
Single Sign-On & Secure SAML Integrations

Updated: Jul 5, 2022

Single Sign-On is an authentication process that allows an end user to leverage the identity from one system to authenticate to another. The beauty of this technology is that a user logs in once and that credential is used for several other connected apps, resulting in a seamless and frictionless user experience. Single sign-on is typically the most prevalent and most discussed solution when addressing the modernization of authentication within the domain of Identity and Access Management (IAM).


Though “SSO” is a commonly used term, the anatomy of what enables single sign-on to deliver a transparent authentication flow is a bit more complex. The mechanics of a SAML-based SP-initiated single sign-on flow can be found below:



Security Assertion Markup Language, or SAML, is an XML-based open standard for exchanging authentication and authorization data between two parties. Though SAML is a common way to enable single sign-on, it does come with its own security threats and best practice configurations.


Threats


Threats common to SAML integrations consist of Eavesdropping, Theft of User Authentication Information, Theft of Bearer Token, Message Deletion, Message Modification, and Man-in-the-Middle (MITM) attacks.


Major elements of the SAML Threat Model are listed below and sourced from SAML documentation:

  • Denial-of-Service Attacks

    • The prevention of authorized access to a system resource or the delaying of system operations and functions.

  • Man-in-the-Middle Attacks

    • A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.

  • Replay Attacks

    • An attack in which valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.

  • Session Hijacking

    • A form of active wiretapping in which the attacker seizes control of a previously established communication association.


Best Practices for Hygienic and Secure SAML Integrations


The best practices below are ideal and should be deployed where possible. In some scenarios, such as Service Provider application limitations, there will inevitably be a configuration that isn’t feasible. In such scenarios, the residual risk should be taken into consideration as part of the overall solution.

  • Identity Provider (IdP) Considerations

    • Validate the X.509 certificate for algorithm compatibility, encryption strength, and export restrictions

    • Validate Strong Authentication options for generating the SAML token

    • Use/Trust Root CAs whenever possible

    • Synchronize to a common Internet time source

    • Define levels of assurance for identity verification

    • Prefer asymmetric identifiers for identity assertions over personally identifiable information (e.g., SSNs)

    • Sign each individual Assertion or the entire Response element

  • Service Provider (SP) Considerations

    • Validate session state for the user

    • Decide the level of granularity of the authorization context when consuming the SAML token (groups, roles, or attributes)

    • Ensure each Assertion or the entire Response element is signed

    • Validate if signed by authorized IdP

    • Validate IdP certificates for expiration and revocation against CRL/OCSP

    • Validate NotBefore and NotOnOrAfter

    • Exchange assertions only over secure transports

    • Define criteria for session management

    • Verify user identities obtained from SAML ticket assertions whenever possible

  • Application Authentication and Authorization (if possible)

    • Leverage IP Filtering

    • Leverage UEBA, or risk-based, controls

    • Disable non-SSO login and/or form-based authentication

    • Create a “break glass” account for redundancy against SSO service failure

    • Mandate multifactor authentication (MFA)

    • Disable persistent sessions and limit session length

    • Disable IdP-initiated SSO to prevent replay and open-redirect attacks
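The Service Provider checks listed above (signed assertion, authorized issuer, NotBefore/NotOnOrAfter, audience) plus a one-time-use assertion ID as a replay defence, as an added example that is not part of the original post. It assumes the XML-Signature has already been verified by a proper XML-DSig library (only the element's presence is checked here), and the IdP entityID, ACS URL and sample assertion are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_IDP = "https://idp.example.test/metadata"   # assumed IdP entityID
SP_ACS = "https://sp.example.test/saml/acs"         # assumed SP audience (ACS URL)
# Constructed sample assertion; the signature value is a placeholder and is not verified here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1b2c3" Version="2.0"
  IssueInstant="2022-07-05T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user-7f3a</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2022-07-05T12:00:00Z" NotOnOrAfter="2022-07-05T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2022-07-05T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now_utc, seen_ids, skew=timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means the assertion passed."""
    root, now, failures = ET.fromstring(xml_text), _ts(now_utc), []
    if root.find("ds:Signature", NS) is None:
        failures.append("assertion is not signed")
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != TRUSTED_IDP:
        failures.append("issuer is not the authorized IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        failures.append("validity window not bounded")
    else:
        # Small clock-skew tolerance; IdP and SP must still sync to a common time source.
        if now + skew < _ts(cond.get("NotBefore")):
            failures.append("assertion not yet valid")
        if now - skew >= _ts(cond.get("NotOnOrAfter")):
            failures.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ACS not in audiences:
            failures.append("audience mismatch")
    # Replay defence: an assertion ID may be consumed only once within its validity window.
    if root.get("ID") in seen_ids:
        failures.append("replayed assertion ID")
    elif not failures:
        seen_ids.add(root.get("ID"))
    return failures
```

In production the `seen_ids` store must be shared across SP instances and can be pruned once an ID's NotOnOrAfter has passed.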


How can Rapid Strategy Help?


Rapid Strategy aims to partner with you on your journey to provide fast and effective risk reduction strategies and controls to your environment. Rapid Strategy can quickly assess the state of your IAM architecture and single sign-on strategies to provide you with a strategic and targeted risk-based IAM control advisory. Contact us to accelerate your cybersecurity.

