Quick overview of how SSO works, potential risks, and how organizations can mitigate risks.
Single Sign-On (SSO) is an invaluable tool for simplifying user access to multiple platforms in today's fast-paced business environment. From an IT perspective, SSO streamlines user account management while enhancing user experience.
The core concept of SSO is to centralize authentication through a trusted Identity Provider (IdP). When a user logs into the IdP, it verifies their identity and issues a token or session recognized by other connected services. This allows seamless access to multiple applications without requiring additional logins, meaning users do not need to memorize or store numerous passwords.
SSO involves three main entities:
Identity Provider (IdP): A system that authenticates users and manages their identity, e.g., Google, Microsoft Azure AD, OneLogin, Okta, etc.
Service Providers (SPs): The applications or services users want to access, such as Slack, Salesforce, Jira, ClickUp, Dropbox, HubSpot, etc.
Authentication Protocols: These include SAML, OAuth, and OpenID Connect, which facilitate secure communication between the IdP and SPs.
To put the above into a practical example, when a new employee joins an organization, the IT team typically creates one primary account (often an email account in Office 365 or Google Workspace, which acts as the Identity Provider). This account becomes the key to accessing other platforms like Slack, Jira, HubSpot, etc., that the organization’s employees use to perform their tasks, and authentication to all of them is centralized through it.
When accessing one of these platforms, the user does not need to register a new account. When prompted, they simply click the “Sign in with Google” (Okta, OneLogin, or Microsoft, depending on their organization) button to use their primary business email. This eliminates the need to remember multiple passwords and centralizes authentication through a single, secure account.
Assuming your organization uses Google as its Identity Provider and Trello to manage projects and tasks, SSO authentication will generally follow these steps:
User Initiates Login: the user tries to access Trello (Service Provider).
Redirect to Identity Provider: Trello redirects the user to the IdP’s login page.
User Authentication: The user enters their Google credentials (business email and password) on the IdP’s page, if not already logged in (Steps 3 and 4), and is asked to complete Multifactor Authentication (if enabled).
Token Issuance: After the user successfully authenticates on the IdP Authentication Server, the IdP issues a token for the user to use in Trello (Steps 6 and 7).
Token Validation: Trello double-checks and validates the issued token against the IdP authentication server (Step 8), then grants the user access once it has been successfully validated (Steps 9 and 10).
The Identity Provider maintains the authenticated session/token, allowing the user to continue accessing the application without re-authenticating, provided the token has not expired.
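The token issuance and validation steps above (Steps 4 and 5) are where an SSO integration succeeds or fails. The following is an added example, not code from the original post or from any IdP or service provider, that simulates both sides with the Python standard library: a stand-in IdP issues a signed ID token carrying the standard OpenID Connect claims, and a stand-in service provider validates the signature, issuer, audience, nonce and expiry before granting access. The issuer URL, client ID and shared secret are constructed values; real IdPs sign with an asymmetric key (RS256) published via JWKS rather than the HMAC secret used here to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for a stand-in IdP and SP; not real endpoints or client IDs.
IDP_ISSUER = "https://idp.example.com"
SP_CLIENT_ID = "trello-demo-client-id"
# Real IdPs sign ID tokens with an asymmetric key (e.g. RS256) and publish the public
# key in a JWKS document. A shared HMAC secret (HS256) is used here only so the
# example runs stand-alone with the standard library.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_id_token(subject: str, email: str, nonce: str, now: int, ttl: int = 3600) -> str:
    """Step 4 (IdP side): mint a signed ID token after the user has authenticated."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": IDP_ISSUER,     # who issued the token
        "sub": subject,        # stable identifier of the user at the IdP
        "aud": SP_CLIENT_ID,   # which service provider the token is meant for
        "email": email,
        "nonce": nonce,        # echoed back to bind the token to this login attempt
        "iat": now,
        "exp": now + ttl,      # token/session expiry
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def sp_validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 5 (SP side): accept the token only if every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose its own algorithm
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != SP_CLIENT_ID:
        raise ValueError("token issued for another service provider")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def reject_reason(token: str, expected_nonce: str, now: int) -> str:
    """Return an empty string if the token is accepted, otherwise the rejection reason."""
    try:
        sp_validate_id_token(token, expected_nonce, now)
        return ""
    except ValueError as exc:
        return str(exc)


def tamper_audience(token: str, new_aud: str) -> str:
    """Rewrite the aud claim without re-signing, to show that the signature check catches modification."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["aud"] = new_aud
    return header_b64 + "." + _b64url(json.dumps(claims).encode()) + "." + sig_b64


if __name__ == "__main__":
    now = int(time.time())
    nonce = secrets.token_urlsafe(16)  # the SP generates this at Step 2 and keeps it in the browser session
    token = idp_issue_id_token("idp-user-1001", "alice@example.com", nonce, now)
    print("fresh token:", reject_reason(token, nonce, now) or "accepted")
    print("other nonce:", reject_reason(token, "some-other-nonce", now))
    print("two hours later:", reject_reason(token, nonce, now + 7200))
    print("aud rewritten:", reject_reason(tamper_audience(token, "other-client"), nonce, now))
```

The audience check is what stops a token minted for one service provider from being presented to another, the nonce ties the token to the login the user actually started, and the expiry check is the mechanism behind the token/session expiry recommended later in the post.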
Organization IT teams implement SSO with the following benefits in mind:
Improved User Experience: Users do not need to remember multiple passwords, thus reducing password fatigue.
Centralized Management: IT teams can enforce strong security measures (e.g., Multifactor Authentication, password policies, permissions, etc.) at the Identity Provider level.
Simplified User Access Auditing: IT teams can monitor and associate events across all platforms with a single user account.
Simplified Offboarding: IT teams only need to disable the user’s primary account to automatically revoke access across all service provider platforms/systems.
While SSO has several benefits, it also has the following disadvantages:
Single Point of Failure:
If the primary user (IdP) account is compromised, all connected service provider applications may be accessed.
If the Identity Provider itself is compromised, potentially all of its customers and the service provider platforms they authenticate to may be at risk, as in the 2023 Okta breach.
Improper Implementation (or Incompatibility): If the organization’s IT team (or even the Service Provider platform developers) does not correctly implement SSO, they risk exposing sensitive data or allowing unauthorized access.
Truffle Security highlighted a more recent security flaw (specifically related to Google’s OAuth implementation). In summary, threat actors can purchase the domain of a defunct startup and recreate the primary email accounts. While they cannot access old emails, they can use these accounts to log into associated Service Provider accounts and access sensitive data stored on these platforms.
Aside from exploiting SSO to access Service Provider accounts, Truffle Security also confirmed that using the recreated email accounts to reset passwords is possible.
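The defensive point behind the flaw described above is how a service provider decides which of its accounts an incoming ID token belongs to. The following added example (not code from the original post, Truffle Security, Google or any service provider) generalizes that point: it contrasts a toy service provider that links logins by email address with one that links by the OpenID Connect sub claim, which the OIDC specification defines as the IdP's stable identifier for the user. The claim sets are constructed stand-ins for the tokens an IdP would issue; a recreated mailbox on a re-registered domain carries the same email but a different subject identifier.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed claim sets standing in for the ID tokens an IdP would issue.
# Both carry the same email address and hosted domain, but the recreated mailbox
# is a new account at the IdP and therefore gets a new subject identifier.
ORIGINAL_EMPLOYEE_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "subject-7f3a-original",
    "email": "alice@defunct-startup.example",
    "hd": "defunct-startup.example",
}
RECREATED_MAILBOX_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "subject-9c1d-recreated",
    "email": "alice@defunct-startup.example",
    "hd": "defunct-startup.example",
}


@dataclass
class SpAccount:
    email: str
    idp_subject: str
    data: List[str] = field(default_factory=list)


class ServiceProvider:
    """Toy service provider user store showing two ways of linking an ID token to an account."""

    def __init__(self) -> None:
        self.accounts: List[SpAccount] = []

    def register(self, claims: dict, data: List[str]) -> SpAccount:
        acct = SpAccount(email=claims["email"], idp_subject=claims["sub"], data=list(data))
        self.accounts.append(acct)
        return acct

    def login_by_email(self, claims: dict) -> Optional[SpAccount]:
        """Weak pattern: whoever currently controls the address inherits the old account."""
        for acct in self.accounts:
            if acct.email.lower() == claims["email"].lower():
                return acct
        return None

    def login_by_subject(self, claims: dict) -> Optional[SpAccount]:
        """Stronger pattern: link on the IdP subject identifier, which a recreated mailbox does not share."""
        for acct in self.accounts:
            if acct.idp_subject == claims["sub"]:
                return acct
        return None


def simulate_domain_takeover() -> Tuple[List[str], List[str]]:
    """Return the stored data visible to the recreated mailbox under each linking strategy."""
    sp = ServiceProvider()
    sp.register(ORIGINAL_EMPLOYEE_CLAIMS, ["customer-records", "hr-documents"])
    # The startup shuts down, the domain is re-registered and the mailbox recreated.
    via_email = sp.login_by_email(RECREATED_MAILBOX_CLAIMS)
    via_subject = sp.login_by_subject(RECREATED_MAILBOX_CLAIMS)
    return (via_email.data if via_email else [], via_subject.data if via_subject else [])


def original_employee_still_matches() -> bool:
    """The legitimate account holder is matched under both strategies."""
    sp = ServiceProvider()
    sp.register(ORIGINAL_EMPLOYEE_CLAIMS, ["customer-records"])
    return sp.login_by_email(ORIGINAL_EMPLOYEE_CLAIMS) is not None and \
        sp.login_by_subject(ORIGINAL_EMPLOYEE_CLAIMS) is not None


if __name__ == "__main__":
    by_email, by_subject = simulate_domain_takeover()
    print("recreated mailbox sees via email linking:  ", by_email)
    print("recreated mailbox sees via subject linking:", by_subject)
```

Under subject linking the recreated mailbox is treated as a brand-new user with an empty account, while email linking hands it the former employee's data. The same reasoning applies to the password-reset path mentioned above: a reset flow that trusts only the email address is as exposed as email-based account linking.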
SSO is a powerful tool for IT teams, but its effectiveness hinges on proper implementation, thorough monitoring, and robust policies. IT teams will need to implement the following to mitigate these risks:
Robust Offboarding Process:
Ensure former employee email accounts are deleted.
Transfer data and delete associated Service Provider SSO accounts.
Secure Domain Ownership: To prevent unauthorized use, you should maintain domain control even after shutting down operations.
Implement Enhanced Security Measures:
Enforce SSO with MFA, if possible, on the respective identity provider platforms.
Enable token/session expiry on the identity and service provider platforms.
Regularly audit and review access permissions.
Follow Developer Best Practices:
Service provider platform developers should follow best practices when implementing SSO authentication protocols (SAML, OAuth, etc.) and authentication features in their applications.
Developers and service providers should require additional verification for password resets (One-Time-Passcodes or other unique information).
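Several of the mitigations above (deleting associated Service Provider accounts during offboarding, regular access reviews, and enforcing SSO so that MFA at the IdP actually applies) come down to reconciling what the IdP says about a user against what each service provider still has on file. The following added example, not code from the original post or from any vendor's admin tooling, shows such a reconciliation over constructed sample exports: it flags SP accounts with no IdP user, SP accounts whose IdP user is suspended, SP accounts that still have a local password and therefore bypass the IdP, and dormant accounts. The directory entries, services and dates are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class IdpUser:
    email: str
    status: str          # "active" or "suspended"


@dataclass(frozen=True)
class SpAccount:
    service: str
    email: str
    sso_linked: bool     # False means the account still has a local password on the SP
    last_login: datetime


# Constructed sample exports: what an IdP directory and a few SP admin consoles might list.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
IDP_USERS = [
    IdpUser("alice@example.com", "active"),
    IdpUser("bob@example.com", "suspended"),  # offboarded at the IdP
]
SP_ACCOUNTS = [
    SpAccount("Slack", "alice@example.com", True, NOW - timedelta(days=1)),
    SpAccount("Slack", "bob@example.com", True, NOW - timedelta(days=3)),
    SpAccount("Jira", "carol@example.com", False, NOW - timedelta(days=200)),
    SpAccount("HubSpot", "alice@example.com", False, NOW - timedelta(days=2)),
]

Finding = Tuple[str, str, str]  # (service, email, reason code)


def audit_sp_accounts(idp_users: List[IdpUser], sp_accounts: List[SpAccount],
                      now: datetime, max_idle: timedelta = timedelta(days=90)) -> List[Finding]:
    """Compare SP account lists against the IdP directory and return reasons to review each account."""
    directory = {u.email.lower(): u for u in idp_users}
    findings: List[Finding] = []
    for acct in sp_accounts:
        user = directory.get(acct.email.lower())
        if user is None:
            # No IdP identity at all: former employee or an account created outside SSO.
            findings.append((acct.service, acct.email, "ORPHANED"))
        elif user.status != "active":
            # Disabling at the IdP blocks new SSO logins, but the SP account and its data remain.
            findings.append((acct.service, acct.email, "IDP_SUSPENDED"))
        if not acct.sso_linked:
            # A local password sidesteps IdP MFA and is not revoked by IdP offboarding.
            findings.append((acct.service, acct.email, "LOCAL_PASSWORD"))
        if now - acct.last_login > max_idle:
            findings.append((acct.service, acct.email, "DORMANT"))
    return findings


def run_sample_audit() -> List[Finding]:
    return audit_sp_accounts(IDP_USERS, SP_ACCOUNTS, NOW)


if __name__ == "__main__":
    for service, email, reason in run_sample_audit():
        print(f"{service:8} {email:24} {reason}")
```

In practice the two inputs come from the IdP's user export and each service provider's member list or SCIM directory; the reason codes map directly onto the offboarding and access-review items above.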
Cyber security for organizations requires a balanced approach to convenience and security to safeguard sensitive data and people.
While SSO offers several advantages, it does have trade-offs. Personally, I avoid using the “Sign in with …” feature for personal accounts. An attacker can access all connected accounts and services if my primary email account is compromised.
Instead, I recommend:
Register and create unique credentials for each service provider platform.
Use a password manager to store and manage these credentials securely.
Enable Multifactor Authentication (MFA) on all accounts, including the password manager, for added security.
Cover Image: https://www.normanandozi.com/but-data-security-is-important-right/
Sign in with Google: https://developers.google.com/identity/branding-guidelines
SSO Steps: https://techworld-with-milan.com
Password Absurdity: https://cybersecurityventures.com/cybersecurity-cartoon-archives/