Streamlining Authentication: The Power of Single Sign-On
Chapter 1: Understanding Single Sign-On (SSO)
In modern workplaces, employees often navigate a multitude of applications daily, each requiring distinct passwords. This situation significantly increases the risk of security breaches, as users may resort to reusing passwords across various platforms. Consequently, if one password is compromised, it can lead to unauthorized access to multiple accounts. To mitigate this issue, many organizations adopt Single Sign-On (SSO) solutions, enabling users to authenticate once and gain access to various applications without repeated credential entry.
Section 1.1: How SSO Functions
With SSO, users only need to input their credentials once. Upon logging into an SSO-enabled application, they are redirected to the application’s homepage without needing to re-enter their password for linked services. This streamlined process hinges on whether the user is currently logged into a secure SSO session. If the session has expired, they must log back into a secure SSO application, such as Okta, to continue.
As an example, if a user has validated their identity in an SSO-enabled app and wishes to visit abc.com, they only need to provide their username to log in, bypassing the need for a password due to SSO integration.
SSO offers not just authentication but also authorization. Its implementation can vary, often utilizing protocols like SAML or X.509 certificates to facilitate secure access.
Subsection 1.1.1: SAML and Smart Card Implementations
SAML comprises two principal components: the identity provider and the service provider. For a user to access applications, their identity must be verified by the service provider using information from the identity provider. There are software-based methods for implementing SSO, as well as smart card systems, which allow users to authenticate by simply tapping their card, eliminating the need for password entry.
Section 1.2: The Trust Relationship in SSO
SSO relies on the trust established between the identity provider and service provider. Organizations can create their own infrastructure for identity verification or partner with third-party services like Okta. This trust is foundational during the SSO deployment process, facilitated by certificates that convey necessary information from the identity provider to the service provider, such as user email addresses.
When a user requests access to a service, the user's data, including any existing session token, flows from the service provider to the identity provider for validation. If validation succeeds, the identity provider grants access by sending a token back to the service provider, which then admits the user.
Chapter 2: Enhancing Security in SSO
The first video titled "What is Single Sign-On Authentication? And...How Does it Work? (SSO)" provides an overview of SSO and its operational framework, illustrating its significance in the digital landscape.
The second video, "What is single sign-on (SSO) and how can it protect your business?" explains the protective measures SSO offers to organizations and their users.
Section 2.1: The Necessity of Two-Factor Authentication
Although SSO provides a robust level of security, integrating two-factor authentication (2FA) enhances protection against potential breaches. In scenarios where an adversary compromises SSO security, 2FA adds an extra barrier, requiring two layers of verification before access is granted.
Section 2.2: Best Practices for Securing SSO
To maximize SSO security, organizations should implement several best practices:
- Mandatory 2FA/MFA: Organizations must enforce two-factor or multi-factor authentication across all SSO accounts, as this safeguards against compromised passwords.
- Principle of Least Privilege: Users should have only the necessary privileges needed for their roles, with regular reviews to revoke any unnecessary access.
- Vendor Assessments: Before selecting an SSO vendor like OneLogin or Okta, organizations should conduct thorough evaluations to understand which user and authentication data the vendor can access and how it is handled.
- Session Management: SSO solutions should be tailored to organizational needs, with shorter session timeouts for sensitive applications compared to less critical ones.
- Protection Against Replay Attacks: SAML implementations must include mechanisms to prevent replay attacks by ensuring a unique assertion ID for each request and rejecting any assertion whose ID (or validity window) has already been used.
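The validation the service provider performs on an identity-provider assertion (Section 1.2) and the replay protection called for in the last bullet can be shown together. The following is an added example, not code from the original article or from any SSO vendor: it parses a constructed SAML 2.0 assertion with the Python standard library and applies the checks a service provider should make before trusting it, namely issuer, validity window, audience, and a one-time-use cache keyed on the assertion ID. The issuer and audience URLs, the timestamps and the subject are all made up for the example, and XML signature verification is assumed to have been done beforehand by a dedicated XML-DSig library, since the standard library has none.

```python
import calendar
import time
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (hypothetical issuer/audience/subject values).
# A real assertion would also carry an XML-DSig <ds:Signature> element; the
# example assumes that signature has already been verified against the
# identity provider's certificate before this code runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """Convert a SAML UTC timestamp (whole seconds only, for brevity) to epoch seconds."""
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))


class AssertionValidator:
    """Service-provider side checks on an (already signature-verified) assertion."""

    def __init__(self, trusted_issuer, expected_audience, clock_skew=60):
        self.trusted_issuer = trusted_issuer
        self.expected_audience = expected_audience
        self.clock_skew = clock_skew          # tolerated clock drift, seconds
        self._seen = {}                       # assertion ID -> NotOnOrAfter epoch

    def _purge_expired(self, now):
        # Drop cached IDs once their own validity window (plus skew) has passed;
        # an assertion that old would be rejected as expired anyway.
        for aid, not_on_or_after in list(self._seen.items()):
            if not_on_or_after + self.clock_skew < now:
                del self._seen[aid]

    def validate(self, xml_text, now):
        """Return (True, subject) on success or (False, reason) on rejection."""
        root = ET.fromstring(xml_text)
        if root.tag != "{%s}Assertion" % SAML_NS:
            return False, "not a SAML assertion"
        assertion_id = root.get("ID")
        if not assertion_id:
            return False, "missing assertion ID"
        if root.findtext("saml:Issuer", namespaces=NS) != self.trusted_issuer:
            return False, "untrusted issuer"
        conditions = root.find("saml:Conditions", NS)
        if conditions is None or not conditions.get("NotOnOrAfter"):
            return False, "missing validity conditions"
        not_before = parse_ts(conditions.get("NotBefore", "1970-01-01T00:00:00Z"))
        not_on_or_after = parse_ts(conditions.get("NotOnOrAfter"))
        if now + self.clock_skew < not_before:
            return False, "not yet valid"
        if now - self.clock_skew >= not_on_or_after:
            return False, "expired"
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", NS)]
        if self.expected_audience not in audiences:
            return False, "audience mismatch"
        # Replay protection: each assertion ID may be accepted exactly once.
        self._purge_expired(now)
        if assertion_id in self._seen:
            return False, "replayed assertion"
        self._seen[assertion_id] = not_on_or_after
        subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        return True, subject


if __name__ == "__main__":
    validator = AssertionValidator("https://idp.example.test/metadata",
                                   "https://sp.example.test/saml/metadata")
    now = parse_ts("2024-01-01T12:00:30Z")
    print(validator.validate(SAMPLE_ASSERTION, now))   # accepted, subject returned
    print(validator.validate(SAMPLE_ASSERTION, now))   # same ID again: rejected
```

The checks are ordered so that cheap, deterministic rejections (issuer, time window, audience) happen before the replay cache is touched, and the cache is bounded by the assertions' own NotOnOrAfter values rather than growing without limit. In a deployment with several service-provider nodes the cache would need to be shared (for example in a central store), or replay protection would only hold per node.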
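The session-management bullet above recommends shorter timeouts for sensitive applications than for less critical ones. As an added illustration (not code from the original article or from any product), the following Python session store applies a per-application policy with both an idle timeout and an absolute lifetime, and supports revoking all of a user's sessions at once, which is what an SSO deployment needs when a user logs out at the identity provider or is offboarded. The application names, timeout values and user names are constructed for the example.

```python
import secrets

# Constructed policy (seconds): a sensitive app gets a short idle timeout and
# absolute lifetime, a low-risk app gets longer ones.
SESSION_POLICY = {
    "payroll": {"idle": 5 * 60,  "absolute": 60 * 60},        # sensitive
    "wiki":    {"idle": 60 * 60, "absolute": 12 * 60 * 60},   # less critical
}


class SessionStore:
    """In-memory session store enforcing per-application timeouts."""

    def __init__(self, policy):
        self.policy = policy
        self._sessions = {}   # token -> {"user", "app", "created", "last_seen"}

    def create(self, user, app, now):
        """Issue a new random session token for user on app at time now."""
        if app not in self.policy:
            raise KeyError("no session policy defined for application %r" % app)
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[token] = {"user": user, "app": app,
                                 "created": now, "last_seen": now}
        return token

    def check(self, token, now):
        """Return (user, "ok") if the session is live, else (None, reason).

        Expired sessions are deleted so a later call cannot revive them.
        """
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown or revoked session"
        limits = self.policy[session["app"]]
        if now - session["created"] >= limits["absolute"]:
            del self._sessions[token]
            return None, "absolute lifetime exceeded"
        if now - session["last_seen"] >= limits["idle"]:
            del self._sessions[token]
            return None, "idle timeout"
        session["last_seen"] = now          # activity extends the idle window only
        return session["user"], "ok"

    def revoke_user(self, user):
        """Terminate every session belonging to user; returns how many were removed."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore(SESSION_POLICY)
    t0 = 1_000
    pay = store.create("alice", "payroll", t0)
    print(store.check(pay, t0 + 299))       # ('alice', 'ok')
    print(store.check(pay, t0 + 299 + 300)) # (None, 'idle timeout')
```

The absolute lifetime is checked first so that continuous activity cannot keep a session alive forever, and the idle timer is only refreshed after both checks pass. Tokens are generated with `secrets` rather than `random`, since a guessable session token would undo the protection the timeouts provide.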
Conclusion
Single Sign-On simplifies the user experience for both employees and administrators, reducing the need for frequent credential entry while streamlining access management. However, it’s essential to prioritize secure implementation practices to protect against vulnerabilities, ensuring that any potential breaches do not compromise access to all linked applications.