The Pitfalls and Best Practices of Single Sign-On (SSO) Implementation

Quick overview of how SSO works, potential risks, and how organizations can mitigate risks.

Single Sign-On (SSO) is an invaluable tool for simplifying user access to multiple platforms in today's fast-paced business environment. From an IT perspective, SSO streamlines user account management while enhancing user experience.

How SSO Works in Practice

The core concept of SSO is to centralise authentication through a trusted Identity Provider (IdP). When a user logs into the IdP, it verifies their identity and issues a token or session recognised by other connected services. This allows seamless access to multiple applications without requiring additional logins, meaning users do not need to memorise or store numerous passwords.

SSO involves three main entities:

Identity Provider (IdP): A system that authenticates users and manages their identity, e.g., Google, Microsoft Azure AD, OneLogin, Okta, etc.
Service Providers (SPs): are the applications or services users want to access, such as Slack, Salesforce, Ajira, ClickUp, Dropbox, HubSpot, etc.
Authentication Protocols: These include SAML, OAuth, and OpenID Connect, which facilitate secure communication between the IdP and SPs.

To put the above into a practical example, when a new employee joins an organisation, the IT team typically creates one primary account (often an email account if Office 365 or Google Workspace - Identity Provider). This account becomes the key to accessing and centralising authentication through other platforms like Slack, Ajira, HubSpot, etc, that the organisation’s employees use to perform their tasks.

When accessing one of these platforms, the user does not need to register a new account. When prompted, they simply click the “Sign in with Google” (Okta, OneLogin, or Microsoft, depending on their organisation) button to use their primary business email. This eliminates the need to remember multiple passwords and centralises authentication through a single, secure account.

Assuming your organization uses Google as its Identity Provider and Trello to manage projects and tasks, the SSO authentication process will generally follow this process.

User Initiates Login: the user tries to access Trello (Service Provider).
Redirect to Identity Provider: Trello redirects the user to the IdP’s login page.
User Authentication: The user inputs their Google credentials - business email and password, on the IdP’s page (if not already logged in - Steps 3 and 4) and requests to complete Multifactor Authentication (if enabled).
Token Issuance: After the user successfully authenticates on the IdP Authentication Server, the IdP issues a token for the user to use in Trello (Steps 6 and 7).
Token Validation: Trello double-checks and validates the issued token against the IdP authentication server (Step 8), then grants the user access once it has been successfully validated (Steps 9 and 10).

The Identity Provider maintains the authenticated session/token, allowing the user to continue accessing the application without re-authenticating, provided the token has not expired.

Benefits of SSO

Organisation IT teams implement SSO with the following benefits in mind:

Improved User Experience: Users do not need to remember multiple passwords, thus reducing password fatigue.
Centralised Management: IT teams can enforce strong security measures (e.g., Multifactor Authentication, password policies, permissions, etc) at the Identity Provider Level.
Simplified User Access Auditing: IT teams can monitor and associate events across all platforms with a single user account.
Simplified Offboarding: IT teams only need to disable the user’s primary account to revoke access across all service provider platforms/systems automatically.
Potential Risks of SSO
While SSO has several benefits, it also has the following disadvantages:
Single Point of Failure:
If the primary user (IdP) account is compromised, all connected service provider applications may be accessed.
If the Identity Provider is compromised, potentially all its clients and authenticated service provider platforms may be at risk—Okta Breach 2023.
Improper Implementation (or Incompatibility): If the organisation’s IT team (or even the Service Provider platform developers) do not correctly implement SSO, they risk exposing sensitive data or allowing unauthorised access.

New Google OAuth Threat

Truffle Security highlighted a more recent security flaw (specifically related to Google’s OAuth Implementation). In summary, threat actors can purchase the domain of a defunct startup and recreate the primary email accounts. While they cannot access old emails, they can use these accounts to log into associated Service Provider accounts and access sensitive data stored on these platforms.

Aside from exploiting SSO to access Service Provider accounts, Truffle Security also confirmed that using the recreated email accounts to reset passwords is possible.

Key Takeaway

SSO is a powerful tool for IT teams, but its effectiveness hinges on proper implementation, thorough monitoring, and robust policies. IT teams will need to implement the following to mitigate these risks:

Robust Offboarding Process:
1. Ensure former employee email accounts are deleted.
2. Transfer data and delete associated Service Provider SSO accounts.
Secure Domain Ownership: To prevent unauthorised use, you should maintain domain control even after shutting down operations.
Implement Enhanced Security Measures:
1. Enforce SSO with MFA, if possible, on the respective identity provider platforms.
2. Enable token/session expiry on the identity and service provider platforms.
3. Regularly audit and review access permissions.
Follow Developer Best Practices:
1. Service provider platform developers should follow best practices when implementing SSO authentication protocols (SAML, OAuth, etc) and authentication features in their applications.
2. Developers and service providers should require additional verification for password resets (One-Time-Passcodes or other unique information).

Cybersecurity for organisations requires a balanced approach to convenience and security to safeguard sensitive data and persons.

Personal Recommendations

While SSO offers several advantages, it does have trade-offs. I avoid using the “Sign in with …” feature for personal accounts. An attacker can access all connected accounts and services if my primary email account is compromised.

Instead, I recommend:

Register and create unique credentials for each service provider platform.
Use a password manager to store and manage these credentials securely.
Enable Multifactor Authentication (MFA) on all accounts, including the password manager, for added security.

References

Cover Image: https://www.normanandozi.com/but-data-security-is-important-right/

SSO Steps: https://techworld-with-milan.com

Page updated

Google Sites

Report abuse