Page 142 - Cyber Defense eMagazine June 2024
Untold Challenges Faced in Practice
Inconsistent Terminology & Incompatible Signatures
Various SSO vendors offer solutions, with some firms opting to develop their own. This diversity results
in inconsistent terminology across vendors. For instance, the URL receiving the SAMLResponse token
(step 2 in Figure 1) goes by various names like Assertions Consumer URL, SAML Post URL, and
SAMLResponse URL. Moreover, different vendors employ different methods for signing the
SAMLResponse token. While some sign only the payload (user identifier, timestamps), others sign the
entire token. If the signature expectations of the Service Provider (SP) and Identity Provider (IDP) don't
align, SSO transactions can fail.
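A concrete way to surface the signature-placement mismatch described above, before it turns into a generic "invalid signature" failure, is an SP-side pre-flight check that inspects where the ds:Signature elements sit in the incoming SAMLResponse and compares that with what the SP has been configured to expect. The following Python is an added illustration, not code from the article or from any vendor: it classifies coverage only and does not verify the XML signature itself, and the entity IDs, NameID and signature values in the constructed sample are placeholders.

```python
"""Classify which element(s) of a SAMLResponse carry an XML signature.

Added example (not from the article). The SP uses this to report
"IDP signed only the assertion but we expect the whole response"
instead of a bare signature failure. It does not cryptographically
verify anything; that step happens afterwards in the real SAML library.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample; issuer, subject and signature values are placeholders.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  %(response_sig)s
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    %(assertion_sig)s
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
       '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def sample_response(sign_response, sign_assertion):
    """Build a constructed SAMLResponse with the chosen signature placement."""
    return TEMPLATE % {
        "response_sig": SIG % "_resp1" if sign_response else "",
        "assertion_sig": SIG % "_a1" if sign_assertion else "",
    }


def signature_coverage(saml_response_xml):
    """Return the set of signed elements, a subset of {"response", "assertion"}."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not a samlp:Response")
    covered = set()
    # A ds:Signature directly under samlp:Response covers the entire token.
    if root.find("ds:Signature", NS) is not None:
        covered.add("response")
    # A ds:Signature under saml:Assertion covers only that payload
    # (user identifier, timestamps, attributes).
    for assertion in root.findall("saml:Assertion", NS):
        if assertion.find("ds:Signature", NS) is not None:
            covered.add("assertion")
    return covered


def check_signature_expectation(saml_response_xml, expected):
    """expected is what the SP config demands: "response", "assertion" or "both".

    Returns (ok, message) so the onboarding tooling can show a precise reason.
    """
    covered = signature_coverage(saml_response_xml)
    needed = {"response", "assertion"} if expected == "both" else {expected}
    missing = needed - covered
    if missing:
        return False, "IDP signed %s; SP expects %s" % (
            sorted(covered) or "nothing", sorted(needed))
    return True, "signature placement matches SP expectation"


def coverage_from_post_param(saml_response_b64):
    """The token arrives base64-encoded in the SAMLResponse form field."""
    return signature_coverage(base64.b64decode(saml_response_b64).decode())


if __name__ == "__main__":
    token = sample_response(sign_response=False, sign_assertion=True)
    print(check_signature_expectation(token, "response"))
```

Run as a script it reports that the assertion-only token does not satisfy an SP configured to require a whole-response signature. The same check, run during partner onboarding against a test login, turns a days-long "SSO fails intermittently" ticket into a single configuration change on one side.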
Corporate Firewall Misconfiguration
Corporate networks restrict traffic to known IP ranges, causing SSO failures if an IDP or SP's IP falls
outside the allowed list. Additionally, proxies in corporate networks sanitize web traffic, sometimes
resulting in incomplete or missing request payloads during exchanges between IDP and SP, further
impacting SSO functionality.
Clock Drift
Clock Drift is a phenomenon where a server’s clock gradually goes out of sync with true time and begins to lag behind it.
If either SP or IDP has servers that have drifted, then the timestamps published in the SAMLResponse
token appear stale to the SP, causing it to suspect malintent and reject the token, in turn causing the
SSO to fail.
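The usual mitigation on the SP side is to validate the SAML time conditions with a small, explicit clock-skew allowance, so that a few seconds of drift do not break SSO while genuinely stale tokens are still rejected. The following Python is an added example, not code from the article or from any SAML library; the timestamps are constructed, and the default 120-second allowance is an assumption that each SP should set deliberately.

```python
"""Validate SAML assertion time conditions with an explicit clock-skew allowance.

Added example (not from the article). `now` is the SP's own clock; the
IssueInstant, NotBefore and NotOnOrAfter values come from the token. The
messages distinguish a drifted IDP clock from a token that is simply old.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed default: enough to absorb a couple of minutes of drift, small
# enough that a token reused much later is still refused.
DEFAULT_SKEW = timedelta(seconds=120)


@dataclass(frozen=True)
class TimeConditions:
    issue_instant: datetime
    not_before: datetime
    not_on_or_after: datetime


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-06-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_times(cond, now, allowed_skew=DEFAULT_SKEW):
    """Return (accepted, reason). Every comparison is widened by allowed_skew."""
    if cond.not_before > cond.not_on_or_after:
        return False, "NotBefore is after NotOnOrAfter (malformed token)"
    if cond.issue_instant > now + allowed_skew:
        ahead = (cond.issue_instant - now).total_seconds()
        return False, "IssueInstant is %.0fs in the future (IDP clock ahead of SP)" % ahead
    if now + allowed_skew < cond.not_before:
        return False, "token not yet valid"
    if now - allowed_skew >= cond.not_on_or_after:
        age = (now - cond.not_on_or_after).total_seconds()
        return False, "token expired %.0fs ago (IDP clock lagging, or token reused)" % age
    return True, "time conditions satisfied"


def observed_offset_seconds(cond, now):
    """Rough IDP-minus-SP clock offset, useful as a monitoring metric.

    Near zero when clocks agree; strongly negative when the IDP lags.
    """
    return (cond.issue_instant - now).total_seconds()


if __name__ == "__main__":
    # Constructed scenario: the IDP's clock lags 90 s and issues tokens
    # valid for only 60 s, so the SP sees a token that expired 30 s ago.
    sp_now = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    cond = TimeConditions(
        issue_instant=parse_saml_time("2024-06-01T11:58:30Z"),
        not_before=parse_saml_time("2024-06-01T11:58:30Z"),
        not_on_or_after=parse_saml_time("2024-06-01T11:59:30Z"),
    )
    print("no skew allowed:", validate_times(cond, sp_now, timedelta(0)))
    print("120 s allowed:  ", validate_times(cond, sp_now))
    print("offset (s):     ", observed_offset_seconds(cond, sp_now))
```

With no allowance the lagging IDP's token is refused as expired; with the 120-second allowance the same token is accepted, while a token an hour old is still rejected. Logging the observed offset per partner lets operators spot a drifting server before users start reporting failed logins.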
SP and IDP administrators should know and account for these factors before SSO transactions begin;
doing so saves countless engineering hours that would otherwise be spent troubleshooting SSO
failures.
Other Often Ignored Facets of Supporting SSO
Improper Certificate Management
The certificates (the public halves of the signing key pairs) exchanged between IDP and SP have expiration dates for security reasons.
When a certificate expires, it causes SSO failures due to invalid signatures and leads to broad-scale
service unavailability. To prevent this, certificates must be tracked, renewed, and deployed before
expiration. Storing certificates externally, rather than within the application, allows for easy replacement
and validation. Caching certificates minimizes I/O for fetching, with the cache invalidated upon expiration.
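The arrangement just described (certificates kept outside the application, cached in memory, cache invalidated on expiry, and renewals tracked ahead of time) can be made concrete in a few dozen lines. The following Python is an added example, not code from the article or from any product: `ExternalStore` is an in-memory stand-in for a secrets manager or file share, the entity IDs and serial numbers are constructed, and the PEM strings are placeholders rather than real certificates.

```python
"""Partner certificate cache with expiry-driven invalidation and renewal tracking.

Added example (not from the article). Certificates are fetched from an
external store (here an in-memory stand-in), cached per partner entity ID
to avoid repeated I/O, dropped from the cache as soon as notAfter passes,
and reported ahead of expiry so they can be renewed and deployed in time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    entity_id: str      # partner's SAML entity ID (constructed values below)
    serial: str         # certificate serial, constructed
    not_after: datetime  # certificate notAfter, UTC
    pem: str            # placeholder, not a real certificate


class ExternalStore:
    """Stand-in for the out-of-application certificate location."""

    def __init__(self):
        self._certs = {}
        self.fetches = 0  # counts I/O so the caching effect is observable

    def put(self, cert):
        self._certs[cert.entity_id] = cert

    def fetch(self, entity_id):
        self.fetches += 1
        return self._certs[entity_id]

    def all(self):
        return list(self._certs.values())


class CertCache:
    def __init__(self, store, renewal_window=timedelta(days=30)):
        self.store = store
        self.renewal_window = renewal_window  # assumed 30-day lead time
        self._cache = {}

    def get(self, entity_id, now):
        """Return a currently valid cert, refetching if cached copy expired."""
        cert = self._cache.get(entity_id)
        if cert is None or cert.not_after <= now:
            # Cache miss or expired entry: replace it from the external store,
            # which is where a renewed certificate gets deployed.
            cert = self.store.fetch(entity_id)
            self._cache[entity_id] = cert
        if cert.not_after <= now:
            raise ValueError(
                "certificate for %s (serial %s) expired at %s; renew and deploy"
                % (entity_id, cert.serial, cert.not_after.isoformat()))
        return cert

    def renewal_due(self, now):
        """Certificates in the store that expire within the renewal window."""
        return [c for c in self.store.all()
                if c.not_after - now <= self.renewal_window]


if __name__ == "__main__":
    store = ExternalStore()
    store.put(Cert("https://idp.partner.test", "01",
                   datetime(2024, 7, 1, tzinfo=timezone.utc),
                   "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"))
    cache = CertCache(store)
    today = datetime(2024, 6, 1, tzinfo=timezone.utc)
    cache.get("https://idp.partner.test", today)
    cache.get("https://idp.partner.test", today)
    print("store fetches after two lookups:", store.fetches)
    print("renewal due:", [c.serial for c in cache.renewal_due(today)])
```

Run as a script it shows a single store fetch for two lookups and lists the partner certificate as due for renewal a month before it expires. Once the replacement is deployed to the store, the first lookup after the old notAfter picks it up automatically; if nothing was deployed, the lookup fails with a message naming the entity and serial instead of a silent signature error.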
Lack of Troubleshooting Tools
SSO is essential for onboarding new partners, typically occurring as the final step in the sales cycle.
Onboarding is often managed by non-technical personnel, so providing self-service tools empowers them
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.