https://community.isc2.org/t5/Tech-Talk/Location-Location-Location/m-p/34678#M2571 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741">@Caute_cautim</a>&nbsp;wrote:<P>Interesting situation arose, shared client infrastructure using the same source IP address range.&nbsp;&nbsp; Salesforce Authentication uses SAML and XML messages, by default without MFA etc.&nbsp;</P><P>&nbsp;</P><P>What happens if you have a business contract, which prevents users from seeing information from another organisation (insurance acquisition), but the original organisation is still in migration mode for months to come.&nbsp; So one user from the organisation goes through to Salesforce, using the same IP address (shared infrastructure), and due to the current remote working situation (COVID-19) and they are forced to used BYOD to keep the business up and running.</P><HR /></BLOCKQUOTE><P>Source IP really should not be used as an authorization factor (e.g. to which organizational unit the user may access).&nbsp; Instead, the SAML IdP (Identity Provider) should return said authorization in an attribute. This ensures that if an employee visits the other unit, their authorization remains consistent.&nbsp;&nbsp;</P><P>&nbsp;</P><P><SPAN>Now that we are all in the midst of work-from-home mandates, the use of source-IP as part of the IAAA process really shows its limitations.&nbsp; It took my colleagues a few years of dealing with a mobile work force and mergers/acquisitions to come up with a few SAML strategies that seem work well for us:</SPAN></P><P>&nbsp;</P><OL><LI><SPAN>All aspects of authentication are done by our IdP.&nbsp; For example, we would <STRONG>not</STRONG> use Salesforce OTP or Salesforce geolocation.&nbsp; Instead, our IdP handles those tasks internally (and consistently across all SPs - Service Providers).</SPAN></LI><LI><FONT face="inherit">We use Geolocation to determine which authentication factors are required.&nbsp; For example, if one is onsite, we accept NTLM or Username/Password.&nbsp; When offsite, we add an OTP requirement.&nbsp; We are contemplating adding a third factor when in countries where we have no business or when geolocation indicates improbable travel (e.g. over 1,235 km/h)</FONT><FONT face="inherit">. However, we do not use GeoFencing to completely block access.&nbsp; There are enough border cases and database errors that users need a way to react when it flares up.</FONT></LI><LI><SPAN>Significant access roles (admin, manager, user, org unit, etc.) are best kept in corporate AD (or whatever you use for identity management) and handed off to the SP by attribute.&nbsp; &nbsp;This keeps your core security team in charge of the fundamental access decisions and more quickly able to modify/remove access.</SPAN></LI><LI><SPAN>App settings and preferences best remain with the SP.&nbsp; Our general rule is that SAML only sends mandatory things via attribute.&nbsp; For example, if the default should be "Compact View", the SP sets it initially and keeps track of the user's preference.&nbsp; On the other hand, our IdP often sends "email address" because it needs to be "right" and users can not change it.</SPAN></LI><LI><A href="https://help.salesforce.com/articleView?id=sso_jit_about.htm&amp;type=5" target="_blank" rel="noopener">Just-in-time provisioning</A><FONT face="inherit">&nbsp;can be your friend, but you still need a sync process to handle deprovisioning.</FONT></LI><LI><FONT face="inherit">SAML becomes an easy "sell" when admins realize how simple it is to comply with account life-cycle management requirements (i.e. refer the auditors to the AD team).</FONT></LI></OL><P><SPAN>Like most things, after one has a dozen or so SPs, it becomes more obvious where the line in the sand should be drawn between the IdP vs the SP.</SPAN></P> Sat, 11 Apr 2020 01:14:38 GMT denbesten 2020-04-11T01:14:38Z https://community.isc2.org/t5/Tech-Talk/Location-Location-Location/m-p/34598#M2559 <P>Attributed to The Cyber Security Hub on LinkedIn:<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="nerd-address.jpg" style="width: 340px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/3993iDCB9A9A28809A39F/image-size/medium?v=v2&amp;px=400" role="button" title="nerd-address.jpg" alt="nerd-address.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 09 Apr 2020 14:16:01 GMT https://community.isc2.org/t5/Tech-Talk/Location-Location-Location/m-p/34598#M2559 CraginS 2020-04-09T14:16:01Z https://community.isc2.org/t5/Tech-Talk/Location-Location-Location/m-p/34633#M2564 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/780103681">@CraginS</a>Would they have received the same response, if you were asked for your post box address?</P><P>&nbsp;</P><P>Interesting situation arose, shared client infrastructure using the same source IP address range.&nbsp;&nbsp; Salesforce Authentication uses SAML and XML messages, by default without MFA etc.&nbsp;</P><P>&nbsp;</P><P>What happens if you have a business contract, which prevents users from seeing information from another organisation (insurance acquisition), but the original organisation is still in migration mode for months to come.&nbsp; So one user from the organisation goes through to Salesforce, using the same IP address (shared infrastructure), and due to the current remote working situation (COVID-19) and they are forced to used BYOD to keep the business up and running.</P><P>&nbsp;</P><P>Interesting situation.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_cautim</P> Fri, 10 Apr 2020 07:26:07 GMT https://community.isc2.org/t5/Tech-Talk/Location-Location-Location/m-p/34633#M2564 Caute_cautim 2020-04-10T07:26:07Z https://community.isc2.org/t5/Tech-Talk/Location-Location-Location/m-p/34678#M2571 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741">@Caute_cautim</a>&nbsp;wrote:<P>Interesting situation arose, shared client infrastructure using the same source IP address range.&nbsp;&nbsp; Salesforce Authentication uses SAML and XML messages, by default without MFA etc.&nbsp;</P><P>&nbsp;</P><P>What happens if you have a business contract, which prevents users from seeing information from another organisation (insurance acquisition), but the original organisation is still in migration mode for months to come.&nbsp; So one user from the organisation goes through to Salesforce, using the same IP address (shared infrastructure), and due to the current remote working situation (COVID-19) and they are forced to used BYOD to keep the business up and running.</P><HR /></BLOCKQUOTE><P>Source IP really should not be used as an authorization factor (e.g. to which organizational unit the user may access).&nbsp; Instead, the SAML IdP (Identity Provider) should return said authorization in an attribute. This ensures that if an employee visits the other unit, their authorization remains consistent.&nbsp;&nbsp;</P><P>&nbsp;</P><P><SPAN>Now that we are all in the midst of work-from-home mandates, the use of source-IP as part of the IAAA process really shows its limitations.&nbsp; It took my colleagues a few years of dealing with a mobile work force and mergers/acquisitions to come up with a few SAML strategies that seem work well for us:</SPAN></P><P>&nbsp;</P><OL><LI><SPAN>All aspects of authentication are done by our IdP.&nbsp; For example, we would <STRONG>not</STRONG> use Salesforce OTP or Salesforce geolocation.&nbsp; Instead, our IdP handles those tasks internally (and consistently across all SPs - Service Providers).</SPAN></LI><LI><FONT face="inherit">We use Geolocation to determine which authentication factors are required.&nbsp; For example, if one is onsite, we accept NTLM or Username/Password.&nbsp; When offsite, we add an OTP requirement.&nbsp; We are contemplating adding a third factor when in countries where we have no business or when geolocation indicates improbable travel (e.g. over 1,235 km/h)</FONT><FONT face="inherit">. However, we do not use GeoFencing to completely block access.&nbsp; There are enough border cases and database errors that users need a way to react when it flares up.</FONT></LI><LI><SPAN>Significant access roles (admin, manager, user, org unit, etc.) are best kept in corporate AD (or whatever you use for identity management) and handed off to the SP by attribute.&nbsp; &nbsp;This keeps your core security team in charge of the fundamental access decisions and more quickly able to modify/remove access.</SPAN></LI><LI><SPAN>App settings and preferences best remain with the SP.&nbsp; Our general rule is that SAML only sends mandatory things via attribute.&nbsp; For example, if the default should be "Compact View", the SP sets it initially and keeps track of the user's preference.&nbsp; On the other hand, our IdP often sends "email address" because it needs to be "right" and users can not change it.</SPAN></LI><LI><A href="https://help.salesforce.com/articleView?id=sso_jit_about.htm&amp;type=5" target="_blank" rel="noopener">Just-in-time provisioning</A><FONT face="inherit">&nbsp;can be your friend, but you still need a sync process to handle deprovisioning.</FONT></LI><LI><FONT face="inherit">SAML becomes an easy "sell" when admins realize how simple it is to comply with account life-cycle management requirements (i.e. refer the auditors to the AD team).</FONT></LI></OL><P><SPAN>Like most things, after one has a dozen or so SPs, it becomes more obvious where the line in the sand should be drawn between the IdP vs the SP.</SPAN></P> Sat, 11 Apr 2020 01:14:38 GMT https://community.isc2.org/t5/Tech-Talk/Location-Location-Location/m-p/34678#M2571 denbesten 2020-04-11T01:14:38Z