Mayer, AndreasMladenov, VladislavSchwenk, JörgKatzenbeisser, StefanLotz, VolkmarWeippl, Edgar2019-01-252019-01-252014978-3-88579-622-0https://dl.gi.de/handle/20.500.12116/20069Web Single Sign-On (SSO) is a valuable point of attack because it provides access to multiple resources once a user has initially authenticated. Therefore, the security of Web SSO is crucial. In this context, the SAML-based Holder-of-Key (HoK) SSO Profile is a cryptographically strong authentication protocol that is used in highly critical scenarios. We show that HoK is susceptible to a previously published attack by Armando et al. [ACC+11] that combines logical flaws with cross-site scripting. To fix this vulnerability, we propose to enhance HoK and call our novel approach HoK+. We have implemented HoK+ in the popular open source framework SimpleSAMLphp.enOn the security of Hölder-of-key single sign-onText/Conference Paper1617-5468