If your website needs SSO login, don't be overwhelmed by all kinds of libraries and protocol documents. Try SVAuth. It may save you tons of time and effort, and save your website from several types of security bugs!
Goal: To support all major web languages to integrate all major SSO services in the world.
Status: Currently support ASP.NET and PHP. Current SSO solutions include Facebook, Microsoft, Microsoft Azure AD, Google, Yahoo, LinkedIn and Weibo. The list will grow.
The easiest way to use SVAuth is through the "website adapter". See the instruction. REDACTED
REDACTED
REDACTED
SVAuth uses a technique called self-verifying execution (SVX) to prove the fundamental security properties of SSO systems: an attacker cannot log in to an innocent user's account, and an innocent user cannot be forced to log in to an attacker's account. This technique would catch bugs in the core SSO logic that have occurred in other implementations, such as forgetting to verify the signature on an identity token or that the token is addressed to the current relying party. However, like other verification technologies, the verification is based on assumptions and has limitations, such as:
- It does not cover certain parts of the system, including message parsing, the implementation of crypto operations, and the website adapters;
- The verified properties do not cover some things that one may consider as "security related", such as privacy and freshness of credentials;
- The soundness of the SVX mechanism itself has not been rigorously proved starting from lower-level assumptions.
Because of these limitations, we do not guarantee the solution to be free of all security bugs.
REDACTED