Implementing Machine AuthN & Compliance at Pinterest | by Pinterest Engineering | Pinterest Engineering Weblog | Jan, 2023
Armen Tashjian | Safety Engineer, Company Safety
Pinterest has enforced using managed and compliant gadgets in our Okta authentication circulate, utilizing a passwordless implementation, in order that entry to our instruments all the time requires a wholesome Pinterest gadget.
Following the phishing-based assaults towards our friends within the tech business, Pinterest determined to take a two pronged method to defend towards comparable assaults. We determined to:
- Require a managed and wholesome Pinterest gadget be used to entry all Pinterest assets, even when within the possession of legitimate credentials
- Require FIDO2 credentials for person authentication
On this put up, we’ll be specializing in how we required using Pinterest managed gadgets in our Okta authentication circulate.
There are a number of driving forces behind this initiative:
- With the introduction of our PinFlex WFH coverage, we anticipated an elevated variety of workers interacting with Pinterest instruments and providers exterior of the workplace.
- For worker going through instruments, Pinterest is a SaaS-first firm, which signifies that the overwhelming majority of our instruments are web accessible. These instruments will stay internet-accessible both by selection, or due to the dearth of native IP-based allowlisting capabilities.
- Our urge for food for network-centric safety controls has diminished. Whereas that doesn’t imply that VPN or on-premise network-based entry might be completely going away, we acknowledge that our default place received’t be to drive customers to be on a selected community with a view to entry assets, particularly a SaaS instrument.
- Now we have a set of necessary safety controls that solely exist on company-managed gadgets and/or Cellular BYOD with MDM.
We really feel that requiring a managed and wholesome gadget for authentication mitigates among the misplaced safety boundaries described above, by making certain that:
- Phished person credentials (whether or not password, OTP, or push notification) won’t end in entry to Pinterest assets.
- Web-accessible Pinterest instruments, together with those who might comprise delicate knowledge, can’t be accessed from unmanaged or unknown gadgets.
- Managed gadgets might be in a hardened state, making it harder for adversaries to achieve a foothold.
Whereas researching the completely different integration choices inside Okta, a number of issues grew to become obvious for Okta Traditional clients:
- The prevailing bespoke gadget associated integrations that do exist between MDM suppliers and Okta, akin to Machine Belief with Jamf or WS1, don’t present complete options to clients.
- If an Okta buyer or a possible vendor desires to combine with Okta to do one thing “attention-grabbing” with the authentication circulate, the one avenue for doing so is to ascertain mutual belief with some external identity provider (IdP), the place these “attention-grabbing” issues can happen.
Due to this fact, we didn’t have a lot of a selection however to construct and route customers to our personal customized identification supplier. Zuul (apologies Netflix) is an OIDC identification supplier that the Pinterest safety group constructed, with a view to incorporate our gadget auth and compliance necessities into the Okta authentication circulate.
Like among the distributors on this area, we combine our IdP with Okta utilizing IdP Routing/Discovery, the place our IdP acts as a trusted exterior identification supplier. We combine with Okta utilizing the “IdP as SSO” method, quite than the “IdP as a Issue/MFA” method, because the latter conflicts with our FIDO2 implementation.
At its core, and from Okta’s perspective, our IdP is nothing greater than a compliant OIDC IdP. Nevertheless, now that we’re within the vital path for SSO authentication, all the expertise, in addition to the success of the authentication request, may be enhanced to implement using a managed and compliant gadget.
One of many challenges that must be overcome with any device-based resolution is with the ability to affiliate an authentication try with a selected gadget. This requirement is why a certificate-based method was a horny possibility.
We difficulty certificates to all managed gadgets, together with desktop and cellular platforms, via our MDM resolution, which requires customers to authenticate to ensure that a credential to be issued to the gadget. This permits us to:
- Decide the person identification earlier than interacting with them (e.g. FIDO2) by encoding the person identification within the PKI certificates issued to the gadget throughout MDM enrollment
- Affiliate an authentication try with a bodily gadget, because the certificates was issued to that gadget throughout enrollment
- Keep away from platform-specific brokers, as certificate-based authentication is natively supported on the platforms that we help at Pinterest, so we’re capable of reap the benefits of a platform-agnostic method to authentication
Our customized IdP solely helps mTLS authentication with shopper certificates, utilizing certificates which are tied each to a person and gadget. With no legitimate shopper certificates, which is simply distributed to managed gadgets, authentication to our IdP just isn’t potential.
For purposes that don’t help Mutual TLS authentication, for the explanations described within the followup weblog put up, a workaround exists to revert again to password-based authentication.
One other hurdle to beat is Okta’s lack of “enforcement” of an exterior identification supplier. Though we are able to route customers to an exterior identification supplier, Okta doesn’t present the instruments essential to correctly implement using an identification supplier.
Okta clearly indicates that using IdP Routing, and corresponding IdP Routing Guidelines, just isn’t a safety management:
Routing guidelines enhance the end-user sign-in expertise, however they don’t present safety enhancements. You should configure person authentication insurance policies on your IdPs independently of your routing guidelines.
This successfully signifies that we can not depend on exterior IdP as being something greater than an “elective” type of authentication. With out taking any further steps to implement using an exterior IdP, it’s trivial to bypass using an exterior IdP by reverting again to Okta username/password-based authentication.
Within the quote above, Okta alludes to “person authentication insurance policies” as a technique of enforcement. Had these referenced insurance policies been precise “software sign-on insurance policies,” enforcement would have been a non-issue. Sadly, the one Okta insurance policies that exist are “international sign-on” insurance policies, which can not account for the inevitable software exceptions that you’ll doubtless run into, and are due to this fact not sensible to make use of.
SAML Inline Hooks enable for an exterior service to switch a SAML assertion earlier than that SAML Assertion is signed by Okta. On the floor, that’s not likely related to a tool authentication resolution, however there may be one notable return kind that piqued our curiosity: the flexibility to reject an entry try by returning an error.
The requests despatched by Okta in a SAML Inline Hook comprise some related details about an software entry try, together with:
- The applying that’s being accessed
- The person trying to entry the appliance
- How the person’s Okta session was established
Within the examples beneath, observe the distinction between the “classes” in these two app entry makes an attempt.
Entry try and reject (exterior IdP not used)
"context":
"protocol":
"issuer":
"id": "app_id",
"title": "application_name",
"uri": "http://www.okta.com/<app_id>"
,
"session":
"idp":
"id": "okta_idp_id",
"kind": "OKTA"
Entry try to permit (exterior IdP used)
"context":
"protocol":
"issuer":
"id": "app_id",
"title": "application_name",
"uri": "http://www.okta.com/<app_id>"
,
"session":
"idp":
"id": "zuul_idp_id",
"kind": "SOCIAL"
Because of this we are able to programmatically make an access-based choice for each single software entry try. For an entry try that ought to proceed, we return an empty response. For entry makes an attempt that have to be rejected, we throw an error. In different phrases, we are able to overcome no matter limitations exist in Okta app sign-on insurance policies by bolting on our personal customized app sign-on coverage utilizing an inline hook.
To enhance the person expertise, we additionally revoke a person’s Okta session when this error is surfaced.
Within the instance beneath, a person has established an Okta session with one of many many ways in which IdP routing may be bypassed, in an try and bypass our gadget necessities. But, they nonetheless can not entry an software that requires our exterior IdP.
Though SAML Inline Hooks symbolize momentary resolution for us, that is under no circumstances superb. SAML Inline Hooks should be enabled on a per software foundation and might solely be enabled on purposes which are manually configured in Okta, so some reconfiguration of apps is perhaps obligatory. We’re planning to reconfigure purposes that have been downloaded from the Okta Integration Network for the only real objective of enabling our SAML Inline Hook on these purposes.
We’re hopeful that Okta will launch one thing, in both Okta Traditional or OIE, that permits for us to natively implement an IdP on a per software foundation, with a configuration that additionally permits FIDO2 enforcement. Alternatively, an “Inline Hook” for common authentication that may be universally utilized to each Okta app would even be an attention-grabbing different.
Now that each Okta authentication try requires customers to authenticate towards our IdP, now we have the chance to judge the well being of a tool. The intent of our compliance insurance policies is to implement our safety hardening tips to make sure that the fleet of gadgets which are able to accessing our instruments are in compliance and in a hardened state.
Within the occasion {that a} gadget with compliance failures makes an attempt to authenticate, we are able to take a number of actions, together with presenting a warning to the person, or for some insurance policies, blocking the authentication try altogether.
Our compliance framework permits for some capabilities that have been necessary to us and should not generally seen in different options. This contains:
- Insurance policies which are outlined as code, permitting us to create advanced insurance policies if obligatory
- Insurance policies that may consider knowledge from as many knowledge sources as wanted. We at the moment combine with Splunk, Chef, Workspace One, and osquery, with extra integrations deliberate.
- “Actions” which are executed upon the failure of a coverage, two of which we present on this weblog put up (Block/Warn)
- The power to slowly shard a brand new coverage throughout the fleet, utilizing our present manufacturing framework for deploying experiments
Beneath we’ve created an instance coverage to make sure that a person authenticating to Okta is doing so from a tool that’s owned by them and logged in on that gadget with an identical username.
Beneath is the code related to this instance coverage. With the intention to carry out this analysis, we take knowledge collected from two completely different knowledge sources (Airwatch MDM and osquery), and examine the usernames with the individual trying to authenticate to Okta.
@device_policy(
title="username_mismatch",
decider="zuul_device_policy_username_mismatch",
actions=[PolicyAction.BLOCK],
customers=["atashjian"],
gadgets=[PolicyScope.ALL_DEVICES],
user_exception=[],
device_exception=[],
sources=[DataSource.OSQUERY, DataSource.AIRWATCH],
staleness_threshold=2400,
platforms=[DevicePlatform.MACOS],
remediation_message="The person trying to auth, the native username on the gadget, "
"and the gadget proprietor, should all match."
)
def username_mismatch(gadget):
'''be sure that the person that is authenticating, the person logged in on the gadget, and the gadget proprietor match.
'''
authenticating_user = gadget.username
device_logged_in_user = gadget.collected_data[DataSource.OSQUERY].knowledge['results']['data']['logged_in_user']['username']
airwatch_device_owner = gadget.collected_data[DataSource.AIRWATCH].knowledge['UserName']
if authenticating_user == device_logged_in_user == airwatch_device_owner:
return PolicyResult(outcome=PolicyEval.PASS)
else:
return PolicyResult(outcome=PolicyEval.FAIL,
particulars=f"Consumer Authenticating: authenticating_user, "
f"Machine Proprietor: airwatch_device_owner, "
f"Logged In Consumer: device_logged_in_user")
Potential future compliance insurance policies may consider:
- Patch standing
- Malware detection
- Safety agent well being
- Log ingestion well being
- Software/browser extensions
- Kernel/system extensions
- Root CAs
- CIS hardening tips
- And many different issues!
We’ve solely begun our gadget compliance journey, and quantity of labor lies forward, together with:
- Repeatedly codifying gadget compliance insurance policies
- Further integrations, for each amassing knowledge, in addition to performing actions within the occasion of failures
- Evaluating gadget compliance not simply at authentication time, however on a steady foundation
- Closing the Okta enforcement gaps by enabling SAML Inline Hooks throughout all apps
A giant thanks to our companions in IT and Visitors Engineering, for serving to Company Safety to implement this, and a particular point out goes to Jason Craig, a human being.
Keep tuned for some followup weblog posts, together with:
- Our FIDO2 implementation
- A extra in depth look into gadget compliance
For any ideas or suggestions, be happy to achieve out to zuul[at]pinterest.com
To study extra about engineering at Pinterest, take a look at the remainder of our Engineering Weblog and go to our Pinterest Labs web site. To discover life at Pinterest, go to our Careers web page.
