sso vs … not


slartibartphast

New member
Sep 30, 2020
My parent corp is big on Okta and SSO, including VPN.

In my division we've got Gmail, Windows AD, some old LDAP Linux and AWS stuff.

Me, I'm paranoid about having an account for email get compromised and boom, you've got VPN, SSH, etc. It seems to me SSO throws the "never use the same password" idea out the window.

Plus with these web SSO it seems the danger of phishing is way higher, even with 2FA.

opinions?
 

PHolder

Well-known member
Sep 16, 2020
I presume your thinking is that having multiple passwords is better? That doesn't make a lot of sense to me. It's like the difference between having one front versus many fronts in a war. You're usually better off focusing your attention on protecting one thing really well, rather than trying, and usually failing, to have good protection for many things. If you're the kind of person to get phished or otherwise likely to lose your password, having more ways to cause you to do it is just more ways to fail.
 

EdwinG

Well-known member
Sep 24, 2020
It’s a double-edged sword.

One of the things we can do with SSO is ensure that all the services require multiple factors for authentication, even if the service itself has absolutely no support for it. Another benefit is that if the account gets compromised or the individual leaves, we can quickly disable the account — even automatically. Also, it is easier to have one strong password than multiple small ones.

Yes, there are cons, like lateral movement between SSO-secured services. All of it will be part of the company's risk assessment.

In summary, SSO is closer to being a single service, with the third party keeping an identifier and no password. Instead, at sign-on time they receive a signed assertion, signed with the service-specific certificate issued by the identity provider (SAML), or a cryptographic token (Kerberos).

Dave New

Active member
Nov 23, 2020
I suppose you could imagine SSO for an enterprise is like an individual using a password vault, like LastPass. Either of them enables adding MFA to accounts that don't support it, and requires a single, strong password for the user to protect what amounts to SSO tokens, or generated complex passwords for LastPass-protected sites.

As an individual, I choose NOT to use SSO solutions that are offered to me by various sites ("sign in with Google, FB, or Twitter, etc."), as I cannot control how secure those solutions are. An enterprise SSO solution, on the other hand, supposedly has a lot of attention paid to the plumbing.

On the other hand, I'm a real believer in using LastPass, as I find it indispensable for managing logins for 200+ different web sites. I protect my LastPass account with Yubikeys. On a personal note, I use LastPass Families, especially for the 'dead man' feature, where my spouse can gain access to my logins, if she requests it, and I don't block the request within so many days. If you've ever had to deal with losing a loved one, and not being able to access any of their online accounts without a LOT of mumbo-jumbo, you will appreciate this feature.
 

Lob

What could possibly go wrong?
Nov 7, 2020
I think "Strong Authentication" is a must. We use smartcards and certificates to achieve this goal, which is very important for us when you consider both internal and external service authentication. It's especially important, in my opinion, when using Cloud-based services, where we demand our own tenant, HSM-based encryption key management and certificate-based authentication to profiles and roles that we deliver as a basis for authorisation to the service.

The biggest user-facing advantage is that we subsequently block access to such Cloud-based services for our people from non-authorised, non-enrolled devices (such as personal PCs). SAML and Kerberos are king and bring a seamless and integrated authentication.

In an enterprise like ours, LastPass and the like would not work; we have designed Temporary Privileged Access mechanisms for most platforms that are driven on a request, time-limited basis. It also then leverages the same certificate, negating the need for access to a separate credential but, at the same time, having that identity working in their daily environment (endpoint) as a non-admin.
 

slartibartphast

New member
Sep 30, 2020
I suppose having a per-device cert would really lock down the scope.
I'm also leery of roles keeping people out of certain systems. For example, we have some PCI stuff in AWS with totally different credentials. That way some admin can't badly assign a role and give access.
 

Dave New

Active member
Nov 23, 2020
To be clear, my enterprise uses LDAP and WiFi certs, etc. to lock down access to authorized sites and authorized devices. I'm not in our IT group, so I can't speak much to what goes on there, just what I experience as a user.

LastPass is for my personal use. The enterprise tolerates it, for that usage, because they understand that users will need to get access to personal sites (banking, webmail, etc.) and if they block things like LastPass, it will only encourage poor security practice on their machines.
 

slartibartphast

New member
Sep 30, 2020
We use corporate LastPass! So maybe your IT guys may want to look into it. It's great for sharing tons of passwords for machines that we don't use LDAP on, like routers, switches and hosts.

Plus you can link your personal account and use both.
 

Intuit

Well-known member
Dec 27, 2020
SSO + 2FA
Make sure that SSO is properly configured so that your users aren't giving out the password to a third party. This means that third-party websites will be temporarily redirecting back to your domain.
Make it so one can only configure 2FA from the domain network (not VPN).
This of course means that users who are 100% remote will have to call in to get 2FA configured and changed.
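The advice above (the password is only ever typed on your own domain, and the third party is just redirected back) only holds if the identity provider sends users back to callback URLs it actually knows; otherwise it becomes an open redirect to a look-alike page. The following is an added example, not code from any post in this thread, showing an exact-match callback check in Python; the client ids and callback URLs are constructed samples.

```python
"""Exact-match validation of an SSO callback (redirect) URL at the identity provider.

Added example, not from any post in this thread. Relying-party ids and callback
URLs below are constructed samples registered "out of band" with the IdP.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed registrations: relying party id -> exact callback URLs it may use.
REGISTERED_CALLBACKS = {
    "payroll-app": {"https://payroll.example.com/saml/acs"},
    "wiki": {"https://wiki.example.com/oidc/callback"},
}


def normalize(url: str) -> Optional[str]:
    """Canonical https URL (scheme, host, port, path, query), or None if unacceptable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port such as ":abc"
    except ValueError:
        return None
    if parts.scheme.lower() != "https":
        return None
    # Reject userinfo tricks such as https://payroll.example.com@evil.example/
    if "@" in parts.netloc or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # hostname is already lower-cased by urlsplit
    netloc = host if port in (None, 443) else f"{host}:{port}"
    target = f"https://{netloc}{parts.path or '/'}"
    if parts.query:
        target += "?" + parts.query
    return target  # the fragment never reaches the server, so it is dropped


def redirect_allowed(client_id: str, requested: str) -> bool:
    """True only if `requested` exactly matches a callback registered for `client_id`.

    Exact matching (no prefix or suffix rules) is what defeats hosts such as
    payroll.example.com.evil.example and path tricks like /saml/acs/../../admin.
    """
    allowed = REGISTERED_CALLBACKS.get(client_id, set())
    target = normalize(requested)
    return target is not None and target in {normalize(u) for u in allowed}


if __name__ == "__main__":
    for url in ("https://payroll.example.com/saml/acs",
                "https://PAYROLL.example.com.:443/saml/acs",
                "https://payroll.example.com.evil.example/saml/acs",
                "https://payroll.example.com@evil.example/saml/acs"):
        print(redirect_allowed("payroll-app", url), url)
```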