SVAuth


Commits

List of commits on branch master.
Unverified
c46e6b4f5591e872d07ce313c6ab0047e9bd0b14

UseCachedTheoremsOnly

ppmcao committed 7 years ago
Unverified
ed20bad77f6ed29b724e3110568312722edc0732

use verifyIfNotInCache setting to return immediately on Linux if SVAuth cannot verify a symbolic transaction

ppmcao committed 7 years ago
Unverified
159d08155f3ec2560446697e69d13fa7700846b8

do not use cache on linux; adjust cache setting on agent_config

ppmcao committed 7 years ago
Unverified
9e703211981cc785d27d42bce93b809b7450428d

added a user content step for the public agent scenario

committed 7 years ago
Unverified
b9214c800ee71cebc5c3f436e20320911f722064

setting the LandingUrl cookie properly for the public agent

committed 7 years ago
Unverified
14ef84f1f4d62c0683600aad9f82ff773ad2941d

2-9-2018

committed 7 years ago

README

The README file for this repository.

SVAuth: Self-verifying single-sign-on solutions

SVAuth aims to be the simplest and most secure way for a website to integrate single-sign-on (SSO) services. It is so simple that a website programmer doesn't need to know anything about SSO protocols or implementations. It is secure because the core logic of every user login is formally proved correct by a state-of-the-art program verifier.

If your website needs SSO login, don't be overwhelmed by all kinds of libraries and protocol documents. Try SVAuth. It may save you tons of time and effort, and save your website from several types of security bugs!

Goal and status

Goal: To support all major web languages to integrate all major SSO services in the world.

Status:

  • Supported programming languages include ASP.NET, PHP, and Python.
  • Supported SSO solutions include Facebook, Microsoft, Microsoft Azure AD, Google, Yahoo, LinkedIn, Weibo, and CILogon (which supports nearly a thousand InCommon participants). The list will grow.

Demos

MediaWiki with Facebook login

HotCRP with Facebook login

How to use

See the instructions. If you want a little more detail, here is a short paper. You are also welcome to email us if you decide to use SVAuth; we can help.

Developers

Matt McCutchen, Phuong Cao, and Shuo Chen.

You are welcome to join us! Email the contact below.

Primary contact

Shuo Chen

Privacy & Cookies

See the Microsoft Privacy Statement (https://go.microsoft.com/fwlink/?LinkId=521839).

Disclaimer

SVAuth uses a technique called self-verifying execution (SVX) to prove the fundamental security properties of SSO systems: an attacker cannot log in to an innocent user's account, and an innocent user cannot be forced to log in to an attacker's account. This technique would catch bugs in the core SSO logic that have occurred in other implementations, such as forgetting to verify the signature on an identity token or that the token is addressed to the current relying party. However, like other verification technologies, the verification is based on assumptions and has limitations, such as:

  1. It does not cover certain parts of the system, including message parsing, the implementation of crypto operations, and the website adapters;
  2. The verified properties do not cover some things that one may consider as "security related", such as privacy and freshness of credentials;
  3. The soundness of the SVX mechanism itself has not been rigorously proved starting from lower-level assumptions.

Because of these limitations, we do not guarantee the solution to be free of all security bugs.
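
The two bug classes named above (skipping the signature check on an identity token, and skipping the check that the token is addressed to the current relying party), shown as an added example that is not SVAuth's code. It assumes a simplified token format (`payload.signature`, HMAC-SHA256 with a shared key); the key, the relying-party URL and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration only (not from SVAuth or any real IdP).
IDP_KEY = b"constructed-demo-key"
THIS_RP = "https://rp.example"


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """IdP side: sign the claims. Assumed simplified format: payload.sig"""
    payload = b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64e(sig)


def login_unchecked(token: str) -> str:
    """Buggy RP: trusts the payload without checking signature or audience."""
    payload, _sig = token.split(".")
    return json.loads(b64d(payload))["sub"]


def login_checked(token: str, key: bytes = IDP_KEY, rp: str = THIS_RP) -> str:
    """RP that performs both checks before accepting the identity."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Check 1: the token was signed by the IdP (constant-time compare).
        if not hmac.compare_digest(expected, b64d(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64d(payload))
    except (ValueError, TypeError) as exc:  # malformed or forged token
        raise PermissionError(f"token rejected: {exc}") from exc
    # Check 2: the token is addressed to this relying party.
    if claims.get("aud") != rp:
        raise PermissionError("token rejected: issued for another relying party")
    return claims["sub"]
```

A validly signed token issued for a different relying party passes `login_unchecked` and fails `login_checked` at check 2; a token whose payload was altered after signing fails at check 1.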

Earlier repositories (discontinued)