SSO Security Assessment

An SSO security assessment is a specialist security review of your Single Sign-On implementation, covering the protocols (SAML 2.0, OAuth 2.0, OpenID Connect), the Identity Provider configuration, and the trust relationships between your IdP and connected applications. Because SSO acts as a master key (one compromised session grants access to every connected system) it requires dedicated testing that goes beyond what a standard web application penetration test covers. Our assessments are delivered by CREST-accredited testers with specialist expertise in identity protocols.

No. We request read-only Global Reader or Security Reader access to your IdP tenant. We never require write access, administrator privileges, or production environment credentials. All access is scoped to configuration export only and can be revoked immediately after the assessment. This means there is zero risk of accidental configuration changes during testing.

A standard penetration test treats the Identity Provider as trusted infrastructure and tests login at the surface level, typically the login form, session cookies, and basic authentication bypass. An SSO security assessment goes deeper: we intercept and manipulate live SAML assertions and OAuth token exchanges, audit your IdP tenant configuration directly (read-only access to Entra ID / Okta), and test specific protocol attack paths including SAML signature wrapping, PKCE downgrade, redirect URI manipulation, and Golden SAML. The result is a specialist report evidencing protocol-level testing, the kind a PCI DSS QSA or ISO 27001 auditor will accept as substantive coverage of your identity controls.

Single sign-on is both a security improvement and a security concentration. SSO eliminates password sprawl and enables centralised MFA enforcement, reducing overall attack surface. However, it also creates a high-value target: a misconfigured SSO implementation can give an attacker authenticated access to every federated application simultaneously. The risk is not in SSO itself but in the configuration: Conditional Access policy gaps, legacy authentication bypass, unsigned SAML assertions, and overpermissioned OAuth consent grants are the vulnerabilities that turn SSO from a security control into a liability. An independent SSO security assessment identifies precisely these misconfigurations before an attacker does.

The six most important SSO security best practices are: (1) Block legacy authentication protocols (Basic Auth, SMTP AUTH) at the Conditional Access layer, as legacy protocols bypass MFA entirely. (2) Enforce MFA for all users without exception, including service accounts and emergency access accounts. (3) Review OAuth consent grants regularly and revoke any application with Mail.Read, Files.ReadWrite, or directory access that has not been explicitly approved by an administrator. (4) Audit Conditional Access exclusion groups, as stale exclusions from IT projects commonly create persistent MFA bypass paths. (5) Enforce SAML assertion signing with SHA-256 minimum, as unsigned or weakly signed assertions are vulnerable to Golden SAML attacks. (6) Commission an independent SSO security assessment annually or after significant identity infrastructure changes.

Our SAML testing covers XML signature wrapping (including comment injection variants), XML External Entity (XXE) injection, SAML assertion replay attacks, signature stripping, assertion encryption weaknesses, and Golden SAML attacks targeting ADFS token signing certificates. We use protocol-specific tooling including SAML Raider to manipulate live assertions during dynamic testing.

Our OAuth 2.0 and OIDC testing covers: redirect URI manipulation leading to authorisation code interception, PKCE downgrade attacks (forcing implicit flow on PKCE-protected endpoints), token leakage via Referer headers and browser history, scope escalation via over-permissioned client registrations, authorisation code replay (missing state and nonce validation), and OIDC token validation failures including alg:none substitution and missing audience checks.

A Conditional Access policy review is a systematic audit of the logic governing when and how users are permitted to access your Microsoft 365 or Entra ID-protected resources. Our review maps every policy, including inclusions, exclusions, conditions, and grant controls, to identify logic gaps that allow unintended access. Common findings include: policies with exclusion groups that have been silently depopulated, legacy authentication bypass for service accounts that were excluded temporarily and never re-included, sign-in risk policies in report-only mode rather than enforcement mode, and emergency access accounts excluded from all policies without compensating monitoring controls. The review produces a prioritised list of policy changes with exact admin portal click-path instructions.

We have extensive experience auditing Microsoft Entra ID (Azure AD), Okta, Auth0 (Okta CIC), PingIdentity, and Google Workspace. We review both the tenant-level configuration and the specific application registrations. We also assess custom Identity Providers built on IdentityServer4, Keycloak, or other OpenID Connect-compliant frameworks.

Yes. Our assessment produces a structured technical report suitable for submission to a PCI DSS QSA as evidence that SSO and authentication controls within cardholder data environment scope have been independently tested. For ISO 27001, findings map to Annex A.5.15 (Access Control), Annex A.8.2 (Privileged Access Rights), and Annex A.8.5 (Secure Authentication). For Cyber Essentials Plus, the report provides evidence of MFA enforcement and access control testing. We can provide a supplementary compliance mapping document on request.

Yes. We verify that Multi-Factor Authentication is correctly enforced through Conditional Access policies and cannot be bypassed via legacy authentication protocols (Basic Auth, NTLM), device compliance exceptions, or logic flaws in the application post-SSO session handling. We specifically test whether MFA can be bypassed by replaying a session established before MFA was added to the Conditional Access policy.

Engagements typically range from 2 to 5 days depending on the number of SSO integrations in scope, the protocols in use, and whether full IdP tenant audit access is included. We provide a fixed-scope quote following a 30-minute scoping call at no charge.