IAM: delete authentication details when changing from IAM to External/Windows authentication type

Related products: Intelligent Application Manager

We are about to move our users from IAM to External authentication type. Testing and reviewing this migration proved very simple: I only have to change the authentication type for the user from IAM to External. This change seems to do nothing more and nothing less than updating the authentication type of the user in the usr_authentication table. 

The great benefit of SSO is not only a better user experience, but also improved security, as it eliminates the need for storing user credentials in different systems (i.e. it reduces the ‘attack surface’ for hackers). 

For the purpose of improved security I would therefore advocate that the (now obsolete) authentication details from the usr_authentication table in IAM should be deleted when changing from IAM to External or Windows authentication type.

I intend to run this script myself after having updated the authentication type, but I would rather see IAM doing this by default:

-- Clear IAM-managed credentials and TOTP secrets for users that have been switched to External authentication (type 4)
UPDATE usr_authentication
SET two_factor_authentication_type = 0,
    totp_key = NULL,
    totp_active = 0,
    password_hash = NULL,
    password_salt = NULL,
    password_algorithm = NULL
WHERE authentication_type = 4
  AND password_hash IS NOT NULL

Note: to make sure this doesn't happen accidentally or unnoticed, I would recommend adding a warning message or confirmation when an administrator is changing the authentication type from IAM to External.

Note 2: I am not certain about Kerberos authentication type, but I think the same would apply.
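As an added example that is not part of the original post and not Thinkwise's own code, the clean-up above can be run in two steps: first an audit query that lists the externally authenticated users still carrying IAM credentials or TOTP secrets, then the update inside a transaction that is only committed when the number of affected rows matches the audit. It assumes SQL Server (T-SQL) syntax, the usr_authentication column names used in the post, a usr_id column as the user identifier (an assumption, not taken from the page), and authentication_type = 4 for External as in the post; the codes for Windows and Kerberos are not given on the page and are deliberately left out. The audit also widens the filter to rows that have only a TOTP key or an active TOTP flag left behind, which the post's script would skip.

```sql
-- Added example (not from the original post or Thinkwise). Assumes T-SQL and the
-- usr_authentication columns named in the post; usr_id is an assumed identifier column.

-- 1. Audit: externally authenticated users (type 4) that still carry IAM secrets.
SELECT usr_id,
       authentication_type,
       two_factor_authentication_type,
       totp_active,
       CASE WHEN password_hash IS NOT NULL THEN 1 ELSE 0 END AS has_password_hash,
       CASE WHEN totp_key      IS NOT NULL THEN 1 ELSE 0 END AS has_totp_key
FROM usr_authentication
WHERE authentication_type = 4
  AND (password_hash IS NOT NULL OR totp_key IS NOT NULL OR totp_active = 1);

-- 2. Clean-up guarded by a transaction. Set @expected to the row count returned by
--    step 1 before running; any mismatch rolls the change back for inspection.
DECLARE @expected INT = 0;   -- placeholder: fill in the audit count
DECLARE @affected INT;

BEGIN TRANSACTION;

UPDATE usr_authentication
SET two_factor_authentication_type = 0,
    totp_key = NULL,
    totp_active = 0,
    password_hash = NULL,
    password_salt = NULL,
    password_algorithm = NULL
WHERE authentication_type = 4
  AND (password_hash IS NOT NULL OR totp_key IS NOT NULL OR totp_active = 1);

SET @affected = @@ROWCOUNT;  -- must be read immediately after the UPDATE

IF @affected <> @expected
    ROLLBACK TRANSACTION;    -- unexpected scope: leave the rows untouched
ELSE
    COMMIT TRANSACTION;

-- 3. Re-run the audit query; it should now return no rows.
```

Running the audit before and after the update gives a record of which accounts were cleaned, which is the evidence an administrator would want when the change is made as part of an SSO migration.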

Updated idea status: New -> Open