
1.3.3 - Handling Session Termination with SSO (Documentation)

Open ryarmst opened this issue 1 year ago • 7 comments

Proposal for handling session termination with SSO and other systems:

| # | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| 1.3.3 | Verify that all session granting systems (such as SSO applications) are documented along with controls to propagate session termination across all such systems. | | | |

ryarmst, Sep 21 '24 16:09

Very good. Thank you for this!

jmanico, Sep 23 '24 02:09

Is this linked to section 3.6? Would it be worth preparing matching/complementary requirements for both sections 1.3 and 3.6? @ryarmst

tghosth, Sep 23 '24 15:09

@tghosth Do you mean for 1.3 items to reference requirements in V3 or for there to be something like an in-order alignment between 1.3 and V3 sections?

ryarmst, Oct 14 '24 16:10

My guess is that Josh pointed to section "V3.6 Federated Re-authentication".

elarlang, Oct 14 '24 16:10

Yes, but my question is: what form should complementary requirements take? This is of course related to V3.6.

ryarmst, Oct 15 '24 14:10

Let's handle it with the "next iteration/discussion round"

elarlang, Oct 15 '24 15:10

Really sorry my original point was not super clear, @ryarmst. My point was that 1.x is designed for documentation requirements, so my question was whether there should be a matching implementation requirement in chapter 3.x, and whether there were any other documentation/implementation requirement pairs needed between these chapters.

tghosth, Oct 22 '24 06:10

@tghosth We did not come to a precise conclusion following further discussion, but this is a reformulated attempt to meet 3.6.1 needs. Proposal:

| # | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| 1.3.3 | Verify that all session granting systems (such as SSO applications) are documented along with associated session timeouts and controls to propagate session termination across all such systems. | | | |

Currently, 3.6.1 uses the terminology "maximum authentication time" which I will suggest updating for clarity dependent on this requirement's evolution.

ryarmst, Nov 05 '24 18:11

So it feels like it is in the right direction, but I find it a little confusing because the terminology in 1.3.3 seems very different to the terminology in 3.6.x. Do you understand what I mean?

tghosth, Nov 06 '24 08:11

@tghosth please consider the following in conjunction with #1190:

| # | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| 1.3.3 | Verify that all systems that create and manage user sessions as part of a federated identity management ecosystem (such as SSO systems) are documented along with controls to coordinate session lifetimes and termination, requiring re-authentication. | | | |

I am also considering (separately) section text to reference NIST Federation and Assertions.

ryarmst, Nov 06 '24 17:11

> ...along with controls to coordinate session lifetimes and termination, requiring re-authentication.

The wording of this last bit seems weird, especially the part after the comma, could you rephrase?

tghosth, Nov 06 '24 22:11

@tghosth Agreed, try this:

| # | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| 1.3.3 | Verify that all systems that create and manage user sessions as part of a federated identity management ecosystem (such as SSO systems) are documented along with controls to coordinate session lifetimes, termination, and any other condition that should require re-authentication. | | | |

ryarmst, Nov 07 '24 11:11
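The final wording above asks that every system in the federation be documented together with controls that coordinate session lifetimes, termination, and the conditions that require re-authentication. As an added example (not code from the ASVS project or from any commenter in this thread), the block below shows what one such control looks like on the relying-party side: an OIDC Back-Channel Logout receiver that indexes local sessions by issuer, `sub` and `sid`, verifies the logout token the OP sends, terminates every matching local session, and treats a stale `auth_time` as a condition requiring re-authentication. The issuer URL, the client_id, the shared HS256 key (standing in for the OP's asymmetric signature and JWKS lookup), the 8-hour maximum authentication age, and the in-memory session store are all assumptions made for this example.

```python
"""Added example: relying-party side controls for coordinating session
termination and re-authentication with an SSO provider (OIDC Back-Channel
Logout). All identifiers and keys below are assumed values, not from ASVS."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example"       # assumed OP (the session granting system)
CLIENT_ID = "rp-client-id"           # assumed client_id of this relying party
SHARED_KEY = b"example-hs256-key"    # stand-in for the OP's signing key / JWKS
MAX_AUTH_AGE = 8 * 3600              # assumed local policy: re-auth 8h after auth_time
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Local session index: local session id -> claims copied from the ID token at login.
# Indexing by (iss, sub) and sid is what lets an OP-initiated logout reach every local session.
SESSIONS: dict = {}
SEEN_JTI: set = set()                # logout-token ids already processed (replay protection)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict) -> str:
    """Build an HS256 logout token the way the OP would (used only to construct sample input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_logout_token(token: str, now: float) -> dict:
    """Signature check plus the logout-token validation rules of OIDC Back-Channel Logout 1.0."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # the token must not choose the algorithm
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if abs(now - claims.get("iat", 0)) > 300:
        raise ValueError("iat outside acceptable window")
    if LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in logout tokens")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token must carry sub or sid")
    if "jti" not in claims or claims["jti"] in SEEN_JTI:
        raise ValueError("missing or replayed jti")
    SEEN_JTI.add(claims["jti"])
    return claims


def login(local_id: str, sub: str, sid: str, auth_time: float) -> None:
    """Record a local session created from an ID token issued by ISSUER."""
    SESSIONS[local_id] = {"iss": ISSUER, "sub": sub, "sid": sid, "auth_time": auth_time}


def handle_backchannel_logout(token: str, now: Optional[float] = None) -> list:
    """Terminate every local session the logout token refers to; return their ids."""
    claims = verify_logout_token(token, time.time() if now is None else now)
    doomed = []
    for local_id, s in SESSIONS.items():
        if s["iss"] != claims["iss"]:
            continue
        if "sid" in claims:                         # one OP session -> its local sessions
            if s["sid"] == claims["sid"]:
                doomed.append(local_id)
        elif s["sub"] == claims["sub"]:             # no sid: every session of that user here
            doomed.append(local_id)
    for local_id in doomed:
        del SESSIONS[local_id]
    return sorted(doomed)


def needs_reauthentication(local_id: str, now: float) -> bool:
    """Re-auth conditions: session terminated upstream, or auth_time older than MAX_AUTH_AGE."""
    s = SESSIONS.get(local_id)
    return s is None or now - s["auth_time"] > MAX_AUTH_AGE


def logout_accepted(claims: dict, now: float) -> bool:
    """True if a logout token with these claims passes verification (exercises the checks)."""
    try:
        verify_logout_token(make_logout_token(claims), now)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed scenario: alice has two SSO sessions, bob one; the OP logs out alice's first."""
    SESSIONS.clear()
    SEEN_JTI.clear()
    now = 1_700_000_000
    login("local-a1", "alice", "op-sess-1", now - 3600)
    login("local-a2", "alice", "op-sess-2", now - 10 * 3600)
    login("local-b1", "bob", "op-sess-3", now - 60)
    token = make_logout_token({"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": "evt-1",
                               "sub": "alice", "sid": "op-sess-1", "events": {LOGOUT_EVENT: {}}})
    terminated = handle_backchannel_logout(token, now)
    try:
        handle_backchannel_logout(token, now)        # same jti again: must be refused
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"terminated": terminated, "replay_rejected": replay_rejected,
            "a1_reauth": needs_reauthentication("local-a1", now),
            "a2_reauth": needs_reauthentication("local-a2", now),
            "b1_reauth": needs_reauthentication("local-b1", now)}


if __name__ == "__main__":
    print(demo())
```

The point of the session index is that termination can only be propagated if the relying party remembers which OP session each local session came from; without the `sid`/`sub` mapping a logout token has nothing to act on. The `MAX_AUTH_AGE` check is the local half of the lifetime coordination: it bounds a local session by the `auth_time` the OP asserted rather than by the local cookie alone, so the re-authentication condition the proposed requirement asks to document has a concrete place to live.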

Yeah let's get it in :) @ryarmst

tghosth, Nov 07 '24 11:11

@tghosth please see #2336

ryarmst, Nov 07 '24 15:11