IMPLEMENTATION OF SINGLE SIGN-ON (SSO) SYSTEMS TO IMPROVE CYBERSECURITY
DOI: https://doi.org/10.31673/2409-7292.2025.014631
Abstract
In today's digital environment, where the security of users and their data is a priority, Single Sign-On (SSO) systems play a key role in simplifying authentication and raising the level of cybersecurity. This article is devoted to the research, design and implementation of a centralized authorization system based on the OAuth 2.0 (Open Authorization) and OpenID Connect (OIDC) standards. The authors analyze modern approaches to user identity management and consider the advantages of an authorization server that issues JSON Web Tokens (JWT) and supports the PKCE (Proof Key for Code Exchange) mechanism to harden client applications. The main attention is paid to the implementation of an authentication server that provides centralized user verification and the issuance and transfer of access tokens to the services that rely on them. Security Assertion Markup Language (SAML), OAuth 2.0 and OIDC are examined as the main standards for identity and access management; the authors weigh the advantages and disadvantages of each approach and emphasize the Authorization Code Flow with PKCE, which binds the authorization code to the client instance that requested it and so resists the "client spoofing" and "token theft" scenarios in which an intercepted code is redeemed by another party. The paper also examines in detail protection against cross-site scripting (XSS) and other attacks on browser applications, and the secure storage of access tokens. Particular attention is paid to local token validation, in which a service checks the JWT's signature, issuer, audience and expiry itself rather than calling the authorization server on every request, which reduces the load on that server and improves performance; the trade-off is that a revoked token remains valid until it expires, so token lifetimes must be kept short. The result of the research is a functional SSO model that supports OAuth 2.0, OIDC and JWT and authenticates both public and confidential clients. The proposed solution can be used in corporate and commercial environments to protect resources and simplify access management. The results obtained have both theoretical and practical significance, as they contribute to the development of secure digital identification systems and improve user protection on the Internet.
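The following example is added here by the editor and is not code from the paper or its authors. It shows, end to end, the two mechanisms the abstract leans on: the Authorization Code Flow with PKCE (the client derives an S256 code_challenge from a random code_verifier, the server stores the challenge with the single-use authorization code and refuses to redeem the code unless the matching verifier is presented) and local validation of the issued JWT by a resource server (pinned algorithm, signature, iss, aud, exp, with no call back to the authorization server). The issuer URL, the client and audience names, the five-minute token lifetime and the in-memory code store are assumptions for the demonstration. HS256 is used only so the example runs on the Python standard library; in a real multi-service SSO deployment the authorization server signs with an asymmetric key (RS256 or ES256) published via JWKS, so that services validate locally without ever holding a signing secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# ---- PKCE (RFC 7636), S256 method ----
def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used by both PKCE and JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_pkce_pair() -> Tuple[str, str]:
    """Client side: random code_verifier (43 chars) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(verifier: str, challenge: str) -> bool:
    """Server side: recompute S256(code_verifier) and compare in constant time."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)

# ---- Minimal JWT (HS256): issued by the server, validated locally by the service ----
def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def jwt_validate_hs256(token: str, key: bytes, issuer: str, audience: str, now: Optional[float] = None) -> dict:
    """Local validation: pinned alg, signature, iss, aud, exp; no call to the authorization server."""
    h, p, s = token.split(".")  # ValueError if the token is not three segments
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("bad audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

# ---- Authorization server side of the Authorization Code Flow with PKCE ----
class AuthorizationServer:
    ISSUER = "https://sso.example.test"  # assumed issuer URL, not taken from the paper

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.codes = {}  # code -> (client_id, code_challenge, sub); single-use entries

    def authorize(self, client_id: str, code_challenge: str, method: str, sub: str) -> str:
        """Called once the user has authenticated; the challenge is stored with the code."""
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (client_id, code_challenge, sub)
        return code

    def token(self, client_id: str, code: str, code_verifier: str, audience: str, now: Optional[float] = None) -> str:
        client, challenge, sub = self.codes.pop(code, (None, None, None))  # pop: a replayed code fails
        if client is None or client != client_id or not verify_pkce(code_verifier, challenge):
            raise ValueError("invalid or reused code, or PKCE verification failed")
        now = time.time() if now is None else now
        claims = {"iss": self.ISSUER, "sub": sub, "aud": audience, "iat": int(now), "exp": int(now) + 300}
        return jwt_sign_hs256(claims, self.key)

def _rejected(action) -> bool:
    try:
        action()
    except ValueError:
        return True
    return False

def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Happy path, then an intercepted code redeemed without the verifier, a replayed code, a stale token."""
    key = secrets.token_bytes(32)
    srv = AuthorizationServer(key)
    verifier, challenge = make_pkce_pair()                          # client, step 1
    code = srv.authorize("spa-client", challenge, "S256", "alice")  # user authenticates
    token = srv.token("spa-client", code, verifier, "orders-api", now=now)  # client, step 2
    claims = jwt_validate_hs256(token, key, srv.ISSUER, "orders-api", now=now)  # resource server
    stolen = srv.authorize("spa-client", challenge, "S256", "alice")  # a code seen by an attacker
    return {
        "sub": claims["sub"],
        "interceptor_rejected": _rejected(lambda: srv.token("spa-client", stolen, "not-the-verifier", "orders-api", now=now)),
        "replay_rejected": _rejected(lambda: srv.token("spa-client", code, verifier, "orders-api", now=now)),
        "stale_rejected": _rejected(lambda: jwt_validate_hs256(token, key, srv.ISSUER, "orders-api", now=now + 600)),
    }
```

Calling `run_flow()` returns the authenticated subject together with three refusals: the attacker who captured an authorization code but not the verifier, the client that tries to redeem the same code twice, and the service that sees the token after its expiry. The last case is exactly the limit of local validation noted above: nothing in the validator consults the authorization server, so a token revoked before `exp` would still pass, which is why the lifetime is kept short.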
Keywords: Single Sign-On (SSO), authentication, authorization, cybersecurity, OAuth 2.0, OpenID Connect (OIDC), JSON Web Token (JWT), Security Assertion Markup Language (SAML), PKCE (Proof Key for Code Exchange), local token validation, cross-site scripting (XSS), secure token storage, access control, authentication server, digital identity.