Beginner's guide to SSO (mis)configuration | Omnipresent Biometric Surveillance

Hosted By
Dirk W.
Details

Dear folks,

A belated happy new year!

We'll present another event, taking place @ New Work (formerly known as XING).

We present two talks: Adina will talk about the intricacies of SSO and IdPs. Matthias will present useful insights from his research on several aspects of facial recognition and their privacy implications. Both talks will be held in English.

Doors open at 18:00 CEST and we will begin with the presentations at 18:30 CEST!

In a nutshell
Location: Strandkai 1, 20457 Hamburg
Start: Doors open @ 6:00 pm CEST on February 7th; the talks start at 6:30 pm sharp
Title: A beginner's guide to SSO (mis)configuration by Adina Bogert-O'Brien
Title: Omnipresent Biometric Surveillance by Matthias Marx
Networking: Stay there or depending on our mood we'll have an after-talk beer somewhere in the vicinity of the venue

Abstract: A beginner's guide to SSO (mis)configuration
SSO is sold as a way to

  • centralize managing your organization’s users,
  • make life easier for your colleagues, and
  • enforce consistent security standards.

But SSO protocols are just ways for an identity provider to share information about an authenticated identity with another service. Me having a way to tell my vendor “yeah, that’s Bob” doesn’t tell me what the vendor does with this information, or if the vendor always asks me who’s coming in the door.
A bad SSO implementation can make you think you’re safer, while hiding all the new and fun things that have gone wrong.
To get the most out of implementing SSO, I need to know what I’m trying to accomplish and what steps I need to follow to get there. To illustrate why SSO needs to be set up carefully, for each of the things you need to do right, I’ll give you some fun examples of creative ways you and your vendor can do this wrong. We all learn from failure, right???
I’m sharing this info because this year I got deeply involved in the SSO setup for several vendors at work. It turns out that I’m good at asking weird questions, and it’s an extremely valuable thing to do. If you know how things should be, then you know where they could be broken, and you can ask your vendors (and your colleagues!) “weird questions” before an adversary does.
I'm especially interested in what the OWASP Hamburg group has to say about these misconfigurations: how does OWASP documentation cover things like this?

Abstract: Omnipresent Biometric Surveillance
Biometric surveillance is ever-present in Germany and many of us have not realized this. Facial recognition search engines like Clearview AI and Pimeyes feed our faces to their gigantic search indexes without our explicit consent. Matthias shares his experiences attempting to uphold privacy through GDPR, shedding light on the associated challenges.

Our OWASP "Stammtisch"
Our meeting is about web applications and their (in)security and/or about IT security in general. People come together who care about information security, as a hobby or in their job: developers, managers, pen testers and everybody else who's interested. The atmosphere is open and relaxed. If you're coming to sell products or services: move on, this is not the right place. OWASP is about education and sharing (mostly) technical information. Feel free to forward our meetup URL to your colleagues or friends. They are welcome, too. Participation is free and open -- as the O in OWASP.

Cheers, Dirk & Björn

COVID-19 safety measures

Event will be indoors
OWASP Hamburg Meeting
New Work SE
Am Strandkai 1 · Hamburg, HH