4 Common Security Flaws Found in SSO Protected Live Streams
Many organizations will be surprised to learn that their SSO-protected live streams may not be as secure as they initially thought. Whilst conducting an audit of SSO-compatible live streaming platforms, we made the following observations.
Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials.
#1 The embed page is protected, but the live stream content isn’t.
The first issue we noticed is that most providers only use SSO to protect the page on which the video player is embedded. Some providers included SSO protection within the player itself; however, the majority did not encrypt the stream manifest and video segments. This meant that anyone with a direct link to the video manifest could watch the stream with no SSO authorization required.
#2 The live stream archives aren’t encrypted.
Similar to the above point, we noticed that the majority of providers only protected the archive embed location and didn't encrypt the video file itself. This meant that if a user accessed the archive with a direct link, they would be able to watch or download it with no restrictions.
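The fix for both #1 and #2 is the same: the SSO check has to cover the manifest, every segment and every archive file, not just the embed page. The following is an added example (not StreamShark code) of one way to do that: the manifest is only served to a verified SSO session, and every segment or archive URI in it carries a short-lived HMAC token that the media handler checks before serving. The session store, signing key, manifest and file paths are all constructed for the example.

```python
"""Gate an HLS manifest and every segment/archive request behind a verified
SSO session, using short-lived HMAC tokens so a bare URL is useless on its own.
Constructed example: SESSIONS, SIGNING_KEY and ORIGIN_MANIFEST are stand-ins."""
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs

SIGNING_KEY = b"example-signing-key-rotate-me"   # constructed; load from a secret store in practice
TOKEN_TTL = 60                                   # seconds a segment/archive token stays valid

# Constructed SSO session store: session id -> authenticated user and expiry (epoch seconds)
SESSIONS = {"sess-123": {"user": "alice@example.com", "expires": 1_700_000_300}}

# Constructed origin manifest, exactly as an unprotected provider would serve it
ORIGIN_MANIFEST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:100
#EXTINF:6.0,
seg100.ts
#EXTINF:6.0,
seg101.ts
"""


def _sign(path, user, exp):
    """HMAC over path, user and expiry so the token is bound to one file and one viewer."""
    msg = f"{path}|{user}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def signed_url(path, user, now=None):
    """Append a user-bound, expiring token to a segment or archive path."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{path}?" + urlencode({"u": user, "e": exp, "t": _sign(path, user, exp)})


def serve_manifest(session_id, now=None):
    """Return the manifest with every segment URI signed, or None when the caller
    has no valid SSO session (flaw #1: the manifest itself is gated)."""
    now = now if now is not None else time.time()
    sess = SESSIONS.get(session_id)
    if not sess or sess["expires"] < now:
        return None
    out = []
    for line in ORIGIN_MANIFEST.splitlines():
        if line and not line.startswith("#"):       # media URI lines only
            line = signed_url(line, sess["user"], now)
        out.append(line)
    return "\n".join(out) + "\n"


def authorize_media(url, now=None):
    """Verify the token on a segment or archive URL. True only when the signature
    matches and has not expired (flaw #2: archives go through the same gate)."""
    now = now if now is not None else time.time()
    path, _, query = url.partition("?")
    q = parse_qs(query)
    try:
        user, exp, tok = q["u"][0], int(q["e"][0]), q["t"][0]
    except (KeyError, ValueError):
        return False                                 # bare or malformed URL
    if exp < now:
        return False                                 # token expired
    return hmac.compare_digest(tok, _sign(path, user, exp))
```

The token is bound to the user from the SSO session, so a manifest copied out of one browser cannot be replayed for long, and a direct link to an archive (for example `signed_url("archives/event.mp4", user)`) is refused once its token lapses or if any part of it is altered.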
#3 How is the access control list referenced?
The SSO protection implemented might not update in real time: there can be significant delays between a change to the identity provider's access control list (ACL) and the behaviour of the SSO implementation that protects the live streams, which causes access-control faults. This could result in situations where an employee who is no longer with the company still has access to the company's live streams and on-demand content.
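To make the delay concrete, here is an added example (not StreamShark code) that contrasts an authorizer working from a cached ACL snapshot with one that asks the identity provider on every request. `IdentityProvider` is a constructed stand-in for an IdP's group-membership API; the group name, users and TTL are made up for the simulation.

```python
"""Cached-ACL versus per-request authorization, showing how long a removed
employee stays authorized under each. IdentityProvider is a constructed stand-in."""


class IdentityProvider:
    """Constructed stand-in for the IdP: the source of truth for group membership."""

    def __init__(self, members):
        self._members = {g: set(m) for g, m in members.items()}

    def is_member(self, user, group):
        return user in self._members.get(group, set())

    def list_members(self, group):
        return set(self._members.get(group, set()))

    def remove_user(self, user):
        """Offboarding: drop the user from every group."""
        for grp in self._members.values():
            grp.discard(user)


class CachedAuthorizer:
    """Snapshot-based check that refreshes the ACL only every `ttl` seconds (flaw #3)."""

    def __init__(self, idp, group, ttl, now):
        self.idp, self.group, self.ttl = idp, group, ttl
        self._refresh(now)

    def _refresh(self, now):
        self._snapshot = self.idp.list_members(self.group)
        self._fetched_at = now

    def allowed(self, user, now):
        if now - self._fetched_at >= self.ttl:
            self._refresh(now)
        return user in self._snapshot


class RealtimeAuthorizer:
    """Per-request check against the IdP: a revocation takes effect on the next request."""

    def __init__(self, idp, group):
        self.idp, self.group = idp, group

    def allowed(self, user, now=None):
        return self.idp.is_member(user, self.group)


def grants_after_revocation(authorizer, idp, user, probe_times):
    """Revoke `user` at the IdP, then return the probe times (seconds) at which
    the authorizer still grants access. An empty list means immediate revocation."""
    idp.remove_user(user)
    return [t for t in probe_times if authorizer.allowed(user, t)]
```

With a 300-second cache TTL, the cached authorizer keeps granting access to a user removed at the IdP until the next refresh, while the per-request authorizer denies them immediately; in production the probe times correspond to the viewer's manifest and segment requests.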
#4 No SSO viewer audit trail.
The majority of providers only logged the emails and names of SSO users, which isn't useful on its own. At the very least, the live streaming platform should capture the number of sessions per user and their geographical locations, which allows suspicious activity such as unauthorized SSO account sharing to be identified.
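As an added example (not StreamShark code) of what that richer audit trail enables, the following parses constructed viewer-session records (user, session, IP, city, start and end times) and flags accounts with overlapping sessions or sessions from more than one city. The CSV rows, thresholds and field names are all constructed for the example.

```python
"""Flag possible SSO account sharing from a viewer audit trail.
The AUDIT_CSV records below are constructed sample data."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed audit records: one row per viewer session
AUDIT_CSV = """user,session_id,ip,city,started,ended
alice@example.com,s1,203.0.113.5,Melbourne,2024-05-01T09:00:00,2024-05-01T10:00:00
alice@example.com,s2,203.0.113.5,Melbourne,2024-05-01T11:00:00,2024-05-01T11:30:00
bob@example.com,s3,198.51.100.7,Sydney,2024-05-01T09:05:00,2024-05-01T10:05:00
bob@example.com,s4,192.0.2.44,Berlin,2024-05-01T09:10:00,2024-05-01T10:00:00
bob@example.com,s5,192.0.2.90,Berlin,2024-05-01T09:20:00,2024-05-01T09:50:00
"""


def parse_audit(text):
    """Read the CSV export into dicts with real datetimes for the session bounds."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["started"] = datetime.fromisoformat(r["started"])
        r["ended"] = datetime.fromisoformat(r["ended"])
        rows.append(r)
    return rows


def peak_concurrent(sessions):
    """Maximum number of sessions open at the same instant (start/end sweep)."""
    events = [(s["started"], 1) for s in sessions] + [(s["ended"], -1) for s in sessions]
    events.sort(key=lambda e: (e[0], e[1]))   # an end at time t is processed before a start at t
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def flag_account_sharing(rows, max_concurrent=1, max_cities=1):
    """Return {user: [reasons]} for every user exceeding the session or city thresholds."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    findings = {}
    for user, sessions in by_user.items():
        reasons = []
        concurrent = peak_concurrent(sessions)
        cities = {s["city"] for s in sessions}
        if concurrent > max_concurrent:
            reasons.append(f"{concurrent} concurrent sessions")
        if len(cities) > max_cities:
            reasons.append(f"sessions from {len(cities)} cities: {', '.join(sorted(cities))}")
        if reasons:
            findings[user] = reasons
    return findings
```

Names and emails alone could not produce either finding; it is the per-session timing and location data that separates a legitimate viewer re-joining a stream from one account being used in several places at once.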
How StreamShark protects live and on-demand streams with SSO
Many StreamShark customers use SSO providers, and we support Okta, OneLogin, GSuite, Active Directory, or any SAML 2.0-compatible Identity Provider.
We offer SSO for both User authentication (live stream portal access) and Viewer authentication (video player access). Our platform treats the identity provider as the source of truth. For every single user/viewer access request, our platform refers to the identity provider to check the ACL (the list as well as group/subgroup membership) in real time and confirm whether access is granted or denied.
All user and viewer access is logged in detail (IP address, sessions, browsers, devices, city, etc.), and the SSO reports are exportable as .csv and can be shared with the Security team for audits if required. Along with the portal and the video player, access to the manifest and each video segment of a live stream is protected via SSO. Furthermore, all live streams and archives delivered via StreamShark are encrypted.
The diagram below depicts how, in accordance with the ACL in Okta, User access is restricted to the StreamShark Platform and Viewer access is restricted to the StreamShark Video Player.