Hi Team,
We are currently evaluating options to enable Single Sign-On (SSO) for our client and are considering using Auth0 with SP-initiated SSO through Enterprise Connections.
We would like to understand more about the security aspects of this approach specifically, how safe it is to use SP-initiated SSO in Auth0. Additionally, since we require Multi-Factor Authentication (MFA), we are uncertain whether the client’s Identity Provider (IdP) enforces MFA during authentication.
Could you please provide details on:
-
How MFA is handled in such SSO scenarios, especially when the IdP is external?
-
The security measures implemented by Auth0 to prevent potential attacks in SP-initiated SSO flows?
Hi @anirudh.bharti
Welcome to the Auth0 Community!
- How MFA is handled in such SSO scenarios, especially when the IdP is external?
As you have stated, if you are unsure if MFA is being enforced by the external IdP, you can enforce it for your application within your Tenant via Actions. The user will be prompted for MFA once they are redirected back from the enterprise connection. If the external IdP already enforces MFA, you can add an extra layer of MFA if necessary.
- The security measures implemented by Auth0 to prevent potential attacks in SP-initiated SSO flows?
In short terms, the flow is secured by SAML and OIDC standards which basically include measures like signed/encrypted messages, state validation to prevent CSRF or replay attack and audience validation.
Auth0’s approach for SP Initiated SSO is built on these standards in order to protect against common attacks. Some of the most important features of SAML or OIDC standards are:
- Signed Assertions (SAML): The “proof” sent by the IdP back to Auth0 which is digitally signed with the IdP’s private key. Auth0 verifies this signature using the IdP’s public certificate. This makes it impossible for an attacker to tamper or intercept the response (ex: change the user’s email) during the process.
- State Parameter (OIDC): For OIDC connections, when Auth0 sends the user to the IdP, it includes a unique, unguessable
state parameter. When the IdP redirects back, it must include this exact same state parameter. Auth0 checks that it matches. This prevents CSRF attacks, ensuring the login response you’re receiving is for the login request initiated by your application/the intended user.
InResponseTo (SAML): SAML uses a similar mechanism. The SAMLRequest has a unique ID, and the SAMLResponse from the IdP must include an InResponseTo attribute that matches that ID. This prevents replay attacks.- Audience and Recipient Validation: Auth0 validates that the assertion from the IdP was intended for Auth0 and was sent to the correct endpoint. This prevents an attacker from stealing an assertion from a different service and “replaying” it to log into your application.
Hope the information above is useful regarding the matter, if you have any other questions, please let me know!
Kind Regards,
Nik