Accepted/In Progress

SAML / SSO Integration for Management Portal


Userlevel 2
Badge +2
This has been posted before but failed to gain traction. I would like Webroot to implement SAML for the https://my.webrootanywhere.com portal. Since admins are able to remove agents from PCs and run command line processes, I would argue that the lack of these features is a security risk. I would add that the portal should support MFA; however, most SSO providers also support MFA. So if we get SAML integration we would be in good shape. I'm sure others would like the opportunity to use MFA with local accounts as well though.
 
Thank you,
Matt  
 

16 replies

Userlevel 4
Badge +8
Thank you for the suggestion. In fact, we have been looking into this functionality. It's in the backlog!
Userlevel 6
Badge +24
I agree with @ - that assessment is spot on. This request along with the request for common MFA support should be a high priority for the team and contribute significantly to the security of the platform as a whole - especially since WR is adding other components - UAT & DNS. In addition to the original comments, having SAML & SSO also would allow organizations to leverage their IAM solutions if they have them and ensure a unified access policy across a multitude of cloud/web apps.
 
Thanks,

Jesse
Userlevel 2
Badge +2
Any further update on this from the dev team?  Do you have an ETA or idea of where it's located on the roadmap?  Thank you.
Just a post of support here. 
@ thanks for the information but as @ says can we please get a guesstimate (I won't hold you to it - promise) as to when we will see this.
To add to what @ says, MFA is pretty much a requirement these days; however, if you are using Azure MFA or similar you can use their solution to provide this functionality. OOTB service might be nice for other users who have not implemented this.
 
Thanks all.
 
Just throwing my support in for this feature as well. I am eager to see SAML SSO implemented for the security of my customers. I would much prefer SAML over a built-in MFA solution, but either would be nice.
@all we need is SAML; if you want MFA you can then create an Enterprise app in Azure AD. Then if you have MFA enabled or a conditional access policy enforcing it (for that app), users will receive the MFA challenge.
 
In short, Webroot just needs to add an app to the Azure gallery, or provide the details to us on what we need to create a custom app ourselves. It's then up to us to configure MFA in the platform itself. 
Badge

@BruceR, we need webroot to support SSO/SAML

Userlevel 4
Badge +8
Hi, we are actively looking at this feature request and recognize the need for two factor auth to be implemented. I will keep the community informed once we have decided on the solution and how we are going to implement this for our global customers. Thanks
Userlevel 2
Badge +4
Received this today in my e-mail:


Webroot Customer,

A critical component of an effective cybersecurity strategy is good cyber hygiene, including implementing two-factor authentication (2FA), using strong passwords, regularly installing software updates and avoiding saving credentials in browsers.

Recently, Webroot’s Advanced Malware Removal team discovered that a small number of customers were impacted by threat actors who could have been thwarted with more consistent cyber hygiene. We immediately began working with those customers to remediate any impact.

As a proactive measure to help ensure all our customers are following security best practices, we initiated an automated console logoff at 3 a.m. EDT on June 20 and are implementing mandatory 2FA in the Webroot® Management Console.

To learn more about setting up 2FA, visit our Community post. There you will also find links to our knowledge base, including articles on other security best practices. If you need additional assistance, please open a support ticket.

Thank you for your vigilance,

Chad Bacher
SVP, Products
WEBROOT, a Carbonite Company
Userlevel 2
Badge +4
Maybe this will get the right person's attention.... Can we get the webroot dev people to watch some Security Awareness Training videos?
Userlevel 2
Badge +4
https://community.webroot.com/submit-a-business-feature-request-30/saml-support-for-management-console-logon-73639 - 5 years ago... so yeah.
Userlevel 2
Badge +4
Do I need to say how ridiculous the current security code implementation is?
Badge
Do I need to say how ridiculous the current security code implementation is?

Probably not, but let's go ahead. This method, by their own definition, does not satisfy the requirement of MFA/2FA. If Webroot Inc. has a data breach, there's nothing stopping logins from being automated.
The number of Webroot-authored blog posts preaching the benefits of MFA, yet not implementing the feature itself is laughable. Do you know of any other platforms that use this rudimentary 2-password method?

Chad Bacher, this is the security industry, not banking; get up to speed.
Badge
As a Webroot customer I am tracking the latest security concerns regarding the MSP breaches reported June 20th, 2019. The requests for an improved security posture are extensive, the link follows and for reference:

"A researcher from Huntress Labs, a firm that provides security services to MSPs, claimed on Reddit to have confirmation that the attackers used a remote management console from Webroot to execute a PowerShell based payload that in turn downloaded the ransomware on client systems. Webroot describes the console as allowing administrators to view and manage devices protected by the company's AV software."

https://news.viceroy.tech/?post=487
Userlevel 2
Badge +4
What I find ironic is that I encounter the same objections and difficulties with my technology vendors as I do my customers. They have to feel the pain of a security issue before they are willing to address it the correct way with an investment, and even then, they typically do not address it with a forward thinking approach. Kaseya and Webroot both fall into that camp.

https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/

If a few more events like this (link above) get tech vendors to pause on buying/merging their companies to better their portfolios and take a moment to realize the liability they face if they don't take some of these security measures seriously, then it's for the good of the whole community. What's infuriating is that Webroot is a company that has all of this data at their fingertips and they know and sell their products using this data. They send it out regularly to help market their products... I'm no lawyer, but that's close to my definition of negligence and opens them up to the possibility of a catastrophically large lawsuit.
