Controls

Terug naar overzicht
Version

SB.9.001 Authentication through organisational identity

Identity & Access Management
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description

End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data.

The organisation has a defined relationship with individuals that have been given access, either directly or through contractual agreements with third parties.

Only production environments can be linked to the production IdP.

Specification

Federated identities are used for all employees for authenticating to the system. The use of local accounts is only permitted:

  • if neccessary for external users, following any relevant other controls including password complexity and multi-factor requirements
  • for break-glass or separate privileged accounts

For end-user access to applications Single-Sign On is highly recommended to reduce the amount of authentication prompts and with it phishing opportunities.

Specification

ISO

Federated identities are used for all employees for authenticating to the system. The use of local accounts is only permitted:
- if neccessary for external users, following any relevant other controls including password complexity and multi-factor requirements
- for break-glass or separate privileged accounts

NBA