I have a scenario in mind and I am wondering if this is, in general, a drawback to SSO using SAML 2.0/OIDC or if there are any known ways to mitigate such a scenario:
Background:

1. A user is able to SSO into some remote app, BizManager. The user does so by authenticating to his Enterprise IdP and then picks BizManager to navigate there. In this case, BizManager is the Assertion Consumer Service.
2. Let's assume said Enterprise has configured a server to send a SAML 2.0 response with assertions about the user to the BizManager app; BizManager, in turn, will process this SAML response and, after verifying all assertions, log the Enterprise user into BizManager.

Let's assume malicious actors infiltrate the Enterprise IdP and are actually able to create other user accounts. Is there a way to control the ability of these newly created users to access BizManager? In particular, if the malicious actors were aware of a high-profile user of BizManager, nothing stops them from impersonating that high-profile user in BizManager.

Are there ways to thwart a scenario like this? I have gone through a great deal of literature. The general impression I'm getting is "probably not", given that BizManager can only go off the assertions it is provided. Everything prior is opaque to BizManager.
- Is this understanding correct?
- Does OIDC provide mechanisms to mitigate this?
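The following is an added example, not part of the original question and not code from any real BizManager product. It models the one lever the Assertion Consumer Service does have after signature verification: a local policy gate that keeps its own registry of pre-provisioned accounts keyed by an immutable identifier, refuses just-in-time account creation, and refuses to map a subject onto an account whose pinned identifier and email disagree. The issuer and audience URLs, the `employeeId` attribute, the registry contents and the minimal SAML XML are all constructed assumptions for illustration.

```python
"""
Added example (not from the original post): an SP-side policy gate that a
service like BizManager could run *after* the SAML response signature has
been verified. Assumed names: the issuer/audience URLs, the 'employeeId'
attribute and the REGISTRY contents.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP configuration (constructed values).
EXPECTED_ISSUER = "https://idp.enterprise.example/saml"
EXPECTED_AUDIENCE = "https://bizmanager.example/saml/acs"

# Assumed pre-provisioned registry: immutable subject id -> local account.
# Entries are created out of band (SCIM push, admin approval), never at login,
# so an account minted at the IdP has no local counterpart to land in.
REGISTRY = {
    "emp-000123": {"account": "ceo", "email": "ceo@enterprise.example"},
    "emp-004567": {"account": "analyst1", "email": "analyst1@enterprise.example"},
}


@dataclass
class Decision:
    allowed: bool
    account: Optional[str]
    reason: str


def parse_response(xml_text: str) -> dict:
    """Pull out the fields the policy needs. Signature checking is assumed to
    have happened already; stdlib ElementTree is used only to stay
    dependency-free, a production ACS should parse with defusedxml."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attrs": attrs,
    }


def authorize(parsed: dict) -> Decision:
    """Local policy: trusted issuer, correct audience, pre-provisioned subject,
    and the mutable email attribute must agree with the pinned record."""
    if parsed["issuer"] != EXPECTED_ISSUER:
        return Decision(False, None, "unexpected issuer")
    if parsed["audience"] != EXPECTED_AUDIENCE:
        return Decision(False, None, "assertion not intended for this SP")
    subject_id = (parsed["attrs"].get("employeeId") or [None])[0]
    if subject_id is None:
        return Decision(False, None, "missing immutable subject identifier")
    entry = REGISTRY.get(subject_id)
    if entry is None:
        # No JIT provisioning: unknown subjects are rejected, not created.
        return Decision(False, None, "subject not pre-provisioned")
    claimed_email = (parsed["attrs"].get("email") or [parsed["name_id"]])[0]
    if claimed_email != entry["email"]:
        # A newly minted account carrying someone else's email does not
        # inherit that person's session.
        return Decision(False, None, "email does not match pinned identity")
    return Decision(True, entry["account"], "ok")


def make_response(issuer, audience, name_id, employee_id, email) -> str:
    """Constructed, unsigned SAML response used only as a test fixture."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion ID="_1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeId"><saml:AttributeValue>{employee_id}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    legit = make_response(EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                          "ceo@enterprise.example", "emp-000123", "ceo@enterprise.example")
    minted = make_response(EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                           "ceo@enterprise.example", "emp-999999", "ceo@enterprise.example")
    print(authorize(parse_response(legit)))   # allowed, account 'ceo'
    print(authorize(parse_response(minted)))  # rejected: subject not pre-provisioned
```

The gate closes the specific hole in the question (accounts created at the IdP) only as long as the immutable identifier is something the intruder cannot set on a new account; if the IdP is fully under their control and can emit arbitrary signed assertions, the SP really is limited to what the assertions say, which is the impression the question describes. The same approach maps directly onto OIDC, where the `sub` claim plays the role of the pinned identifier and `iss`/`aud` play the roles of issuer and audience.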