Okta for Directory, IdP, and SSO. ACM.149 Exploring Okta features that… | by Teri Radichel | Cloud Security | Feb, 2023
ACM.149 Exploring Okta features that might allow it to be used as an IdP for user authentication
Part of my series on Automating Cybersecurity Metrics. The Code.
In my last post I explained what an Identity Provider (IdP) is and differentiated it from Single Sign-On (SSO) to explain what I am trying to achieve in my next posts.
There are many variations on how and where user credentials can be stored and how users can be authenticated. An IdP typically stores user credentials and handles user authentication. The term for handing authentication off to another system or service is federation. That means the application itself does not validate the credentials, but passes that task to another system. As we have seen, there are still many variations on how credential management can occur, even in that scenario.
As I explained, if the system simply stores the credentials and passes them to some other third-party system to perform authentication, then that is not really an IdP. It is merely a mechanism to facilitate user login (SSO). That does not really achieve the architecture change I am trying to make by using a third-party authentication service.
As a reminder, I want to split up user creation and granting access for those users so that they occur with different credentials and sessions on different systems, in hopes of thwarting this attack:
I have been toying with the idea of using Okta as the home directory for multiple cloud environments for a while now, but have not gotten around to trying it out. In this post, I will discuss some of Okta's features, capabilities, and possible security gaps that I will explore in more detail in future posts. Some of the Okta documentation is scattered, so I may have missed something below in the authentication options. I will update this post if I find more while testing the system.
Classic Engine vs. Identity Engine
Okta supports what it calls the Classic Engine and the newer Identity Engine. When reviewing the documentation, you can see which version you are on at the top right of the documentation:
Since Identity Engine is the new and improved version, we will focus on that.
Okta as primary user directory
As mentioned in the last post, an IdP typically maintains the directory of users and their passwords that are used to authenticate login requests. Okta offers something they call "Universal Directory" which acts as a repository for all your users, groups and devices.
Many organizations today use Azure Active Directory or Active Directory as the source of truth for all users in an organization. Okta (and many other companies) have tried to become a replacement for that option.
But can Okta's Universal Directory really replace Active Directory or Azure Active Directory? Not if Microsoft can help it. Last time I tried, I could not completely federate sign-in to Azure from Okta. We'll take a closer look at Universal Directory in future posts. Maybe things have changed since I last checked.
By the way, other companies want to do the same with services like Google Cloud Identity and JumpCloud. Other identity companies have tried and failed in the past with unreliable and not-so-secure services, though Microsoft Active Directory has had its own security challenges.
Can a company that focuses solely on authorization and identity management do any better? Possibly. Although a company that focused solely on password management has just been breached (LastPass), so a singular focus is no guarantee of success.
Directory Integrations
If you want to use an alternate directory, Okta supports the following directory integrations. As I already explained, I am trying to test Okta as my source directory for real, so I will not be using the following. In that case, we would potentially be copying and syncing things, which I really do not want to do.
Active Directory
LDAP
CSV
Okta Dashboard for SSO
Okta really started as a single sign-on (SSO) solution. The goal was to make life easier for administrators and users who had to log into many different systems. I explained the difference between an IdP and SSO in my last post.
When you log into Okta, you get a dashboard with a series of icons that you can click to log in to various systems.
As I covered in my last post, what happens when you click one of those buttons can vary depending on the implementation behind the scenes. The type of authentication process that Okta can offer will depend on two things:
- The mechanisms that Okta supports.
- The mechanisms that are supported by the provider you are logging into when you click the button.
What authentication options does Okta support for an external IdP?
You can allow users to authenticate with the following external IdPs when using Okta. That means Okta federates authentication to the third-party IdP that stores the user's credentials, instead of storing and authenticating the user itself.
OIDC (OpenID Connect)
OpenID Connect is a newer standard than SAML. It uses JSON Web Tokens instead of XML.
Generic OpenID Connect (OIDC) allows users to sign in to an Okta org using their existing account credentials at an OIDC Identity Provider (IdP).
SAML (Security Assertion Markup Language)
SAML was one of the main protocols and standards used to federate the authentication process to an IdP for years. It is based on XML, and some people find OIDC simpler. That being said, some older systems only support SAML.
Social IdP
Okta can work with external services like Facebook, Google and Microsoft.
Smart card IdP
Okta works with smart cards that contain an X.509-compliant digital certificate.
From the documentation:
A Personal Identity Verification (PIV) card is a United States federal smart card that contains data necessary for the cardholder to access federal information systems and facilities and to ensure appropriate levels of security for all applicable federal applications. PIV cards are very strong authenticators (up to IAL3/AAL3, per NIST guidance), which can replace username and password as the authentication method where supported.
What types of protocols does Okta support for SSO?
RADIUS
Some firewalls and other systems require the use of the RADIUS protocol, which is also supported by Okta.
Active Directory Single Sign-On
Use Active Directory credentials to sign in to applications.
OIDC Integrations
OIDC tokens issued by Okta:
OIDC tokens issued by a third-party application:
SAML
Similar to the images above, the SAML assertion can be issued by Okta or by the third party.
WS-Fed
Some legacy Microsoft applications use WS-Fed.
SWA (Secure Web Authentication)
Okta SSO uses this method for applications that do not support federating the authentication process with Okta. This aligns with the scenario I wrote about yesterday, where Okta acts as a "password manager in the sky."
How Okta describes it:
Administrators can set the credentials for the application, or the end user can enter a specific username and password. Okta keeps that app's credentials inside a secure store, encrypted with strong AES-256 encryption. After configuring the credentials, end users only need to authenticate with Okta and can then SSO directly into the app.
This might be a good solution if you do not want the user to have the credentials for an app, but does the administrator see and hold the credentials? That sets us up for the potential credential abuse by insiders I wrote about in earlier posts.
SCIM (System for Cross-domain Identity Management)
SCIM is a method for automating identity management across platforms. We'll take a look at SCIM in more detail in later posts.
CASB
Okta also offers documentation for CASB integrations. We won't use a CASB for this particular product evaluation.
What options does Okta support for custom apps using the Okta API?
Okta describes two different authentication mechanisms in its developer documentation: redirect authentication and embedded authentication. This documentation does not specify which engine it applies to.
Redirect authentication
The user logs into Okta and is then redirected to another app. In this case, the credentials are entered into a web page hosted by Okta, and Okta considers this method more secure.
Okta says:
A user sign-in flow that grants authentication control to Okta by redirecting to an Okta-hosted sign-in page using open protocols such as OAuth 2.0 and SAML.
Redirect authentication via the Okta-hosted sign-in widget is considered the easiest and most secure method of integration. This is because Okta hosts the sign-in widget itself, it is maintained by Okta, and it is kept secure by Okta. The Okta-hosted sign-in widget is recommended for most integrations.
Embedded authentication
With the embedded option, your cloud service hosts a web page that accepts the credentials, which are then used to authenticate to Okta. In this case, the credentials are exposed to the application that hosts the login page. This option is available in case the app that uses Okta to log in requires more customization than is possible with the Okta sign-in widget.
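To make the redirect flow and the OIDC token format discussed above concrete, here is an added example written for this post (it is not Okta's code or the author's) showing the relying party's side of redirect authentication: the app sends the browser to the IdP with a fresh state and nonce, checks the state on the callback, and then validates the returned ID token (a JWT) before trusting any claim in it. The issuer URL, client ID, redirect URI and client secret are constructed placeholders, and HS256 with a shared client secret stands in for the RS256 signatures Okta issues in practice, which a real relying party verifies against the keys published at the issuer's JWKS endpoint. The point it adds to the prose is the check list a defender cares about even when Okta hosts the login page: pinned algorithm, signature, issuer, audience, expiry and nonce, each of which rejects the token when it fails.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (assumptions for this example, not a real Okta org).
ISSUER = "https://example-org.okta.example/oauth2/default"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/callback"
# Assumption: an HS256 shared client secret stands in for Okta's RS256 keys, which a
# real relying party fetches from the issuer's JWKS endpoint.
CLIENT_SECRET = b"constructed-client-secret-for-demo-only"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request():
    """Step 1 of redirect authentication: the app never handles a password. It sends the
    browser to the IdP with a fresh state (binds the callback to this session) and a
    nonce (binds the ID token to this request) and remembers both."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}", state, nonce


def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: the IdP redirects back with code and state. A state that does not match
    the one we issued was not produced by this session's request, so reject it."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("missing authorization code")
    return query["code"][0]


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Step 3: after exchanging the code for tokens, validate the ID token before using
    any claim: pinned alg, signature, issuer, audience, expiry, nonce (OIDC Core 3.1.3.7)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect; never let the token choose (rejects alg "none").
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(CLIENT_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def mint_id_token(claims: dict) -> str:
    """Constructed stand-in for the IdP's token issuance so the example runs offline."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    code = extract_code(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                           "iat": 1_700_000_000, "exp": 1_700_003_600, "nonce": nonce})
    print("authenticated subject:", verify_id_token(token, nonce, now=1_700_000_100)["sub"])
```

The embedded option described above changes only step 1: the credentials pass through the app's own page on their way to Okta, so the app's page is now part of the credential attack surface, while steps 2 and 3 stay exactly the same.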
Multi-factor authentication
Okta also offers MFA now. Since credentials float between systems in that case, implementing MFA can help limit certain types of attacks. Of course, we will want to see the MFA implementation and test it.
What happens when MFA is required on Okta and you also want to enforce MFA on AWS via a condition in an AWS IAM policy? Fortunately, Okta has a solution for that, but we want to try it out.
Considering our options
We are certainly not done at this point, but we can look at the different options that Okta supports for the authentication part of the solution. The question is, what support do the platforms we want to log into have? Where will our passwords end up? What kind of security is in place to protect the integration between the two systems? What kinds of attacks might be possible against the solution we are trying to set up? And is true federation possible? Can we delegate user creation to one platform and access controls to the other?
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
If you liked this story ~ use the links below to show your support. Thanks!
Support:
Clap for this story or refer others to follow me.
Follow on Medium: Teri Radichel
Sign up for Email List: Teri Radichel
Follow on Twitter: @teriradichel
Follow on Mastodon: @[email protected]
Follow on Post: @teriradichel
Like on Facebook: 2nd Sight Lab
Buy a Book: Teri Radichel on Amazon
Buy me a coffee: Teri Radichel
Request services via LinkedIn: Teri Radichel or through IANS Research
About:
Slideshare: Presentations by Teri Radichel
Speakerdeck: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
How I got into security: Woman in tech
Company (Penetration Tests, Assessments, Training): 2nd Sight Lab
Cybersecurity for executives in the cloud era at Amazon
Cloud Security Training (virtual now available):
2nd Sight Lab Cloud Security Training
Is your cloud secure?
Hire 2nd Sight Lab for a penetration test or security assessment.
Do you have a question about cybersecurity or cloud security?
Ask Teri Radichel by scheduling a call with IANS Research.
More from Teri Radichel:
Cybersecurity and cloud security classes, articles, white papers, presentations, and podcasts