KSDAuth: A Private-Key-Sharding-Based Distributed Authorization Mechanism for Credential Forgery Mitigation
Article
2026 / Volume 9 / Pages 6000-6024
Published 5 June 2026
Abstract
Modern cross-domain access and single sign-on (SSO) mechanisms commonly rely on the signing private key held by an Identity Provider (IdP) to guarantee the authenticity and integrity of issued credentials. Once this signing key is leaked, attackers may forge SAML assertions or JSON Web Tokens (JWTs) that can still pass conventional verification at the Service Provider (SP). To mitigate this single-point key-leakage risk, this paper proposes KSDAuth, a distributed authorization mechanism based on private-key sharding. KSDAuth replaces the conventional single-key signing process with a 3-of-3 collaborative signing process involving the SP, the Authenticator (Auth), and the Token Issuer (Issuer). Each participant holds a distinct private-key share and signs the same canonicalized identity context, which includes user identity, privilege set, issuer, audience, session identifier, request identifier, nonce, and validity period. The SP then reconstructs and verifies the aggregated signature using the original public key. Rather than being a drop-in replacement for existing SSO systems, KSDAuth preserves the semantic structure of JWT/SAML identity claims while requiring additional protocol extensions for partial signing, identity-context binding, secure share transmission, and aggregate verification. Under the defined threat model, the security analysis shows that a single compromised key share is insufficient to generate a valid credential, and that inconsistent identity contexts can be detected during aggregate verification. The paper further discusses two-share compromise, replay attempts, original-key leakage, and deployment limitations. The analysis suggests that KSDAuth can reduce credential-forgery risks under clearly stated assumptions, but its practical deployment still depends on secure initialization, authenticated communication channels, SP-side state validation, and further performance and interoperability evaluation.
Keywords
distributed authorization, private key sharding, credential forgery, cross-domain access, single sign-on
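As an added illustration that is not code from the paper, the following Python sketch models the 3-of-3 flow described in the abstract using additive sharding of an RSA private exponent, so that the product of the three partial signatures verifies under the unsharded public key; the choice of RSA, the toy Mersenne-prime modulus, and all identity-context values are assumptions made here, not the paper's concrete primitive.

```python
import hashlib, json, random

# Demo-only RSA parameters built from two Mersenne primes (2^127-1 and 2^521-1).
# This modulus is trivially factorable by construction and the hash-and-sign step
# uses no padding; the point is the share arithmetic, not production-grade RSA.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)  # the IdP's original private exponent, never used directly below
rng = random.SystemRandom()

def split_key(d=D, phi=PHI, parties=3):
    """Additive 3-of-3 sharding: shares sum to d mod phi(n); no single share reveals d."""
    shares = [rng.randrange(phi) for _ in range(parties - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

def context_digest(ctx, n=N):
    """Canonicalize the identity context (sorted keys, no whitespace) and hash it."""
    canon = json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n

def partial_sign(ctx, share, n=N):
    """One participant's partial signature over the shared context: H(ctx)^d_i mod n."""
    return pow(context_digest(ctx, n), share, n)

def aggregate(partials, n=N):
    """SP multiplies the partials: prod(H^d_i) = H^(sum d_i) = H^d mod n."""
    sig = 1
    for part in partials:
        sig = sig * part % n
    return sig

def verify(ctx, sig, e=E, n=N):
    """Verification needs only the original public key (e, n)."""
    return pow(sig, e, n) == context_digest(ctx, n)

def run_demo():
    sp_share, auth_share, issuer_share = split_key()
    ctx = {"sub": "alice", "priv": ["read"], "iss": "issuer.example", "aud": "sp.example",
           "sid": "s-1", "rid": "r-1", "nonce": "n-1", "exp": 1780000000}  # constructed values
    parts = [partial_sign(ctx, s) for s in (sp_share, auth_share, issuer_share)]
    complete = verify(ctx, aggregate(parts))        # all three shares: valid credential
    two_shares = verify(ctx, aggregate(parts[:2]))  # one share missing: rejected
    parts[1] = partial_sign(dict(ctx, priv=["read", "admin"]), auth_share)
    inconsistent = verify(ctx, aggregate(parts))    # Auth signed a different context: rejected
    return complete, two_shares, inconsistent

if __name__ == "__main__":
    print(run_demo())
```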