Authenticate using standard protocols
Summary
The organization must implement the Single Sign-On (SSO) process using standard, widely reviewed protocols (e.g., SAML) rather than custom authentication schemes.
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
| One-Shot | 🟢 |
References
- CAPEC™-115. Authentication bypass
- PCI DSS-6_5_10. Broken authentication and session management
- SOC2®-CC6_1. Logical and physical access controls
- NY SHIELD Act-5575_B_2. Personal and private information
- PA-DSS-3_1_4. Application employs methods to authenticate all users
- SANS 25-798. Use of hard-coded credentials
- POPIA-3A_23. Access to personal information
- ISO/IEC 27002-8_5. Secure authentication
- ISA/IEC 62443-IAC-1_5. Authenticator management
- WASSEC-2_1. Authentication schemes
- WASC-W_01. Insufficient authentication
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- MVSP-2_1. Application design - Single Sign-On
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- BSAFSS-SI_2-1. Strong identity
- NIST 800-171-1_17. Protect wireless access using authentication and encryption
- OWASP ASVS-14_1_5. Build and deploy
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 015. Insecure authentication method - Basic
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 309. Insecurely generated token - JWT
- 318. Insecurely generated token - Validation
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
- 383. Insecurely generated token - OTP
- 388. Insecure authentication method - NTLM
- 397. Insecure authentication method - LDAP