Knowledge Base

Single Sign-On and Federation Security

Review trust, claims, validation, and lifecycle behavior across identity boundaries.

Core concepts

SSO and federation connect an identity provider to a service provider or relying party. SAML assertions, OpenID Connect identity tokens, and OAuth 2.0 authorization flows have related but different purposes. OAuth authorization should not be treated as user authentication by itself.

Trust and validation

Review issuer, audience, redirect URIs, signing, encryption where used, metadata, certificates, clock synchronization, name identifiers, attribute mapping, conditional access, session lifetime, logout behavior, and error handling. A token must be validated in the context expected by the relying service; do not provide replay, forgery, or bypass techniques.

Integration checklist

  1. Identify the identity provider, relying party, owners, protocol, certificate lifecycle, and expected claims.
  2. Define least-privilege mapping and test a normal, denied, expired, and rollover case.
  3. Plan certificate rollover, metadata change, clock monitoring, and rollback.
  4. Review logs for correlation between provider and application events.

Common failures

Wrong audience, stale metadata, missing claims, incorrect name identifiers, clock drift, and certificate rollover can look like generic login failures. Avoid broad claim mapping or disabling validation to restore service.

Fictional example

A new application accepts sign-in but assigns every user an administrator role because a group claim is mapped too broadly. The fix narrows the application mapping and tests a least-privilege account; it does not change the identity provider's global sign-in rule.

Operational decision points

Start by identifying issuer, audience, redirect URI, assertion consumer service, claims, name identifier, metadata, certificate lifecycle, and application-local authorization. Keep those elements separate in the change record: a successful technical step can still leave an inappropriate authorization, unavailable dependency, or incomplete audit trail. Scope decisions to a named owner, system, time window, and evidence source.

Practical workflow

establish trust, map a least-privilege identity, validate a representative sign-in and denial, test expiry and rollover, then monitor provider and relying-party events. At each stage, decide whether the observed result is sufficient to continue, needs an owner question, or requires a bounded rollback or escalation. Avoid turning an unavailable log or delayed response into proof that no activity occurred.

Evidence and review checklist

  • retain issuer, audience, correlation identifier, relying party, mapped claim names, certificate fingerprint or reference, time window, and safe error category.
  • Confirm the accountable owner, expected dependency, approved exception, and next review date.
  • Test an ordinary permitted path and a relevant denial or expiry condition using approved accounts and non-sensitive data.
  • Separate service availability symptoms from identity, policy, session, and logging outcomes.

Fictional operational example

A SAML integration succeeds for sign-in but grants a default operator role because a broad group mapping is accepted. The application mapping is narrowed and tested with an ordinary user and a denied user.

Validation boundaries and failure modes

For SAML, troubleshoot request, identity-provider response, assertion consumer service, issuer, audience, signature, clock, and mapped attributes. For OpenID Connect, verify the approved authorization-code flow, redirect URI, issuer, audience, and application validation. Log safe identifiers and error categories, not raw tokens or assertions.

Before closing a review, confirm the result with the system owner and retain a reference to the relevant configuration, event, approval, or test. Missing evidence should create a follow-up question, not an unsupported conclusion about safety, authorization, or exposure.

Focused review checklist

A rollover plan should name the certificate owner, metadata source, validation window, relying applications, rollback condition, and post-change evidence. Multiple identity providers and large group claims need deliberate application mapping; a federation success can still be followed by an incorrect local role decision.

Related Vuln Signal content

Read AAA, TLS and Certificates, JWT inspection, and Identity Architecture.