
SSO Token Security: SAML & OpenID Connect

TL;DR

Single Sign-On (SSO) using SAML and OpenID Connect relies on tokens to prove a user’s identity. This guide explains how to keep those tokens secure, covering best practices for configuration, validation, and monitoring.

1. Understand Your Tokens

Before securing them, know what you’re dealing with:

  • SAML Assertions: XML statements issued by the IdP inside a SAML Response, carrying the authenticated subject, its attributes and validity conditions. They are signed with XML Signature so the Service Provider can check authenticity and integrity.
  • OpenID Connect ID Tokens: JSON Web Tokens (JWTs) containing claims about the authenticated user and the login event. They are signed (JWS) with the provider's key and may additionally be encrypted (JWE). The ID token is consumed by the client application itself.
  • Access Tokens: OAuth 2.0 tokens presented to a resource server (an API) to reach protected resources. OpenID Connect is built on OAuth 2.0, so an OIDC login usually returns one alongside the ID token. Depending on the authorization server they are opaque strings or JWTs, and they are validated by the resource server, not the client; never accept an access token where an ID token is expected, or the reverse.

Each token type has different security considerations.

2. Secure Configuration

  1. Metadata Exchange: Exchange SAML metadata (Identity Provider and Service Provider) over HTTPS, and verify the metadata signature where the IdP provides one. The metadata carries the IdP's signing certificate, so anyone who can tamper with it in transit can substitute their own key and mint assertions your SP will trust.
  2. Entity IDs: Use unique Entity IDs and configure them identically on both sides of the SSO connection. The SP's Entity ID is what the IdP writes into the assertion's AudienceRestriction, so a mismatch either breaks login or, if the SP does not check the audience, lets an assertion issued for another application be replayed against yours.
  3. Binding Methods: Use the HTTP-POST binding for SAML Responses so the assertion travels in the request body. The HTTP-Redirect binding (which encodes the message in a GET query string) is fine for AuthnRequests but should not carry assertions, because query strings end up in server logs, proxies and Referer headers. Run every binding over TLS.
  4. OpenID Connect Discovery: Retrieve the provider's configuration (issuer, JWKS URI, supported algorithms, endpoints) from its discovery document at {issuer}/.well-known/openid-configuration, as defined by the OpenID Connect Discovery specification (https://openid.net/specs/discovery/), instead of transcribing values by hand. Check that the iss value inside the document equals the issuer you fetched it from, and fetch it only over HTTPS.

3. Token Validation

Rigorous validation is crucial. Here’s how:

  1. Digital Signature Verification: Always verify the digital signature of SAML Assertions and OpenID Connect ID Tokens with the IdP's trusted public key (taken from its signed metadata or its JWKS endpoint), and pin the algorithm you expect rather than honouring whatever the token's header names. For SAML, check the signature on the Assertion element itself, not only on the enclosing Response.
  2. Example Python with PyJWT (OpenID Connect). Passing audience and issuer lets PyJWT check aud, iss and exp in the same call; a missing or mismatching claim raises a jwt.PyJWTError subclass, which the caller must treat as a failed login. The issuer URL below is a placeholder.

    import jwt

    public_key = "--Your IdP's RSA public key, PEM-encoded--"  # from the IdP's JWKS
    token = "--Your ID Token--"

    # Pin the algorithm, and let PyJWT check exp, iss and aud in one call.
    decoded_token = jwt.decode(
        token,
        public_key,
        algorithms=["RS256"],
        audience="--Your Client ID--",
        issuer="https://idp.example.com",
        options={"require": ["exp", "iat", "iss", "aud", "sub"]},
    )
    print(decoded_token)

  3. Audience (aud) Claim: Verify that the aud claim of an ID token contains your application's Client ID (aud may be a single string or a list). This ensures the token was issued for you and not for another client of the same IdP.
  4. Issuer (iss) Claim: Check that iss exactly matches the issuer you configured or discovered. Only then do you know which key set the signature should have been verified against.
  5. Expiration Time (exp) Claim: Reject tokens whose exp is missing, unparsable or in the past, allowing at most a small clock skew (tens of seconds). Honour nbf where present.
  6. Subject (sub) Claim: Use the sub claim, scoped to the issuer, as the stable unique identifier for the user within your application. Do not key accounts on email or name claims: they can change and are not guaranteed to be unique.
  7. SAML Conditions: Enforce the assertion's Conditions element: NotBefore and NotOnOrAfter (with a small skew), AudienceRestriction (must contain your SP Entity ID) and OneTimeUse where present. Also compare InResponseTo with the request ID you issued, and reject unsolicited responses unless you deliberately support IdP-initiated SSO.
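As an added example (not code from the original page), the checks above implemented on the Python standard library alone, so it runs offline: an IdP side mints a token and a relying-party side validates it, rejecting alg=none, a wrong key, the wrong audience or issuer, and expiry beyond a small leeway. HS256 with a shared secret stands in for the RS256/ES256 signature a real IdP would use; the issuer, client ID, secret, leeway and the test claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real relying party takes the issuer
# and client ID from configuration and the verification key from the IdP's
# JWKS; HS256 with a shared secret is used here only so the block runs on the
# standard library. The claim checks are identical for RS256/ES256 tokens.
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "my-client-id"
EXPECTED_ALG = "HS256"
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
LEEWAY_SECONDS = 60


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims, alg=EXPECTED_ALG, secret=SHARED_SECRET):
    """IdP side, used here only to build inputs: sign claims as a compact JWT.
    alg="none" produces an unsigned token, the classic attacker input."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, now=None):
    """Relying-party side: return the verified claims or raise ValueError.
    Order matters: pin the algorithm, verify the signature, then check claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Never let the token choose the algorithm: this rejects "none" and any
    # attempt to pass a public key off as an HMAC secret.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(
        SHARED_SECRET, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    for name in ("iss", "sub", "aud", "exp", "iat"):
        if name not in claims:
            raise ValueError("missing required claim " + name)
    if claims["iss"] != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    # aud may be a single string or a list; our client ID must be among them.
    audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("audience mismatch")
    if now >= claims["exp"] + LEEWAY_SECONDS:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - LEEWAY_SECONDS:
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token, now=None):
    """The validation error message, or None if the token is accepted."""
    try:
        validate_id_token(token, now=now)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors too
        return str(exc)
    return None


if __name__ == "__main__":
    now = int(time.time())
    good = {"iss": EXPECTED_ISSUER, "sub": "user-1", "aud": EXPECTED_AUDIENCE,
            "iat": now, "exp": now + 300}
    print("valid token   :", rejection_reason(mint_token(good)))
    print("alg=none      :", rejection_reason(mint_token(good, alg="none")))
    print("wrong audience:", rejection_reason(mint_token({**good, "aud": "other-client"})))
    print("expired       :", rejection_reason(mint_token({**good, "exp": now - 600})))
```

The signature is checked before any claim is read, because every claim in an unverified token is attacker-controlled; the `now` parameter exists so the checks can be exercised deterministically.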

4. Token Handling Best Practices

  • Short Token Lifetimes: Use the shortest token lifetimes that are practical for your users. An ID token is consumed once at login and needs only a few minutes; access tokens of five to fifteen minutes are common. A stolen token is then useful for minutes rather than days.
  • Refresh Tokens (OAuth 2.0 / OpenID Connect): Use refresh tokens to obtain new access tokens without forcing the user to re-authenticate. Treat them as long-lived credentials: keep only a hash server-side, rotate on every use, and if an already-rotated token is presented again revoke the whole token family, since a copy is circulating.
  • Secure Storage: In browsers keep tokens out of localStorage and sessionStorage, which any script running in the page can read; prefer HttpOnly, Secure, SameSite cookies or a backend-for-frontend that holds the tokens. Server-side, encrypt token stores at rest and never write token values to logs.
  • Transport Security (HTTPS): Always use HTTPS for every exchange involving SSO tokens, including redirects, and enable HSTS so a downgraded first request cannot leak a token.
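An added example (not code from the original page) of the refresh-token handling described above: a server-side store that keeps only SHA-256 fingerprints of tokens, rotates the token on every use, and revokes the whole family when a rotated token is replayed. The lifetime, the family identifier scheme and the in-memory dictionary are assumptions for the example; a deployment would back this with a database.

```python
import hashlib
import secrets
import time

# Assumed lifetime for this example; tune it to your risk appetite.
REFRESH_TOKEN_TTL = 7 * 24 * 3600  # long-lived, but each token is used once


class RefreshTokenStore:
    """Server-side refresh-token store with rotation and reuse detection.

    Only SHA-256 fingerprints of tokens are kept, so a leaked table yields no
    usable credentials. Every token belongs to a family started at SSO login.
    Rotation marks the presented token used and issues a successor; presenting
    a used token again means a copy exists where it should not, so the whole
    family is revoked and the user must log in through the IdP again.
    """

    def __init__(self):
        self._records = {}  # fingerprint -> {"sub", "family", "expires", "used", "revoked"}

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _issue(self, subject, family, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._fingerprint(token)] = {
            "sub": subject, "family": family, "expires": now + REFRESH_TOKEN_TTL,
            "used": False, "revoked": False,
        }
        return token

    def _revoke_family(self, family):
        for record in self._records.values():
            if record["family"] == family:
                record["revoked"] = True

    def start_session(self, subject, now=None):
        """After a successful SSO login: open a new family, return its first token."""
        now = time.time() if now is None else now
        return self._issue(subject, secrets.token_hex(8), now)

    def rotate(self, presented, now=None):
        """Exchange a refresh token for its successor.
        Returns (subject, new_refresh_token); raises PermissionError otherwise."""
        now = time.time() if now is None else now
        record = self._records.get(self._fingerprint(presented))
        if record is None:
            raise PermissionError("unknown refresh token")
        if record["revoked"]:
            raise PermissionError("refresh token family revoked")
        if record["used"]:
            # Replay of an already-rotated token: attacker or legitimate client,
            # we cannot tell which, so neither keeps access.
            self._revoke_family(record["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        if now >= record["expires"]:
            raise PermissionError("refresh token expired")
        record["used"] = True
        return record["sub"], self._issue(record["sub"], record["family"], now)

    def try_rotate(self, presented, now=None):
        """rotate() without exceptions: (result, None) or (None, reason)."""
        try:
            return self.rotate(presented, now=now), None
        except PermissionError as exc:
            return None, str(exc)


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.start_session("alice")
    _, second = store.rotate(first)
    print("replay of rotated token:", store.try_rotate(first)[1])
    print("legitimate successor   :", store.try_rotate(second)[1])
```

Revoking the family on reuse is deliberately unforgiving: the legitimate client loses its session too, but that costs one extra login, whereas letting either party continue would leave the attacker with a working credential.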

5. Monitoring and Logging

  1. Log Token Validation Failures: Log every instance where token validation fails, with the reason (signature invalid, algorithm not allowed, audience or issuer mismatch, expired), the presenting client and source address, but never the token value itself. Signature and algorithm failures point at forged or tampered tokens or a broken key rotation; audience mismatches point at a misconfigured client or a token stolen from one; expiries alone are usually noise.
  2. Monitor Authentication Events: Track successful and failed authentication attempts to detect suspicious activity.
  3. Regular Security Audits: Conduct regular security audits of your SSO implementation to identify vulnerabilities and ensure best practices are being followed.
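An added example (not code from the original page) of the monitoring this section describes, run over constructed log lines: one JSON record per validation failure in the shape recommended above. It separates routine expiries from the two patterns worth alerting on: a burst of signature or algorithm failures from one source address, and any audience mismatch. The field names, thresholds and window are assumptions for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed log lines for this example: one JSON object per event, carrying
# the failure reason, the presenting client and source IP, never the token.
SAMPLE_LOG = """\
{"ts": 1700000000, "event": "token_validation_failed", "reason": "expired", "client_id": "web", "ip": "203.0.113.10", "sub": "alice"}
{"ts": 1700000005, "event": "token_validation_failed", "reason": "signature_invalid", "client_id": "web", "ip": "198.51.100.7", "sub": null}
{"ts": 1700000006, "event": "token_validation_failed", "reason": "signature_invalid", "client_id": "web", "ip": "198.51.100.7", "sub": null}
{"ts": 1700000009, "event": "token_validation_failed", "reason": "alg_not_allowed", "client_id": "web", "ip": "198.51.100.7", "sub": null}
{"ts": 1700000030, "event": "token_validation_failed", "reason": "signature_invalid", "client_id": "web", "ip": "198.51.100.7", "sub": null}
{"ts": 1700000040, "event": "token_validation_failed", "reason": "signature_invalid", "client_id": "api", "ip": "192.0.2.5", "sub": null}
{"ts": 1700000050, "event": "token_validation_failed", "reason": "audience_mismatch", "client_id": "web", "ip": "203.0.113.44", "sub": "bob", "aud": "other-client"}
{"ts": 1700000060, "event": "login_success", "client_id": "web", "ip": "203.0.113.10", "sub": "alice"}
{"ts": 1700000065, "event": "token_validation_failed", "reason": "expired", "client_id": "web", "ip": "203.0.113.10", "sub": "alice"}
"""

FORGERY_REASONS = {"signature_invalid", "alg_not_allowed"}
FORGERY_THRESHOLD = 3  # this many forgery-type failures from one IP ...
WINDOW_SECONDS = 300   # ... inside this window raises an alert


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failure_summary(events):
    """Counts per reason: expiries are routine, the other reasons are not."""
    return Counter(e["reason"] for e in events if e["event"] == "token_validation_failed")


def find_alerts(events, threshold=FORGERY_THRESHOLD, window=WINDOW_SECONDS):
    """Two rules over validation failures, in timestamp order:
    1. forged_token_burst: signature/algorithm failures from one IP reach the
       threshold inside the window (tokens are being minted or tampered with,
       or a key rotation at the IdP has gone wrong). Fires once per IP.
    2. audience_mismatch: a token issued for another client was presented here,
       which is a misconfigured client or a token stolen from one. Always fires.
    """
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of forgery-type failures in window
    alerted_ips = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "token_validation_failed":
            continue
        if e["reason"] in FORGERY_REASONS:
            stamps = recent[e["ip"]]
            stamps.append(e["ts"])
            while stamps and stamps[0] < e["ts"] - window:
                stamps.pop(0)
            if len(stamps) >= threshold and e["ip"] not in alerted_ips:
                alerted_ips.add(e["ip"])
                alerts.append({"rule": "forged_token_burst", "ip": e["ip"],
                               "client_id": e["client_id"], "first_ts": stamps[0],
                               "ts": e["ts"], "count": len(stamps)})
        elif e["reason"] == "audience_mismatch":
            alerts.append({"rule": "audience_mismatch", "ip": e["ip"],
                           "client_id": e["client_id"], "aud": e.get("aud"),
                           "sub": e.get("sub"), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(dict(failure_summary(events)))
    for alert in find_alerts(events):
        print(alert)
```

On the sample input the summary shows two expiries, five forgery-type failures and one audience mismatch, and the rules produce two alerts: the burst from 198.51.100.7 and the foreign-audience token presented from 203.0.113.44.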

6. Web Application Security Considerations

  • Cross-Site Scripting (XSS): A script injected into your page can read any token kept in JavaScript-accessible storage and send it elsewhere. Keep tokens in HttpOnly cookies or on the server, deploy a Content Security Policy, and encode output everywhere user-controlled data is rendered.
  • Cross-Site Request Forgery (CSRF): In OpenID Connect, bind each authorization request to the browser session with the state parameter and bind the returned ID token to that request with the nonce claim, and check both when the user comes back; otherwise an attacker can log a victim into the attacker's account or splice in a token from another flow. For SAML, compare InResponseTo with the request you issued.
  • Injection Attacks: Treat tokens and assertions as untrusted input until they are validated. Parse SAML XML with DTDs and external entities disabled (XXE), verify the signature before reading any attribute, and make sure the element you read attributes from is the element the signature covers, so that XML signature wrapping cannot substitute an unsigned assertion for the signed one. Validate and encode any claim value before it reaches a database query or a page.