
Armen Tashjian | Security Engineer, Corporate Security
Pinterest has enforced the use of managed and compliant devices in our Okta authentication flow, using a passwordless implementation, so that access to our tools always requires a healthy Pinterest device.
Following the phishing-based attacks against our peers in the tech industry, Pinterest decided to take a two-pronged approach to defend against similar attacks. We decided to:
- Require a managed and healthy Pinterest device be used to access all Pinterest resources, even when in the possession of valid credentials
- Require FIDO2 credentials for user authentication
In this post, we'll be focusing on how we required the use of Pinterest managed devices in our Okta authentication flow.
There are a few driving forces behind this initiative:
- With the introduction of our PinFlex WFH policy, we anticipated an increased number of employees interacting with Pinterest tools and services outside of the office.
- For employee-facing tools, Pinterest is a SaaS-first company, which means that the vast majority of our tools are internet accessible. These tools will remain internet-accessible either by choice, or because of the lack of native IP-based allowlisting capabilities.
- Our appetite for network-centric security controls has diminished. While that doesn't mean that VPN or on-premise network-based access will be entirely going away, we recognize that our default position won't be to force users to be on a specific network in order to access resources, especially a SaaS application.
- We have a set of important security controls that only exist on company-managed devices and/or Mobile BYOD with MDM.
We feel that requiring a managed and healthy device for authentication mitigates some of the lost security boundaries described above, by ensuring that:
- Phished user credentials (whether password, OTP, or push notification) won't result in access to Pinterest resources.
- Internet-accessible Pinterest tools, including those that may contain sensitive data, can't be accessed from unmanaged or unknown devices.
- Managed devices will be in a hardened state, making it more difficult for adversaries to gain a foothold.
While researching the different integration options within Okta, a few things became apparent for Okta Classic customers:
- The current bespoke device-related integrations that do exist between MDM providers and Okta, such as Device Trust with Jamf or WS1, don't provide comprehensive solutions to customers.
- If an Okta customer or a potential vendor wants to integrate with Okta to do something "interesting" with the authentication flow, the only avenue for doing so is to establish mutual trust with some external identity provider (IdP), where those "interesting" things can take place.
Therefore, we didn't have much of a choice but to build and route users to our own custom identity provider. Zuul (apologies Netflix) is an OIDC identity provider that the Pinterest security team built, in order to incorporate our device auth and compliance requirements into the Okta authentication flow.
Like some of the vendors in this space, we integrate our IdP with Okta using IdP Routing/Discovery, where our IdP acts as a trusted external identity provider. We integrate with Okta using the "IdP as SSO" approach, rather than the "IdP as a Factor/MFA" approach, since the latter conflicts with our FIDO2 implementation.
At its core, and from Okta's perspective, our IdP is nothing more than a compliant OIDC IdP. However, now that we're in the critical path for SSO authentication, the entire experience, as well as the success of the authentication request, can be augmented to enforce the use of a managed and compliant device.
One of the challenges that needs to be overcome with any device-based solution is being able to associate an authentication attempt with a specific device. This requirement is why a certificate-based approach was an attractive option.
We issue certificates to all managed devices, including desktop and mobile platforms, via our MDM solution, which requires users to authenticate in order for a credential to be issued to the device. This allows us to:
- Determine the user identity before interacting with them (e.g. FIDO2) by encoding the user identity in the PKI certificate issued to the device during MDM enrollment
- Associate an authentication attempt with a physical device, since the certificate was issued to that device during enrollment
- Avoid platform-specific agents, as certificate-based authentication is natively supported on the platforms that we support at Pinterest, so we're able to take advantage of a platform-agnostic approach to authentication
Our custom IdP only supports mTLS authentication with client certificates, using certificates that are tied both to a user and a device. Without a valid client certificate, which is only distributed to managed devices, authentication to our IdP is not possible.
For applications that don't support Mutual TLS authentication, for the reasons described in the followup blog post, a workaround exists to revert back to password-based authentication.
Another hurdle to overcome is Okta's lack of "enforcement" of an external identity provider. Although we can route users to an external identity provider, Okta doesn't provide the tools necessary to properly enforce the use of an identity provider.
Okta clearly indicates that the use of IdP Routing, and corresponding IdP Routing Rules, is not a security control:
Routing rules improve the end-user sign-in experience, but they don't provide security enhancements. You must configure user authentication policies for your IdPs independently of your routing rules.
This effectively means that we can't rely on an external IdP as being anything more than an "optional" form of authentication. Without taking any additional steps to enforce the use of an external IdP, it's trivial to bypass the use of an external IdP by reverting back to Okta username/password-based authentication.
In the quote above, Okta alludes to "user authentication policies" as a means of enforcement. Had those referenced policies been actual "application sign-on policies," enforcement would have been a non-issue. Unfortunately, the only Okta policies that exist are "global sign-on" policies, which can't account for the inevitable application exceptions that you'll likely run into, and are therefore not practical to use.
SAML Inline Hooks allow for an external service to modify a SAML assertion before that SAML assertion is signed by Okta. On the surface, that's not really relevant to a device authentication solution, but there is one notable return type that piqued our interest: the ability to reject an access attempt by returning an error.
The requests sent by Okta in a SAML Inline Hook contain some relevant information about an application access attempt, including:
- The application that's being accessed
- The user attempting to access the application
- How the user's Okta session was established
In the examples below, note the difference between the "sessions" in these two app access attempts.
Access attempt to reject (external IdP not used)
    "context": {
        "protocol": {
            "issuer": {
                "id": "app_id",
                "name": "application_name",
                "uri": "http://www.okta.com/<app_id>"
            }
        },
        "session": {
            "idp": {
                "id": "okta_idp_id",
                "type": "OKTA"
            }
        }
    }
Access attempt to allow (external IdP used)
    "context": {
        "protocol": {
            "issuer": {
                "id": "app_id",
                "name": "application_name",
                "uri": "http://www.okta.com/<app_id>"
            }
        },
        "session": {
            "idp": {
                "id": "zuul_idp_id",
                "type": "SOCIAL"
            }
        }
    }
This means that we can programmatically make an access-based decision for every single application access attempt. For an access attempt that should proceed, we return an empty response. For access attempts that need to be rejected, we throw an error. In other words, we can overcome whatever limitations exist in Okta app sign-on policies by bolting on our own custom app sign-on policy using an inline hook.
To improve the user experience, we also revoke a user's Okta session when this error is surfaced.
In the example below, a user has established an Okta session with one of the many ways in which IdP routing can be bypassed, in an attempt to bypass our device requirements. Yet, they still can't access an application that requires our external IdP.
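The allow/reject decision described above, written out as an added example (this is not Pinterest's Zuul code). It reads the session IdP from the hook request, returns an empty response for sessions established through the trusted external IdP, and otherwise returns an error; the IdP id and the error object shape are assumptions, and the request samples are constructed to match the two excerpts above.

```python
import json

# Assumed id of the external (managed-device) IdP, matching the excerpts above.
TRUSTED_IDP_IDS = {"zuul_idp_id"}


def decide(hook_request: dict, trusted_idp_ids=TRUSTED_IDP_IDS) -> dict:
    """Return {} to let Okta sign the assertion, or an error object to reject.

    Fails closed: a request without session/issuer context is rejected, because
    we cannot show that the session was established through the device IdP.
    """
    try:
        idp = hook_request["data"]["context"]["session"]["idp"]
        issuer = hook_request["data"]["context"]["protocol"]["issuer"]
    except (KeyError, TypeError):
        return _reject("Missing session or issuer context in inline hook request")

    if idp.get("id") in trusted_idp_ids:
        return {}  # empty response: Okta signs the assertion unchanged

    # The post also revokes the user's Okta session at this point; that API
    # call is omitted here so the example stays self-contained.
    return _reject(
        f"Access to {issuer.get('name')} requires authentication through the "
        f"managed-device IdP (session came from {idp.get('type')} IdP {idp.get('id')})"
    )


def _reject(summary: str) -> dict:
    # Error object shape assumed from Okta's inline hook error convention.
    return {"error": {"errorSummary": summary}}


def sample_request(idp_id: str, idp_type: str) -> dict:
    # Constructed request body shaped like the two excerpts in the post.
    return {"data": {"context": {
        "protocol": {"issuer": {"id": "app_id", "name": "application_name",
                                "uri": "http://www.okta.com/<app_id>"}},
        "session": {"idp": {"id": idp_id, "type": idp_type}},
    }}}


if __name__ == "__main__":
    print(json.dumps(decide(sample_request("okta_idp_id", "OKTA"))))
    print(json.dumps(decide(sample_request("zuul_idp_id", "SOCIAL"))))
```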
Although SAML Inline Hooks represent a good short-term solution for us, this is by no means ideal. SAML Inline Hooks must be enabled on a per-application basis and can only be enabled on applications that are manually configured in Okta, so some reconfiguration of apps might be necessary. We're planning to reconfigure applications that were downloaded from the Okta Integration Network for the sole purpose of enabling our SAML Inline Hook on those applications.
We're hopeful that Okta will release something, in either Okta Classic or OIE, that allows us to natively enforce an IdP on a per-application basis, with a configuration that also allows FIDO2 enforcement. Alternatively, an "Inline Hook" for general authentication that can be universally applied to every Okta app would also be an interesting alternative.
Now that every Okta authentication attempt requires users to authenticate against our IdP, we have the opportunity to evaluate the health of a device. The intent of our compliance policies is to enforce our security hardening guidelines to ensure that the fleet of devices that are capable of accessing our tools are in compliance and in a hardened state.
In the event that a device with compliance failures attempts to authenticate, we can take a few actions, including presenting a warning to the user, or for some policies, blocking the authentication attempt altogether.
Our compliance framework allows for some capabilities that were important to us and are not commonly seen in other solutions. This includes:
- Policies that are defined as code, allowing us to create complex policies if necessary
- Policies that can take into account data from as many data sources as needed. We currently integrate with Splunk, Chef, Workspace One, and osquery, with more integrations planned.
- "Actions" that are executed upon the failure of a policy, two of which we show in this blog post (Block/Warn)
- The ability to slowly shard a new policy across the fleet, using our existing production framework for deploying experiments
Below we've created an example policy to ensure that a user authenticating to Okta is doing so from a device that's owned by them and logged in on that device with a matching username.
Below is the code associated with this example policy. In order to perform this evaluation, we take data collected from two different data sources (Airwatch MDM and osquery), and compare the usernames with the person attempting to authenticate to Okta.
# device_policy, PolicyAction, PolicyScope, DataSource, DevicePlatform,
# PolicyResult and PolicyEval come from Pinterest's internal policy framework.
@device_policy(
    name="username_mismatch",
    decider="zuul_device_policy_username_mismatch",
    actions=[PolicyAction.BLOCK],
    users=["atashjian"],
    devices=[PolicyScope.ALL_DEVICES],
    user_exception=[],
    device_exception=[],
    sources=[DataSource.OSQUERY, DataSource.AIRWATCH],
    staleness_threshold=2400,
    platforms=[DevicePlatform.MACOS],
    remediation_message="The user attempting to auth, the local username on the device, "
                        "and the device owner, must all match."
)
def username_mismatch(device):
    '''Ensure that the user that is authenticating, the user logged in on the device, and the device owner match.
    '''
    authenticating_user = device.username
    # Local console user as reported by osquery on the device
    device_logged_in_user = device.collected_data[DataSource.OSQUERY].data['results']['data']['logged_in_user']['username']
    # Device owner as recorded by Airwatch MDM at enrollment
    airwatch_device_owner = device.collected_data[DataSource.AIRWATCH].data['UserName']
    if authenticating_user == device_logged_in_user == airwatch_device_owner:
        return PolicyResult(result=PolicyEval.PASS)
    else:
        return PolicyResult(result=PolicyEval.FAIL,
                            details=f"User Authenticating: {authenticating_user}, "
                                    f"Device Owner: {airwatch_device_owner}, "
                                    f"Logged In User: {device_logged_in_user}")
Potential future compliance policies might take into account:
- Patch status
- Malware detection
- Security agent health
- Log ingestion health
- Application/browser extensions
- Kernel/system extensions
- Root CAs
- CIS hardening guidelines
- And many other things!
We've only begun our device compliance journey, and a good amount of work lies ahead, including:
- Continuously codifying device compliance policies
- More integrations, for both collecting data, as well as performing actions in the event of failures
- Evaluating device compliance not just at authentication time, but on a continuous basis
- Closing the Okta enforcement gaps by enabling SAML Inline Hooks across all apps
A huge thanks to our partners in IT and Traffic Engineering, for helping Corporate Security to implement this, and a special mention goes to Jason Craig, a human being.
Stay tuned for some followup blog posts, including:
- Our FIDO2 implementation
- A more in-depth look into device compliance
For any thoughts or feedback, feel free to reach out to zuul[at]pinterest.com
Interested in learning more about this topic? Check out the second part of this blog article here: Employee-facing Mutual TLS.