Thank you for your interest in Obsidian! Please enter your information in the form and we will contact you shortly to schedule a demo.
Attackers are increasingly bypassing Identity Providers (IdPs) like Okta, OneLogin, and Microsoft to gain access to Salesforce. In fact, in 2023, Salesforce was one of the six most targeted SaaS applications.
Protecting your core business operations and data requires hardening your SaaS posture and closing this loophole quickly. We expect this to be a popular attack vector in 2024.
In this blogpost, we explore:
Organizations are increasingly placing-critical applications behind IdPs and SSO. This creates a central point of entry to manage SaaS provisioning, life-cycle, and security. Moreover, investments in strong MFA solutions ensure these authentication mechanisms are robust against attackers.
However, this is not the full story. Our security research team found that:
Just enabling users to be federated through the IdP does not prevent employees—or attackers—from logging-in locally to Salesforce or other SaaS platforms using their username and password. Disabling this configuration often requires additional steps.
Let’s review how Salesforce admins can solve this issue and harden their posture.
From the Admin Console, click Setup and then Company Settings. Select My Domain, and choose Routing and Policies. Ensure “Prevent Login from https://login.salesforce.com” is checked.
Browse back to the Admin Console. Select Setup, then Single Sign-On Settings. Check that “Disable Login with Salesforce Credentials” is also selected.
Next, admins need to federate every user. This can be done by ensuring “Is Single Sign-On Enabled” is set to true.
Note: it is not recommended to federate admins in case there is an outage with the SSO provider. This ensures that access to Salesforce is not blocked.
Finally, set the default authentication service to the chosen IdP. This ensures that users that browse directly to Salesforce are prompted to login through the IdP.
To check if your Salesforce application is vulnerable, try to bypass the IdP yourself! First, browse to the Salesforce tenant. You will be directed to the default authentication service.
However, by simply appending the URL with “?login=true” at the end you can access the local login page. See the animation below:
Even though the IdP removes password ownership from users, attackers can still breach the app. If they click “Forgot Your Password” and enter the username, a reset email will allow them to log in directly.
The strength of your password policy—often weaker than that of the IdP—can determine if a brute force attack succeeds, especially without limits on login attempts.
This misconfiguration frequently occurs in Salesforce, and it’s even more prevalent in other applications. As defenders strengthen the IdP, attackers seek new ways to undermine it.
Implementing the proactive steps mentioned is one strategy to reduce this vulnerability in your SaaS applications. For instance, review the settings mentioned above for all users (excluding administrators) for every Salesforce tenant you manage.
Yet, can you effectively manage your SaaS posture manually for every app?
Automating this process through a SaaS security platform ensures organizations always harden their posture. It is crucial for any organization relying on SaaS applications to have alerts in place to verify the correct implementation of posture and security tools.
Pro tip: Obsidian Security frequently observes this issue across various SaaS applications, not just Salesforce. Many application owners lack the background or experience to consistently adopt an adversarial mindset. Implementing tools that alert IT teams to opportunities for posture hardening promotes better identity security practices.
Visit the Obsidian Security website to learn more about our proactive alerts and preventative controls to block attackers before they breach.