#infosec question, sorry if this is dumb:
My employer has an SSO; *most of the time* I log into services, including offsite ones, by typing my username/password into a auth-token-generating page at a campus URL I trust.
But sometimes a site asks for my SSO credentials directly at their own URL---anyone from janky campus-service contractors to obviously-legit things like login.microsoftonline.com.
As a user, is there a way to tell a legit third-party-URL SSO auth request from an unsafe one?
First, good on you for paying attention and asking, and I don't think it's a dumb question. You're the kind of team member that is an asset to your company's security posture in my opinion.
My recommendation from your perspective as a user (rather than an IT admin) would be butt-covering, combined with providing an opportunity for your org to share info with you / improve your understanding on the topic.
My suggestion is to explicitly raise your concerns to someone who has the authority to direct your behavior (your supervisor, the highest ranking IT person (e.g. CIO, if you have one) and/or the company overall leader (easier for a small company, but regardless of CEO tech ability the IT person should be able to explain their decisions to a CEO in words they can understand). Then ask them to tell you what you should do. This way, when you do it their way, you can point to that direction and say: "I'm doing what I was told" if things go south for any reason.
Something like: "My current expectation is that I should only enter my SSO credentials <in a specific set of ways> to ensure they are not intercepted, captured and/or abused by a third party.
Tools X, Y, and Z (as well as others) violate that expectation by requiring me to enter my credentials in another way: <specify differences>.
Can you either confirm that it is required for me to enter my credentials in this different manner for tools like these or share with me the correct procedure?
Please also share how you expect me to participate in protecting the company from the risk of intercepted SSO credentials in the future (e.g. by alerting you when I observe this, as I am doing now, or some other approach)."
The short answer to your question of how to tell is:
My assumption is that a third-party URL SSO auth is NOT legit, and it is a sign that that third party does not have their security act together.
That said, a business may choose to accept that risk or mitigate it in any number of ways and for a variety of reasons (including that the benefit of having access to the tool balances the added risk)
@kissake I have followed your advice and pointed the janky vendor out to campus IT for followup.