity providers.

Don't miss it, we look forward to the exchange!

I'm really excited about the next release of #Ory #Hydra

github.com/ory/hydra/pull/3912

it has received device code #oauth2 flow recently (3 weeks to be specific)

the PR came from guys at Canonical
in a nutshell, it is #SSO for clients that do not have possibility for redirects and user input very much, e.g. smart TV, terminal, etc.

it's really powerful

#sre
#openidconnect

This patch introduces the OAuth 2.0 Device Authorization Grant to Ory Hydra. The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perfor...
GitHub: feat: implement RFC 8628 by nsklikas · Pull Request #3912 · ory/hydra
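The device authorization grant described in the post above, as an added example that is not Ory Hydra's code nor part of the post: an in-memory model of the RFC 8628 exchange between a browserless device and the authorization server, including the error codes (authorization_pending, slow_down, expired_token, access_denied) a device client has to handle while polling. The verification_uri and client ids are constructed placeholders.

```python
import secrets
import time

# RFC 8628 sec 6.1 recommends a user-code alphabet without vowels so that
# random codes cannot spell words; the user types this code on a second device.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class DeviceAuthServer:
    """Constructed, in-memory authorization server for the device grant."""

    def __init__(self, lifetime=600, interval=5, clock=time.time):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.pending = {}       # device_code -> authorization record
        self.by_user_code = {}  # user_code -> device_code

    def authorize(self, client_id, scope):
        """Device Authorization Response (sec 3.2): device gets both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET)
                                     for _ in range(4)) for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + self.lifetime, "approved": None,
            "last_poll": 0.0, "interval": self.interval}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example.invalid/device",  # placeholder
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code, approved):
        """User, on a browser-capable device, enters the user_code and decides."""
        device_code = self.by_user_code.get(user_code.upper().replace(" ", ""))
        if device_code is None:
            return False
        self.pending[device_code]["approved"] = approved
        return True

    def token(self, device_code, client_id):
        """Device Access Token Response (sec 3.4, 3.5): what the polling device sees."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - rec["last_poll"] < rec["interval"]:
            rec["interval"] += 5  # sec 3.5: polled too fast, client must back off
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use, whether approved or denied
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": rec["scope"]}
```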