Threat model
This threat model covers a correctly configured PassBeyond instance, its public reverse proxy, IdP connection, dynamic state, and backend trust relationship.
Assets
The primary assets are:
- authenticated access to the protected application;
- the identity and group data supplied to the backend;
- JWT and SAML signing keys in dynamic configuration;
- passthrough tokens in static configuration;
- IdP metadata and the trust relationship it represents;
- session JWTs stored in browsers.
Attacker capabilities
Assume an unauthenticated remote attacker can send arbitrary HTTP methods, paths, cookies, and headers to the public domain. The attacker may attempt redirects, replay stolen browser state, forge identity headers, abuse public endpoints, or exhaust resources.
Also consider a network attacker between improperly protected internal components, a low-privilege local user, a compromised backend, and an operator who makes a configuration error.
Threats and controls
| Threat | PassBeyond control | Deployment responsibility |
|---|---|---|
| Forged SAML response | Validation against configured IdP metadata | Protect metadata source and IdP administration |
| Forged session | HS256 signature, issuer, time, and algorithm checks | Protect dynamic state and browser endpoints with TLS |
| Identity header spoofing | Removes incoming identity and X-Passbeyond-* headers | Prevent direct backend access |
| Client IP spoofing | Trusts forwarding data only from trustedProxies and overwrites downstream headers | Configure narrow proxy addresses |
| Open redirect | Return URL must be HTTPS and match the configured domain and port | Configure the exact public domain |
| Proxy loop | Instance ID header detects a request returning to the same instance | Set targetURL to the actual backend |
| Stolen JWT replay | Short, signed expiry window | Prevent cookie theft; choose an appropriate timeout |
| Key disclosure | Restricted dynamic file created with private permissions | Harden host, backups, and diagnostics; rotate after disclosure |
| Backend interception | Upstream TLS verification enabled by default | Use a trusted CA and keep verification enabled |
| Metadata resource exhaustion | Remote response capped at 10 MiB and fetched with a timeout | Restrict outbound connectivity and monitor refresh failures |
| Log injection | Security-relevant request data is sanitized before logging | Protect and monitor log access |
Residual risks
Session replay
The application JWT is a bearer credential and is not bound to a device, TLS channel, or client key. An attacker who steals it can use it until expiry. PassBeyond has no per-session server-side revocation list.
Delayed identity changes
The JWT carries a snapshot of IdP attributes. Disabling an account or changing its groups at the IdP does not update an already issued session.
Intentional bypasses
A matched passthrough path or token skips SAML authentication by design. Token compromise or an overly broad path exposes the backend independently of the IdP.
Trusted component compromise
A compromised TLS proxy can alter requests before they reach PassBeyond. A compromised PassBeyond host exposes signing keys and sessions. A compromised backend receives user identity data and may ignore authorization rules. These components require independent hardening.
Review triggers
Revisit the threat model whenever you:
- add a passthrough rule or preserve incoming authorization headers;
- change the edge proxy or trusted proxy ranges;
- expose a new backend route or protocol;
- change IdP metadata delivery or signing requirements;
- lengthen the session timeout;
- share storage, networks, or configuration across instances.