AuditRubric
pr-aa-4 high Protect / Identity Management, Authentication, and Access Control

Identity assertions are protected, conveyed, and verified

When a user authenticates once and that identity is passed to other systems (federation, SSO, OAuth tokens), each handoff is an opportunity for tampering or forgery. Protecting how identity assertions are created, signed, and validated prevents attackers from forging tokens to impersonate users or escalate privileges.

Estimated effort: 4h
Tags: sso, saml, oauth, tokens, identity-federation
Complete first: pr-aa-3

Implementation steps

  1. Use signed tokens for all identity federation

    All SAML assertions and OAuth/OIDC tokens must be cryptographically signed by the issuing IdP. Receiving services must validate the signature before trusting any claims in the token. Never accept unsigned or self-signed assertions from untrusted sources.

    Tags: okta, microsoft-entra, auth0, google-workspace
  2. Set short expiry times on access tokens

    Short-lived tokens limit the damage from token theft. Access tokens should expire within 15 to 60 minutes. Refresh tokens can be longer-lived but must be rotated on each use and invalidated on logout.

    Tags: okta, auth0, keycloak
  3. Validate audience and issuer claims

    Configure every service that consumes identity tokens to validate the issuer (iss), audience (aud), and expiry (exp) claims. A token intended for one service should not be accepted by another.

    Tags: auth0, keycloak, aws-cognito
  4. Audit federation trust relationships

    Document every SAML trust, OAuth client, and federated identity provider. Review this list quarterly and remove any unused or untrusted relationships.
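Steps 1 and 3 as code, added here as an example and not taken from the rubric or from any of the vendors named above: an RS256 JWT is minted with a constructed stand-in for the IdP's signing key, and the consuming service's check pins the algorithm, verifies the signature against the IdP public key, and only then compares iss, aud and exp with what it expects. The function names, the `https://idp.example` issuer and the `api.example` audience are assumptions; it goes slightly beyond the step text by accepting `aud` as either a string or a list, as RFC 7519 allows.

```ruby
require 'openssl'
require 'json'

# JWT segments are base64url without padding (RFC 7515).
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def unb64url(str)
  (str.tr('-_', '+/') + '=' * (-str.length % 4)).unpack1('m0')
end

# IdP side: RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
def mint(idp_key, claims)
  input = "#{b64url({ alg: 'RS256', typ: 'JWT' }.to_json)}.#{b64url(claims.to_json)}"
  "#{input}.#{b64url(idp_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Consuming-service side. Order matters: pin the algorithm, verify the
# IdP signature, and only then read iss/aud/exp. Returns [claims, nil] on
# success or [nil, reason] on rejection.
def verify(token, idp_pub, expected_iss:, expected_aud:, now: Time.now.to_i)
  parts = token.split('.', -1)
  return [nil, 'malformed token'] unless parts.length == 3
  header = JSON.parse(unb64url(parts[0])) rescue nil
  # The service fixes the algorithm; honouring the token's own "alg" is
  # what lets "alg: none" or an HS256 key-confusion header through.
  return [nil, 'alg not RS256'] unless header.is_a?(Hash) && header['alg'] == 'RS256'
  signed_input = "#{parts[0]}.#{parts[1]}"
  valid = begin
    idp_pub.verify(OpenSSL::Digest.new('SHA256'), unb64url(parts[2]), signed_input)
  rescue OpenSSL::PKey::PKeyError, ArgumentError
    false
  end
  return [nil, 'signature invalid'] unless valid
  claims = JSON.parse(unb64url(parts[1])) rescue nil
  return [nil, 'malformed claims'] unless claims.is_a?(Hash)
  return [nil, 'issuer mismatch'] unless claims['iss'] == expected_iss
  # aud may be a string or a list; this service's identifier must be in it.
  return [nil, 'audience mismatch'] unless Array(claims['aud']).include?(expected_aud)
  return [nil, 'token expired'] unless claims['exp'].is_a?(Integer) && now < claims['exp']
  [claims, nil]
end

if __FILE__ == $PROGRAM_NAME
  idp = OpenSSL::PKey::RSA.new(2048) # constructed stand-in for the IdP's key
  tok = mint(idp, { iss: 'https://idp.example', aud: 'api.example', exp: Time.now.to_i + 900 })
  p verify(tok, idp.public_key, expected_iss: 'https://idp.example', expected_aud: 'api.example')
  p verify(tok, idp.public_key, expected_iss: 'https://idp.example', expected_aud: 'other.example')
end
```

A real service would load the public key from the IdP's OIDC discovery JWKS (the evidence item below) rather than holding it in memory, and would select the key by the token's `kid` header; the claim checks do not change.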

Evidence required

Token signing configuration

Evidence that all identity tokens are cryptographically signed by your IdP.

  • IdP SAML certificate and signing algorithm settings
  • OAuth application configuration showing RS256 or ES256 signing
  • OIDC discovery endpoint showing signing key set

Token lifetime settings

Configuration showing access token expiry and refresh token rotation policy.

  • Okta access token lifetime policy screenshot
  • Auth0 API settings showing token expiry
  • Keycloak realm token settings screenshot

Federation trust inventory

A documented list of all SAML service providers, OAuth clients, and external identity providers.

  • IdP application list with trust dates and owners
  • OAuth client registry export
  • SAML metadata list from your identity provider admin console

Related controls