End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data.
The organisation has a defined relationship with the individuals who have been given access, either directly or through contractual agreements with third parties.
Only production environments can be linked to the production IdP.
Specification
Federated identities are used for all employees when authenticating to the system. The use of local accounts is only permitted:
- if necessary for external users, subject to all other relevant controls, including password complexity and multi-factor requirements
- for break-glass or separate privileged accounts
For end-user access to applications, Single Sign-On is highly recommended to reduce the number of authentication prompts and, with them, the opportunities for phishing.
ISO 27001 & 27002:2022
A5.2,
A5.3,
A5.15,
A5.16,
A5.17,
A5.18,
A8.2
SURF information security assessment framework (NBA maturity model)
ID.01 Access rules