TrustedX: eidas Platform

Similar documents
TrustedX - PKI Authentication. Whitepaper

Securing Identities & Trust

The Top 5 Federated Single Sign-On Scenarios

The increasing popularity of mobile devices is rapidly changing how and where we

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

NCSU SSO. Case Study

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

Agenda. How to configure

Flexible Identity Federation

PRIVACY AWARE ACCESS CONTROL FOR CLOUD-BASED DATA PLATFORMS

Mobile Security. Policies, Standards, Frameworks, Guidelines

nexus Hybrid Access Gateway

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

HOL9449 Access Management: Secure web, mobile and cloud access

SECUREAUTH IDP AND OFFICE 365

Single Sign On. SSO & ID Management for Web and Mobile Applications

How To Use Salesforce Identity Features

Connected Data. Connected Data requirements for SSO

WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

Introduction to SAML

API-Security Gateway Dirk Krafzig

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Online Identity Attribute Exchange Initiatives

Identity. Provide. ...to Office 365 & Beyond

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

USING FEDERATED AUTHENTICATION WITH M-FILES

Security Challenges. in Moving to Externalized Datacenters. (Focusing on SaaS) Eran Birk, Spring Business. Intelligence

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

Layered security in authentication. An effective defense against Phishing and Pharming

SAML Security Option White Paper

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

PortWise Access Management Suite

Enhancing Web Application Security

Evaluation of different Open Source Identity management Systems

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Online Identity Attribute Exchange Initiatives

Configuring user provisioning for Amazon Web Services (Amazon Specific)

Scalable Authentication

SAP NetWeaver AS Java

Perceptive Experience Single Sign-On Solutions

Egnyte Single Sign-On (SSO) Installation for OneLogin

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

FIDO Modern Authentication Rolf Lindemann, Nok Nok Labs

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

How To Manage A Plethora Of Identities In A Cloud System (Saas)

The Challenges of Web single sign-on

People-Focused Access Management. Software Consulting Support Services

Copyright Pivotal Software Inc, of 10

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

How to Implement Enterprise SAML SSO

Approaches to Enterprise Identity Management: Best of Breed vs. Suites

NISTIC Pilot - Attribute Exchange Network. Biometric Consortium Conference

Leveraging SAML for Federated Single Sign-on:

Media Shuttle s Defense-in- Depth Security Strategy

Identity Implementation Guide

Enabling SSO for native applications

Ping Identity, Euro Cloud award entry

HOW IT WORKS E-SIGNLIVE 1 INTRODUCTION 2 OVERVIEW

Working with Indicee Elements

SAML and OAUTH comparison

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

Apigee Edge API Services Manage, scale, secure, and build APIs and apps

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Google Identity Services for work

The Future of Cloud Identity Security. Michael Schwartz Founder / CEO Gluu

WHITE PAPER Usher Mobile Identity Platform

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Onegini Token server / Web API Platform

Walk Then Run: 10 Essential Steps to Securing the Cloud

Authentication Scenarios India. Ramachandran

IGI Portal architecture and interaction with a CA- online

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Citrix Ready Solutions Brief. CA Single Sign-On and Citrix NetScaler: Quickly Adapt to Your Dynamic Authentication Demands. citrix.

Entrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003

Managed Portable Security Devices

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

Identity in the Cloud

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

Secure Your Enterprise with Usher Mobile Identity

Increase the Security of Your Box Account With Single Sign-On

Frequently asked questions

tibbr Now, the Information Finds You.

A Standards-based Mobile Application IdM Architecture

DreamFactory Security Whitepaper Customer Information about Privacy and Security

UAF Architectural Overview

JVA-122. Secure Java Web Development

Configuring Salesforce

Mobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Transcription:

TrustedX: eidas Platform Identification, authentication and electronic signature platform for Web environments. Guarantees identity via adaptive authentication and the recognition of either corporate, recognized or social identities: Includes authentication, single sign-on and identity federation functionality. Provides authentication methods based on context, behavior biometrics, one-time keys, digital certificates and mobile devices. Platform complemented through the incorporation of PKI identity attributes for developing electronic signature functions. Along with the authentication functionality, provides server and mobile device signature services, providing an integral solution for deploying the new eidas trust services. Characteristics Adaptive Authentication, Federation and SSO Methods Integration of the organization in Social, Mobile and Cloud (SoMoClo) media to assure a variable level of trust tailored to the applications. Adaptive authentication. Balances security, risk/cost and user convenience through the intelligent elevation of trust based on contextual information and the dynamic accumulation of multiple factors. Manages trust in the federation of identities and provides single sign-on (SSO) control between applications across different media and devices, adapting it to the variable trust requirements. Electronic Signature Methods Two modes for the straightforward and uniform integration of advanced esigning into applications on a server (e.g., in the Cloud) and in user devices (e.g., a mobile). encryption and for the protection of electronic transactions. - C/ Basauri, 17 Edif. Valrealty

2 Auditing and Regulations Provides a single point for data incorporation, audits, reporting and intelligence analysis on the use of credentials for authentication and esigning. Serves as a technology framework for deploying applications and services based on the new European regulation on electronic identification and authentication services (eidas) and the new EU Directive on epayment and financial services. Benefits Identity Provider/Broker Acts as an identity provider and/or broker. Supports federation with external providers and enhances security in the authentication of existing users and groups. Also provides SSO between applications. Supports corporate directories (including AD/Kerberos), national eids and social identifiers (i.e., Google, Facebook, etc). Electronic Signature Provider The system treats PKI material as identity attributes and/or credentials and centrally manages them on the server or distributed on devices (e.g., mobiles) that can be used to perform advanced electronic signatures as set out in the new eidas regulation. Integration Standards Extends the control of corporate authentication to Cloud applications such as Google Apps, Salesforce and Office 365 through the implementation of generalized Web and Cloud protocols. Support for SAML 2.0 Web SSO and OAuth 2.0/OpenIDConnect 1.0, which facilitates the integration and deployment of applications promoting the API Economy. Versatile Authentication Integration of authentication and esignature in multiple user devices based on browser and/or native applications (e.g., mobile devices). Thanks to the Web OAuth and OpenIDConnect protocols and Safelayer's Mobile ID app, integration in applications is very straightforward and highly secure. Trust Elevation An additional layer of security transparently assesses the authentication risk level by taking into account the user's profile, habits and biometrics. Users continue using their identities. They are only prompted for an additional authentication step when a certain risk threshold is exceeded.

3 Rules and Regulations The new eidas regulation is of particular relevance. It puts forward functions and recommendations for assuring identity, authentication and the electronic signature with the aim of improving trust, security and interoperability between both public and private organizations, e.g., the new epayment directive on financial services and the banking sector is based on the eidas regulation. Operation The eidas platform acts as an identity, authentication and electronic signature provider for multiple applications through the use of the following functionality and concepts: Adaptive Authentication Policies: Identity and authentication workflows are modeled that can accumulate identity attributes and request one or more authentication factors (deployed OTPs, SMSs, emails, etc.) explicitly or when a threshold of acceptable risk is exceded. Authentication Method Classification: Support for the level of assurance (LoA) identity classification as recommended by the new EU regulation (eidas), Spain's ENS regulations, the US s OMB/NIST 800-63 recommendation and the ITU-T X.1254 / ISO/IEC 29115 standard. Trust Elevation y Step-up: Methods for analyzing the user's context (the user's device, location and connection habits) are incorporated along with an improvement in security (intuitive server authentication, device registration, typing rhythm) that allow elevating the trust within an LoA or skipping to another level depending on the risk configured and detected. Adaptive Single Sign-On (SSO): User authentication in multiple applications is streamlined while observing security requirements. Two types of SSO are supported: i) by LoA and ii) by factor. In the first, SSO only occurs if the destination application requires an LoA less or equal to that obtained in a prior authentication. In the second, SSO only occurs if the factors required were successfully passed previously. If SSO cannot be applied, step-up reauthentication (factor accumulation) can be forced. Federation: The can connect with any external identity provider and in particular with social networks (e.g., Facebook, Google plus, etc.) to incorporate new sources of users and identity information. It also acts as an identity provider for external service providers and in particular with Cloud/SaaS applications (e.g., salesforce, Google Apps, Office 365, etc.). All the applications integrated in the federation can also make use of the trust elevation, step-up and adaptive SSO functionality. Electronic Signature: As an identity provider, the system can authoritatively manage PKI attributes (keys and certificates) associated to the identities and can also in this way act as an esignature provider. The PKI key attributes are protected by a secure container that can be on the server itself, in an HSM or on a user device, e.g., a mobile, in all cases under the exclusive control of the user. Only user owners of the key attributes can access these attributes via an esignature service.

4 Mobile eidas: The platform can be complemented with the Mobile ID" mobile application (app) that protects PKI keys and certificates transparently and in a userfriendly way. This app, in cooperation with the eidas platform, lets the user perform PKI strong authentication and advanced electronic signing in any Web application either on the mobile or another device. In practice, it follows the recommendations of the eidas regulation. User-centricity and Privacy: The system is based on a user-centric identity management paradigm, which means that it is the user in the last instance who authorizes the identity provider to provide identity information to the applications and services requesting it. The protocols used are OAuth 2.0, OpenIDConnect 1.0 and SAML 2.0 WebSSO, which use the user as the point of interconnection between the providers. The OAuth and OpenIDConnect protocols respect the privacy of user data. Integration, Interoperability and the API Economy: The system is completely based on Web technologies: REST, HTTP, HTML, JavaScript, JSON and Web OAuth and OpenIDConnect protocols, which means that the organization can provide its community with an authentication and authorization API to identity information on its users along with a delegated esignature service with which applications can request esigning authorization on behalf of users. Furthermore, an infinite number of systems and third-party tools support these Web technologies. BigData and Intelligence: As the system is user-centric, it accumulates and adds identity information, context, credentials, authentication attempts, SSO, service and application authorization, etc., that the user performs via the platform. This generates a lot of information about the user that seen together with the entire population provides potential for a very valuable intelligence analysis for the company, both in terms of security and incident prevention and for insights on the user community. The following is a use-case example: A user is usually logged in to Facebook in their portable computer. At a given moment, they access an e-commerce application (RP). This application delegates to an identity provider (IdP) federated with Facebook so that when the primary authentication starts, as the user is already logged in, the IdP obtains information on the user from Facebook without the user having to re-authenticate. The IdP's authentication flow was configured to transparently analyze the user's context information so that if it is the first time that the user accesses using the device and/or from a new country geolocation, the user must enter an OTP sent via SMS. Once the OTP has been entered, the system registers the device and the location as trusted so that further accesses detect this situation and do not request more factors from the user. At this point, the platform assigns a medium level of assurance (LoA) to the user's identity. With this trust, the user has read access to their e-commerce profile, including the purchase agenda, mobile telephone number, delivery addresses, direct debit accounts, personalized offers, etc. However, with this medium level they cannot make changes to or write to their profile.

5 The user purchases a digital product for which they need to authorize a direct debit in their bank account. At this point, and in cooperation with the account owner's financial entity, the system detects that the user has a mobile signature key (Mobile ID app) and sends a transaction acceptance notification for the user to sign electronically. The user now wants to enter a new delivery address into their profile. When the user accesses the form, the system detects that the LoA is medium and that to edit the profile, a "high" level is required. As a result, the system sends an authentication notification to the user's mobile (Mobile ID app) so the user can perform a PKI strong authentication that will result in a high LoA. This use-case example aims to demonstrate the versatility and potential of the platform for resolving identity security demands that arise depending on how critical the service to be consumed is or the risk attached to it. The methods described in the example can be replaced by others more suited to the service being provided. Architecture

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information