Authenticate using standard protocols
Summary
The organization must implement the Single Sign-On (SSO) process using standard protocols (e.g., SAML).
Description
When SSO is enabled, user authentication and authorization can be controlled centrally. The Identity Provider becomes the central authority for validating user identities, enforcing access policies, and managing user sessions.
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CWE™-287. Improper authentication
- CWE™-1390. Weak Authentication
- CAPEC™-115. Authentication bypass
- SOC2®-CC6_1. Logical and physical access controls
- NY SHIELD Act-5575_B_2. Personal and private information
- PA-DSS-3_1_4. Application employs methods to authenticate all users
- SANS 25-22. Improper Privilege Management
- SANS 25-24. Incorrect Authorization
- POPIA-3A_23. Access to personal information
- ISO/IEC 27002-8_5. Secure authentication
- ISA/IEC 62443-IAC-1_5. Authenticator management
- WASSEC-2_1. Authentication schemes
- WASC-W_01. Insufficient authentication
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- MVSP-2_1. Application design controls - Single Sign-On
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- BSAFSS-SI_2-1. Strong identity
- NIST 800-171-1_17. Protect wireless access using authentication and encryption
- OWASP ASVS-14_1_5. Build and deploy
- OWASP ASVS-1_2_2. Authentication architecture
- OWASP ASVS-13_3_2. SOAP web service
- OWASP API Security Top 10-API2. Broken Authentication
- ISO/IEC 27001-8_5. Secure authentication
- CASA-1_2_2. Authentication Architecture
- CASA-1_4_4. Access Control Architecture
- CASA-2_10_1. Service Authentication
- CASA-14_1_5. Build and Deploy
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- OWASP MASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- CWE TOP 25-269. Improper Privilege Management
- CWE TOP 25-863. Incorrect Authorization
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 015. Insecure authentication method - Basic
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 309. Insecurely generated token - JWT
- 318. Insecurely generated token - Validation
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
- 383. Insecurely generated token - OTP
- 388. Insecure authentication method - NTLM
- 397. Insecure authentication method - LDAP