Audit and Assurance

Expand all | Collapse all

SSO architecture

  • 1.  SSO architecture

    Posted 30 Aug, 2019 12:22

    How can an external auditor detect if the enviornment is SSO or no ?
    Is there a way to technically know how the enviornment is settled SSO or no, without asking the client if it is SSO or no.

    In both ways whether it is via cloud or Active Directory.

    Thanks folks in advance

    Marat Kaisseov

  • 2.  RE: SSO architecture

    Posted 31 Aug, 2019 09:10
    Hello Marat,

    The simplest way to determine whether SSO is in place is to use a test/auditor account to see if a single set of credentials, used once, will allow you to access multiple resources that generally require a separate login. After all, this is what SSO is for.

    Getting more technical, you would need to know what SSO technology is in use and then you can do one or more of the following (using Microsoft Azure AD as an example):

    1. Visit the Azure AD console to review login activity logs. When used for SSO, Azure AD meticulously records what application(s) it granted access to whom.

    2. If SSO connects cloud/web-based applications, you can often see the SSO process in action if you watch the URLs change during SSO login-it flips from the SSO provider (e.g. Azure AD) to that of the web page of the service that SSO unlocks.

    I am sure there are many other ways to accomplish this-some more technical than the others, but the above should give you a starting point.

    Best regards,
    Aleksandr Zhuk

    Aleksandr Zhuk
    Principal Consultant

  • 3.  RE: SSO architecture

    Posted 31 Aug, 2019 10:48
    Thank you for your answer.
    What about the active directory.

    Could you please provide any technical side for acitve directory

    Marat Kaisseov