Imposing Gadget AuthN & Compliance at Pinterest | by Pinterest Engineering | Pinterest Engineering Weblog | Jan, 2023
Armen Tashjian | Safety Engineer, Company Safety
Pinterest has enforced the usage of managed and compliant units in our Okta authentication circulate, utilizing a passwordless implementation, in order that entry to our instruments all the time requires a wholesome Pinterest machine.
Following the phishing-based assaults towards our friends within the tech trade, Pinterest determined to take a two pronged method to defend towards comparable assaults. We determined to:
- Require a managed and wholesome Pinterest machine be used to entry all Pinterest sources, even when within the possession of legitimate credentials
- Require FIDO2 credentials for consumer authentication
On this put up, we’ll be specializing in how we required the usage of Pinterest managed units in our Okta authentication circulate.
There are a couple of driving forces behind this initiative:
- With the introduction of our PinFlex WFH coverage, we anticipated an elevated variety of workers interacting with Pinterest instruments and companies exterior of the workplace.
- For worker going through instruments, Pinterest is a SaaS-first firm, which implies that the overwhelming majority of our instruments are web accessible. These instruments will stay internet-accessible both by selection, or due to the dearth of native IP-based allowlisting capabilities.
- Our urge for food for network-centric safety controls has diminished. Whereas that doesn’t imply that VPN or on-premise network-based entry shall be totally going away, we acknowledge that our default place received’t be to drive customers to be on a selected community as a way to entry sources, particularly a SaaS software.
- We’ve a set of vital safety controls that solely exist on company-managed units and/or Cellular BYOD with MDM.
We really feel that requiring a managed and wholesome machine for authentication mitigates among the misplaced safety boundaries described above, by guaranteeing that:
- Phished consumer credentials (whether or not password, OTP, or push notification) won’t end in entry to Pinterest sources.
- Web-accessible Pinterest instruments, together with people who might include delicate information, can’t be accessed from unmanaged or unknown units.
- Managed units shall be in a hardened state, making it harder for adversaries to realize a foothold.
Whereas researching the totally different integration choices inside Okta, a couple of issues turned obvious for Okta Basic clients:
- The prevailing bespoke machine associated integrations that do exist between MDM suppliers and Okta, equivalent to Gadget Belief with Jamf or WS1, don’t present complete options to clients.
- If an Okta buyer or a possible vendor desires to combine with Okta to do one thing “fascinating” with the authentication circulate, the one avenue for doing so is to determine mutual belief with some external identity provider (IdP), the place these “fascinating” issues can happen.
Due to this fact, we didn’t have a lot of a selection however to construct and route customers to our personal customized id supplier. Zuul (apologies Netflix) is an OIDC id supplier that the Pinterest safety workforce constructed, as a way to incorporate our machine auth and compliance necessities into the Okta authentication circulate.
Like among the distributors on this house, we combine our IdP with Okta utilizing IdP Routing/Discovery, the place our IdP acts as a trusted exterior id supplier. We combine with Okta utilizing the “IdP as SSO” method, quite than the “IdP as a Issue/MFA” method, because the latter conflicts with our FIDO2 implementation.
At its core, and from Okta’s perspective, our IdP is nothing greater than a compliant OIDC IdP. Nevertheless, now that we’re within the important path for SSO authentication, your complete expertise, in addition to the success of the authentication request, will be enhanced to implement the usage of a managed and compliant machine.
One of many challenges that must be overcome with any device-based answer is with the ability to affiliate an authentication try with a particular machine. This requirement is why a certificate-based method was a pretty possibility.
We concern certificates to all managed units, together with desktop and cell platforms, via our MDM answer, which requires customers to authenticate to ensure that a credential to be issued to the machine. This enables us to:
- Decide the consumer id earlier than interacting with them (e.g. FIDO2) by encoding the consumer id within the PKI certificates issued to the machine throughout MDM enrollment
- Affiliate an authentication try with a bodily machine, because the certificates was issued to that machine throughout enrollment
- Keep away from platform-specific brokers, as certificate-based authentication is natively supported on the platforms that we assist at Pinterest, so we’re capable of benefit from a platform-agnostic method to authentication
Our customized IdP solely helps mTLS authentication with consumer certificates, utilizing certificates which are tied each to a consumer and machine. With no legitimate consumer certificates, which is barely distributed to managed units, authentication to our IdP will not be doable.
For functions that don’t assist Mutual TLS authentication, for the explanations described within the followup weblog put up, a workaround exists to revert again to password-based authentication.
One other hurdle to beat is Okta’s lack of “enforcement” of an exterior id supplier. Though we will route customers to an exterior id supplier, Okta doesn’t present the instruments essential to correctly implement the usage of an id supplier.
Okta clearly indicates that the usage of IdP Routing, and corresponding IdP Routing Guidelines, will not be a safety management:
Routing guidelines enhance the end-user sign-in expertise, however they don’t present safety enhancements. You have to configure consumer authentication insurance policies in your IdPs independently of your routing guidelines.
This successfully implies that we can’t depend on exterior IdP as being something greater than an “non-obligatory” type of authentication. With out taking any further steps to implement the usage of an exterior IdP, it’s trivial to bypass the usage of an exterior IdP by reverting again to Okta username/password-based authentication.
Within the quote above, Okta alludes to “consumer authentication insurance policies” as a way of enforcement. Had these referenced insurance policies been precise “utility sign-on insurance policies,” enforcement would have been a non-issue. Sadly, the one Okta insurance policies that exist are “world sign-on” insurance policies, which can’t account for the inevitable utility exceptions that you’ll possible run into, and are subsequently not sensible to make use of.
SAML Inline Hooks enable for an exterior service to change a SAML assertion earlier than that SAML Assertion is signed by Okta. On the floor, that’s not likely related to a tool authentication answer, however there’s one notable return kind that piqued our curiosity: the power to reject an entry try by returning an error.
The requests despatched by Okta in a SAML Inline Hook include some related details about an utility entry try, together with:
- The appliance that’s being accessed
- The consumer trying to entry the applying
- How the consumer’s Okta session was established
Within the examples under, observe the distinction between the “classes” in these two app entry makes an attempt.
Entry try to reject (exterior IdP not used)
"context":
"protocol":
"issuer":
"id": "app_id",
"identify": "application_name",
"uri": "http://www.okta.com/<app_id>"
,
"session":
"idp":
"id": "okta_idp_id",
"kind": "OKTA"
Entry try to permit (exterior IdP used)
"context":
"protocol":
"issuer":
"id": "app_id",
"identify": "application_name",
"uri": "http://www.okta.com/<app_id>"
,
"session":
"idp":
"id": "zuul_idp_id",
"kind": "SOCIAL"
Because of this we will programmatically make an access-based resolution for each single utility entry try. For an entry try that ought to proceed, we return an empty response. For entry makes an attempt that should be rejected, we throw an error. In different phrases, we will overcome no matter limitations exist in Okta app sign-on insurance policies by bolting on our personal customized app sign-on coverage utilizing an inline hook.
To enhance the consumer expertise, we additionally revoke a consumer’s Okta session when this error is surfaced.
Within the instance under, a consumer has established an Okta session with one of many many ways in which IdP routing will be bypassed, in an try to bypass our machine necessities. But, they nonetheless can’t entry an utility that requires our exterior IdP.
Though SAML Inline Hooks characterize an excellent short-term answer for us, that is certainly not perfect. SAML Inline Hooks have to be enabled on a per utility foundation and might solely be enabled on functions which are manually configured in Okta, so some reconfiguration of apps could be obligatory. We’re planning to reconfigure functions that had been downloaded from the Okta Integration Network for the only objective of enabling our SAML Inline Hook on these functions.
We’re hopeful that Okta will launch one thing, in both Okta Basic or OIE, that permits for us to natively implement an IdP on a per utility foundation, with a configuration that additionally permits FIDO2 enforcement. Alternatively, an “Inline Hook” for common authentication that may be universally utilized to each Okta app would even be an fascinating various.
Now that each Okta authentication try requires customers to authenticate towards our IdP, we have now the chance to guage the well being of a tool. The intent of our compliance insurance policies is to implement our safety hardening tips to make sure that the fleet of units which are able to accessing our instruments are in compliance and in a hardened state.
Within the occasion {that a} machine with compliance failures makes an attempt to authenticate, we will take a couple of actions, together with presenting a warning to the consumer, or for some insurance policies, blocking the authentication try altogether.
Our compliance framework permits for some capabilities that had been vital to us and will not be generally seen in different options. This contains:
- Insurance policies which are outlined as code, permitting us to create advanced insurance policies if obligatory
- Insurance policies that may bear in mind information from as many information sources as wanted. We presently combine with Splunk, Chef, Workspace One, and osquery, with extra integrations deliberate.
- “Actions” which are executed upon the failure of a coverage, two of which we present on this weblog put up (Block/Warn)
- The power to slowly shard a brand new coverage throughout the fleet, utilizing our present manufacturing framework for deploying experiments
Under we’ve created an instance coverage to make sure that a consumer authenticating to Okta is doing so from a tool that’s owned by them and logged in on that machine with an identical username.
Under is the code related to this instance coverage. So as to carry out this analysis, we take information collected from two totally different information sources (Airwatch MDM and osquery), and evaluate the usernames with the particular person trying to authenticate to Okta.
@device_policy(
identify="username_mismatch",
decider="zuul_device_policy_username_mismatch",
actions=[PolicyAction.BLOCK],
customers=["atashjian"],
units=[PolicyScope.ALL_DEVICES],
user_exception=[],
device_exception=[],
sources=[DataSource.OSQUERY, DataSource.AIRWATCH],
staleness_threshold=2400,
platforms=[DevicePlatform.MACOS],
remediation_message="The consumer trying to auth, the native username on the machine, "
"and the machine proprietor, should all match."
)
def username_mismatch(machine):
'''make sure that the consumer that is authenticating, the consumer logged in on the machine, and the machine proprietor match.
'''
authenticating_user = machine.username
device_logged_in_user = machine.collected_data[DataSource.OSQUERY].information['results']['data']['logged_in_user']['username']
airwatch_device_owner = machine.collected_data[DataSource.AIRWATCH].information['UserName']
if authenticating_user == device_logged_in_user == airwatch_device_owner:
return PolicyResult(consequence=PolicyEval.PASS)
else:
return PolicyResult(consequence=PolicyEval.FAIL,
particulars=f"Consumer Authenticating: authenticating_user, "
f"Gadget Proprietor: airwatch_device_owner, "
f"Logged In Consumer: device_logged_in_user")
Potential future compliance insurance policies may bear in mind:
- Patch standing
- Malware detection
- Safety agent well being
- Log ingestion well being
- Software/browser extensions
- Kernel/system extensions
- Root CAs
- CIS hardening tips
- And many different issues!
We’ve solely begun our machine compliance journey, and an excellent quantity of labor lies forward, together with:
- Constantly codifying machine compliance insurance policies
- Extra integrations, for each amassing information, in addition to performing actions within the occasion of failures
- Evaluating machine compliance not simply at authentication time, however on a steady foundation
- Closing the Okta enforcement gaps by enabling SAML Inline Hooks throughout all apps
A giant thanks to our companions in IT and Visitors Engineering, for serving to Company Safety to implement this, and a particular point out goes to Jason Craig, a human being.
Keep tuned for some followup weblog posts, together with:
- Our FIDO2 implementation
- A extra in depth look into machine compliance
For any ideas or suggestions, be happy to succeed in out to zuul[at]pinterest.com
Curious about studying extra about this matter? Take a look at the second a part of this weblog article right here: Worker-facing Mutual TLS.
To be taught extra about engineering at Pinterest, take a look at the remainder of our Engineering Weblog and go to our Pinterest Labs web site. To discover life at Pinterest, go to our Careers web page.