SSO & MFA for Helpdesk and Administrators
Recently, I wrote about how you can add Multi-Factor Authentication to your Self-Service Password Resets with One Identity Password Manager and OneLogin.
Read it on the OneIdentity blog, OneLogin blog, or my personal blog
In that scenario, a user with a forgotten or expired password authenticates to the self-service portal with a combination of their security questions and MFA provided by OneLogin to reset their password.
With the release of Password Manager 5.11, we can take this a step further by enabling MFA and/or Single Sign-On for Admins (SSO) and helpdesk staff accessing Password Manager using OneLogin, or any other IdP (Identity Provider) that supports standard protocols like SAML (Security Assertion Markup Language).
Introducing Secure Token Server
I'll spare you the details on what this is and keep it simple. is the same component used in other One Identity products, like Safeguard for Privileged Passwords, to provide federated authentication or multistep authentication using various providers and protocols like SAML, OAuth, RADIUS and others. This functionality is now part of Password Manager for use within workflows, and for authentication to the helpdesk and admin web interfaces.
The cybersecurity frameworks, cyber insurance companies and consulting firms are all correctly on the same page — MFA should be required for access to any privileged application. The admin and helpdesk pages for Password Manager are no exception. Admins can configure the product to do whatever they desire to accounts on all the included domains. Helpdesk staff often have access to unlock or enable accounts, reset passwords, issue BitLocker recovery keys and more. Enabling MFA as a requirement to access these resources is a logical step towards securing your password-reset process.
There are two supported methods of configuring federated authentication for the Password Manager admin and helpdesk pages, and since I love having options, I'll walk through both.
External Federation (SSO)
This is a common standards-based scenario where your external Identity Provider of choice acts as the authentication mechanism. This can be both service-provider initiated — where a user navigates to the Password Manager admin or helpdesk portal and gets redirected to the IdP (Identity Provider) for authentication; and identity-provider initiated — where a user signs in to the IdP and clicks an icon on their dashboard to into Password Manager.
Let's use OneLogin as an example. As it supports SAML2.0, I can create a SAML application called Password Manager, point it to the Password Manager STS (Secure Token Server), and configure Password Manager to use that application for authentication.
When I access Password Manager's admin or helpdesk pages, it will automatically redirect me to authenticate through OneLogin.
But we can take this a step further. OneLogin QuickLinks allows you to create custom applications that show up on the user's SSO dashboard. These can simply be a URL, and a custom name and icon to make it easy to identify. So, you can have a single SAML application to handle the authentication, and a QuickLink each for the admin and helpdesk pages, which can be assigned to users appropriately.
When users sign in to their OneLogin dashboard, they'll see these links if they are assigned:
Clicking the link will take them directly to the associated Password Manager URL. And, since they are already authenticated to OneLogin, they'll be automatically signed in.
Right, but what about the MFA?
Of course, the user may already have to authenticate with a second factor when initially signing in to their OneLogin dashboard. However, depending on your configuration, this may not be the case. Certain OneLogin users may have a Security Policy that does not require a second factor when authenticating to their dashboard, or you may be using OneLogin SmartFactor Authentication to suppress the prompt when a low-risk sign-in is detected. In order to ensure MFA is provided when accessing critical applications, regardless of how the user authenticates to their dashboard, OneLogin allows you to create application-specific security policies.
These policies allow you to force an MFA prompt for specific applications and can of course be configured to suppress that prompt for those users who already provided one in the last X minutes, to avoid multiple prompts in a row.
With an application security policy that requires MFA assigned to the Password Manager SAML application, we can ensure that users will always need to provide a second authentication factor in order to access the Password Manager administration and helpdesk pages.
What about other IdPs?
Other Identity Providers have their own processes for configuring SAML, OAuth or WS-Fed authentication, but it's all the same to Password Manager. Even better, it can support multiple identity providers for different user groups federating from multiple domains. Keep in mind, however, that this scenario typically expects the identity provider to handle both the primary and secondary authentication...but it doesn't have to.
Primary Directory Authentication + Secondary Authentication
Our STS allows you to separately configure a primary and secondary authentication method from a choice of standard providers. Want to still have Active Directory (AD) Authentication but use a RADIUS server for MFA? No problem. How about LDAP (Lightweight Directory Access Protocol) and Duo? That works, too.
This scenario is perfect for organizations that are not standardized to an IdP across the board or have existing standalone MFA solutions that only provide secondary authentication and rely on a primary authentication source like Active Directory.
Whether you're fully committed to the latest in security frameworks, are fighting an uphill battle to implement any security controls you can, or are somewhere in between these two extremes and are balancing security and usability concerns, you need to learn more about One Identity Password Manager. It offers configuration and extensibility options to help you design a secure password-reset process that adheres to your unique requirements, without compromising the experience for your end users.
One of the easiest first steps you can take towards securing the entire process is to require MFA for privileged admins and helpdesk users accessing Password Manager, and for the end users performing password resets.
For more information:
Read about OneLogin Workforce Identity Solutions https://www.onelogin.com/product
See how One Identity Password Manager = Download a trial version today https://www.oneidentity.com/products/password-manager/
Read the original article at OneLogin.com