
The SSO tax is killing trust in the security industry

We hate asking a company we're helping to secure to pay the single sign-on (SSO) tax. For those not familiar with the phrase, it refers to the license upgrade fee that many cloud software applications charge for unlocking the functionality needed to integrate with an SSO provider. See: The SSO Wall of Shame for a long but not exhaustive list.

Unfortunately, what happens next is worse. After you pay that tax, you do not always get what you thought you were buying, and attackers have figured that out. Session management beyond your SSO is akin to the Wild West, and that isn't just limited to scenarios such as the Okta HAR files debacle, but also account compromises caused by threat actors leveraging phishing attacks, EvilProxy and other infostealer malware.

It is only when you dig into how authentication tokens function in practice that you discover that cloud software application providers are complicit in these attacks. Some application providers charge you the tax but do not actually invest that fee in implementing the SSO experience that you expect in return. During testing, we found that some application providers that enable SAML integrations with SSO providers do not provide the security controls we believed would be in place. They force us to pay extra to integrate their application with our SSO platform but leave us vulnerable to account theft in ways we did not expect.

What is supposed to happen with single sign-on behind the scenes

Most enterprises have adopted an SSO solution and trained their employees to log into company applications only through that portal. Blue teamers cringe at paying the SSO tax but have ultimately accepted that paying is a necessary cost of improved security. SSO simplifies the end-user experience of logging into many different applications directly, reduces the risk of bad password practices, and centralizes the authentication process that represents the door most threat actors enter through.

With SSO in place, we can do things such as insisting that authentication be performed through a FIDO2 multifactor authentication (MFA) option, dictate the length of authentication sessions (to force users to reauthenticate after a specific period of time), and force a logout of all sessions (such as when a person is no longer an employee of an organization). These are powerful controls we've been led to believe come out of the box when we deploy an SSO solution.

As an employee logs into an SSO platform, a series of steps take place behind the scenes to authenticate the user and grant access to authorized applications. These steps involve the exchange of authentication tokens between the user's browser, the SSO platform, and the application being accessed.
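The token exchange described above ends with the application deciding whether to honor what the SSO platform asserted, and that is exactly where the controls listed earlier (MFA method, session length, forced logout) either take effect or quietly do not. The following is an added example, not code from this article or from any vendor it mentions: the policy checks a SAML 2.0 service provider (the cloud application) should apply to an assertion before minting its own session, namely the validity window, the audience, the authentication method, and the identity provider's `SessionNotOnOrAfter` limit. It assumes the assertion's XML signature has already been verified by the SAML library in use, and the FIDO2 authentication-context URI is a placeholder for SP policy, not a standard value. The sample assertion is constructed here and carries no real identifiers.

```python
"""Policy checks a SAML 2.0 service provider should enforce on an assertion.

Added example, not from the article. Assumptions: the assertion's XML
signature was already verified by the SAML library; FIDO2_CTX is a
placeholder policy URI, not a standard-defined AuthnContext class.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# A standard SAML 2.0 AuthnContext class (password over TLS): not phishing-resistant.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Placeholder URI an SP might configure for its IdP's FIDO2 assertions (assumption).
FIDO2_CTX = "urn:example:ac:classes:fido2"


@dataclass
class SessionDecision:
    accepted: bool
    reason: str
    subject: Optional[str] = None
    session_expires: Optional[datetime] = None


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in the form 2024-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_assertion(subject, audience, not_before, not_on_or_after,
                   session_not_on_or_after, authn_ctx) -> str:
    """Build a minimal, constructed (unsigned) assertion for demonstration only."""
    session_attr = (f' SessionNotOnOrAfter="{session_not_on_or_after}"'
                    if session_not_on_or_after else "")
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{not_before}"{session_attr}>
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_ctx}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def validate_assertion(xml_text: str, now: datetime, expected_audience: str,
                       sp_max_session_hours: float, allowed_contexts) -> SessionDecision:
    """Decide whether to open an SP session and how long it may live."""
    root = ET.fromstring(xml_text)

    # 1. Validity window: NotBefore is optional in SAML, NotOnOrAfter we require.
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return SessionDecision(False, "assertion carries no expiry")
    not_before = cond.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before):
        return SessionDecision(False, "assertion not yet valid")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return SessionDecision(False, "assertion expired")

    # 2. Audience: an assertion minted for another application is not ours to accept.
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if expected_audience not in audiences:
        return SessionDecision(False, "assertion not issued for this application")

    # 3. Authentication method: honor the MFA policy the SSO platform reports.
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        return SessionDecision(False, "no AuthnStatement")
    ctx = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=NS)
    if ctx not in allowed_contexts:
        return SessionDecision(False, f"authentication method not accepted: {ctx}")

    # 4. Session length: never outlive the IdP's SessionNotOnOrAfter, nor our own cap.
    expires = now + timedelta(hours=sp_max_session_hours)
    idp_limit = stmt.get("SessionNotOnOrAfter")
    if idp_limit is not None:
        expires = min(expires, parse_saml_time(idp_limit))

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return SessionDecision(True, "ok", subject, expires)


if __name__ == "__main__":
    assertion = make_assertion("alice@example.invalid", "https://app.example.invalid/saml",
                               "2024-01-01T10:00:00Z", "2024-01-01T10:05:00Z",
                               "2024-01-01T18:00:00Z", FIDO2_CTX)
    now = parse_saml_time("2024-01-01T10:01:00Z")
    print(validate_assertion(assertion, now, "https://app.example.invalid/saml", 12, {FIDO2_CTX}))
```

Step 4 is the one the article is really about: an application that ignores `SessionNotOnOrAfter` (or has no cap of its own) keeps the user logged in long after the SSO platform would have forced reauthentication, so a stolen application session outlives every control configured on the IdP side.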
