Tags: saas, identity persistence, for administrators

When the IdP admin API is Tier-0: OneLogin backdoor persistence

Leaked OneLogin admin API credentials are effectively Tier-0. The attacker mints backdoor users, provisions them into connected apps, and weakens MFA. Resetting a password will not stop it.

OneLogin is the single sign-on identity provider, so its admin API is effectively Tier-0. Whoever holds it can mint users, grant access into every connected app, and weaken MFA.

How the attack works

Admin API credentials leak from an automation host. The credential authenticates from an unfamiliar source and creates a new user, adding it to an admin-capable role for a standing foothold. It then provisions that identity into connected SaaS applications, granting downstream access through SSO, and modifies an authentication policy to relax MFA for a set of users, easing impersonation and re-entry. This is durable tenant persistence that survives any one user’s password reset. In ATT&CK terms this is T1098, Account Manipulation, and T1136, Create Account, with T1556, Modify Authentication Process, for the policy change.

Why it works

The API credential is independent of any human password, and it was over-scoped: an HR-sync bot did not need to change auth policy. There was no source restriction and no alerting on privileged IdP actions.

How to fix it

The non-obvious move is that resetting the associated admin’s password does nothing, because the API credential is independent of it and keeps working. Revoke the credential itself, remove the backdoor users and app grants, restore the auth policy, then force tenant-wide re-authentication so the SSO sessions the attacker rode are invalidated. For the class fix, scope admin API credentials to least privilege, store them in a secret store with rotation, restrict API access by source, and alert on privileged IdP actions regardless of caller. The OneLogin event log, filtered to the credential and the incident window, is the authoritative record of every change that was made.
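The two defensive pieces above, alerting on privileged IdP actions regardless of caller and turning the event log for the credential and window into an undo checklist, as an added example that is not part of the original field note or of OneLogin. The event records, field names, event labels and the allowed source range are constructed for the example and do not follow the real OneLogin event schema.

```python
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Privileged IdP actions that alert regardless of who performed them.
# Event labels and field names are assumptions, not the real OneLogin schema.
PRIVILEGED = {"user.create", "role.add_user", "app.assign_user", "policy.update"}
UNDO = {"user.create": "delete user {user}", "role.add_user": "remove {user} from role {role}",
        "app.assign_user": "revoke {app} grant for {user}",
        "policy.update": "restore policy {policy} from last known-good"}
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]  # constructed: the automation host's range

# Constructed sample events: the HR-sync credential is used from an unfamiliar
# address to create a user, make it admin, provision an app, and relax MFA.
SAMPLE_LOG = """\
{"created_at":"2024-05-01T09:00:00Z","event_type":"user.login","actor":"hr-sync-bot","ipaddr":"203.0.113.10","user":"alice"}
{"created_at":"2024-05-01T09:05:00Z","event_type":"user.create","actor":"hr-sync-bot","ipaddr":"198.51.100.7","user":"svc-backup2"}
{"created_at":"2024-05-01T09:06:00Z","event_type":"role.add_user","actor":"hr-sync-bot","ipaddr":"198.51.100.7","user":"svc-backup2","role":"Administrators"}
{"created_at":"2024-05-01T09:07:00Z","event_type":"app.assign_user","actor":"hr-sync-bot","ipaddr":"198.51.100.7","user":"svc-backup2","app":"AWS SSO"}
{"created_at":"2024-05-01T09:08:00Z","event_type":"policy.update","actor":"hr-sync-bot","ipaddr":"198.51.100.7","policy":"Default Policy","notes":"mfa_required=false"}
{"created_at":"2024-05-01T10:00:00Z","event_type":"user.create","actor":"hr-sync-bot","ipaddr":"203.0.113.10","user":"bob"}
"""

def parse_events(text):
    """One JSON object per line; parse the timestamp so events can be window-filtered."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))
    return events

def alerts(events):
    """Every privileged action alerts; an unfamiliar source is an extra flag, not a filter."""
    out = []
    for e in events:
        if e["event_type"] not in PRIVILEGED:
            continue
        src = ip_address(e["ipaddr"])
        out.append({"ts": e["created_at"], "actor": e["actor"], "action": e["event_type"],
                    "unfamiliar_source": not any(src in net for net in ALLOWED_SOURCES)})
    return out

def undo_plan(events, actor, start, end):
    """Containment checklist: reverse, in order, every change the credential made in the window."""
    return [UNDO[e["event_type"]].format(**e) for e in events
            if e["actor"] == actor and e["event_type"] in UNDO and start <= e["ts"] <= end]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(alerts(evs))
    print(undo_plan(evs, "hr-sync-bot", evs[0]["ts"], evs[4]["ts"]))
```

The legitimate creation of "bob" from the allowed range still alerts, because the control is "alert on the action", while the source flag is what separates it from the four changes made from the unfamiliar address. The undo plan is then the revoke-and-undo step; forcing tenant-wide re-authentication is still required afterwards.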

Practice it

We built this as a GraphLattice Range scenario so teams can rehearse the IdP persistence chain, the revoke-undo-and-force-reauth containment, and the federated blast radius that reaches every connected app.