We hate asking an organization we're helping to secure to pay the single sign-on (SSO) tax. For those not familiar with the phrase, it refers to the license upgrade fee that many cloud software applications charge for unlocking the functionality needed to integrate with an SSO provider. See: The SSO Wall of Shame for a long but not exhaustive list.
Unfortunately, what happens next is worse. After you pay that tax, you do not always get what you thought you were buying, and attackers have figured that out. Session management beyond your SSO is akin to the Wild West, and that is not just limited to scenarios such as the Okta HAR files debacle, but also account compromises caused by threat actors leveraging phishing attacks and EvilProxy and other infostealer malware.
It is only when you dig into how authentication tokens function in practice that you discover that cloud software application providers are complicit in these attacks. Some application providers charge you the tax but do not actually invest that fee in implementing the SSO experience that you expect in return. During testing, we found that some application providers that enable SAML integrations with SSO providers do not provide the security controls we believed would be in place. They force us to pay extra to integrate their application with our SSO platform but leave us vulnerable to account theft in ways we did not expect.
What is supposed to happen with single sign-on behind the scenes
Most enterprises have adopted an SSO solution and trained their employees to log into company applications only through that portal. Blue teamers cringe at paying the SSO tax but have ultimately accepted that paying is a necessary cost of improved security. SSO simplifies the end-user experience of logging into multiple different applications directly, reduces the risk of bad password practices, and centralizes the authentication process that represents the door most threat actors enter through.
With SSO in place, we can do things such as insist that authentication be performed through a FIDO2 multifactor authentication (MFA) option, dictate the length of authentication sessions (to force users to reauthenticate after a specific period of time), and force a logout of all sessions (such as when a person is no longer an employee of an organization). These are powerful controls we have been led to believe come out of the box when we deploy an SSO solution.
As an employee logs into an SSO platform, a series of steps take place behind the scenes to authenticate the user and grant access to authorized applications. These steps involve the exchange of authentication tokens between the user's browser, the SSO platform, and the application being accessed.
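The controls described above (session length, forced logout, a required authentication strength) only work if the application, acting as the SAML service provider, actually reads them out of the assertion the SSO platform sends and applies them to its own session. The following Python is an added example, not code from the original article or from any product it mentions: it parses a constructed sample assertion, checks the validity window and audience, requires an acceptable AuthnContextClassRef (the URI values are IdP-specific and the ones used here are placeholders), caps the application session at the IdP's SessionNotOnOrAfter, and keeps the SessionIndex that an IdP-initiated single logout would later reference. It assumes the assertion's XML signature has already been verified by the SAML library in front of it, and it uses the standard-library XML parser for brevity where production code would use a hardened parser such as defusedxml.

```python
"""Added example: derive an application session from a SAML 2.0 assertion so
that the SSO platform's session limits actually bound the application session.
Assumption: the signature on the assertion was verified upstream; this code
only enforces the conditions and authentication statement inside it."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # production code: prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not captured from any real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_s1" SessionNotOnOrAfter="2024-01-01T20:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:placeholder:phishing-resistant-mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime (UTC, trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _reject(reason: str) -> dict:
    return {"ok": False, "reason": reason}


def validate_and_build_session(xml_text: str, expected_audience: str, now_iso: str,
                               allowed_authn_contexts=None,
                               max_app_session_hours: float = 8,
                               clock_skew_seconds: int = 30) -> dict:
    """Return a session description if the assertion is acceptable, else a rejection."""
    now = _ts(now_iso)
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return _reject("not a SAML assertion")

    # 1. Validity window: the assertion itself must be fresh (replay window).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return _reject("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        return _reject("assertion not yet valid")
    if not_on_or_after is None or now - skew >= _ts(not_on_or_after):
        return _reject("assertion expired or unbounded")

    # 2. Audience: an assertion minted for another application must not log us in.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return _reject("audience mismatch")

    # 3. Authentication statement: how, and for how long, the IdP authenticated the user.
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        return _reject("missing AuthnStatement")
    ctx_el = authn.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    authn_context = ctx_el.text if ctx_el is not None else None
    if allowed_authn_contexts is not None and authn_context not in allowed_authn_contexts:
        return _reject("authentication method not accepted")

    # 4. Session lifetime: never outlive the IdP's SessionNotOnOrAfter, and never
    #    exceed the application's own cap even if the IdP set none.
    app_expiry = now + timedelta(hours=max_app_session_hours)
    idp_limit = authn.get("SessionNotOnOrAfter")
    expires_at = min(app_expiry, _ts(idp_limit)) if idp_limit else app_expiry

    return {
        "ok": True,
        "reason": None,
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "expires_at": expires_at.isoformat(),
        "session_index": authn.get("SessionIndex"),  # needed to honor single logout
        "authn_context": authn_context,
    }


if __name__ == "__main__":
    print(validate_and_build_session(SAMPLE_ASSERTION,
                                     "https://app.example.test/saml/metadata",
                                     "2024-01-01T12:01:00Z"))
```

The point of step 4 is the one the article is driving at: an application that issues its own eight-hour (or indefinite) cookie after a successful SAML login, ignoring SessionNotOnOrAfter and SessionIndex, has silently discarded the session-length and forced-logout controls the SSO platform was supposed to provide.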