JITSPLOIT enables stealth access for external identities to enterprise SaaS, confidential data, secrets, and administrative privileges. Unless mitigated, external identities can use JITSPLOIT to gain unsanctioned access through valid single sign-on (SSO) channels, such as Azure AD SAML or OIDC.
JITSPLOIT occurs when an identity provider (IdP) and a SaaS service are each configured to rely on the other for authorization, with the result that neither side enforces it. SaaS services vulnerable to JITSPLOIT expose sensitive corporate applications to external users.
Overview
Grip Security
Grip’s mission is to empower every security team to safeguard identities, whenever and wherever SaaS is used — customers and clouds, employees and websites, partners and portals, users and apps. Grip SSCP discovers and graphs the identity-SaaS attack surface, mapping SaaS services and user-SaaS relationships, identifying risky access and malicious or abandoned SaaS services, and automating action to secure the enterprise SaaS layer.
Authentication vs Authorization
Identity services typically provide two primary functions: authentication and authorization.
Authentication services are responsible for verifying the identity of an entity (e.g., a user) trying to access a resource. Authentication mechanisms include credentials, MFA challenges, biometrics, etc.
Authorization services are responsible for defining which resources an entity should be granted access to (e.g., applications, files), and in what way (e.g., read or write, which user roles it may assume, whether it holds administrative permissions).
Within a typical enterprise environment, Single Sign-On (SSO) solutions provide both functions, federating authentication into a single directory (e.g., Azure AD credentials) while also defining which users have access to which SaaS services.
User Provisioning
There are several diverse ways in which user accounts are created within SaaS applications. The four primary mechanisms are:
Manual. Users need to be created within the app’s interface, typically by the admin. In some cases, this happens in batches by uploading user lists periodically.
SCIM. An Identity Provider (IdP) issues commands instructing apps to create and destroy users when users join or leave the organization, or when their permissions change.
Directory Sync. An application periodically polls the IdP over an API to check for changes to user permissions.
Just-in-time (JIT). An application creates a user’s account during their first successful login.
Azure Active Directory Assignments
Azure AD exposes one assignment setting, with two states, for each SaaS service connected to SSO. The setting is named “App Role Assignment Required.” When it is turned on, Azure AD authorizes only identities that have been explicitly assigned to the app to log in to that application. When it is turned off, Azure AD performs authentication only, and allows any user within that Azure AD tenant to log in to that application.
Most commonly, this configuration is turned off in tandem with a manual user provisioning mechanism within the target SaaS service, and/or in cases where the entire organization should have access to an application (e.g., an HRIS or VPN app).
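To make the two-sided dependency concrete, here is an added Python model that ties the provisioning mechanisms listed above to the Azure AD assignment setting just described. It is an illustration written for this page, not code from Grip or from Microsoft. It treats the Microsoft Graph servicePrincipal property appRoleAssignmentRequired as the “App Role Assignment Required” switch; the tenant users, service principals, app inventory and assignment sets are constructed sample data, and classify, audit and remediate are hypothetical helper names.

```python
"""Model of the JITSPLOIT condition: an IdP whose assignment switch is off
(authenticates any tenant identity) paired with a SaaS app that provisions
accounts just-in-time. All identities and apps below are constructed samples."""
from dataclasses import dataclass, field

PROVISIONING_MODELS = {"manual", "scim", "directory_sync", "jit"}
LOGIN_TIME_PROVISIONING = {"jit"}  # only JIT creates an account during login


@dataclass
class ServicePrincipal:
    """Subset of the Graph servicePrincipal object. appRoleAssignmentRequired is
    the real property name; assigned_ids stands in for app role assignments."""
    display_name: str
    app_role_assignment_required: bool
    assigned_ids: set = field(default_factory=set)


@dataclass
class SaasApp:
    """Relying-party side: its provisioning model and the accounts it holds."""
    name: str
    provisioning: str
    accounts: set = field(default_factory=set)


@dataclass
class TenantUser:
    id: str
    user_type: str  # "Member" or "Guest", as in Graph user.userType


def idp_issues_assertion(sp: ServicePrincipal, user: TenantUser) -> bool:
    """The IdP authenticates every tenant identity, guests included. It only
    authorizes when the switch is on and the identity has been assigned."""
    if sp.app_role_assignment_required:
        return user.id in sp.assigned_ids
    return True


def sp_admits(app: SaasApp, user: TenantUser, assertion_ok: bool) -> bool:
    """The SaaS side trusts the assertion. Under JIT a missing account is created
    on first login; manual, SCIM and directory sync require one to exist."""
    if not assertion_ok:
        return False
    if user.id in app.accounts:
        return True
    if app.provisioning in LOGIN_TIME_PROVISIONING:
        app.accounts.add(user.id)  # the just-in-time provisioning step
        return True
    return False


def login(sp: ServicePrincipal, app: SaasApp, user: TenantUser) -> bool:
    return sp_admits(app, user, idp_issues_assertion(sp, user))


def classify(sp: ServicePrincipal, app: SaasApp) -> str:
    """Which side enforces authorization for this IdP/SaaS pair."""
    if app.provisioning not in PROVISIONING_MODELS:
        raise ValueError(f"unknown provisioning model: {app.provisioning}")
    if sp.app_role_assignment_required:
        return "idp-gated"
    if app.provisioning in LOGIN_TIME_PROVISIONING:
        return "jitsploit-exposed"  # neither side enforces authorization
    return "sp-gated"


def audit(pairs):
    """Names of apps where both sides defer authorization to the other."""
    return [app.name for sp, app in pairs if classify(sp, app) == "jitsploit-exposed"]


def remediate(sp: ServicePrincipal, assigned_ids) -> ServicePrincipal:
    """Equivalent of turning the switch on and assigning the intended users."""
    return ServicePrincipal(sp.display_name, True, set(assigned_ids))


# Constructed sample: a guest identity and two apps behind the same tenant.
GUEST = TenantUser("guest-001", "Guest")
EMPLOYEE = TenantUser("emp-042", "Member")
PAYROLL_SP = ServicePrincipal("Payroll", app_role_assignment_required=False)
PAYROLL_APP = SaasApp("Payroll", "jit")
WIKI_SP = ServicePrincipal("Wiki", app_role_assignment_required=False)
WIKI_APP = SaasApp("Wiki", "scim", accounts={"emp-042"})


def demo():
    """Run the sample through the model before and after remediation."""
    fixed_sp = remediate(PAYROLL_SP, {"emp-042"})
    return {
        "exposed": audit([(PAYROLL_SP, PAYROLL_APP), (WIKI_SP, WIKI_APP)]),
        "guest_before": login(PAYROLL_SP, SaasApp("Payroll", "jit"), GUEST),
        "guest_after": login(fixed_sp, SaasApp("Payroll", "jit"), GUEST),
        "employee_after": login(fixed_sp, SaasApp("Payroll", "jit"), EMPLOYEE),
        "wiki_guest": login(WIKI_SP, WIKI_APP, GUEST),
    }


if __name__ == "__main__":
    print(demo())
```

The model reproduces the paper's point: the guest is admitted to the JIT-provisioned Payroll app while the switch is off, is refused by the SCIM-provisioned Wiki app because no account exists there, and is refused by Payroll once the switch is on and only the employee is assigned. In a real tenant the service-principal side of the audit can be read from Microsoft Graph (GET /servicePrincipals?$select=displayName,appRoleAssignmentRequired), whereas each app's provisioning model has to come from that app's own admin settings.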