Single Sign-On is an authentication process that allows an end user to leverage the identity from one system to authenticate to another. The beauty of this technology is that a user logs in once and that credential is used for several other connected apps, resulting in a seamless and frictionless user experience. Single sign-on is typically the most prevalent and most discussed solution when modernizing authentication within the domain of Identity and Access Management (IAM).
Though “SSO” is a commonly used term, the anatomy of what enables single sign-on to deliver a transparent authentication flow is a bit more complex. The mechanics of a SAML-based, SP-initiated single sign-on flow can be found below:
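In an SP-initiated flow the Service Provider builds a samlp:AuthnRequest and sends the browser to the IdP's single sign-on endpoint; the IdP authenticates the user and posts a Response back to the SP's assertion consumer service. The Python below is an added example, not code from the original post, that builds that request, applies the HTTP-Redirect binding SAML 2.0 specifies for it (raw DEFLATE, base64, URL-encoding), and then reverses the binding as the IdP would on receipt. The entity IDs and URLs are placeholders. Note that the SP keeps the request ID it generated: the later Response must name it in InResponseTo, which is what lets the SP reject unsolicited or replayed responses.

```python
"""SP-initiated SAML 2.0 flow, step 1: build an AuthnRequest and apply the HTTP-Redirect binding.
Added example with placeholder endpoints; not from the original post."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder SP and IdP endpoints (assumptions for this example, not real deployments).
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso/redirect"


def new_request_id():
    # SAML IDs are XML NCNames and must not start with a digit, hence the "_" prefix.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Build a minimal samlp:AuthnRequest asking the IdP to post the Response to our ACS."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = SP_ENTITY_ID
    return ET.tostring(req, encoding="utf-8")


def encode_redirect(xml_bytes, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})


def decode_redirect(url):
    """What the IdP does on receipt: undo the binding and parse the AuthnRequest."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml_bytes = zlib.decompress(deflated, -15)
    return ET.fromstring(xml_bytes), query.get("RelayState", [""])[0]


def sp_initiate(relay_state="/dashboard"):
    """Return (request_id, redirect_url). The SP must store request_id until the Response arrives."""
    request_id = new_request_id()
    xml_bytes = build_authn_request(request_id, datetime.now(timezone.utc))
    return request_id, encode_redirect(xml_bytes, relay_state)


if __name__ == "__main__":
    rid, url = sp_initiate()
    print(url)
    req, relay = decode_redirect(url)
    print("round trip ok:", req.get("ID") == rid, "RelayState:", relay)
```

RelayState travels unsigned alongside the request, so the SP should treat the value that comes back only as an opaque key into its own session state, never as a redirect target taken at face value.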
Security Assertion Markup Language, or SAML, is an XML-based open standard for exchanging authentication and authorization data between two parties. Though SAML is a common way to enable single sign-on, it does come with its own security threats and best practice configurations.
Threats
Threats common to SAML integrations consist of Eavesdropping, Theft of User Authentication Information, Theft of Bearer Token, Message Deletion, Message Modification, and Man-in-the-Middle (MITM) attacks.
Major elements of the SAML Threat Model are listed below and sourced from SAML documentation:
Denial-of-Service Attacks
The prevention of authorized access to a system resource or the delaying of system operations and functions.
Man-in-the-Middle Attacks
A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.
Replay Attacks
An attack in which valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.
Session Hijacking
A form of active wiretapping in which the attacker seizes control of a previously established communication association.
Best Practices for Hygienic and Secure SAML Integrations
The best practices below are ideal and should be deployed if possible. In some scenarios, such as Service Provider application limitations, there will inevitably be a configuration that isn’t feasible. In such scenarios, the residual risk should be factored into the assessment of the overall solution.
Identity Provider (IdP) Considerations
Validate the X.509 certificate for algorithm compatibility, strength of encryption, and export restrictions
Validate Strong Authentication options for generating the SAML token
Use/Trust Root CAs whenever possible
Synchronize to a common Internet time source
Define levels of assurance for identity verification
Prefer asymmetric identifiers for identity assertions over personally identifiable information (e.g. SSNs)
Sign each individual Assertion or the entire Response element
Service Provider (SP) Considerations
Validate session state for the user
Define the level of granularity for authorization context when consuming the SAML token (groups, roles, or attributes)
Ensure each Assertion or the entire Response element is signed
Validate if signed by authorized IdP
Validate IdP certificates for expiration and revocation against CRL/OCSP
Validate NotBefore and NotOnOrAfter
Exchange assertions only over secure transports
Define criteria for session management
Verify user identities obtained from SAML ticket assertions whenever possible
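The Service Provider checks above (signed Assertion or Response, authorized IdP, NotBefore/NotOnOrAfter, session and replay control) are where most SAML consumer bugs live, so the Python below is an added example, not code from the original post, of an SP-side acceptance routine run over a constructed sample Response. It also rejects responses whose InResponseTo does not match a request this SP issued, which is the unsolicited-response concern behind disabling IdP-initiated SSO. Entity IDs, URLs, the subject and the signature value are placeholders. Cryptographic verification of the XML signature is assumed to be delegated to an XML-DSig library (python-xmlsec or signxml, for instance); what this code checks itself is that the signature is present as a direct child of the element it claims to cover and that its Reference URI points at that element's own ID, so a signature hanging off some other node is not accepted as "the assertion is signed".

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder SP configuration (assumptions for this example, not a real deployment).
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
TRUSTED_IDPS = {"https://idp.example.test/metadata"}
CLOCK_SKEW = timedelta(minutes=2)  # small tolerance; both parties should still sync to NTP


class SamlValidationError(Exception):
    pass


def _parse_instant(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    if value is None:
        raise SamlValidationError("missing timestamp")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _has_enveloped_signature(element):
    # ds:Signature must be a direct child whose Reference URI is "#<this element's ID>".
    # Cryptographic verification is delegated to an XML-DSig library (not shown here).
    sig = element.find(f"{{{DS}}}Signature")
    ref = None if sig is None else sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return ref is not None and ref.get("URI") == "#" + element.get("ID", "")


def validate_response(xml_bytes, pending_request_ids, seen_assertion_ids, now):
    """Raise SamlValidationError on the first failed check; otherwise consume the request ID,
    record the assertion ID (replay defence) and return the subject and attributes."""
    resp = ET.fromstring(xml_bytes)
    if resp.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if resp.get("Destination") != SP_ACS_URL:  # response addressed to a different SP
        raise SamlValidationError("Destination mismatch")
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in pending_request_ids:  # unsolicited (IdP-initiated) or unknown
        raise SamlValidationError("unsolicited or unknown InResponseTo")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")
    assertions = resp.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    if not (_has_enveloped_signature(assertion) or _has_enveloped_signature(resp)):
        raise SamlValidationError("neither Assertion nor Response is properly signed")
    issuer = assertion.findtext(f"{{{SAML}}}Issuer")
    if issuer not in TRUSTED_IDPS:
        raise SamlValidationError(f"untrusted issuer {issuer!r}")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if now + CLOCK_SKEW < _parse_instant(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - CLOCK_SKEW >= _parse_instant(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = {a.text for a in cond.iterfind(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")}
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("AudienceRestriction does not name this SP")
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    seen_assertion_ids.add(assertion_id)
    pending_request_ids.discard(in_response_to)
    attrs = {a.get("Name"): [v.text for v in a.iterfind(f"{{{SAML}}}AttributeValue")]
             for a in assertion.iterfind(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute")}
    return {"subject": assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"), "attributes": attrs}


# Constructed sample Response (placeholder IDs, subject and signature value).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def run_sample(now_iso, pending_request_ids, seen_assertion_ids):
    """Validate the constructed sample as of now_iso; returns 'accepted:<subject>' or 'rejected:<reason>'."""
    try:
        result = validate_response(SAMPLE_RESPONSE.encode(), pending_request_ids,
                                   seen_assertion_ids, _parse_instant(now_iso))
        return "accepted:" + result["subject"]
    except SamlValidationError as exc:
        return "rejected:" + str(exc)
```

Calling run_sample("2024-01-01T12:01:00Z", {"_req1"}, set()) accepts the sample; calling it again with the same seen_assertion_ids set rejects it as a replay, and moving the clock past NotOnOrAfter plus the skew window rejects it as expired. The pending-request and seen-assertion sets stand in for whatever session store the SP uses; they need to be shared across application instances, or the replay check only holds per node.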
Application Authentication and Authorization (if possible)
Leverage IP Filtering
Leverage UEBA, or risk-based, controls
Disable non-SSO login and/or form-based authentication
Create a “break glass” account for redundancy against SSO service failure
Mandate multifactor authentication (MFA)
Disable persistent sessions and limit session length
Disable IdP-initiated SSO to prevent replay and open-redirect attacks
How can Rapid Strategy Help?
Rapid Strategy aims to partner with you on your journey to provide fast and effective risk reduction strategies and controls to your environment. Rapid Strategy can quickly assess the state of your IAM architecture and single sign-on strategies to provide you with a strategic and targeted risk-based IAM control advisory. Contact us to accelerate your cybersecurity.