Challenges With SAML Just In Time (JIT) Provisioning

If your organization uses cloud-based services, then it is quite likely that your IT team has already configured Single Sign On (SSO) for these cloud-based services. SSO ensures that you can use your enterprise account credentials for logging on to cloud-based services. SAML (Security Assertion Mark-up Language) is currently the gold standard for SSO.

One may wonder when a cloud-based service provider creates an account for an enterprise user in the first place. Does SAML provide something for this? No. However, SAML assertion contains attributes about the authenticated user. Using these attributes, the cloud-based service provider creates an account for a non-existing user at their end. Hence, the term “SAML-based Just In Time Provisioning”, wherein provisioning is the process of creating user account on the cloud-based service provider end.

At a first glance this looks like a good solution for creating non-existent accounts at the cloud-based service provider end. I agree that it is a working solution, but an incomplete one. It is incomplete, since it does not consider an important scenario – when the user leaves the organization and his/her account  is removed from the enterprise store. Now how will the cloud-based service provider know when to delete the user account at its end? This results in what is called as an “Orphaned Account” in the security parlance.

One may argue – what is the need to delete the account since the user cannot SSO anyways as the user is removed from the enterprise store. Well, there is more to it:

  • Firstly lot of cloud-based service providers allow two modes of login – SSO and direct login. By direct login, I mean directly login into the cloud service using the credentials of the cloud service. This implies a security hole as the user can still access the cloud service (via the orphaned account) after being removed from the enterprise store. For a minute think about the purpose of the cloud-based service that your organization is using (for example – file sharing, accounting, CRM, etc.) and then associate a risk level with the orphaned account.
  • Secondly most cloud-based service providers charge a user-based subscription model. This implies that the orphaned accounts are still considered as active users by the cloud-based service provider. Hence your organization is paying subscription cost associated with these un-used accounts. In a way this works in the favor of the cloud-based service provider.

The process of removing the account on the cloud-based service provider end is called “de-provisioning”. Thus, de-provisioning is the missing piece in this puzzle.

Note while it is possible to build de-provisioning mechanism using SAML, it has its own cons and hence not prevalent. Let us explore the 2 options given below:

  1. SAML Attribute Query based de-provisioning – Here the cloud-based service provider will query the Identity Provider at regular intervals (say every night) to check if all users still exist on the Identity Provider end. This will result in unnecessary traffic though. Onus is on the service provider. None of the service providers provide this feature as of today.
  2. SAML NameID based de-provisioning – The Identity Provider can ask the cloud-based service provider to terminate a relationship represented by a given NameID (consider NameID as a primary key identifying the user). Onus is on the organization to relay updates to the cloud-based service provider.

A more practical solution to user provisioning/de-provisioning is IdentityDesk (extensible IDentity) from GS Lab which is geared to cater to Joiner-Mover-Leaver scenarios. Let us look at these scenarios in more detail below:

  • Joiner – When people join the organization (i.e. they are added to the enterprise store), then IdentityDesk will automatically provision accounts for these users on required applications (based on policies you define).
  • Mover – As people move across departments, change titles/roles, etc. the applications they need access to change. IdentityDesk will automatically provision accounts for such folks on new applications and de-provision access from old applications.
  • Leaver – When people leave the organization, IdentityDesk will help de-provision accounts from the respective applications.

IdentityDesk is a standard-based, policy-driven, extensible provisioning/de-provisioning system geared for your organizational needs. It allows customizing the provisioning/de-provisioning flows to accommodate your existing business processes, while provisioning user accounts in near real-time. You can read more about IdentityDesk here.