SSO Incident Response
RCCE students will learn single sign-on architecture, implementation, and security including SAML 2.0, OpenID Connect, Kerberos, federation protocols, and SSO session management. RCCE students will learn to design SSO architectures that balance user convenience with security, configure identity providers and service providers for SAML-based SSO, implement OIDC-based SSO for modern applications, troubleshoot SSO authentication failures, secure SSO sessions against hijacking and replay attacks, audit SSO configurations for misconfigurations, and respond to incidents involving SSO compromise including golden SAML attacks and session token theft. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Building on core knowledge, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing SSO Incident Response
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for learning objectives
- Build detections and response workflows for privilege escalation
- Build detections and response workflows for privilege escalation, including SSO architectures, and Secure SSO sessions.
- Explain SSO Architecture Overview fundamentals
- Execute hands-on tasks for auth request
- Execute hands-on tasks for token/assertion
- Execute hands-on tasks for user agent — covering Authenticates user.
- Integrate privilege controls with identity providers and SIEM telemetry, including Authenticates user.
- Execute hands-on tasks for security risks — covering Reduced password fatigue across services, Single point of failure if IdP is.
- Execute hands-on tasks for saml 2.0 protocol deep dive
| Module 01 | Single Sign-On Architecture, Security & Incident Handling |
| Module 02 | Learning Objectives |
| Module 03 | Architecture & Protocols |
| Module 04 | Security & Detection |
| Module 05 | Incident Response |
| Module 06 | SSO Architecture Overview |
| Module 07 | Auth Request |
| Module 08 | Token/Assertion |
| Module 09 | User Agent |
| Module 10 | Identity Provider (IdP) |
| Module 11 | Security Risks |
| Module 12 | SAML 2.0 Protocol Deep Dive |
| Module 13 | Security-Critical Fields |
| Module 14 | Signature: XML DSig integrity proof |
All hands-on labs run on Rocheston Rose X OS. Students practice sso incident response by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Design a scalable privilege management architecture with policy and enforcement
- Lab 2: Execute hands-on tasks for learning objectives
- Lab 3: Design a scalable privilege management architecture with policy and enforcement
- Lab 4: Build detections and response workflows for privilege escalation
- Lab 5: Build detections and response workflows for privilege escalation
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for SSO Incident Response, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI