The Art of SAML/SSO and MFA

SAML SSO Integration

Security Assertion Markup Language, or SAML, is better known by what it does than by its name. IT managers use it on any given day, often many times a day. With SAML, managing multiple devices becomes easier, less stressful, and less tedious. Simply put, you sign on to one computer and can then access and perform security functions on other computers. In the current climate of concern over data integrity and data leak prevention, being able to authenticate and authorize credentials is critical. SAML makes network security easier to manage.

SSO, or Single Sign-On, is what any executive or front-line staff member wants and needs for easy collaboration, streamlined workflow, and smooth operations as more staff work remotely. For example, suppose your core inventory management database is cloud based, your retail POS has a local server, the two talk to each other through an API, and a dashboard connects to an on-premises file server holding financials. With a single sign-on credential for all of these logins, you are not constantly having to remember passwords or create usernames and secure logins for every point of contact in your enterprise where operations and performance metrics live.

Some security experts shudder at the thought of a CEO keeping a post-it note with passwords in a drawer, but before you snicker, remember that many network security professionals don’t always use a password manager or authenticator either, and are prone to losing cell phones at trade shows. You have one key to your front door, and it lets you in every time. Don’t make things complicated.

Picture yourself at an airport with your laptop, killing time before boarding your business flight. You click an icon on your laptop, enter your single sign-on credentials, and bingo, you are instantly in your home drive at the office and on the server at the colo. You are working at the speed of light, not missing a beat on the latest report just updated and saved on the server in the folder marked Sales Reports. Having a WebDAV client and being able to instantly, securely, and remotely access your files is a game changer. You stay agile, productive, and efficient with your time. No need to text IT desktop support back at HQ to find out who suddenly changed passwords or why you are locked out right now.

There is duo authentication, which most Gmail users are familiar with: you enter a phone number, receive a text with a code, and enter that code to add another layer of protection to signing in to your email account. MFA, or Multi-Factor Authentication, adds yet more layers and protections, especially if the data you are sharing is critical, classified, and/or for certain eyes only. Many contractors in the government sector, as well as in healthcare and research and development, are well aware of MFA, just as in banking you have a safe deposit box locked in a vault behind the closed doors of a bank that also has an armed security guard at the door. Banks and financial institutions use MFA all the time.

You can live dangerously and have all your logins saved to your browser, but what if you lose your laptop, or click a link in an email that renders your machine kaput and it has to be taken off the network immediately? What then? Make a habit of clearing your cache, removing cookies, updating logins, and securely storing them in a vault of some kind, such as a platform like LastPass, while also having your enterprise network architecture and data security protocol include SSO. You don’t want staff members being the masters of your universe. Don’t make your IT department lose sleep every night chasing down each and every staff member for updated login credentials. That should be managed from the top down. Staff can have their own passwords, but every platform and piece of software used should have a master admin account that can access everything, and that SAML and SSO control should live with IT and executive management. Terminating an employee should not be a fire drill of getting your network back or worrying who still has access to what. Active Directory integrated with Windows file server shares should be managed concurrently, and onboarding or terminating staff should follow the same consistent protocol each time. You need to be able to pull the plug, so to speak, on all logins at all touch points to the system, based on the level or clearance the employee had. If you have it tied to SSL or NTFS permissions, then it’s not a nightmare to manage. Adding another layer of MFA that you can control internally is also an essential safeguard.

On one side you have ease of use for the employee, and on the other side you have ease of control for management. Your user base will be very happy logging on to all aspects of operations with one sign-on credential, even if it means entering a code sent to their cell phone by text alert when logging in. Again, this level of security depends on what is being accessed and what permission has been granted to the staff member.

What constitutes a work stoppage? Someone can’t get their email? That’s inconvenient, but not a reason to fold your arms in your lap and plan on catching the early train home. With SAML and/or SSO, all you need is a browser and you are back in business, accessing the information you need. It’s always good protocol and policy to have some kind of Multi-Factor Authentication on your phone and mobile devices such as tablets. Think of it much like an Apple ID account: you have the added layer of using your thumbprint when downloading an app, and then to purchase and set up an account you still need to enter your Apple ID. You want layers between you and someone else trying to steal your identity, hack your network, or corrupt your files. You also want it to be easy and fast to access your files. Use MyWorkDrive with any compliant SAML solution, with streamlined setup for Azure AD, Okta and OneLogin. Add MFA or Duo as you need to and start working from anywhere!