How is everyone, that is utilizing OneLogin SSO, handling the breach? Looking to see how others are mitigating the changes that are required and any tools/recommendations past what OneLogin recommends.
OneLogin Security Incident
On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to possibly decrypt some encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions:
If you replicate your directory password to provisioned applications (using the SSO Password feature) or if your users authentication method is OneLogin as a directory, force a OneLogin directory password reset for your users.
You don't need to reset directory passwords if you don't use the SSO Password feature or if your users authenticate using Active Directory!
See Password Management.
Generate new certificates for your apps that use SAML SSO.
Generate new API credentials and OAuth tokens.
- For legacy API keys, see developers.onelogin.com/api-docs/v1-v3/getting-started/using-the-onelogin-api
- For current API keys, see developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials
- For OAuth tokens, see developers.onelogin.com/api-docs/1/oauth20-tokens/refresh-tokens
Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.
For Active Directory Connectors:
- Create a new failover Active Directory Connector instance, following steps 1- 5a in "Adding additional ADC instances for load balancing and failover."
- Copy the installation token for the new failover over the existing primary Active Directory Connector token on the server where the Active Directory Connector instance runs, replacing the contents of the Windows Registry key at
HKEY_Local_Machine\SOFTWARE\Wow6432Node\OneLogin, Inc.\Active Directory Connector\DirectoryToken
- Restart the Active Directory Connector.
- Switch the new failover Active Directory Connector instance to be the primary (sync) connector, following the instructions in "Failing over a synchronization Active Directory Connector instance manually."
- Delete the old Active Directory Connector instance from OneLogin by following the instructions in "Deleting or disabling your Active Directory Connector instance."
For LDAP Directory Connectors:
- Create a new failover LDAP Directory Connector instance, following steps 1 - 6 in Installing Multiple LDAP Directory Connectors for High Availability.
- Copy the token from the new instance to the config file for your existing active LDAP Directory Connector by editing the file
conf/ldc.confand updating the configuration property
ldc.api.token. (See steps 9 and 10 in "Installing an LDAP Directory Connector")
- Restart the LDAP Directory Connector.
- Switch the new failover LDAP Directory Connector instance to be the active connector, following the instructions in "Switching a standby connector to active."
- Remove the old LDAP Directory Connector instance from OneLogin by clicking Delete on the Basic tab of the LDAP Directory Connector configuration page (Go to Users > Directories, select the directory, go to the Basic tab, and select the instance to delete).
Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro.
For details, see:
Generate and apply new Desktop SSO tokens.
- If you use Active Directory Connectors for Desktop SSO, you should generate and apply new directory tokens, as described above.
- If you use a remote authentication script running in IIS (rather than Active Directory Connectors), go to Settings > Desktop SSO, scroll down to Redirect URLs, select Fixed URL, click Generate new token, and copy the new token to your remote authentication script. For more details, see Configuring Desktop SSO Using a Remote Authentication Script in IIS.
Recycle any secrets stored in Secure Notes.
See Secure Notes.
Update the credentials you use to authenticate to 3rd party apps for provisioning.
Some apps use OAuth, others use API keys. For information about the apps you use, view the provisioning doc for those apps in the App Integration section.
Update the admin-configured login credentials for apps that use form-based authentication.
Tip! You can use CSV batch login update to update passwords for form-based authentication. See CSV Batch Login Update.
- Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps.
Replace your RADIUS shared secrets.
If you have questions or need assistance please contact us at firstname.lastname@example.org.