Best Practices for Entra SSO Integration with a Third-Party Vendor

Asked By CuriousCat99 On

Hey everyone! We're looking to integrate SSO between our Microsoft Entra ID and a third-party platform. The goal is for our users to log in to their web portal using Entra ID with MFA enabled. From a governance and security standpoint, I want to ensure that the configuration is secure, free of exploitable vulnerabilities, and aligns with best practices. Can anyone suggest a recommended process or a checklist of key items I should review before approving this integration? I'd really appreciate your insights!

3 Answers

Answered By DevOpsNinja12 On

Pay attention to session lengths in the application, especially for sensitive data. Some of our sessions last over 4 hours before requiring re-authentication. We keep a table of our apps with their session durations and SLO support to ensure access is cut off promptly when someone leaves the organization.

Answered By SecurityGuru45 On

First off, check what security certifications you need to comply with—your vendor should have the same certifications. At the very least, I’d recommend asking for ISO 27001 certification as a starting point.

Answered By IntegrationExpert77 On

As someone who's worked with vendors, my most important advice is to stick to the integration documentation provided by the vendor, which should align with Microsoft's guidelines for Entra Enterprise Apps. Check out Microsoft's documentation for examples. Make sure to also ask the vendor for their SAML integration documentation.

It's crucial to advocate for having their docs in Entra for easy auditing. Additionally, implement procedures for change control, security reviews, and delineation of access based on data classification. Lastly, read up on SAML or OIDC docs to determine your institution's standards for best practices.

TechieTom -

Absolutely agreed on this front.

GratefulUser22 -

Thanks for all the great points! Just to add, since there’s no pre-built app in the Entra ID Enterprise App Gallery, we'll need to manually create a custom Enterprise Application based on the vendor's basic SAML setup.
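As an added example (not posted by anyone in this thread and not taken from any vendor's documentation), here is how the manual non-gallery SAML setup described above can be done with the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) instead of clicking through the portal, so the configuration is reviewable as a script. Every URL, display name and group name is an assumed placeholder to be replaced with the values from the vendor's SAML documentation; the 30-minute assertion lifetime is a chosen setting, not a requirement.

```powershell
# Added example, not from the original thread or any vendor's documentation:
# create a non-gallery (custom) SAML enterprise application in Entra ID with
# the Microsoft Graph PowerShell SDK from the vendor's basic SAML values.
# All URLs, names and the group name below are assumed placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration",
                        "Group.Read.All", "AppRoleAssignment.ReadWrite.All"

$displayName = "Vendor Portal (SAML)"
$entityId    = "https://portal.example-vendor.com/saml/metadata"  # assumed: vendor Entity ID (SAML Audience)
$acsUrl      = "https://portal.example-vendor.com/saml/acs"       # assumed: Assertion Consumer Service URL
$sloUrl      = "https://portal.example-vendor.com/saml/slo"       # assumed: vendor SLO endpoint (omit if unsupported)
$groupName   = "SG-VendorPortal-Users"                            # assumed: group that governs access

# 1. Instantiate the well-known "Custom" (non-gallery) application template.
#    This creates the application object and its service principal (the Enterprise App) together.
$customTemplateId = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
$inst  = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $customTemplateId -DisplayName $displayName
$appId = $inst.Application.Id
$spId  = $inst.ServicePrincipal.Id

# 2. SAML as the SSO mode, and require assignment so unassigned users cannot sign in at all.
Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredSingleSignOnMode "saml" -AppRoleAssignmentRequired:$true

# 3. Basic SAML configuration: Identifier (Entity ID), Reply URL (ACS) and Logout URL.
#    Only HTTPS endpoints taken from the vendor's own SAML documentation belong here.
Update-MgApplication -ApplicationId $appId -IdentifierUris @($entityId) -Web @{
    RedirectUris = @($acsUrl)
    LogoutUrl    = $sloUrl
}

# 4. Dedicated signing certificate for this app, so rotation is tracked per integration.
$cert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $spId `
    -DisplayName "CN=$displayName" -EndDateTime (Get-Date).AddYears(2)
Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredTokenSigningKeyThumbprint $cert.Thumbprint

# 5. Assign the access group to the app's default role rather than individual users.
$group  = Get-MgGroup -Filter "displayName eq '$groupName'"
$roleId = ((Get-MgServicePrincipal -ServicePrincipalId $spId).AppRoles |
           Where-Object { $_.IsEnabled } | Select-Object -First 1).Id
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $spId -PrincipalId $group.Id -ResourceId $spId -AppRoleId $roleId

# 6. Shorter SAML assertion validity (30 minutes, within the documented 10-minute to 1-day range)
#    scoped to this app only. This bounds how long a captured assertion is accepted at the ACS;
#    it does NOT shorten the session the vendor's portal keeps afterwards, which is a vendor-side setting.
$policy = New-MgPolicyTokenLifetimePolicy -DisplayName "$displayName - 30m assertion" -IsOrganizationDefault:$false `
    -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"0:30:00"}}')
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $appId `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)" }

# 7. Hand-off values the vendor needs: app-specific federation metadata URL and the signing cert thumbprint.
$tenantId = (Get-MgContext).TenantId
"Federation metadata: https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$($inst.Application.AppId)"
"Signing cert thumbprint: $($cert.Thumbprint)"
```

Run this from an account with the Application Administrator (or Cloud Application Administrator) role; the consent prompt from Connect-MgGraph lists the permissions above. The script only configures the Entra side: whether the vendor actually honours the Logout URL (SLO) and how long its own portal session lives after the assertion is consumed still have to be confirmed with the vendor and recorded in the per-app table suggested earlier in the thread.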
