We hate asking an organization we're helping to secure to pay the single sign-on (SSO) tax. For those not familiar with the phrase, it refers to the license upgrade fee that many cloud software applications charge for unlocking the functionality needed to integrate with an SSO provider. See: The SSO Wall of Shame for a long but not exhaustive list.
Unfortunately, what happens next is worse. After you pay that tax, you don't always get what you thought you were buying, and attackers have figured that out. Session management beyond your SSO is comparable to the Wild West, and that's not just limited to scenarios such as the Okta HAR files debacle, but also account compromises caused by threat actors leveraging phishing attacks and EvilProxy and other infostealer malware.
It's only when you dig into how authentication tokens function in practice that you discover that cloud software application providers are complicit in these attacks. Some application providers charge you the tax but don't actually invest that fee in implementing the SSO experience that you expect in return. During testing, we found that some application providers that enable SAML integrations with SSO providers don't provide the security controls we believed would be in place. They force us to pay extra to integrate their application with our SSO platform but leave us vulnerable to account theft in ways we didn't anticipate.
What is supposed to happen with single sign-on behind the scenes
Most enterprises have adopted an SSO solution and trained their employees to log into company applications only through that portal. Blue teamers cringe at paying the SSO tax but have ultimately accepted that paying is a necessary cost of improved security. SSO simplifies the end-user experience of logging into a number of different applications directly, reduces the risk of bad password practices, and centralizes the authentication process that represents the door most threat actors enter through.
With SSO in place, we can do things such as insist that authentication be performed through a FIDO2 multifactor authentication (MFA) option, dictate the length of authentication sessions (to force users to reauthenticate after a specific period of time), and force a logout of all sessions (such as when a person is no longer an employee of an organization). These are powerful controls we have been led to believe come out of the box when we deploy an SSO solution.
As an employee logs into an SSO platform, a series of steps take place behind the scenes to authenticate the user and grant access to authorized applications. These steps involve the exchange of authentication tokens between the user's browser, the SSO platform, and the application being accessed.
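To make the token exchange concrete, here is an added example (not code from the original article or from any SSO vendor) of the checks a service provider (SP) should perform on the SAML assertion it receives from the identity provider (IdP), and of the session-length control described above. The assertion XML, the timestamps, the audience URL, and the 30-day application default are all constructed for this example. Signature verification is deliberately left out because it needs an XML-DSig library; the example shows only what happens after a valid signature is confirmed: the validity window and audience checks, and whether the application's own session lifetime is capped by the IdP's SessionNotOnOrAfter (a standard SAML 2.0 AuthnStatement attribute) or silently replaced by a long vendor default.

```python
"""Post-signature SAML 2.0 assertion checks and session-lifetime selection.

Added example; the assertion, clock value and audience are constructed.
Signature verification is assumed to have already succeeded (not shown).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from any real IdP). Its times are
# chosen to be valid at ASSUMED_NOW below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_s1"
      SessionNotOnOrAfter="2024-01-01T20:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

ASSUMED_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)  # constructed clock
OUR_AUDIENCE = "https://app.example.test/saml"                       # this SP's entity ID (constructed)
APP_DEFAULT_SESSION = timedelta(days=30)  # the kind of vendor default the article complains about


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, audience):
    """Check Conditions and audience; return (subject, session_not_on_or_after).

    Raises ValueError on any failed check. Assumes the XML signature was
    already verified against the IdP's known certificate.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions element")
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = root.find("saml:AuthnStatement", NS)
    session_noa = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return subject, (parse_ts(session_noa) if session_noa else None)


def app_session_expiry(session_noa, now, app_default=APP_DEFAULT_SESSION, honor_idp=True):
    """Decide when the application's own session cookie should expire.

    honor_idp=True caps the lifetime at the IdP's SessionNotOnOrAfter, so the
    session length configured in the SSO platform actually takes effect.
    honor_idp=False models an SP that ignores the IdP bound and applies its
    own long default, which is the gap the article describes.
    """
    own_expiry = now + app_default
    if honor_idp and session_noa is not None:
        return min(own_expiry, session_noa)
    return own_expiry


if __name__ == "__main__":
    subject, session_noa = validate_assertion(SAMPLE_ASSERTION, ASSUMED_NOW, OUR_AUDIENCE)
    print("subject:", subject)
    print("session capped by IdP:", app_session_expiry(session_noa, ASSUMED_NOW))
    print("session with vendor default:", app_session_expiry(session_noa, ASSUMED_NOW, honor_idp=False))
```

With the constructed values, an SP that honors the IdP ends the application session at 20:00 the same day, while one that ignores SessionNotOnOrAfter keeps a stolen session cookie usable for 30 days. Checking the audience is what prevents an assertion issued for one application from being replayed to another.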