Safety of Third party Single Sign-On (SSO) on your network

Seb
Seb used Ask the Experts™
on
Hello All,
I have a question about SSO (Single Sign-On).
There is a website that offers a service and in order to use their service they used to require knowing what our IP address was in order to control access to their services by IP. Now they are changing to SSO instead and even though I'm not familiar w/ SSO I know that they would need to connect to our AD for authentication and as we know a lot of breaches happen with Third party companies having access to internal network infrastructure. I don't feel comfortable using this method and since I'm not all that familiar with it I figured I'd ask your opinion. Yes, I do know that NOTHING is 100% secured and full proof but I want to at least make sure that I'm not potentially opening a can of worms.

My questions are:

- What are some of the risks if I chose to give their SSO access to our AD?
-If I decide to go w/ the SSO what are the questions I should be asking them to make sure that they have their "sh#*" together and will not potentially compromise our Server/network.
-What are some of your opinions on going w/ SSO from a Third party vendor?
-Should I implement SSO in this case or hold my ground and ask for another solution?
-Could I use AWS, Azure AD (or similar) to create just a stand alone AD on it's own to use with this service and is is cost prohibitive?

Thanks in advance for all your help, it's greatly appreciated!!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
AmitIT Architect
Distinguished Expert 2017

Commented:
SSO is completely safe. In your case you need to use app like ADFS from Microsoft. Setup ADFS environment, where you will be acting as IDP or identity provider and your application vendor will with using it. With ADFS you just relay claim or user attributes to your app vendor. Say, your user want to login to X app. Your app vendor will ask you to relay claims like email address, name and Group info. Once you relay those claims to your vendor, vendor will be using them to configure it's app and provide the access.

It is same like you are using your gmail account to login to other sites. From security point, you need to setup ADFS farm. More you can read here:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs

There is one more option ADLDS, but i don't recommend that, as it is bit complex to manage and required regular admin work.

Note: Don't give any access to your AD environment directly to any vendor.
SebSystems Admin

Author

Commented:
Thanks for the great information @Amit but I'm still not clear on this.

can you also answer these questions:
- What are some of the risks if I chose to give their SSO access to our AD?
-If I decide to go w/ the SSO what are the questions I should be asking them to make sure that they have their "sh#*" together and will not potentially compromise our Server/network.
-Could I use AWS, Azure AD (or similar) to create just a stand alone AD on it's own to use with this service and is is cost prohibitive?

YES, I'm with you. They are NOT getting access to our AD. LOL!!!
Ramasamy PanchavarnamSenior Technical Architect

Commented:
SSO is safe the way you define the roles. you have to create a role and share the role to the vendor.

you can use your existing AD and provide a role  with least access they needed

Just ask them the level of access and name of role needed.
IT Architect
Distinguished Expert 2017
Commented:
- What are some of the risks if I chose to give their SSO access to our AD?
Check MS KB i posted, it provide all details for implementing SSO solution safely. In nutshell, your main ADFS server need to be behind firewall.

-If I decide to go w/ the SSO what are the questions I should be asking them to make sure that they have their "sh#*" together and will not potentially compromise our Server/network.
Once you have ADFS setup done. You basically need to ask, what claims or user attributes you needed to be relayed.

-Could I use AWS, Azure AD (or similar) to create just a stand alone AD on it's own to use with this service and is is cost prohibitive?
AWS or Azure AD is not the replacement for your On-premises AD, it is just an extension for your on-premises AD into cloud. Which can be used to integrate AWS and Azure applications.


I highly advise you to get a ADFS or SSO expert, who can help you to set it up. But before that, you need to talk to you vendor, what exactly they need. ADFS is free and part of Windows role.
SebSystems Admin

Author

Commented:
Great, thanks!! I appreciate the help Gentlemen!.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial