
SSO & Identity Management

Okta • Azure AD • Auth0 • Identity Security

Blue Team • Identity Security • High Risk • Interactive

Oracle Cloud SSO Breach (March 2025)

6 million SSO and LDAP records exfiltrated, affecting over 140,000 tenants.

  • Attack Vector: Critical CVE in Oracle Cloud SSO framework exploited
  • Impact: Usernames, email addresses, hashed passwords, LDAP credentials compromised
  • Lesson: SSO is a single point of failure - compromise it, compromise everything

What is Single Sign-On (SSO)?

SSO allows users to authenticate once and gain access to multiple applications without re-entering credentials. Instead of managing 50 different passwords, users log in to one identity provider (IdP) that vouches for them across all connected services.

Common SSO Providers:

  • Okta: Enterprise SSO, MFA, lifecycle management
  • Azure AD (Entra ID): Microsoft's cloud identity platform
  • Auth0: Developer-friendly SSO with APIs
  • Google Workspace: SSO for Google services + SAML apps

How SSO Works (SAML Flow)

1. User Requests Access: User tries to access a corporate app (e.g., Salesforce)
2. App Redirects to IdP: App sends a SAML request to Okta/Azure AD
3. User Authenticates: User logs in to the IdP (with MFA if enabled)
4. IdP Issues SAML Assertion: Signed XML token with user identity and attributes
5. App Validates & Grants Access: App verifies the signature, creates a session, user is logged in

SSO Attack Vectors

1. SAML Token Forgery

Attacker crafts fake SAML assertion to impersonate legitimate user. Works if IdP's signing key is compromised or signature validation is weak.

<SAMLResponse><NameID>admin@company.com</NameID>...</SAMLResponse>

2. Session Hijacking

Steal SSO session cookie (via XSS, network sniffing) to impersonate authenticated user across all connected apps.

3. IdP Compromise

If attacker gains admin access to IdP (Okta, Azure AD), they control ALL user accounts and can access ALL connected applications.

4. Replay Attacks

Capture valid SAML assertion and replay it later. Mitigated by short-lived tokens and NotBefore/NotOnOrAfter timestamps.

5. Man-in-the-Middle

Intercept SAML response during redirect, modify user attributes (e.g., change role to admin), forward to application.

Detection & Monitoring

Behavioral Anomalies:

  • Unusual Geographic Login: User logs in from US, then China 5 minutes later
  • Impossible Travel: Physical distance cannot be covered in time between logins
  • MFA Failures: Repeated MFA push rejections followed by approval (fatigue attack)
  • Unusual Access Patterns: User accesses apps they've never used before

Technical Indicators:

  • SAML Validation Errors: Invalid signatures, expired tokens
  • Session Anomalies: Multiple concurrent sessions from different IPs
  • API Abuse: Excessive API calls to IdP (credential stuffing attempt)

Log Sources to Monitor:

  • Okta System Log: user.session.start, user.authentication.auth_via_mfa
  • Azure AD Sign-in Logs: SignInActivity, RiskyUsers, UserRiskEvents
  • Application Logs: SAML assertion received, signature validation
  • Network Logs: IdP redirects, suspicious user-agents
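The impossible-travel and MFA-fatigue patterns from the behavioral anomalies list, implemented as an added example (not code from the original page) over constructed Okta-style events that use the user.session.start and user.authentication.auth_via_mfa event names listed above. The 900 km/h speed threshold, the three-denials-in-ten-minutes window, the SUCCESS/FAILURE outcome values and the pre-resolved client geolocation are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
# event_type/outcome mirror Okta System Log fields (eventType, outcome.result);
# lat/lon is the client geolocation, assumed to be resolved from the IP upstream.
Event = namedtuple("Event", "user event_type time outcome lat lon", defaults=(0.0, 0.0))

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag same-user successful session starts whose implied travel speed
    exceeds max_kmh (900 km/h, roughly airliner speed, is an assumed threshold)."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e.time):
        if e.event_type != "user.session.start" or e.outcome != "SUCCESS":
            continue
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.time - prev.time).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((e.user, prev.time, e.time))
        last[e.user] = e
    return alerts

def mfa_fatigue(events, min_denies=3, window=timedelta(minutes=10)):
    """Flag an MFA approval preceded by >= min_denies rejections within window."""
    alerts, denies = [], {}
    for e in sorted(events, key=lambda e: e.time):
        if e.event_type != "user.authentication.auth_via_mfa":
            continue
        recent = [t for t in denies.get(e.user, []) if e.time - t <= window]
        if e.outcome == "FAILURE":
            recent.append(e.time)
        elif len(recent) >= min_denies:  # SUCCESS right after a burst of denials
            alerts.append((e.user, len(recent), e.time))
            recent = []  # reset so one burst raises one alert
        denies[e.user] = recent
    return alerts

T0 = datetime(2025, 3, 1, 10, 0)  # base timestamp for the constructed sample below
SAMPLE_EVENTS = [Event(*r) for r in [  # constructed, not real log data; coordinates approximate
    ("john.doe@company.com", "user.session.start", T0, "SUCCESS", 40.71, -74.01),
    ("john.doe@company.com", "user.session.start", T0 + timedelta(minutes=5), "SUCCESS", 39.91, 116.40),
    *[("jane.smith@company.com", "user.authentication.auth_via_mfa", T0 + timedelta(minutes=m), "FAILURE") for m in (1, 2, 3)],
    ("jane.smith@company.com", "user.authentication.auth_via_mfa", T0 + timedelta(minutes=4), "SUCCESS"),
]]
```

Run over real exports, the two functions expect one Event per log record; the sample flags john.doe (New York, then Beijing five minutes later) and jane.smith (three push denials followed by an approval).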

Security Best Practices

Technical Controls:

  • Enforce MFA for all SSO logins
  • Short session timeouts (4-8 hours)
  • Conditional Access policies (IP allowlists, device compliance)
  • Certificate pinning for SAML signatures
  • Monitor privileged accounts (admins, service accounts)

Operational Controls:

  • Regular access reviews (quarterly)
  • Just-in-Time (JIT) admin access
  • Incident response plan for IdP compromise
  • Backup authentication methods
  • Vendor security audits (SOC 2, ISO 27001)

SSO Login Dashboard

Detection:

User                    Location       IP Address     Time      Status
john.doe@company.com    New York, US   192.168.1.100  10:00 AM  Normal
jane.smith@company.com  London, UK     10.0.0.50      10:05 AM  Normal

Totals: 2 logins, 2 legitimate, 0 suspicious, 0 MFA bypassed.
Copyright © 2025 JMFG. All rights reserved.