
Identity Threat Alert: Prevent Attackers from Bypassing the IdP to Log In to Salesforce

Attackers can—and do—bypass Identity Providers (IdPs) like Okta, OneLogin, and Microsoft to access Salesforce directly. Salesforce is perhaps any organization’s most mature and integrated app containing highly sensitive data. And attackers know it—Salesforce was one of the six most targeted SaaS apps in 2023.

Protecting your core business operations and data requires hardening your SaaS posture and closing this loophole quickly; Obsidian Security research predicts this method will be a popular attack vector in 2024.

This blog will demonstrate:

  1. How attackers circumvent the powerful security controls IdPs deploy and log in to Salesforce directly
  2. How to federate Salesforce, and
  3. Proactive steps to detect similar gaps in posture and prevent successful identity breaches

IdPs and MFA are Vulnerable to Weak Posture

Organizations are smartly placing business-critical applications behind IdPs and SSO. This creates a central point of entry to manage SaaS provisioning, life-cycle, and security. Additionally, investments in strong MFA solutions ensure these authentication mechanisms are robust against attackers.

However, this is not the full story. Obsidian Security found that:

  • 85% of users can bypass IdPs and access apps locally 
  • 95% of those users are not required to complete MFA

Just enabling users to be federated through the IdP does not prevent employees—or attackers—from logging in locally to Salesforce or other SaaS platforms with a username and password. Disabling this local login path usually requires additional configuration steps.

Let’s review how Salesforce admins can solve this issue and harden their posture. 

How to Federate Salesforce in 4 Steps

1. Disable Direct Login

From the Admin Console, click Setup and then Company Settings. Select My Domain, and choose Routing and Policies. Ensure “Prevent Login from https://login.salesforce.com” is checked.

2. Disable Login Using Salesforce Credentials

Browse back to the Admin Console. Select Setup, then Single Sign-On Settings. Check that “Disable Login with Salesforce Credentials” is also selected.

3. Enable SSO at the Profile/Permission Level

Next, admins need to federate every user. This is done by ensuring “Is Single Sign-On Enabled” is set to true on every Profile and Permission Set assigned to users.

Note: it is not recommended to federate administrators, so that a break-glass path remains if the SSO provider has an outage. This ensures that access to Salesforce is not blocked.

4. Make the IdP the Default Authentication Service

Finally, set the default authentication service to the chosen IdP. This ensures that users who browse directly to Salesforce are prompted to log in through the IdP.

This final step is where the bypass lives. If the default authentication service is not set to the IdP, anyone who browses directly to the SaaS login page can skip IdP security altogether.

Administrators or implementation specialists frequently complete the first few steps but omit this final one. Or they complete every step successfully, but each new Profile or Permission Set that is added must also have the “Is Single Sign-On Enabled” control enabled. If it is not, configuration drift lets new users log in locally.
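The drift in step 3 can be caught without clicking through every profile: retrieve the Profile metadata and check each file for the permission. The script below is an added example written for this post, not Obsidian Security's or Salesforce's own code. It assumes that the “Is Single Sign-On Enabled” control appears in Profile metadata as a userPermissions entry named IsSsoEnabled (verify this against a profile retrieved from your own org) and that the admin profile is deliberately left un-federated; the sample profiles are constructed inline.

```python
"""Audit Profile metadata for the "Is Single Sign-On Enabled" permission.

Assumed input: Profile .xml files as retrieved through the Salesforce Metadata
API. The permission's API name is assumed to be IsSsoEnabled; confirm it against
a profile retrieved from your own org. The sample profiles below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
SSO_PERMISSION = "IsSsoEnabled"  # assumed API name of "Is Single Sign-On Enabled"
# Break-glass admin profiles deliberately left un-federated (see the note in step 3).
DEFAULT_EXEMPT = frozenset({"System Administrator"})


def sso_enabled(profile_xml: str) -> bool:
    """True if the profile grants the SSO permission.

    A permission absent from the metadata is not granted, so a missing
    <userPermissions> entry is treated the same as enabled=false.
    """
    root = ET.fromstring(profile_xml)
    for perm in root.findall("md:userPermissions", NS):
        if perm.findtext("md:name", default="", namespaces=NS) == SSO_PERMISSION:
            enabled = perm.findtext("md:enabled", default="false", namespaces=NS)
            return enabled.strip().lower() == "true"
    return False


def audit_profiles(profiles: dict[str, str], exempt=DEFAULT_EXEMPT) -> list[str]:
    """Names of non-exempt profiles whose users can still log in locally."""
    return sorted(n for n, xml in profiles.items() if n not in exempt and not sso_enabled(xml))


def _profile(**perms: bool) -> str:
    """Build a minimal constructed Profile document from permission-name=bool pairs."""
    body = "".join(
        f"<userPermissions><enabled>{str(v).lower()}</enabled><name>{n}</name></userPermissions>"
        for n, v in perms.items()
    )
    return f'<Profile xmlns="{NS["md"]}"><custom>true</custom>{body}</Profile>'


# Constructed sample: what a retrieved profiles/ directory might contain.
SAMPLE_PROFILES = {
    "Standard User": _profile(IsSsoEnabled=True, ApiEnabled=True),
    "Sales Rep (custom)": _profile(ApiEnabled=True),        # drift: permission never set
    "Support Agent (custom)": _profile(IsSsoEnabled=False),  # explicitly switched off
    "System Administrator": _profile(ApiEnabled=True),       # exempt break-glass profile
}

if __name__ == "__main__":
    for name in audit_profiles(SAMPLE_PROFILES):
        print(f"NOT federated: {name}")
```

Permission Set metadata uses the same userPermissions shape, so the same check can be run over a retrieved permissionsets/ directory; running it in CI against every metadata retrieval turns the one-time step 3 check into a standing control.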

Test for Yourself

To check whether your Salesforce tenant is vulnerable, try to bypass the IdP yourself. First, browse to the Salesforce tenant. You will be directed to the default authentication service.

However, simply appending “?login=true” to the URL takes you to the local login page. See the animation below:

Although the IdP removes password ownership from users, attackers can still breach the app. Clicking “Forgot Your Password” and entering the username sends a reset email that enables a direct login.

Depending on the strength of your password policy—which can be much weaker than that of the IdP—a brute force attack could be successful (especially if there is no limit to login attempts).
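On the detection side, the same bypass leaves a trace in Salesforce's Login History: a federated user who suddenly succeeds with a plain username/password login, or a burst of failed password attempts against the local page that the IdP's lockout policy never saw. The script below is an added example for this post, not Obsidian Security's or Salesforce's code. It assumes a Login History CSV export with the column names and LoginType/Status values shown under Setup > Login History (confirm the headers of your own export), a constructed break-glass account that is intentionally un-federated, and constructed sample rows.

```python
"""Spot logins that reached Salesforce without passing through the IdP.

Input is a Login History export (CSV). Column names and the LoginType/Status
values follow what Salesforce shows under Setup > Login History, but the rows
here are constructed for this example; confirm the headers of your own export.
"""
import csv
import io
from collections import Counter, defaultdict

# "SAML Sfdc Initiated SSO" / "SAML Idp Initiated SSO" are the federated paths;
# "Application" is the plain username/password browser login.
SSO_PREFIX = "SAML"
DIRECT_LOGIN = "Application"
FAILED_STATUSES = {"Invalid Password"}
# Constructed break-glass account, kept un-federated as the note in step 3 advises.
EXEMPT_USERS = frozenset({"breakglass.admin@example.com"})

# Constructed sample export: one federated user who also used the local page,
# one never-federated user, one guessed password, and the exempt admin.
SAMPLE_EXPORT = """Username,LoginTime,LoginType,Status,SourceIp,LoginUrl
alice@example.com,2024-01-15T09:02:11Z,SAML Sfdc Initiated SSO,Success,203.0.113.10,example.my.salesforce.com
alice@example.com,2024-01-15T13:41:05Z,Application,Success,198.51.100.7,login.salesforce.com
bob@example.com,2024-01-15T09:05:40Z,Application,Success,198.51.100.7,login.salesforce.com
breakglass.admin@example.com,2024-01-15T09:07:03Z,Application,Success,203.0.113.10,example.my.salesforce.com
carol@example.com,2024-01-15T09:10:01Z,Application,Invalid Password,198.51.100.7,login.salesforce.com
carol@example.com,2024-01-15T09:10:09Z,Application,Invalid Password,198.51.100.7,login.salesforce.com
carol@example.com,2024-01-15T09:10:17Z,Application,Invalid Password,198.51.100.7,login.salesforce.com
carol@example.com,2024-01-15T09:10:26Z,Application,Invalid Password,198.51.100.7,login.salesforce.com
carol@example.com,2024-01-15T09:10:34Z,Application,Invalid Password,198.51.100.7,login.salesforce.com
carol@example.com,2024-01-15T09:10:42Z,Application,Success,198.51.100.7,login.salesforce.com
"""


def parse_export(text: str) -> list[dict]:
    """Read the CSV export into one dict per login record."""
    return list(csv.DictReader(io.StringIO(text)))


def direct_logins(rows, exempt=EXEMPT_USERS) -> list[dict]:
    """Successful username/password logins by anyone who should be federated."""
    return [
        r for r in rows
        if r["Status"] == "Success"
        and r["LoginType"] == DIRECT_LOGIN
        and r["Username"] not in exempt
    ]


def federated_users_with_direct_login(rows) -> list[str]:
    """Users seen succeeding via SAML *and* via the local login page: the bypass
    in action, since a correctly federated user never gets the second path."""
    types_by_user = defaultdict(set)
    for r in rows:
        if r["Status"] == "Success":
            types_by_user[r["Username"]].add(r["LoginType"])
    return sorted(
        u for u, types in types_by_user.items()
        if DIRECT_LOGIN in types and any(t.startswith(SSO_PREFIX) for t in types)
    )


def password_failures(rows, threshold: int = 5) -> dict[str, int]:
    """Accounts with at least `threshold` failed password attempts against the
    local login page, i.e. guessing that the IdP's lockout policy never saw."""
    counts = Counter(r["Username"] for r in rows if r["Status"] in FAILED_STATUSES)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for r in direct_logins(rows):
        print(f"direct login: {r['Username']} at {r['LoginTime']} from {r['SourceIp']} via {r['LoginUrl']}")
    print("federated users also seen on the local page:", federated_users_with_direct_login(rows))
    print("password-guessing candidates:", password_failures(rows))
```

Once step 3 is complete, direct_logins should return only the exempt break-glass account; anything else is either drift in a profile or an active bypass, and the LoginUrl and SourceIp columns tell you which and from where.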

A Growing Problem

This misconfiguration is observed frequently in Salesforce, and in other applications it is even more prevalent. As defenders harden the IdP, attackers look for new mechanisms to subvert it.

Taking the aforementioned proactive steps is one strategy to minimize this vulnerability in your SaaS applications. For every Salesforce tenant you have, check the settings mentioned above for all users (with the potential exception of administrators).

But is it really possible to stay on top of your SaaS posture manually for every app? 

Prevent Attackers from Bypassing the IdP with Obsidian Security

Automating this process through a SaaS security platform ensures your posture is always hardened. Having alerts in place to check that your posture and security tools are implemented correctly is a must-have for any organization that relies on SaaS applications.

Pro tip: This technique is not unique to Salesforce; Obsidian Security observes this problem frequently across SaaS applications. Application owners often lack the background or experience to think in an “adversarial” mindset at all times. Tools that alert IT teams to opportunities to harden posture promote better identity security practices.

Visit the Obsidian Security website to learn more about our proactive alerts and preventative controls to block attackers before they breach.