Single Sign-on: Usage. Risks. Tips for more Security.

11. April 2023

Companies can benefit from the use of Single Sign-on (SSO), but it also entails many risks. Gerbert Roitburd, Senior Consultant at usd HeroLab and responsible for Single Sign-on Pentests, explains to us how Single Sign-on operates and what companies need to keep in mind when using such solutions.

What is Single Sign-on?

Single Sign-on is an authorization and authentication method that enables users to log on to multiple applications, so-called service providers, with just one set of credentials. Authentication or authorization is performed by trusted parties, also known as identity providers, with whom users are already registered. So when users log on to an application, the identity provider checks the user's credentials and subsequently grants them access. For example, a user's own social media account is often sufficient to log in to a website.

Single Sign-on processes are also being used increasingly in the corporate context. This enables employees to log on to various internal applications with a single user account and access the IT assets for which they are authorized.

The most common underlying standards or authorization and authentication mechanisms for applications are OAuth 2.0, OpenID Connect 1.0 and SAML, which are used in various combinations and configurations in the business context.  

What are the advantages of using Single Sign-on solutions?

Single Sign-on procedures increase the usability, as users only need one user name and password to log in to several applications. This simplified login process can also increase security by reducing the number of credentials required and mitigating the reuse of mostly weak passwords.

The previously mentioned benefits are also appealing to companies, as they allow them to efficiently manage users and access permissions. In addition, enterprises can dynamically register their applications with identity providers. This eases cross-company or cross-departmental collaboration enormously.

What are the risks associated with a Single Sign-on process?

Single Sign-on has its very own risks. If attackers gain access to a linked user account, they are able to access all applications that are defined for the user by the identity provider. If a Single Sign-on identity provider is compromised and its data is leaked, it could have devastating consequences for all users whose user accounts are stored with the identity provider - especially if the compromised user accounts are used for other applications.

The use of current authentication and authorization methods, such as OAuth 2.0, is no guarantee for security. After all, both service providers and identity providers can have errors in their implementation or configuration. These errors can lead to vulnerabilities, which could allow attackers unauthorized access to the underlying application and user data.

The user and application data of Single Sign-on procedures is thus an asset that requires special protection. Consequently, a secure implementation of SSO solutions is essential for an organization's IT security.
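To make the hand-off between identity provider and service provider concrete, and to show the kind of check that is easy to get wrong in a self-made implementation, here is an added Python example. It is not code from the interview or from usd HeroLab. It assumes a constructed OpenID Connect-style ID token signed with HS256 over a made-up issuer URL, client_id and shared secret (in practice a maintained library and published RS256 keys would be used); the identity provider side mints the token after the credential check, and the service provider side accepts it only if the algorithm, signature, issuer, audience, nonce and expiry all match.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures for this example only (not real endpoints or secrets).
IDP_ISSUER = "https://idp.example.test"      # assumed identity provider
SP_CLIENT_ID = "inventory-app"               # assumed service provider client_id
SHARED_SECRET = b"constructed-client-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, audience: str, nonce: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: after the user's credentials have been checked,
    mint an HS256-signed ID token addressed to one service provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "nonce": nonce, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenRejected(Exception):
    """Raised by the service provider when an ID token fails any check."""


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Service provider side: accept only a token signed by the trusted identity
    provider, addressed to this client, bound to this login attempt, and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    # Pin the algorithm: the header is untrusted until the signature is verified,
    # so "none" or any algorithm other than the configured one is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % (header.get("alg") if isinstance(header, dict) else None))
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("bad signature")
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        raise TokenRejected("malformed token")
    if claims.get("iss") != IDP_ISSUER:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if SP_CLIENT_ID not in audiences:
        raise TokenRejected("token not issued for this service provider")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenRejected("token expired")
    return claims


def login_outcome(token: str, expected_nonce: str, now: int) -> str:
    """One-line verdict for a login attempt instead of an exception."""
    try:
        claims = validate_id_token(token, expected_nonce, now)
    except TokenRejected as exc:
        return f"rejected: {exc}"
    return f"accepted: sub={claims['sub']}"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_id_token("alice", SP_CLIENT_ID, "nonce-1", now)
    print(login_outcome(token, "nonce-1", now))
```

The audience check is the one most often missing in home-grown code: a token the identity provider issued for some other registered application is a perfectly valid token, just not for this service provider, and accepting it lets one linked application impersonate the user at another. The nonce binds the token to the login attempt that requested it, and the algorithm is taken from the service provider's configuration rather than from the token header.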

What are recommendations you often give to increase security?

In general, there are two recommendations that service or identity providers can implement to avoid the typical pitfalls:

  1. It is recommended to use already proven and secure libraries. In particular, developing your own libraries for authentication and authorization processes is often error-prone, as it requires a comprehensive understanding of the standard. The processes are complex sometimes, and if not all details of the standard are adhered to, this can lead to serious vulnerabilities. In addition, the maintenance of such a self-developed library is associated with great effort.
  2. There are a number of best practices that both service providers and identity providers should adhere to in order to be as well secured as possible:

Additionally, the interaction between identity providers and service providers can result in individual vulnerabilities. A penetration test, or pentest, is used to verify the security of the SSO solution so that applications and user data are proactively protected.

What is a Single Sign-on Pentest?

During a pentest, security analysts assume the role of an attacker. They examine a company's IT landscape for vulnerabilities and points of attack, whereby they use methods, techniques and procedures that real attackers would also use. The objective is to find as many vulnerabilities as possible so that the company can correct them in a timely manner before real attackers can exploit them.

Single Sign-on solutions require a special kind of pentesting, because such solutions are often structured in a complex way and require a deep understanding of the application and underlying SSO standards, as well as broad experience with different technologies. A special procedure is required to check the security status of the implemented SSO solution, which combines both application-specific test elements and SSO-specific checks. This includes, for example, an in-depth analysis of the interaction between users, identity providers and service providers. 

How regularly should Single Sign-on Pentests be performed?

We recommend conducting a Single Sign-on Pentest prior to productive operation so that vulnerabilities identified can be remedied before the system goes live. In addition, changes to the existing SSO solution, such as adjustments to the underlying IT environment, can lead to new security vulnerabilities. For this reason, we recommend that our customers repeat pentests regularly, once a year, and integrate them firmly into the security process.

What is your approach to Single Sign-on Pentesting?

My colleagues and I have incorporated our experience and know-how into a special procedure for conducting Single Sign-on Pentests. In preparation for the pentest, we work closely with our customers on the scope of the test. This includes the purpose and role concept of the application, details of the implemented SSO solution and the technologies used. We then comprehensively check the SSO solution for vulnerabilities and misconfigurations as well as compliance with all best practices of the underlying SSO standard. Finally, we document the results of the security analysis for our customers in a detailed report, including recommended measures for correcting identified vulnerabilities.

Would you like to have your SSO solution checked for vulnerabilities? Find out more about our approach and training options for SSO here. Please feel free to contact us.
