Fluid Attacks Database

Authenticate using standard protocols

Summary

The organization must implement the Single Sign On (SSO) process using standard protocols (e.g., SAML).

Description

When SSO is enabled, centralized control over user authentication and authorization is possible. The Identity Provider becomes the central authority for validating user identities, enforcing access policies, and managing user sessions.

References

CWE-287. Improper authentication
CWE-1390. Weak Authentication
CAPEC-115. Authentication bypass
SOC2-CC6_1. Logical and physical access controls
NYSHIELD-5575_B_2. Personal and private information
PADSS-3_1_4. Application employs methods to authenticate all users
SANS25-22. Improper Privilege Management
SANS25-24. Incorrect Authorization
POPIA-3A_23. Access to personal information
ISO27002-8_5. Secure authentication
IEC62443-IAC-1_5. Authenticator management
WASSEC-2_1. Authentication schemes
WASC-W_01. Insufficient authentication
NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
MVSP-2_1. Application design controls - Single Sign-On
BSAFSS-IA_1-1. Software development environment authenticates users and operators
BSAFSS-SI_2-1. Strong identity
NIST800171-1_17. Protect wireless access using authentication and encryption
ASVS-14_1_5. Build and deploy
ASVS-1_2_2. Authentication architecture
ASVS-13_3_2. SOAP web service
OWASPAPI-API2. Broken Authentication
ISO27001-8_5. Secure authentication
CASA-1_2_2. Authentication Architecture
CASA-1_4_4. Access Control Architecture
CASA-2_10_1. Service Authentication
CASA-14_1_5. Build and Deploy
RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
CWE25-269. Improper Privilege Management
CWE25-863. Incorrect Authorization

Weaknesses

006. Authentication mechanism absence or evasion
015. Insecure authentication method - Basic
240. Authentication mechanism absence or evasion - OTP
241. Authentication mechanism absence or evasion - AWS
242. Authentication mechanism absence or evasion - WiFi
243. Authentication mechanism absence or evasion - Admin Console
244. Authentication mechanism absence or evasion - BIOS
298. Authentication mechanism absence or evasion - Redirect
299. Authentication mechanism absence or evasion - JFROG
300. Authentication mechanism absence or evasion - Azure
309. Insecurely generated token - JWT
318. Insecurely generated token - Validation
365. Authentication mechanism absence or evasion - Response tampering
370. Authentication mechanism absence or evasion - Security Image
383. Insecurely generated token - OTP
388. Insecure authentication method - NTLM
397. Insecure authentication method - LDAP
449. Insecure authentication method

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

Supported In

This requirement is verified in following services

Essential Plan

Yes

Advanced Plan

Yes