Subscribe to the Non-Human & AI Identity Journal

How should security teams add SSO to a homegrown authentication system without creating new risk?

Keep tenant routing, IdP selection, and claim handling on the backend, then validate the federated response before creating local sessions. Homegrown SSO becomes risky when the client influences federation choice or when authentication success is allowed to bypass application-level authorisation rules.

Why This Matters for Security Teams

Adding SSO to a homegrown authentication flow is not just a login-project change. It changes who decides trust, where identity assertions are validated, and whether application authorisation still has the final say. If tenant routing or identity-provider selection leaks into the client, an attacker can steer a user into the wrong federation path and turn a convenience feature into an account-takeover path. That is why this question sits squarely in the same risk family covered by the Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0: trust boundaries must be explicit, not implied by the front end. NHI Management Group research also shows why identity mistakes matter operationally, not theoretically. In the State of Non-Human Identity Security, 85% of organisations lacked full visibility into third-party vendors connected via OAuth apps, which is a strong reminder that federated identity needs careful control even before a session is created. In practice, many security teams encounter SSO abuse only after a misrouted login or privilege bypass has already occurred, rather than through intentional testing.

How It Works in Practice

The safest pattern is to keep federation logic on the server side and treat the browser as an untrusted transport. The client may initiate login, but it should not choose the identity provider, determine tenant scope, or interpret claims. The backend should select the federation path, validate the IdP response, and only then mint a local session after checking that the user is allowed to access the application and that the specific tenant, group, or role is authorised for that request.

A practical implementation usually includes:

  • Server-side IdP discovery based on preconfigured tenant mappings, not client-supplied parameters.
  • Strict validation of issuer, audience, signature, nonce, and token lifetime before any session creation.
  • Claim normalization so that group names, tenant identifiers, and subject identifiers are mapped to local policy consistently.
  • Application-level authorisation checks after authentication, because successful SSO does not equal permission to use every feature.
  • Short-lived sessions and explicit re-authentication for sensitive actions where risk is higher.

This is consistent with the direction described in the Ultimate Guide to NHIs, especially where identity sprawl and weak governance create avoidable exposure. It also aligns with the NIST guidance model, which emphasises verifying identity assertions before relying on them for access decisions. The operational rule is simple: federated authentication proves who the user is, while your application still decides what that user may do. These controls tend to break down when legacy apps share a session layer across tenants because a single trust mistake can propagate into every downstream request.

Common Variations and Edge Cases

Tighter federation controls often increase implementation and support overhead, requiring organisations to balance user experience against assurance. That tradeoff becomes especially visible in multi-tenant environments, M&A integrations, and apps that support both local credentials and SSO.

There is no universal standard for every edge case yet, but current guidance suggests the following:

  • If multiple IdPs are supported, resolve tenant-to-IdP mapping on the backend from authoritative configuration, not from a URL parameter or browser hint.
  • If local accounts and SSO coexist, keep their session paths separate and prevent silent privilege merging.
  • If claims drive authorisation, treat them as inputs to policy, not as direct grants of access.
  • If a user changes groups or leaves the organisation, refresh authorisation state quickly rather than waiting for the next full session expiry.

The main failure mode appears when teams assume the federated login flow is the security boundary. It is not. The true boundary is the combination of validated identity assertion, local session issuance, and post-login authorisation enforcement. That is why the OWASP NHI Top 10 is useful here even for human SSO design: it reinforces that trust should be anchored in the backend, with policy applied at the point of use. When that discipline is missing, a clean-looking SSO rollout can quietly expand the blast radius of every authentication mistake.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-1 Identity proofs and access decisions must be separated from the client.
OWASP Non-Human Identity Top 10 NHI-01 Client-controlled federation choice and claim handling create identity trust flaws.
NIST AI RMF AI governance guidance helps frame policy-based runtime decisions and trust boundaries.

Apply runtime policy checks so identity assertions never bypass application authorisation.