PR.AA-04.204

Does your organization implement controls to protect identity assertions used in single sign-on (SSO) systems?

Explanation

Identity assertions (for example SAML assertions and OIDC ID tokens) carry the result of an authentication and the user's attributes from the identity provider to the service providers that trust it. If an assertion is not protected end to end, an attacker who can intercept, modify, replay, or forge one can reach every system that relies on the identity provider from a single compromise. Protection measures typically include signing assertions and validating the signature against the identity provider's published keys, encrypting assertions that carry sensitive attributes, validating the issuer, audience, and validity window of every assertion before acting on it, transmitting assertions only over TLS, and keeping assertion lifetimes short. Evidence could include documentation of the SSO implementation and its security controls, configuration screenshots showing the signature and encryption settings for SAML, OAuth, or OIDC tokens, network diagrams showing the transmission paths for identity assertions, or audit logs demonstrating that assertions are validated and that invalid ones are rejected.
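The validation steps above, as an added Python example (not code from the original page or from ResponseHub): a relying party verifies an OIDC-style ID token by pinning the signature algorithm, checking the signature, and checking issuer, audience, validity window, and total lifetime. The issuer URL, audience, and key are constructed for the example, and an HMAC key stands in for the identity provider's signing key; production OIDC and SAML deployments use asymmetric keys published by the issuer (JWKS or IdP metadata), but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed material for the example. A shared HMAC key stands in for the
# IdP's signing key; real deployments fetch asymmetric keys from the issuer.
IDP_KEY = b"constructed-demo-key-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.test"   # assumed IdP issuer identifier
EXPECTED_AUDIENCE = "sp-app-123"               # assumed client / SP identifier
ALLOWED_ALGS = {"HS256"}                       # pinned; the token header must not choose
MAX_LIFETIME = 300                             # seconds; enforce short-lived assertions
CLOCK_SKEW = 30                                # seconds of tolerated clock drift


class InvalidAssertion(Exception):
    """Raised when an identity assertion fails any protection check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = IDP_KEY, alg: str = "HS256") -> str:
    """Issue a compact JWS as the IdP would (also used here to build attack cases)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":                      # unsigned token; the verifier must reject it
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes = IDP_KEY, now: float = None) -> dict:
    """Validate an SSO identity assertion; return its claims or raise InvalidAssertion."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):        # wrong segment count, bad base64, bad JSON
        raise InvalidAssertion("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidAssertion("malformed token")

    # 1. Pin the algorithm. Trusting the header enables alg=none and key-confusion attacks.
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidAssertion("algorithm not allowed")

    # 2. Verify the signature over the exact bytes received, with a constant-time compare.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidAssertion("bad signature")

    # 3. Issuer and audience: it must come from our IdP and be intended for this service,
    #    otherwise a token issued for another application could be replayed here.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise InvalidAssertion("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidAssertion("wrong audience")

    # 4. Validity window: require iat/exp, honour nbf, and cap the total lifetime so an
    #    IdP misconfiguration cannot hand out day-long assertions.
    if not all(isinstance(claims.get(c), (int, float)) for c in ("iat", "exp")):
        raise InvalidAssertion("missing iat/exp")
    if now > claims["exp"] + CLOCK_SKEW:
        raise InvalidAssertion("expired")
    if now < claims.get("nbf", claims["iat"]) - CLOCK_SKEW:
        raise InvalidAssertion("not yet valid")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise InvalidAssertion("lifetime too long")
    return claims


def rejection_reason(token: str, now: float) -> str:
    """Return why a token is rejected, or "" if it is accepted (useful for audit logs)."""
    try:
        verify_token(token, now=now)
    except InvalidAssertion as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "sub": "alice", "iat": t0, "exp": t0 + 300})
    print("accepted subject:", verify_token(good, now=t0 + 10)["sub"])
    # An attacker edits the payload but cannot re-sign it with the IdP's key.
    head, _, sig = good.split(".")
    forged = head + "." + b64url_encode(b'{"sub":"admin"}') + "." + sig
    print("forged token:", rejection_reason(forged, t0 + 10))
```

The order of the checks matters: the signature is verified before any claim is read, so an attacker cannot steer the verifier with unsigned content, and the algorithm comes from the verifier's allow list rather than from the token. Logging the string returned by `rejection_reason` alongside the token's `jti` or SAML assertion ID is the kind of audit evidence the question asks for.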

Implementation Example

Protect identity assertions that are used to convey authentication and user information through single sign-on systems

ID: PR.AA-04.204

Context

Function
PR: PROTECT
Category
PR.AA: Identity Management, Authentication, and Access Control
Sub-Category
Identity assertions are protected, conveyed, and verified

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub