Okta for Listing, IdP, and SSO. ACM.149 Exploring Okta options that… | by Teri Radichel | Cloud Safety | Feb, 2023 | Tech Zen

ACM.149 Discover Okta options that might permit it for use as an IdP for person authentication

A part of my collection on Automation of cybersecurity metrics. He Code.

In my final publish I defined what an Id Supplier (IdP) is and differentiated it from Single Signal On (SSO) to clarify what I am attempting to attain in my subsequent posts.

There are lots of variations on how and the place person credentials may be saved and the way customers may be authenticated. An IdP sometimes shops person credentials and handles person authentication. The time period for transferring authentication to a different system or service is known as federation. That implies that the appliance itself doesn’t validate the credentials, however passes that activity to a different system. As we have seen, there are nonetheless many variations on how credential administration can happen, even in that situation.

As I defined, if the system merely shops the credentials and passes them to another third-party system to carry out authentication, then that is probably not an IdP. It’s merely a mechanism to facilitate person login (SSO). That does not actually obtain the structure change I am attempting to make by utilizing a 3rd celebration authentication service.

As a reminder, I need to cut up up person creation and supply entry for these customers to happen with totally different credentials and periods on totally different techniques in hopes of thwarting this assault:

I have been toying with the concept of ​​utilizing OKTA as the house listing for a number of cloud environments for some time now, however have not gotten round to attempting it out. On this publish, I am going to focus on a few of Okta’s options, capabilities, and potential safety gaps that I am going to discover in additional element in future posts. A few of the Okta documentation is scattered, so I could have missed one thing beneath within the authentication choices. I am going to replace this publish if I discover extra whereas testing the system.

Traditional Engine vs. Id Engine

Okta helps what it calls the Traditional Engine and the brand new Id Engine. When reviewing the documentation, you may see which model you are taking a look at on the high proper of the documentation:

Since Id Engine is the brand new and improved model, we are going to give attention to that.

Okta as foremost person listing

As talked about within the final publish, an IdP sometimes maintains the listing of customers and their passwords which might be used to authenticate login requests. Okta affords one thing they name “Common Listing” which acts as a repository for all of your customers, teams and gadgets.

Many organizations at present use Azure Energetic Listing or Energetic Listing because the supply of data for all customers in a company. Okta (and plenty of different firms) have tried to grow to be an alternative choice to that choice.

However can Okta’s Common Listing actually substitute Energetic Listing or Azure Energetic Listing? Not if Microsoft can assist it. Final time I attempted I could not utterly federative Register to Azure for Okta. We’ll take a more in-depth have a look at the Common Listing in future posts. Possibly issues have modified since I final checked.

By the way in which, different firms need to do the identical with companies like Google Cloud Id and JumpCloud. Different identification firms have tried and failed up to now with unreliable and not-so-secure companies, although Microsoft Energetic Listing has had its personal safety challenges.

Can an organization that focuses solely on authorization and identification administration do any higher? Probably. Though an organization that targeted solely on password administration has simply been breached (LassPass), so a singular method isn’t any assure of success.

Listing Integrations

If you wish to use an alternate listing, Okta helps the next listing integrations. As I already defined, I am attempting to check Okta as my supply listing for actual, so I will not be utilizing the next. On this case, we’re doubtlessly copying and syncing issues that I actually do not need to do.

Energetic Listing

ldap

CSV

Okta Dashboard for SSO

Okta actually began as a single sign-on (SSO) resolution. The aim was to make life simpler for directors and customers who needed to log into many alternative techniques. I defined the distinction between an IdP and SSO in my final publish.

Once you log into Okta, you get a dashboard with a collection of icons that you could click on to log in to varied techniques.

As I coated in my final publish, what occurs if you click on a type of buttons can range relying on the implementation behind the scenes. The kind of authentication course of that Okta can provide will rely upon two issues:

1. The mechanisms that Okta helps.
2. The mechanisms which might be supported by the supplier you’re logging into if you click on the button.

What authentication choices does Okta assist for an exterior IdP?

You possibly can permit customers to authenticate with the next exterior IdPs when utilizing Okta. Meaning Okta federates authentication with the third-party IdP that shops the person’s credentials as an alternative of storing and authenticating the person themselves.

OIDC (Open Identification Connection)

Open ID join is a more recent customary than SAML. It makes use of JSON internet tokens as an alternative of XML.

Generic OpenID Join (OIDC) permits customers to register to an Okta group utilizing their current account credentials at an OIDC Id Supplier (IdP).

SAML (Safety Assertion Markup Language)

SAML was one of many foremost protocols and requirements used to federate the authentication course of to an IdP for years. It’s primarily based on XML and a few folks discover OIDC to be easier. That being mentioned, some older techniques solely assist SAML.

social IdP

Okta can work with exterior companies like Fb, Google and Microsoft.

good card IdP

Okta works with good playing cards that comprise an x.509 compliant digital certificates.

From the documentation:

A Private Id Verification (PIV) card is a United States federal good card that comprises knowledge crucial for the cardholder to entry federal info techniques and amenities and to make sure acceptable ranges of safety for all relevant federal functions. PIV playing cards are very highly effective authenticators (as much as IAL3/AAL3, per NIST steerage), which might substitute username and password because the authentication methodology the place supported.

What kinds of protocols does Okta assist for SSO?

RADIO

Some firewalls and different techniques require the usage of the RADIUS protocol which can also be supported by Okta.

Energetic Listing Single Signal On

Use Energetic Listing credentials to register to functions.

OIDC Integrations

OIDC tokens issued by Okta:

OIDC tokens issued by a third-party software:

SAML

Much like the pictures above, the SAML assertion may be issued by Okta or the third celebration.

WS-Fed

Some legacy Microsoft functions use WS-Fed.

SWA (Safe Internet Authentication)

Okta SSO makes use of this methodology for functions that don’t assist federation of the authentication course of with Okta. This aligns with the situation I wrote about yesterday, the place Okta acts as a “password supervisor within the sky.”

How Okta describes it:

Directors can set the credentials for the appliance, or the top person can enter a particular username and password. Okta retains that app’s credentials inside a safe retailer, encrypted with robust AES-256 encryption. After configuring the credentials, finish customers solely have to authenticate with Okta and might then SSO straight into the app.

This is perhaps an excellent resolution if you do not need the person to have the credentials for an app, however does the administrator see and have the credentials? That units us up for potential credential abuse by insiders I wrote about in earlier posts.

SCIM (System for inter-domain identification administration)

SCIM is a technique for automating identification administration throughout platforms. We’ll check out SCIM in additional element in later posts.

CASB

Okta additionally affords documentation for CASB integrations. We won’t use a CASB for this specific product analysis.

What choices does OKTA assist for customized apps utilizing the Okta API?

Okta describes two totally different authentication mechanisms in its developer documentation: forwarder authentication and built-in authentication. This documentation doesn’t specify which engine it’s relevant to.

redirect authentication

The person logs into Okta and is then redirected to a different app. On this case, the credentials are entered into an online web page hosted by Okta, and Okta considers this methodology safer.

okta says:

A person login stream that offers Okta authentication management by redirecting to a login web page hosted by Okta utilizing open protocols akin to OAuth 2.0 and SAML.

Redirect authentication through the Okta-hosted login widget is taken into account the simplest and most safe technique of integration. It is because Okta hosts the login widget itself, is maintained by Okta, and is saved safe by Okta. The Okta-hosted login widget is advisable for many integrations.

built-in authentication

With the embedded choice, your cloud service hosts an online web page that accepts the credentials, that are then used to authenticate to Okta. On this case, the credentials are uncovered to the appliance that hosts the login web page. This selection is accessible in case the app that Okta makes use of to log in requires extra customization than is feasible with the Okta login widget.

multi-factor authentication

Okta additionally affords MFA now. Since credentials float between techniques, if that’s the case, implementing MFA can assist restrict sure kinds of assaults. In fact, we might want to see the MFA implementation and check it.

What occurs when MFA is required on Okta and also you need to implement MFA on AWS through a situation in an AWS IAM coverage? Thankfully, Okta has an answer for that, however we need to strive it out.

contemplating our choices

We’re actually not finished at this level, however we will have a look at the totally different choices that Okta helps for the authentication a part of the answer. The query is, what assist do the platforms we need to log into have? The place will our passwords find yourself? What sort of safety is in place to guard the mixing between the 2 techniques? What sort of assaults is perhaps potential for the answer we try to arrange? And is a real federation potential? Can we delegate person creation to at least one platform and entry controls to the opposite?

Observe for updates.

Teri Radichel | © second sight lab 2023

When you appreciated this story ~ use the hyperlinks beneath to point out your assist. Thanks!

Help:
Clap for this story or refer others to comply with me.
Observe on Medium: Teri Radichel
Join Electronic mail Checklist: Teri Radichel
Observe on Twitter: @teriradichel
Observe on Mastodon: @[email protected]
Observe on Publish: @teriradichel
Like on Fb: 2nd Sight Lab
Purchase a Ebook: Teri Radichel on Amazon
Purchase me a espresso: Teri Radichel
Request companies through LinkedIn: Teri Radichel or via IANS Analysis

About:
Slideshare: Shows by Teri Radichel 
Speakerdeck: Shows by Teri Radichel
Recognition: SANS Distinction Makers Award, AWS Hero, IANS College
Certifications: SANS
Training: BA Enterprise, Grasp of Sofware Engineering, Grasp of Infosec
How I bought into safety: Lady in tech
Firm (Penetration Exams, Assessments, Coaching): 2nd Sight Lab

Cybersecurity for executives within the cloud period at Amazon

Cloud Safety Coaching (digital now obtainable):

2nd Sight Lab Cloud Safety Coaching

Is your cloud safe?

Rent 2nd Sight Lab for a penetration check or safety evaluation.

Do you have got a query about cybersecurity or cloud safety?

Ask Teri Radichel by scheduling a name with IANS Analysis.

Extra from Teri Radichel:

Cybersecurity and cloud safety lessons, articles, white papers, shows, and podcasts