Does your organization implement controls to protect identity assertions used in single sign-on (SSO) systems?
Explanation
Identity assertions contain authentication data and user attributes that are passed between systems during SSO processes. If these assertions are not properly protected, attackers could intercept, modify, or forge them to gain unauthorized access to multiple systems with a single compromise.
Protection measures typically include encryption of assertions, digital signatures, proper token validation, secure transmission channels, and short token lifetimes.
Evidence could include documentation of SSO implementation with security controls, configuration screenshots showing encryption and signature settings for SAML/OAuth/OIDC tokens, network diagrams showing secure transmission paths for identity assertions, or audit logs demonstrating validation of identity assertions.
Implementation Example
Protect identity assertions that are used to convey authentication and user information through single sign-on systems
ID: PR.AA-04.204
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Identity assertions are protected, conveyed, and verified
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

